Okta warns of increased credential stuffing attacks

The identity service provider Okta is observing an increase in attacks on log-in data, known as credential stuffing. The attack traffic originates from residential proxies.

This article was originally published in German and has been automatically translated.

Identity and access management service provider Okta is currently warning of increased attacks on log-in data. In so-called credential stuffing, attackers try large numbers of username and password combinations in order to gain access to services with the accounts they crack this way. Okta recommends that those affected take countermeasures.

In a security announcement, Okta writes that its in-house "Identity Threats Research" team observed a sharp increase in credential stuffing attacks on IT infrastructure such as VPN services in the period from April 19 to 26. Cisco and Duo Security reported that there had already been an increase in attacks on VPN devices and SSH services from mid-March to mid-April.

All the attacks observed had one thing in common: the requests were sent through anonymization services such as The Onion Router (Tor). Millions of requests were also routed through so-called residential proxies. These are usually computers belonging to consumers. Some of them are knowingly part of a proxy network to use such services themselves or simply to earn money from them. However, they are often malware-infected, compromised computers – which are then usually part of a botnet. Residential proxies are usually offered for a fee.

Okta has also observed that mobile devices are increasingly being used in proxy networks. Their users have apparently installed apps that were developed with compromised SDKs. These SDKs provide desired functions for the programmers, but make the affected device part of the residential proxy network.

The company provides security tips: for example, organizations should switch to "passwordless" log-in, i.e. authentication with passkeys. The use of weak passwords should be prevented, for instance by checking whether a password has already appeared in data leaks. Multi-factor authentication is, of course, also among the recommendations. In addition, the firewall can help by blocking access from locations where the organization is not active.

Authentication requests from IP addresses with a poor reputation should also be blocked. Recommended measures include protection against bots using CAPTCHAs. Okta offers its customers functions that can be used to detect and block access from anonymization services. They are available for the Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS).

In the warning, Okta also lists the network segments (ASNs) from which most of the attacks originated. The user agent reported by the alleged web browser was apparently conspicuous as well: Okta names Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0 as suspicious.
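As an added illustration (not code from the article or from Okta), the following script applies two of the signals mentioned above to constructed authentication log lines: many distinct accounts failing from one source IP within a short window, and the user agent quoted by Okta. The log format, the sample IP addresses and the thresholds are assumptions for the example.

```python
# Added example: a minimal credential-stuffing detector over constructed
# authentication log lines. Not part of the article or of Okta's tooling.
from collections import defaultdict
from datetime import datetime, timedelta

# User agent named as suspicious in Okta's advisory (quoted in the article).
# It is also a legitimate Firefox string, so treat it as a weak signal to
# combine with the per-IP failure pattern rather than a block criterion.
SUSPICIOUS_UA = "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
UA_OTHER = "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"

# Constructed sample log, one event per line: <ISO time>|<ip>|<user>|<outcome>|<ua>
SAMPLE_LOG = "\n".join([
    f"2024-04-20T10:00:01|203.0.113.7|alice|FAILURE|{SUSPICIOUS_UA}",
    f"2024-04-20T10:00:02|203.0.113.7|bob|FAILURE|{SUSPICIOUS_UA}",
    f"2024-04-20T10:00:03|203.0.113.7|carol|FAILURE|{SUSPICIOUS_UA}",
    f"2024-04-20T10:00:04|203.0.113.7|dave|SUCCESS|{SUSPICIOUS_UA}",
    f"2024-04-20T10:05:00|198.51.100.9|alice|FAILURE|{UA_OTHER}",
    f"2024-04-20T10:05:30|198.51.100.9|alice|SUCCESS|{UA_OTHER}",
])

def parse_line(line):
    ts, ip, user, outcome, ua = line.split("|", 4)
    return datetime.fromisoformat(ts), ip, user, outcome, ua

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=3):
    """Return {ip: sorted distinct usernames} for source IPs whose failed
    logins hit at least `min_users` different accounts within a sliding
    `window`. One user failing repeatedly (a forgotten password) is not flagged."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        ts, ip, user, outcome, _ = parse_line(line)
        if outcome == "FAILURE":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def suspicious_ua_ips(log_text):
    """Source IPs that sent the user agent Okta names as suspicious."""
    return sorted({parse_line(l)[1] for l in log_text.splitlines()
                   if parse_line(l)[4] == SUSPICIOUS_UA})
```

Running the detector on the sample flags 203.0.113.7 on both signals, while the single user retrying from 198.51.100.9 stays unflagged.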

Okta was the victim of a cyber intrusion last year. The attackers were able to access data from all customers who used the company's support. This included HAR files, which can contain session tokens that enable session hijacking attacks - the attackers can use the systems in the role of the victim. It also includes data that facilitates phishing attacks, such as usernames, company names, email addresses and telephone numbers.

(dmk)