Okta has observed an unprecedented spike in credential stuffing attacks targeting its identity and access management solutions. Attackers are leveraging the TOR anonymization network and residential proxies to compromise user accounts. To mitigate this risk, Barracuda MSP recommends reading this Cybersecurity Threat Advisory in full and taking the recommended steps.
What is the threat?
Credential stuffing attacks are a form of cyberattack in which attackers use automated scripts and tools to systematically test large numbers of username and password combinations, obtained from previous data breaches, against the login interface of a target service. Attackers combine widely available residential proxy services, which hide their true location, with lists of stolen credentials and tooling that automates the login attempts. By using these tools, attackers can quickly identify valid username and password combinations and gain unauthorized access to user accounts. In the case of Okta, the attacks appear to target organizations using the Okta Classic Engine with ThreatInsight configured in Audit-only mode, as well as those that do not deny access from anonymizing proxies. Successful exploitation can lead to unauthorized access to sensitive information and resources, potentially resulting in data breaches, financial losses, and reputational damage for affected organizations.
Why is it noteworthy?
This attack type is particularly relevant due to the use of Okta’s identity and access management solutions across various industries. Credential stuffing attacks can result in unauthorized access to sensitive information and resources, potentially leading to data breaches, financial losses, and reputational damage for affected organizations. Furthermore, the use of anonymizing services such as TOR and residential proxies makes it difficult to detect and block these attacks, increasing the risk of successful exploitation. Organizations that do not take proactive measures to mitigate this threat are at a higher risk of being targeted and compromised.
What is the exposure or risk?
This attack type primarily affects user accounts and sensitive information stored within Okta’s identity and access management solutions. Successful attacks can lead to unauthorized access to accounts, potentially compromising a wide range of resources, including confidential data, financial records, and proprietary information. Additionally, attackers can use a compromised account to reach internal systems and networks, move laterally, or launch more sophisticated attacks. Organizations using Okta’s Classic Engine with ThreatInsight configured in Audit-only mode, or those that do not deny access from anonymizing proxies, are particularly at risk from this attack.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of an attack:
- Enable ThreatInsight in Log and Enforce Mode to proactively block IP addresses known for involvement in credential stuffing attacks.
- Deny access from anonymizing proxies to block requests from shady anonymizing services.
- Switch to Okta Identity Engine for enhanced security features, including CAPTCHA challenges for risky sign-ins and passwordless authentication options like Okta FastPass.
- Implement Dynamic Zones to specifically block or allow certain IPs and manage access based on geolocation and other criteria.
- Enforce best practices such as passwordless authentication, multi-factor authentication, using strong passwords, denying requests outside the company’s locations, blocking IP addresses of ill repute, and monitoring and responding to anomalous sign-ins.
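The last recommendation, monitoring for anomalous sign-ins, can be turned into a concrete check for the attack shape described under "What is the threat?": one source address failing against many different accounts in a short window, plus any sign-in Okta has tagged as coming through an anonymizing proxy. The Python below is an added example, not code from Barracuda or Okta; it assumes the Okta System Log field names eventType, published, actor.alternateId, client.ipAddress, outcome.result and securityContext.isProxy, and the events it runs over are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Added example, not Barracuda's or Okta's code. Field names follow the Okta
# System Log schema (eventType, published, actor.alternateId, client.ipAddress,
# outcome.result, securityContext.isProxy); check them against your own exports.
def _ev(minute, user, ip, result, proxy=False):
    """Build one constructed System Log-shaped event (sample data, not real)."""
    return {"eventType": "user.session.start", "actor": {"alternateId": user},
            "published": f"2024-04-27T10:{minute:02d}:00.000Z",
            "client": {"ipAddress": ip}, "outcome": {"result": result},
            "securityContext": {"isProxy": proxy}}

SAMPLE_EVENTS = (  # constructed: one spraying IP, one forgetful user, one proxy login
    [_ev(m, f"user{m}@example.com", "203.0.113.9", "FAILURE") for m in range(6)]
    + [_ev(7, "user3@example.com", "203.0.113.9", "SUCCESS")]
    + [_ev(m, "bob@example.com", "198.51.100.4", "FAILURE") for m in range(3)]
    + [_ev(9, "carol@example.com", "192.0.2.77", "SUCCESS", proxy=True)]
)

def find_stuffing_sources(events, window_minutes=10, min_failures=5, min_users=3):
    """Flag IPs whose failed sign-ins inside one window span many distinct accounts
    (one source, many accounts = stuffing); reports the first window over threshold."""
    fails, successes = defaultdict(list), defaultdict(set)
    for e in events:
        if e.get("eventType") != "user.session.start":
            continue
        ts = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ip, user = e["client"]["ipAddress"], e["actor"]["alternateId"]
        if e["outcome"]["result"] == "FAILURE":
            fails[ip].append((ts, user))
        else:
            successes[ip].add(user)
    window, flagged = timedelta(minutes=window_minutes), {}
    for ip, attempts in fails.items():
        attempts, start = sorted(attempts), 0
        for end in range(len(attempts)):  # sliding time window over failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u in chunk}
            if len(chunk) >= min_failures and len(users) >= min_users:
                flagged[ip] = {"failures": len(chunk), "users": len(users),
                               "success": bool(successes[ip])}  # spray then valid login
                break
    return flagged

def proxy_signins(events):
    """Sign-ins Okta tagged as arriving through an anonymizing proxy."""
    return [(e["actor"]["alternateId"], e["client"]["ipAddress"])
            for e in events if e.get("securityContext", {}).get("isProxy")]
```

An IP flagged with "success": True is the case to escalate first, since a valid login following a spray is the likely account compromise; the proxy list is the same set of sign-ins the "deny access from anonymizing proxies" setting would have blocked.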
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.darkreading.com/vulnerabilities-threats/okta-credential-stuffing-attacks-spike-via-proxy-networks
- https://thehackernews.com/2024/04/okta-warns-of-unprecedented-surge-in.html
- https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-credential-stuffing-attacks-on-customers/
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.