{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pingid/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PingID","PingOne"],"_cs_severities":["high"],"_cs_tags":["pingid","mfa","persistence","credential-access"],"_cs_type":"advisory","_cs_vendors":["Ping Identity"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting the registration of new Multi-Factor Authentication (MFA) methods within PingID (PingOne) environments. The detection leverages JSON logs from PingID, specifically focusing on successful device pairing events. An attacker who gains unauthorized access to a user account may register a new MFA method to maintain persistence, bypass existing security measures, and potentially escalate privileges. This activity is particularly relevant for defenders because successful MFA enrollment by an attacker can grant them long-term access, even if the initial compromise is detected and remediated. The activity described here was reported to start being tracked around January 2023.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker compromises a user's credentials through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003eAuthentication Bypass: The attacker uses the compromised credentials to attempt to log in to a PingID-protected application.\u003c/li\u003e\n\u003cli\u003eMFA Enrollment: Upon being prompted for MFA, the attacker initiates the enrollment of a new device.\u003c/li\u003e\n\u003cli\u003eDevice Pairing: The attacker successfully pairs a device they control with the user's account, registering it as a trusted MFA factor. This event is logged as \u0026quot;Device Paired\u0026quot; with status \u0026quot;SUCCESS\u0026quot; in PingID logs.\u003c/li\u003e\n\u003cli\u003ePersistence: With the new MFA device registered, the attacker can now bypass legitimate MFA challenges.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses their persistent access to move laterally within the network, accessing other systems and data.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker leverages their access and control to escalate privileges and gain administrative access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, systems, and applications. The number of victims depends on the scope of the compromised user accounts and the attacker's ability to move laterally within the network. Sectors that rely heavily on PingID for access control are particularly vulnerable, including finance, healthcare, and government. If the attack succeeds, the organization may suffer data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable JSON logging from PingID via Webhook or Push Subscription to ensure proper data ingestion for the Sigma rules (How to Implement).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;PingID New MFA Device Registered\u0026quot; to detect suspicious MFA registrations in your environment (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on users with recent suspicious activity or known compromised accounts (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eReview PingID logs for \u0026quot;Device Unpaired\u0026quot; events which can indicate MFA device removal by the attacker (Search Query).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections originating from newly registered MFA devices to identify potential attacker activity (Network Logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-registration/","summary":"The creation of a new MFA registration in PingID could indicate an attacker attempting to maintain persistence after compromising a user account.","title":"PingID New MFA Method Registered For User","url":"https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-registration/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PingID","Windows","Active Directory"],"_cs_severities":["high"],"_cs_tags":["pingid","mfa","credential-access"],"_cs_type":"advisory","_cs_vendors":["Ping Identity","Microsoft"],"content_html":"\u003cp\u003eThis analytic identifies suspicious activity where a new MFA device is paired with a user account in PingID shortly after a password reset. The detection logic correlates Windows Event Logs for password changes (Event ID 4723, 4724) with PingID logs indicating device pairing events. This behavior is significant because it can indicate a social engineering attack, where a threat actor impersonates a valid user to reset their credentials and add a new MFA device under their control. The observed activity focuses on gaining unauthorized access to user accounts by bypassing traditional security measures through MFA manipulation. The timeframe analyzed is within one hour of the password reset.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker conducts reconnaissance to identify a target user within the organization.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password reset for the target user, possibly through social engineering or exploiting a vulnerability in the password reset process.\u003c/li\u003e\n\u003cli\u003eWindows Event Logs record a password change event (Event ID 4723 or 4724) on the Active Directory Domain Controller.\u003c/li\u003e\n\u003cli\u003eThe attacker pairs a new MFA device with the target user's PingID account. This could involve intercepting the original MFA device or using other unknown MFA enrollment bypass techniques.\u003c/li\u003e\n\u003cli\u003ePingID logs record a \u0026quot;Device Paired\u0026quot; event, including information about the device (e.g., IP address, device model).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly paired MFA device to authenticate as the target user, bypassing legitimate MFA controls.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive applications, data, and resources accessible to the target user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack allows the adversary to gain persistent access to a compromised account, bypassing multi-factor authentication. This could lead to unauthorized access to sensitive data, financial fraud, or further lateral movement within the organization. The impact includes potential data breaches, reputational damage, and financial loss. The references suggest that MFA fatigue is becoming a more common attack vector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePingID New MFA Method After Credential Reset\u003c/code\u003e to your SIEM and tune the \u003ccode\u003etimeDiffRaw\u003c/code\u003e parameter for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Windows Event Log collection on Active Directory Domain Controllers to capture password change events (Event ID 4723, 4724) as required by the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eIngest PingID logs, either via Webhook or Push Subscription, into your SIEM to enable correlation with password reset events for identifying potential MFA takeover attempts as used by the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement stricter password reset policies and MFA enrollment procedures to reduce the risk of social engineering attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-reset/","summary":"Detection of a new MFA device pairing in PingID shortly after a password reset in Windows Event Logs, potentially indicating a social engineering attack and unauthorized account access.","title":"PingID New MFA Method After Credential Reset","url":"https://feed.craftedsignal.io/briefs/2024-01-pingid-mfa-reset/"}],"language":"en","title":"CraftedSignal Threat Feed - Pingid","version":"https://jsonfeed.org/version/1.1"}