The Information Highway


Okta warns of "unprecedented" credential stuffing attacks on customers

Okta warns of an "unprecedented" spike in credential stuffing attacks targeting its identity and access management solutions, with some customer accounts breached in the attacks.

Threat actors use credential stuffing to compromise user accounts by automatically trying large lists of username and password pairs, typically purchased from cybercriminals, against a login page.

In an advisory today, Okta says the attacks seem to originate from the same infrastructure used in the brute-force and password-spraying attacks previously reported by Cisco Talos.

In all of the attacks Okta observed, the requests came through the Tor anonymization network and various residential proxy services (e.g. NSOCKS, Luminati, and DataImpulse).

Impact and recommendations

Okta says the observed attacks were particularly successful against organizations running on the Okta Classic Engine with ThreatInsight configured in Audit-only mode rather than Log and Enforce mode.

Likewise, organizations that do not deny access from anonymizing proxies saw a higher attack success rate. The attacks were successful for a small percentage of customers, Okta said.

The company provides a set of actions that can block these attacks at the edge of the network:

  • Enable ThreatInsight in Log and Enforce mode to proactively block IP addresses known for involvement in credential stuffing before they can even attempt authentication.
  • Deny access from anonymizing proxies to proactively block requests that come through shady anonymizing services (configured under Admin Console > Settings > Features).
  • Switch to Okta Identity Engine, which offers more robust security features, including CAPTCHA challenges for risky sign-ins and passwordless authentication options like Okta FastPass.
  • Implement Dynamic Zones, which let organizations specifically block or allow certain IPs and manage access based on geolocation and other criteria.
Okta also provides in its advisory a list of more generic recommendations that can help mitigate the risk of account takeover. These include passwordless authentication, enforcing multi-factor authentication, using strong passwords, denying requests from outside the company's locations, blocking IP addresses of ill repute, and monitoring and responding to anomalous sign-ins.
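The attack pattern described above (many different accounts tried from a handful of Tor or residential-proxy addresses, with the occasional success being an account takeover) and the closing advice to monitor for anomalous sign-ins can be turned into a simple triage over Okta System Log events. The following is an added example, not code from the article or from Okta; the events are constructed to mimic the System Log field layout (eventType, outcome.result, client.ipAddress, actor.alternateId, securityContext.isProxy), and the thresholds are assumptions to tune per tenant.

```python
"""Triage Okta-style System Log sign-in events for credential stuffing.

Added example (not Okta's code and not from the article). The sample
events are CONSTRUCTED to mimic the Okta System Log field layout.
Thresholds are assumptions; tune them for your own tenant.
"""
import json
from collections import defaultdict

# Assumed thresholds: stuffing shows up as many distinct accounts failing
# from one source, not one account failing many times (that is brute force).
MIN_FAILURES = 5
MIN_DISTINCT_USERS = 4


def _event(ip, user, result, proxy=False):
    """Build one constructed, System-Log-shaped event as a JSON line."""
    ev = {
        "eventType": "user.session.start",
        "actor": {"alternateId": user, "type": "User"},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
        "securityContext": {"isProxy": proxy},
    }
    if result == "FAILURE":
        ev["outcome"]["reason"] = "INVALID_CREDENTIALS"
    return json.dumps(ev)


# Constructed sample log (newline-delimited JSON), three source IPs:
#  203.0.113.7  - residential proxy, six accounts tried, one succeeds
#  198.51.100.9 - corporate egress, one user mistypes twice then logs in
#  192.0.2.44   - proxy exit, two failures (below the volume threshold)
SAMPLE_LOG = "\n".join(
    [_event("203.0.113.7", u + "@example.com", "FAILURE", True)
     for u in ("alice", "bob", "carol", "dave", "erin")]
    + [_event("203.0.113.7", "frank@example.com", "SUCCESS", True),
       _event("198.51.100.9", "alice@example.com", "FAILURE"),
       _event("198.51.100.9", "alice@example.com", "FAILURE"),
       _event("198.51.100.9", "alice@example.com", "SUCCESS"),
       _event("192.0.2.44", "gina@example.com", "FAILURE", True),
       _event("192.0.2.44", "hank@example.com", "FAILURE", True)]
)


def parse_events(raw):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def summarize_by_ip(events):
    """Aggregate sign-in outcomes per source IP."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "successes": set(), "proxy": False})
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue  # only sign-in attempts matter here
        s = stats[ev["client"]["ipAddress"]]
        user = ev["actor"]["alternateId"]
        s["users"].add(user)
        if ev["outcome"]["result"] == "FAILURE":
            s["failures"] += 1
        else:
            s["successes"].add(user)
        if ev.get("securityContext", {}).get("isProxy"):
            s["proxy"] = True
    return stats


def classify(stats):
    """Label each IP and list accounts that authenticated from a stuffing source."""
    findings = {}
    for ip, s in stats.items():
        stuffing = (s["failures"] >= MIN_FAILURES
                    and len(s["users"]) >= MIN_DISTINCT_USERS)
        if stuffing:
            verdict = "credential_stuffing"
        elif s["proxy"]:
            verdict = "anonymizing_proxy"  # low volume, still a block candidate
        else:
            verdict = "benign"
        findings[ip] = {
            "verdict": verdict,
            "failures": s["failures"],
            "distinct_users": len(s["users"]),
            # a success from a stuffing source is a probable account takeover
            "likely_compromised": sorted(s["successes"]) if stuffing else [],
        }
    return findings


def triage(raw):
    """Raw log text -> findings keyed by source IP."""
    return classify(summarize_by_ip(parse_events(raw)))


if __name__ == "__main__":
    for ip, finding in triage(SAMPLE_LOG).items():
        print(ip, finding)
```

The "likely_compromised" list is the part worth acting on: a success from a source that just failed against many other accounts is the breached-account case the advisory describes, and the "anonymizing_proxy" verdict corresponds to traffic that the "deny access from anonymizing proxies" setting would have refused before it reached the login flow.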