<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PingOne - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pingone/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pingone/feed.xml" rel="self" type="application/rss+xml"/><item><title>PingID New MFA Method Registered For User</title><link>https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-registration/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-registration/</guid><description>The creation of a new MFA registration in PingID could indicate an attacker attempting to maintain persistence after compromising a user account.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting the registration of new Multi-Factor Authentication (MFA) methods within PingID (PingOne) environments. The detection leverages JSON logs from PingID, specifically focusing on successful device pairing events. An attacker who gains unauthorized access to a user account may register a new MFA method to maintain persistence, bypass existing security measures, and potentially escalate privileges. This activity is particularly relevant for defenders because successful MFA enrollment by an attacker can grant them long-term access, even if the initial compromise is detected and remediated. The activity described here was reported to start being tracked around January 2023.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker compromises a user's credentials through phishing, credential stuffing, or other means.</li>
<li>Authentication Bypass: The attacker uses the compromised credentials to attempt to log in to a PingID-protected application.</li>
<li>MFA Enrollment: Upon being prompted for MFA, the attacker initiates the enrollment of a new device.</li>
<li>Device Pairing: The attacker successfully pairs a device they control with the user's account, registering it as a trusted MFA factor. This event is logged as &quot;Device Paired&quot; with status &quot;SUCCESS&quot; in PingID logs.</li>
<li>Persistence: With the new MFA device registered, the attacker can now bypass legitimate MFA challenges.</li>
<li>Lateral Movement: The attacker uses their persistent access to move laterally within the network, accessing other systems and data.</li>
<li>Privilege Escalation: The attacker leverages their access and control to escalate privileges and gain administrative access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to unauthorized access to sensitive data, systems, and applications. The number of victims depends on the scope of the compromised user accounts and the attacker's ability to move laterally within the network. Sectors that rely heavily on PingID for access control are particularly vulnerable, including finance, healthcare, and government. If the attack succeeds, the organization may suffer data breaches, financial losses, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable JSON logging from PingID via Webhook or Push Subscription to ensure proper data ingestion for the Sigma rules (How to Implement).</li>
<li>Deploy the Sigma rule &quot;PingID New MFA Device Registered&quot; to detect suspicious MFA registrations in your environment (Sigma Rule).</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on users with recent suspicious activity or known compromised accounts (Sigma Rule).</li>
<li>Review PingID logs for &quot;Device Unpaired&quot; events which can indicate MFA device removal by the attacker (Search Query).</li>
<li>Monitor network traffic for connections originating from newly registered MFA devices to identify potential attacker activity (Network Logs).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>pingid</category><category>mfa</category><category>persistence</category><category>credential-access</category></item></channel></rss>