{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/atlassian-cloud/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Workday","Slack","GlobalProtect","Jira","Atlassian Cloud","Zoom","Okta"],"_cs_severities":["high"],"_cs_tags":["remote-employment-fraud","credential-compromise","okta"],"_cs_type":"advisory","_cs_vendors":["Workday","Slack","Palo Alto Networks","Atlassian","Zoom","Okta"],"content_html":"\u003cp\u003eThis detection identifies \u0026quot;improbable travel\u0026quot; scenarios where a user logs in from two geographically distant locations within a short timeframe, suggesting potential Remote Employment Fraud (REF) or compromised credentials. The analysis focuses on login events for critical applications like Workday, Slack, GlobalProtect, Jira, Atlassian Cloud, and Zoom, using Okta logs as a primary data source. This technique is relevant because REF actors and credential thieves often operate from different locations than the legitimate user, and time zone/geographic inconsistencies can expose fraudulent activity. The detection considers factors like user's work country, travel speed, and distance between login locations to assess the risk. This helps defenders identify suspicious logins that bypass traditional security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser credentials compromised via phishing or other methods (not directly observed in this detection, but a common precursor).\u003c/li\u003e\n\u003cli\u003eAttacker establishes initial access from Location A, authenticating to a target application (e.g., Workday) via Okta.\u003c/li\u003e\n\u003cli\u003eA short time later (minutes to hours), the attacker attempts to access the same or a different application from Location B, potentially on the other side of the world.\u003c/li\u003e\n\u003cli\u003eThe detection analyzes Okta logs and correlates login events based on the user ID, source IP, and timestamp.\u003c/li\u003e\n\u003cli\u003eGeolocation data (latitude, longitude) is obtained for both login locations based on the source IP addresses.\u003c/li\u003e\n\u003cli\u003eThe distance and travel speed between the two locations are calculated.\u003c/li\u003e\n\u003cli\u003eIf the calculated speed exceeds a defined threshold (e.g., 500 km/h) and distance exceeds a defined threshold (e.g., 750 km), the activity is flagged as suspicious.\u003c/li\u003e\n\u003cli\u003eThe user's work country is compared to the login locations to further assess the risk. If the login locations do not match the user's expected work location, the risk score is increased.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to unauthorized access to sensitive corporate resources, data exfiltration, and financial fraud. Compromised accounts used for Remote Employment Fraud can result in financial losses and reputational damage. While the exact number of victims and sectors targeted are not explicitly mentioned in the source, this type of attack can affect organizations of any size in any sector. A successful attack can result in significant financial losses and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGeographic Improbable Location\u003c/code\u003e to your SIEM, ensuring it is tuned to account for legitimate VPN usage and remote work scenarios.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eGeographic Improbable Location\u003c/code\u003e rule, focusing on users with high-value accounts and access to sensitive data.\u003c/li\u003e\n\u003cli\u003eUtilize the \u003ccode\u003eknown_devices_public_ip_filter.csv\u003c/code\u003e lookup table (mentioned in the \u0026quot;how_to_implement\u0026quot; section) to exclude known and trusted devices from the detection logic.\u003c/li\u003e\n\u003cli\u003eMonitor Okta logs for failed login attempts preceding improbable travel events to identify potential credential compromise attempts.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-geographic-improbable-location/","summary":"Detection of user logins originating from geographically distant locations within a short timeframe, indicative of potential Remote Employment Fraud or compromised credentials.","title":"Geographic Improbable Location Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-geographic-improbable-location/"}],"language":"en","title":"CraftedSignal Threat Feed - Atlassian Cloud","version":"https://jsonfeed.org/version/1.1"}