Identity and access management company Okta says it is facing an “unprecedented” scale of credential stuffing attacks, seeking to compromise user accounts of its online services.
Credential stuffing is a form of cyber attack in which threat actors use a previously obtained username/password list and “stuff” it into various services to see if they can gain access.
It’s basically just trying different combinations, but by using automation the process is incredibly fast and allows the attackers to try hundreds of combinations in a matter of minutes. The login details are usually purchased in advance on the black market.
Measures at the edge
Okta suspects that whoever is behind this campaign did the same against Cisco’s VPN services earlier this year, because the same infrastructure was used. In all attacks, the requests came from the Tor anonymization network and from various residential proxies.
While only a “small percentage” of customers allowed these requests to proceed to authentication, they all shared similar configurations, the company confirmed. These companies were almost always running on the Okta Classic Engine, with ThreatInsight configured in audit-only mode, as opposed to Log and Enforcement mode. Additionally, the authentication policy allowed requests from anonymizing proxies.
In the blog post, Okta has provided a range of solutions to the network edge attacks, including going passwordless (for example, requiring Okta FastPass and FIDO2 WebAuthn), forcing users to generate stronger passwords, enforcing multi-factor authentication (MFA) at login, denying requests from locations where the organization is not active, denying authentication requests from IPs with a bad reputation, and monitoring and responding to anomalous login behavior.
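As an added illustration (not code from Okta's post or product), the detector below shows what "monitoring for anomalous login behavior" looks like against credential stuffing: one source cycling through many distinct usernames with mostly failed logins, here also tagged as arriving through an anonymizing proxy. The log format, field names and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value format (not real Okta System Log output).
# 203.0.113.7 cycles through many usernames via an anonymizing proxy; 198.51.100.20 is one user mistyping a password.
SAMPLE_LOG = """\
2024-04-25T10:00:01Z src=203.0.113.7 user=alice outcome=FAILURE anonymizer=true
2024-04-25T10:00:03Z src=203.0.113.7 user=bob outcome=FAILURE anonymizer=true
2024-04-25T10:00:05Z src=203.0.113.7 user=carol outcome=FAILURE anonymizer=true
2024-04-25T10:00:07Z src=203.0.113.7 user=dave outcome=SUCCESS anonymizer=true
2024-04-25T10:00:09Z src=203.0.113.7 user=erin outcome=FAILURE anonymizer=true
2024-04-25T10:00:11Z src=203.0.113.7 user=frank outcome=FAILURE anonymizer=true
2024-04-25T10:02:00Z src=198.51.100.20 user=grace outcome=FAILURE anonymizer=false
2024-04-25T10:02:20Z src=198.51.100.20 user=grace outcome=FAILURE anonymizer=false
2024-04-25T10:02:40Z src=198.51.100.20 user=grace outcome=SUCCESS anonymizer=false
"""

def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp and boolean anonymizer flag."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["anonymizer"] = event.get("anonymizer") == "true"
    return event

def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_failure_ratio=0.6):
    """Flag sources that try many distinct usernames with mostly failed logins inside one sliding window."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_source[ev["src"]].append(ev)
    flagged = {}
    for src, events in by_source.items():
        events.sort(key=lambda e: e["time"])
        for first in events:
            # every event of this source within `window` after `first`
            span = [e for e in events if timedelta(0) <= e["time"] - first["time"] <= window]
            users = {e["user"] for e in span}
            failures = sum(e["outcome"] == "FAILURE" for e in span)
            if len(users) >= min_users and failures / len(span) >= min_failure_ratio:
                # successes inside a flagged window are the accounts that were actually compromised
                flagged[src] = {"distinct_users": len(users), "attempts": len(span), "failures": failures,
                                "successes": len(span) - failures, "anonymizer": any(e["anonymizer"] for e in span)}
                break
    return flagged

if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

A single user failing a few times and then succeeding is not flagged; a source spraying one password across many accounts is, and the `successes` count tells responders which accounts need a forced password reset and session revocation.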
The blog also announced a new feature for Workforce Identity Cloud and Customer Identity Solution users: the ability to block access requests coming from residential proxies prior to authentication. Residential proxies are IP addresses assigned to real residential locations, often by Internet Service Providers (ISPs). They act as an intermediary between the user and the Internet, masking the user’s real IP address and ensuring anonymity online.