<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PingID - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pingid/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pingid/feed.xml" rel="self" type="application/rss+xml"/><item><title>PingID New MFA Method Registered For User</title><link>https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-registration/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-registration/</guid><description>The creation of a new MFA registration in PingID could indicate an attacker attempting to maintain persistence after compromising a user account.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting the registration of new Multi-Factor Authentication (MFA) methods within PingID (PingOne) environments. The detection leverages JSON logs from PingID, specifically focusing on successful device pairing events. An attacker who gains unauthorized access to a user account may register a new MFA method to maintain persistence, bypass existing security measures, and potentially escalate privileges. This activity is particularly relevant for defenders because successful MFA enrollment by an attacker can grant them long-term access, even if the initial compromise is detected and remediated. The activity described here was reported to start being tracked around January 2023.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker compromises a user's credentials through phishing, credential stuffing, or other means.</li>
<li>Authentication Bypass: The attacker uses the compromised credentials to attempt to log in to a PingID-protected application.</li>
<li>MFA Enrollment: Upon being prompted for MFA, the attacker initiates the enrollment of a new device.</li>
<li>Device Pairing: The attacker successfully pairs a device they control with the user's account, registering it as a trusted MFA factor. This event is logged as &quot;Device Paired&quot; with status &quot;SUCCESS&quot; in PingID logs.</li>
<li>Persistence: With the new MFA device registered, the attacker can now bypass legitimate MFA challenges.</li>
<li>Lateral Movement: The attacker uses their persistent access to move laterally within the network, accessing other systems and data.</li>
<li>Privilege Escalation: The attacker leverages their access and control to escalate privileges and gain administrative access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to unauthorized access to sensitive data, systems, and applications. The number of victims depends on the scope of the compromised user accounts and the attacker's ability to move laterally within the network. Sectors that rely heavily on PingID for access control are particularly vulnerable, including finance, healthcare, and government. If the attack succeeds, the organization may suffer data breaches, financial losses, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable JSON logging from PingID via Webhook or Push Subscription to ensure proper data ingestion for the Sigma rules (How to Implement).</li>
<li>Deploy the Sigma rule &quot;PingID New MFA Device Registered&quot; to detect suspicious MFA registrations in your environment (Sigma Rule).</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on users with recent suspicious activity or known compromised accounts (Sigma Rule).</li>
<li>Review PingID logs for &quot;Device Unpaired&quot; events which can indicate MFA device removal by the attacker (Search Query).</li>
<li>Monitor network traffic for connections originating from newly registered MFA devices to identify potential attacker activity (Network Logs).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>pingid</category><category>mfa</category><category>persistence</category><category>credential-access</category></item><item><title>PingID New MFA Method After Credential Reset</title><link>https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-reset/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-reset/</guid><description>Detection of a new MFA device pairing in PingID shortly after a password reset in Windows Event Logs, potentially indicating a social engineering attack and unauthorized account access.</description><content:encoded><![CDATA[<p>This analytic identifies suspicious activity where a new MFA device is paired with a user account in PingID shortly after a password reset. The detection logic correlates Windows Event Logs for password changes (Event ID 4723, 4724) with PingID logs indicating device pairing events. This behavior is significant because it can indicate a social engineering attack, where a threat actor impersonates a valid user to reset their credentials and add a new MFA device under their control. The observed activity focuses on gaining unauthorized access to user accounts by bypassing traditional security measures through MFA manipulation. The timeframe analyzed is within one hour of the password reset.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker conducts reconnaissance to identify a target user within the organization.</li>
<li>The attacker initiates a password reset for the target user, possibly through social engineering or exploiting a vulnerability in the password reset process.</li>
<li>Windows Event Logs record a password change event (Event ID 4723 or 4724) on the Active Directory Domain Controller.</li>
