"Unprecedented Scale" of Credential Stuffing Attacks Observed: Okta
29 April 2024 at 07:08
Okta reported an "unprecedented scale" of credential stuffing attacks targeting its identity and access management solutions, resulting in the breach of some customer accounts.
Threat actors employ credential stuffing techniques such as password spraying and brute forcing to compromise user accounts by systematically trying lists of usernames and passwords in an automated fashion. These lists are often obtained from other data leaks, phishing and infostealer campaigns, or from underground cybercriminal forums where they are sold for anywhere from a few tens to thousands of dollars.
"Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials ("combo lists"), and scripting tools," Okta said in a Saturday advisory.

The identity and access management provider said the attacks appear to stem from the same infrastructure used in previously reported brute-force and password-spraying attacks targeting VPNs and SSH services identified by Cisco Talos.
Use of TOR in Credential Stuffing Attacks
Okta noted that in all observed attacks the requests originated from the TOR anonymization network and various residential proxies, such as NSOCKS, Luminati and DataImpulse. Residential proxies are a network of proxy servers that use IP addresses from residential users. They are useful for anonymous browsing, bypassing geo-restrictions and accessing secure websites. Providers rent access to real users' devices to anonymize traffic sources. They don't usually disclose how they build these networks, sometimes enrolling users knowingly or via malware, "what we would typically describe as a botnet," Okta said. This results in traffic appearing to originate from everyday users' devices, not VPS providers. The FBI had earlier warned of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks.

Okta observed that the attacks were notably effective against organizations using the Okta Classic Engine with ThreatInsight configured in Audit-only mode, rather than Log and Enforce mode. Additionally, organizations failing to block access from anonymizing proxies experienced a higher success rate in these attacks. The attacks, however, succeeded for only a small percentage of Okta's customers, the IAM provider said.

To counter these threats, Okta recommended:
- Enabling ThreatInsight in Log and Enforce mode to proactively block IP addresses associated with credential stuffing attempts before authentication is attempted.
- Denying access from anonymizing proxies to preemptively block requests originating from suspicious anonymizing services.
- Transitioning to enhanced security features such as CAPTCHA challenges for risky sign-ins and password-less authentication.
- Implementing Dynamic Zones to manage access based on criteria like geolocation and selectively block or allow certain IPs.
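The difference between Audit-only and Log and Enforce is whether a spraying source gets blocked or merely recorded. The following Python is an added example, not Okta's code or anything from the advisory, showing what a defender does with the recorded side: it walks sign-in events shaped like Okta System Log records (the field names `eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress` and `securityContext.isProxy` are assumed from that format; the events, addresses and thresholds are constructed) and flags source IPs that failed against many distinct accounts in a short window, then lists accounts that subsequently signed in from a flagged or anonymizing-proxy address.

```python
"""Defender-side triage of Okta-style sign-in events for credential stuffing.

Added example; not Okta's code. Field names follow the Okta System Log shape
(eventType, outcome.result, actor.alternateId, client.ipAddress,
securityContext.isProxy); the events and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def make_event(ts, user, ip, result, is_proxy):
    """Build one event dict shaped like an Okta System Log record (constructed)."""
    return {
        "published": ts,
        "eventType": "user.session.start",
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "securityContext": {"isProxy": is_proxy},
    }


# Constructed sample: one anonymizing-proxy address walks through a combo list
# (one failed attempt per account, then a hit), while a normal user at an
# ordinary address mistypes a password twice and then signs in.
SAMPLE_EVENTS = [
    make_event("2024-04-20T10:00:01Z", "alice@example.test", "203.0.113.10", "FAILURE", True),
    make_event("2024-04-20T10:00:04Z", "bob@example.test", "203.0.113.10", "FAILURE", True),
    make_event("2024-04-20T10:00:07Z", "carol@example.test", "203.0.113.10", "FAILURE", True),
    make_event("2024-04-20T10:00:10Z", "dave@example.test", "203.0.113.10", "FAILURE", True),
    make_event("2024-04-20T10:00:13Z", "erin@example.test", "203.0.113.10", "FAILURE", True),
    make_event("2024-04-20T10:00:16Z", "frank@example.test", "203.0.113.10", "SUCCESS", True),
    make_event("2024-04-20T10:05:00Z", "alice@example.test", "198.51.100.7", "FAILURE", False),
    make_event("2024-04-20T10:05:30Z", "alice@example.test", "198.51.100.7", "FAILURE", False),
    make_event("2024-04-20T10:06:00Z", "alice@example.test", "198.51.100.7", "SUCCESS", False),
]


def _ts(event):
    """Parse the ISO-8601 'published' timestamp (Okta uses a trailing Z)."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def find_stuffing_sources(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Return IPs that failed against >= min_distinct_users accounts within `window`.

    Credential stuffing tries each account roughly once, so the signal is the
    number of *distinct* usernames per source, not the raw failure count: a
    single user fumbling a password produces many failures for one account.
    """
    attempts = defaultdict(list)  # ip -> [(timestamp, user)] for failures only
    for e in sorted(events, key=_ts):
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "FAILURE":
            attempts[e["client"]["ipAddress"]].append((_ts(e), e["actor"]["alternateId"]))

    flagged = set()
    for ip, rows in attempts.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until rows[start:end+1] fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if len({u for _, u in rows[start:end + 1]}) >= min_distinct_users:
                flagged.add(ip)
                break
    return flagged


def find_suspicious_successes(events, flagged_ips):
    """Usernames that signed in successfully from a flagged or anonymizing-proxy IP.

    A success from a source that was just spraying accounts is what Log and
    Enforce mode would have blocked; in Audit-only mode it is only logged, so
    this is where a responder starts the password reset and session revocation.
    """
    hits = set()
    for e in events:
        if e["eventType"] != "user.session.start" or e["outcome"]["result"] != "SUCCESS":
            continue
        ip = e["client"]["ipAddress"]
        if ip in flagged_ips or e.get("securityContext", {}).get("isProxy"):
            hits.add(e["actor"]["alternateId"])
    return hits


def triage(events):
    """Run both checks and return (flagged_ips, accounts_to_review)."""
    flagged = find_stuffing_sources(events)
    return flagged, find_suspicious_successes(events, flagged)


if __name__ == "__main__":
    ips, users = triage(SAMPLE_EVENTS)
    print("sources to block:", sorted(ips))      # ['203.0.113.10']
    print("accounts to review:", sorted(users))  # ['frank@example.test']
```

The distinct-username threshold is what separates a combo-list run from an ordinary user retrying a forgotten password, which is why the ordinary address in the sample is not flagged even though it produced two failures. When residential proxies rotate the source address per request, the per-IP count drops below the threshold; the `isProxy` check on successful sign-ins is the fallback for that case, and it is the same signal the advisory's "deny access from anonymizing proxies" recommendation acts on before authentication rather than after.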