Identity and access management company Okta says it is facing an “unprecedented” scale of credential stuffing attacks aimed at breaching user accounts on its online services.
Credential stuffing is a type of cyberattack in which threat actors use a previously obtained username/password list and “stuff” them into different services, to see if they can gain access.
It is essentially trial and error, but with automation the process is extremely fast: attackers can try hundreds of combinations in minutes. The login credentials are usually purchased on the black market in advance.
Mitigations at the edge
Okta suspects that whoever is behind this campaign also targeted Cisco’s VPN services earlier this year, as the same infrastructure was used. In all of the attacks, the requests came from the Tor anonymization network as well as from various residential proxies.
While only a “small percentage” of customers had these requests proceed to authentication, they all shared similar configurations, the company confirmed. These firms were almost always running on Okta Classic Engine, with ThreatInsight configured in Audit-only mode rather than Log and Enforce mode. What’s more, their authentication policies permitted requests from anonymizing proxies.
In the blog post, Okta provided a set of mitigations for the attacks at the network edge, including going passwordless (Require Okta FastPass and FIDO2 WebAuthn, for example), forcing users into generating stronger passwords, enforcing multi-factor authentication (MFA) on sign-in, denying requests from locations where the organization does not operate, denying authentication requests from IPs with poor reputation, and monitoring for, and responding to, anomalous sign-in behavior.
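The two points above (an audit-only setting that records but does not stop suspicious traffic, and the advice to monitor sign-in behavior and deny requests from anonymizing proxies) can be illustrated with a small detection routine. The following is an added example and is not Okta’s code or part of the original article; the event fields, IP addresses, usernames, the anonymizing-proxy label and the thresholds are all constructed for this illustration. It groups sign-in events by source address, flags a source that tries many distinct accounts with an almost total failure rate, flags any source tagged as an anonymizing proxy, and then shows how the same finding is handled in audit-only versus enforce mode.

```python
"""Flag credential-stuffing patterns in sign-in events (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are assumptions for this example, not Okta's own tuning.
MIN_ATTEMPTS = 10          # enough volume to judge a source
MIN_DISTINCT_USERS = 5     # one source probing many different accounts
MIN_FAILURE_RATIO = 0.8    # almost every attempt fails

# Constructed sample events: (source_ip, username, outcome, is_anonymizing_proxy).
# 198.51.100.7 sprays a password list across twelve accounts through a proxy,
# 203.0.113.9 is a legitimate user who mistypes twice, and 192.0.2.44 is a
# single successful login that happens to arrive via an anonymizing proxy.
SAMPLE_EVENTS = (
    [("198.51.100.7", f"user{i:02d}", "FAILURE", True) for i in range(11)]
    + [("198.51.100.7", "user11", "SUCCESS", True)]
    + [("203.0.113.9", "alice", "FAILURE", False)] * 2
    + [("203.0.113.9", "alice", "SUCCESS", False),
       ("192.0.2.44", "bob", "SUCCESS", True)]
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    anonymizing_proxy: bool = False


def summarize(events):
    """Aggregate per-source counters from raw sign-in events."""
    stats = defaultdict(SourceStats)
    for ip, user, outcome, is_proxy in events:
        s = stats[ip]
        s.attempts += 1
        if outcome != "SUCCESS":
            s.failures += 1
        s.users.add(user)
        s.anonymizing_proxy = s.anonymizing_proxy or is_proxy
    return stats


def classify(stats):
    """Return {source_ip: [reasons]} for sources that deserve attention."""
    verdicts = {}
    for ip, s in stats.items():
        reasons = []
        if s.anonymizing_proxy:
            # Policy mitigation: traffic from anonymizing proxies is suspect
            # before authentication is even attempted.
            reasons.append("anonymizing_proxy")
        failure_ratio = s.failures / s.attempts
        if (s.attempts >= MIN_ATTEMPTS
                and len(s.users) >= MIN_DISTINCT_USERS
                and failure_ratio >= MIN_FAILURE_RATIO):
            # Behavioral mitigation: many accounts, almost all failing.
            reasons.append("stuffing_pattern")
        if reasons:
            verdicts[ip] = reasons
    return verdicts


def apply_policy(verdicts, enforce):
    """Audit-only mode only records the finding; enforce mode blocks the source."""
    action = "BLOCK" if enforce else "LOG_ONLY"
    return {ip: action for ip in verdicts}


if __name__ == "__main__":
    found = classify(summarize(SAMPLE_EVENTS))
    for ip, reasons in found.items():
        print(ip, reasons)
    print("audit-only:", apply_policy(found, enforce=False))
    print("enforce:   ", apply_policy(found, enforce=True))
```

The single successful login through a proxy is still flagged, which is the trade-off behind a blanket deny for anonymizers: it catches the attacker’s infrastructure at the cost of a legitimate user on a proxy, so the flag is a policy decision rather than proof of compromise. The audit-only run produces the same findings as the enforce run but stops nothing, which is why a log-only configuration offers no protection against a campaign like this one.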
The blog also announced a new feature for Workforce Identity Cloud and Customer Identity Solution users: the ability to block access requests originating from residential proxies before authentication. Residential proxies are IP addresses assigned to real residential locations, often by Internet Service Providers (ISPs). They act as intermediaries between the user and the internet, masking the user’s real IP address and providing anonymity online.