<li>The attacker pairs a new MFA device with the target user's PingID account. This could involve intercepting the original MFA device or using other unknown MFA enrollment bypass techniques.</li>
<li>PingID logs record a &quot;Device Paired&quot; event, including information about the device (e.g., IP address, device model).</li>
<li>The attacker leverages the newly paired MFA device to authenticate as the target user, bypassing legitimate MFA controls.</li>
<li>The attacker gains unauthorized access to sensitive applications, data, and resources accessible to the target user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack allows the adversary to gain persistent access to a compromised account, bypassing multi-factor authentication. This could lead to unauthorized access to sensitive data, financial fraud, or further lateral movement within the organization. The impact includes potential data breaches, reputational damage, and financial loss. The references suggest that MFA fatigue is becoming a more common attack vector.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>PingID New MFA Method After Credential Reset</code> to your SIEM and tune the <code>timeDiffRaw</code> parameter for your environment to reduce false positives.</li>
<li>Enable Windows Event Log collection on Active Directory Domain Controllers to capture password change events (Event ID 4723, 4724) as required by the provided Sigma rule.</li>
<li>Ingest PingID logs, either via Webhook or Push Subscription, into your SIEM to enable correlation with password reset events for identifying potential MFA takeover attempts as used by the Sigma rule.</li>
<li>Implement stricter password reset policies and MFA enrollment procedures to reduce the risk of social engineering attacks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>pingid</category><category>mfa</category><category>credential-access</category></item><item><title>PingID MFA Bombing Attack</title><link>https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-bombing/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-bombing/</guid><description>Adversaries attempt to bypass multi-factor authentication by flooding users with push notifications, hoping they will eventually accept a fraudulent request, potentially leading to unauthorized access.</description><content:encoded><![CDATA[<p>This brief addresses the threat of MFA fatigue attacks targeting PingID environments. The attack involves overwhelming a user with numerous MFA push notifications in a short period, hoping they will eventually approve one accidentally or out of frustration. While the source doesn't attribute this activity to a specific actor, similar techniques have been associated with financially motivated groups and nation-state actors. The detection logic focuses on identifying users with 10 or more failed MFA attempts within a 10-minute window, using JSON logs from PingID. Defenders need to be aware of this technique as a successful bypass could grant attackers initial access or privilege escalation within the targeted network.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access using previously compromised credentials or through credential harvesting.</li>
<li>The attacker attempts to authenticate to a resource protected by PingID.</li>
<li>PingID prompts the legitimate user for MFA.</li>
<li>The attacker initiates repeated login attempts in rapid succession.</li>
<li>PingID sends multiple MFA push notifications to the user's registered device.</li>
<li>The user is bombarded with MFA requests and may accidentally or unknowingly approve one.</li>
<li>Upon successful MFA bypass, the attacker gains unauthorized access to the targeted resource or system.</li>
<li>The attacker performs malicious activities such as data exfiltration, lateral movement, or privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful MFA fatigue attack can lead to a full compromise of user accounts, granting attackers access to sensitive data and systems. This can result in data breaches, financial losses, and reputational damage. While this technique can affect any organization using PingID for MFA, sectors with high-value data, such as finance and healthcare, may be particularly attractive targets. If successful, the attacker can bypass an intended security control and gain unauthorized access to critical resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect PingID Multiple Failed MFA Requests</code> to your SIEM to identify potential MFA fatigue attacks in real-time, tuning the threshold (mfa_prompts &gt;= 10) to suit your environment.</li>
<li>Investigate any alerts generated by the Sigma rule <code>Detect PingID Multiple Failed MFA Requests</code> to determine the legitimacy of the MFA requests and user behavior.</li>
<li>Implement user education programs to raise awareness about MFA fatigue attacks and advise users to reject any unexpected or excessive MFA requests.</li>
<li>Review and adjust PingID MFA settings to potentially limit the number of allowed MFA attempts within a specific time frame to mitigate the impact of MFA bombing.</li>
<li>Consider implementing additional security measures, such as IP-based access restrictions, to further protect against unauthorized access attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>mfa</category><category>credential-access</category><category>defense-evasion</category></item></channel></rss>