Leading identity management company Okta warned customers of a new wave of credential stuffing attacks, launched on an “unprecedented scale.” Okta released an advisory identifying the attacks’ origins as the same infrastructure used in previous brute force campaigns.
Cybersixgill detected threat actors on popular cybercrime forums posting about similar attack vectors during the time frame that Okta warned about the recent credential stuffing attacks.
THE HEADLINE
On April 27, 2024, cloud-based authentication software provider Okta[1] released an alert warning their customers about an immediate threat targeting its Workforce Identity Cloud[2] (WIC) and Customer Identity Solution[3] (CIS) products. Okta noted that over the last month it detected an increase in the frequency and scale of credential stuffing[4] attacks targeting these services.
Such attacks are perpetrated using third-party combo lists[5] of stolen usernames and passwords to gain unauthorized access to accounts.
The goal of credential stuffing attacks is to exploit users’ tendency to reuse passwords and email addresses across multiple platforms and services. When threat actors find a match, they log in and steal data, which can be used for additional malicious activity. During the past year alone, the credential stuffing vector has been linked to attacks targeting American retail giant Hot Topic and security software provider Norton LifeLock. During the latter attack, threat actors utilized credentials to access accounts, potentially accessing password management systems.
Returning to the Okta alert, the company identified the following key tools used in the recent wave of attacks: residential proxy services[6] (proxies), combo lists and various scripting tools[7], all of which are either widely available from legitimate vendors or sold on the cybercriminal underground. In response, Okta noted that every customer using WIC or CIS can block access requests originating from residential proxies prior to authentication, which it recommended as a remediation step against credential stuffing attacks.[8]
Okta noted that all recent attacks relied on requests routed through anonymizing services such as TOR[9], with millions of requests also routed through popular anonymizing proxy providers (NSOCKS, Luminati and DataImpulse). Such proxies work by leveraging networks of legitimate user devices to route traffic on behalf of paid subscribers, which anonymizes the source of the traffic. This allows threat actors to launch credential stuffing attacks by leveraging mobile devices and browsers of users who may be unaware of their role in the campaigns.[10]
According to Okta, similar configurations were observed among the customers who received suspicious requests and proceeded to authentication. Specifically, the affected organizations (1) nearly always ran on the Okta Classic Engine, with the company’s ThreatInsight tool configured in Audit-only mode (as opposed to Log and Enforce mode), and (2) their authentication policies permitted requests from anonymizing proxies.
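The configuration pattern above (ThreatInsight in Audit-only mode, proxies permitted by policy) means the attempts are logged but not blocked, so they must be caught in the System Log. The following detection script is an added example, not code from Okta or Cybersixgill; it assumes Okta System Log field names (eventType, actor.alternateId, client.ipAddress, outcome.result, securityContext.isProxy) and runs over constructed sample events.

```python
from collections import defaultdict

# Constructed sample events shaped like Okta System Log entries; the field names
# follow Okta's documented schema, all values below are made up for this example.
def _event(user, ip, result, is_proxy):
    return {"eventType": "user.session.start", "actor": {"alternateId": user},
            "client": {"ipAddress": ip}, "outcome": {"result": result},
            "securityContext": {"isProxy": is_proxy}}

SAMPLE_EVENTS = (
    # One proxy source trying six different accounts, then succeeding on a seventh
    [_event(f"user{i}@example.com", "203.0.113.10", "FAILURE", True) for i in range(6)]
    + [_event("user6@example.com", "203.0.113.10", "SUCCESS", True)]
    # A legitimate user mistyping a password twice from a home IP
    + [_event("alice@example.com", "198.51.100.7", "FAILURE", False)] * 2
    + [_event("alice@example.com", "198.51.100.7", "SUCCESS", False)]
)

def summarize_by_ip(events):
    """Per source IP: failure count, distinct usernames tried, proxy flag, and
    accounts that logged in successfully after earlier failures from that IP."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "proxy": False, "success_after_fail": []})
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        s = stats[ev["client"]["ipAddress"]]
        s["proxy"] |= bool(ev.get("securityContext", {}).get("isProxy"))
        if ev["outcome"]["result"] == "FAILURE":
            s["failures"] += 1
            s["users"].add(ev["actor"]["alternateId"])
        elif ev["outcome"]["result"] == "SUCCESS" and s["failures"] > 0:
            s["success_after_fail"].append(ev["actor"]["alternateId"])
    return stats

def flag_credential_stuffing(events, fail_threshold=5, user_threshold=5):
    """Alert on sources that look like combo-list replay: many distinct usernames
    failing from one IP and/or failures via an anonymizing proxy; escalate on success."""
    alerts = []
    for ip, s in summarize_by_ip(events).items():
        reasons = []
        if s["failures"] >= fail_threshold and len(s["users"]) >= user_threshold:
            reasons.append(f"{len(s['users'])} distinct usernames failed from one source")
        if s["proxy"] and s["failures"]:
            reasons.append("failed logins arrived via an anonymizing proxy")
        if not reasons:
            continue  # ordinary typos from a non-proxy source are not reported
        alerts.append({"ip": ip, "reasons": reasons,
                       "severity": "high" if s["success_after_fail"] else "medium",
                       "review_accounts": sorted(set(s["success_after_fail"]))})
    return alerts
```

Accounts listed under review_accounts are the ones that authenticated after a suspicious run of failures and should be reviewed for a forced reset, which is the case Okta describes as requests that "proceeded to authentication".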
DIVING DEEPER
The Cybersixgill Investigative Portal collected multiple recent posts related to potential attack vectors targeting Okta. This includes the post below (Figure 1) from a popular dark web forum on which a Russian-speaking threat actor posted an article describing an attack vector that leverages exposed credentials and a method for sidestepping Okta security controls.
While the original article was written by a red teamer[11] (offensive security professional) and posted for educational purposes only, malicious actors could potentially use the information to launch attacks. The content was likely reposted by the dark web forum member to assist others in malicious activity, as this forum is frequented by threat actors seeking new attack vectors to exploit in the wild.
While the vector was initially published for red team activities, it shows the feasibility of skirting Okta security features. Now that it is circulating on the underground, it is also possible that threat actors will attempt to abuse the technique in real-life attacks.
Figure 1: A potential attack vector spread on a cybercrime forum
Cybersixgill also observed members of a popular hacking and cracking forum advertising the type of residential proxy services that Okta flagged in its recent alert. In the post below, a forum member advertised a product that allows users to access the web from local machines without exposing their IP addresses. In short, this service provides anonymity, which can be abused by threat actors.
While the service itself may be legal, it can be used for malicious activities, such as credential stuffing attacks. Furthermore, the fact that it is being promoted on a hacking forum also suggests that it may be abused by threat actors for malicious purposes.
Figure 2: A forum member promotes a residential proxy service
TAKEAWAYS
The recent Okta advisory flagged a dangerous attack vector that could be replicated in the future. In the past, established threat actors have succeeded in exploiting the authentication management platform, despite the safeguards in place to prevent exploitation of accounts. As a result, organizations must remain vigilant regarding Okta attack vectors, implementing the following safeguards to prevent the abuse of access privileges:
· Maintain proper internal policies and controls related to incident response, password management, third-party access, remote access, account management, user monitoring, role-based access controls, etc.
· Report and respond immediately to suspicious behavior from employees or other internal stakeholders.
· Monitor security systems and internal logs to detect disruptive action.
· Remove all access and authorizations to corporate resources immediately following an employee’s termination or departure from the organization.
· Perform regular monitoring with the help of Cybersixgill’s Investigative Portal to proactively detect potential threat actors seeking insiders at organizations or their third parties.
[1] Okta is one of the world’s top providers of identity and authentication management services, which control access to systems, applications, and data.
[2] Okta Workforce Identity Cloud (WIC) is a cloud-based product for managing and securing employee identities and access to various applications and resources within organizations. It provides single sign-on (SSO), multi-factor authentication (MFA), and user provisioning services.
[3] Okta Customer Identity Solution (CIS) is a cloud-based product for managing and securing customer identities and access to applications and services, which provides social login, registration, and consent management.
[4] The reuse of passwords leaves accounts vulnerable to infiltration when data breaches or leaks occur, after which threat actors test whether credentials grant access to other platforms.
[5] Combo lists contain troves of previously stolen usernames and passwords.
[6] Residential proxy services offer access to a network of residential IP addresses, which allows users to make it appear as if they are browsing the internet from different locations. These services can be used for web scraping and bypassing geo-restrictions, as well as for malicious activities such as credential stuffing.
[7] Threat actors use scripting tools to perform complex tasks automatically in vectors such as credential stuffing attacks, which require repetitive actions.
[8] https://sec.okta.com/blockanonymizers
[9] The Onion Router (TOR) is a network used to browse the internet anonymously by routing traffic through multiple relay servers, providing privacy and anonymity by encrypting and bouncing the users’ connections.
[10] Anonymizing proxy services hide users’ true IP addresses and locations by routing their internet traffic through a proxy server, acting as intermediaries between the user and the websites they visit, which makes it difficult to trace users’ activity back to their original IP addresses.
[11] Red teams simulate attacks to identify vulnerabilities and weaknesses in security practices.