Analysis Summary

Okta alerts users to an extraordinary rise in credential stuffing attempts that are targeting its identity and access management products, potentially compromising customer accounts.

Credential stuffing is a tactic used by threat actors to break into user accounts. It involves automatically testing lists of usernames and passwords that are usually bought from cybercriminals. According to an advisory from Okta, the assaults appear to be coming from the same infrastructure as the password-spraying and brute-force attacks that Cisco Talos had previously disclosed.

The TOR anonymization network and several home proxies, such as NSOCKS, Luminati, and DataImpulse, were the source of requests in every attack that Okta monitored. According to the company, the detected cyberattacks proved especially effective against enterprises using the Okta Classic Engine with ThreatInsight set up in Audit-only mode as opposed to Log and Enforce mode.

Likewise, there was a higher success rate of attacks against firms that do not block access via anonymizing proxies. For a tiny subset of clients, the attacks were successful. The company offers a series of steps that can stop these attacks at the network's edge:

• Before they can even try login, block IP addresses known to be involved in credential stuffing by turning on ThreatInsight in Log and Enforce Mode.
• Proactively restrict queries coming through dubious anonymizing providers by denying access from anonymizing proxies.
• Transferring to Okta Identity Engine, which provides more comprehensive security capabilities, such as passwordless authentication choices like Okta FastPass and CAPTCHA challenges for dangerous sign-ins.
• Use Dynamic Zones, which give businesses the ability to manage access based on geography and other factors and to prohibit or permit specific IP addresses.

Additionally, Okta offers several more general suggestions in its report that may aid in reducing the danger of account takeover. These include employing strong passwords, enforcing multi-factor authentication, preventing requests from outside the company's locations, restricting ill-reputed IP addresses, and monitoring and reacting to unusual sign-ins.

Impact

• Credential Theft
• Unauthorized Access
• Exposure of Sensitive Data

Remediation

• Implement multi-factor authentication to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Prohibit password sharing and do not use the same password for multiple platforms, servers, or networks.
• Restrict installation of untrusted 3rd party applications.