Cybersecurity Threat Advisory: Credential stuffing attacks targeting Okta

Home / QSOL IT News / Credential stuffing / Cybersecurity Threat Advisory: Credential stuffing attacks targeting Okta

Okta has observed an unprecedented spike in credential stuffing attacks targeting its identity and access management solutions. Attackers are leveraging the TOR anonymization network and residential proxies to compromise user accounts. To mitigate this risk, Barracuda MSP recommends reading this Cybersecurity Threat Advisory in full and taking the recommended steps.

What is the threat?

Credential stuffing attacks are a form of cyberattack where attackers use automated scripts and tools to systematically test large numbers of username and password combinations obtained from previous data breaches on the login interface of a target service. Attackers leverage the broad availability of residential proxy services and lists of stolen credentials. This is to hide their true location and automate login attempts. By using these tools, attackers can quickly identify valid username and password combinations to gain unauthorized access to user accounts. In the case of Okta, the attacks seem to target organizations using the Okta Classic Engine with ThreatInsight configured in Audit-only mode, as well as those that do not deny access from anonymizing proxies. The successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and resources. This could potentially result in data breaches, financial losses, and reputational damage for affected organizations.

Why is it noteworthy?

This attack type is particularly relevant due to the use of Okta’s identity and access management solutions across various industries. Credential stuffing attacks can result in unauthorized access to sensitive information and resources, potentially leading to data breaches, financial losses, and reputational damage for affected organizations. Furthermore, the use of anonymizing services such as TOR and residential proxies makes it difficult to detect and block these attacks, increasing the risk of successful exploitation. Organizations that do not take proactive measures to mitigate this threat are at a higher risk of being targeted and compromised.

What is the exposure or risk?

This attack type primarily affects user accounts and sensitive information stored within Okta’s identity and access management solutions. Successful attacks can can lead to unauthorized access to accounts, potentially compromising a wide range of resources, including confidential data, financial records, and proprietary information. Additionally, attackers can further compromise of internal systems and networks and move laterally or to launch more sophisticated attacks. Organizations using Okta’s Classic Engine with ThreatInsight configured in Audit-only mode or those that do not deny access from anonymizing proxies are particularly at risk of being damaged by this vulnerability.

What are the recommendations?

Barracuda MSP recommends the following actions to limit the impact of an attack:

  • Enable ThreatInsight in Log and Enforce Mode to proactively block IP addresses known for involvement in credential stuffing attacks.
  • Deny access from anonymizing proxies to block requests from shady anonymizing services.
  • Switch to Okta Identity Engine for enhanced security features, including CAPTCHA challenges for risky sign-ins and passwordless authentication options like Okta FastPass.
  • Implement Dynamic Zones to specifically block or allow certain IPs and manage access based on geolocation and other criteria.
  • Enforce best practices such as passwordless authentication, multi-factor authentication, using strong passwords, denying requests outside the company’s locations, blocking IP addresses of ill repute, and monitoring and responding to anomalous sign-ins.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.

Related Post

Tech Time Warp: A nostalgic look at Mattel’s

Children of the 1980s are familiar with Transformers and can likely still sing “More than meets the eye…” but how

Computer toys, Computer Warriors, Featured, Mattel, Syndicated, Tech Insight, Tech Time Warp

Global MSP Day 2024: Celebrating the resilience and

This year marks the seventh time that Global MSP Day has taken place! An annual event celebrating managed service providers

Better Business, cybersecurity, events, Featured, Global MSP Day, MSPs, Syndicated, The Evolving Landscape of the MSP Business Report

Cybersecurity Threat Advisory: Black Basta ransomware surge

The Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories in response to the widespread of Black Basta ransomware attacks.

Black Basta, Cybersecurity Threat Advisory, Featured, malicious software, ransomware, Security, Syndicated

Cybersecurity Threat Advisory: Critical flaws discovered in Cacti

This Cybersecurity Threat Advisory breaks down multiple critical vulnerabilities in the Cacti framework, an open-source network monitoring and fault management

Cacti, Cacti framework, Critical vulnerabilities, Cybersecurity Threat Advisory, Featured, Security, Syndicated