Okta warns customers about credential stuffing onslaught
Credential stuffing attacks have exploded this April, Okta warns, and advises its customers to use available tools to block access requests originating from residential proxies before authentication takes place.
Abuse of proxy networks
“In credential stuffing attacks, adversaries attempt to sign-in to online services using large lists of usernames and passwords obtained from previous data breaches of unrelated entities, or from phishing or malware campaigns,” Okta’s Moussa Diallo and Brett Winterford explained.
“All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR. Millions of the requests were also routed through a variety of residential proxies including NSOCKS, Luminati and DataImpulse.”
The credential stuffing attacks are automated via scripting tools.
MDR provider Expel has recently shared that 69% of identity-based incidents the investigated in 2023 involved malicious logins from suspicious infrastructure: hosting providers or proxies.
The infrastructure used in these latest attacks observed by Okta is similar to the one Duo Security and Cisco Talos researchers spotted launching large-scale brute force attacks on VPN devices and SSH services in March.
The increasing use of residential proxy networks as the “last mile” of attack traffic has not gone unnoticed by security researchers.
While some users knowingly install “proxyware” on their devices, many others are unknowingly part of such a network because they installed malware or legitimate mobile apps developed using software development kits (SDKs).
Advice for customers
“The small percentage of customers where these suspicious requests proceeded to authentication shared similar configurations: The Org was nearly always running on the Okta Classic Engine, ThreatInsight was configured in Audit-only mode (not Log and Enforce mode), and Authentication policies permitted requests from anonymizing proxies,” Diallo and Winterford shared.
Switching to using Okta Identity Engine, enabling ThreatInsight in Log and Enforce mode and denying access requests from anonymizing proxies styimies these attacks.
“These basic features are available in all Okta SKUs. Upgrading to Okta Identity Engine is free, often highly automated, and provides access to a range of features including CAPTCHA challenges for risky sign-ins and passwordless authentication using Okta FastPass,” they added.
The company has also outlined broader recommendation for adding many layers to the defenses against account takeover attempts, and has shared the tactics, techniques, and procedures (TTPs) used in these most recent attacks.