Identity and access management provider Okta has warned customers of a significant uptick in credential stuffing attacks targeting their accounts in recent weeks.
Credential stuffing involves attackers taking lists of username and password combinations exposed in past data breaches and replaying them against other accounts at massive scale through automation.
Identity management companies like Okta are prime targets for these kinds of automated login attacks since they manage access to multiple business applications and servers.
From what Okta has shared, the credential stuffing onslaught appears to be leveraging the same infrastructure that, according to Cisco Talos, past brute force and password spraying campaigns exploited.
According to the authentication firm, all of the malicious login requests originate from TOR and from sketchy proxy services such as NSOCKS, Luminati and DataImpulse, in an attempt to cloak the attackers' real IP addresses.
It seems the attackers have had the most success against organizations still on Okta's older classic platform with Threat Insight set only to audit, rather than block, suspect activity.
Companies that did not block all traffic from anonymity networks and anonymizing proxies also left themselves vulnerable and saw more account takeovers.
Only a small percentage of Okta users were actually compromised, but even one stolen account is still too many for Okta.
The credential lists being weaponized were likely gleaned from previous breaches where people reused passwords across sites.
Recommended Mitigations for Okta Credential Stuffing Attacks
Okta provided several recommendations for organizations to block these types of credential stuffing attacks:
- Enable Threat Insight in log and enforcement mode to proactively block IPs involved in credential abuse.
- Deny all access from anonymizing proxies to shut out suspicious logins.
- Migrate to Okta Identity Engine for stronger security controls like CAPTCHAs on risky sign-ins.
- Implement dynamic access rules through zones to filter IPs and locations.
Other best practices in the advisory included passwordless authentication, mandatory multi-factor authentication, strong unique passwords, location-based access rules, blacklisting risky IP addresses, and monitoring for anomalous sign-in activity.
The identity provider warned all customers to closely scrutinize their authentication logs and to take immediate action if any unauthorized access or account takeover from these credential stuffing campaigns is detected against their Okta installations and user accounts.
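As an added illustration of what that log scrutiny can look like (example code written for this article, not Okta's tooling or part of the advisory), the check below runs over a constructed batch of sign-in events and separates a single user fumbling a password from one source replaying a breached credential list across many accounts, then lists the accounts that signed in successfully from such a source. The field names are assumed to follow the Okta System Log schema; the events themselves are made up.

```python
from collections import defaultdict

# Field names mirror the Okta System Log schema (eventType, outcome.result,
# actor.alternateId, client.ipAddress, securityContext.isProxy) as an assumption.
def ev(ts, ip, user, result, proxy=False):
    """Build one constructed user.session.start event (sample data, not real)."""
    return {"published": ts, "eventType": "user.session.start",
            "outcome": {"result": result}, "actor": {"alternateId": user},
            "client": {"ipAddress": ip}, "securityContext": {"isProxy": proxy}}

# Constructed sample: one proxy IP trying one password per account across many
# users (the stuffing signature) and succeeding once; one office IP where a
# single user mistypes a password twice and then gets in.
SAMPLE_EVENTS = [
    ev("2024-04-20T10:00:01Z", "203.0.113.7", "alice@example.com", "FAILURE", True),
    ev("2024-04-20T10:00:02Z", "203.0.113.7", "bob@example.com", "FAILURE", True),
    ev("2024-04-20T10:00:03Z", "203.0.113.7", "carol@example.com", "FAILURE", True),
    ev("2024-04-20T10:00:04Z", "203.0.113.7", "dave@example.com", "FAILURE", True),
    ev("2024-04-20T10:00:05Z", "203.0.113.7", "erin@example.com", "FAILURE", True),
    ev("2024-04-20T10:00:06Z", "203.0.113.7", "frank@example.com", "SUCCESS", True),
    ev("2024-04-20T10:01:00Z", "198.51.100.4", "bob@example.com", "FAILURE"),
    ev("2024-04-20T10:01:10Z", "198.51.100.4", "bob@example.com", "FAILURE"),
    ev("2024-04-20T10:01:20Z", "198.51.100.4", "bob@example.com", "SUCCESS"),
]

def login_events(events):
    return [e for e in events if e["eventType"] == "user.session.start"]

def stuffing_sources(events, min_failures=5, min_users=3):
    """Return {ip: summary} for IPs whose failures are spread over many distinct
    accounts: one account failing repeatedly is a forgotten password, not stuffing."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "proxy": False})
    for e in login_events(events):
        s = stats[e["client"]["ipAddress"]]
        s["proxy"] = s["proxy"] or bool(e["securityContext"].get("isProxy"))
        if e["outcome"]["result"] == "FAILURE":
            s["failures"] += 1
            s["users"].add(e["actor"]["alternateId"])
    return {ip: {"failures": s["failures"], "distinct_users": len(s["users"]),
                 "proxy": s["proxy"]}
            for ip, s in stats.items()
            if s["failures"] >= min_failures and len(s["users"]) >= min_users}

def suspected_takeovers(events, **thresholds):
    """Accounts that signed in successfully from an IP flagged as a stuffing
    source: the ones to lock, reset and investigate first."""
    bad = stuffing_sources(events, **thresholds)
    return sorted({e["actor"]["alternateId"] for e in login_events(events)
                   if e["outcome"]["result"] == "SUCCESS"
                   and e["client"]["ipAddress"] in bad})
```

Thresholds are deliberately low so the constructed sample triggers; tune them against your own tenant's normal failure rates before alerting on them.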
This is a reminder that determined attackers are constantly iterating their tactics.
Staying on top of guidance from your technology partners is essential to plugging holes before the bad actors have a chance to slip past your defenses.