Tuesday, June 25, 2024

Okta Warns Credential Stuffing Attacks Targeting Customer Identity Cloud

Okta, a leading identity and access management company, has warned about credential stuffing attacks targeting its Customer Identity Cloud (CIC).

The company has identified that threat actors are exploiting the cross-origin authentication feature within CIC.

As part of its Okta Secure Identity Commitment, the company routinely monitors and reviews potentially suspicious activities and proactively notifies customers of any threats.

Nature of the Attack

Credential stuffing is a type of cyberattack where adversaries attempt to gain unauthorized access to online services by using large lists of usernames and passwords.

All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo 

These credentials are often obtained from previous data breaches, phishing campaigns, or malware attacks.

Okta observed that the endpoints supporting the cross-origin authentication feature were being targeted in such attacks for several customers.

Suspicious Activity Period

The suspicious activity was first observed on April 15.

Okta has advised customers to review their logs for any unusual activity from that date forward.

The company has provided specific log events to review, including:

  • fcoa: Failed cross-origin authentication
  • scoa: Successful cross-origin authentication
  • pwd_leak: Attempted login with a leaked password

Log Review

Customers are advised to review their tenant logs for unexpected fcoa, scoa, and pwd_leak events.

If a tenant does not use cross-origin authentication but has scoa or fcoa events in their logs, they have likely been targeted in a credential stuffing attack.

Similarly, if a tenant using cross-origin authentication saw a spike in scoa events in April or an increase in the ratio of failure-to-success events (fcoa/scoa), they may have been targeted.

If a user’s password was compromised in a credential-stuffing attack, Okta recommends rotating the user’s credentials immediately as a precaution.

Protecting Your Tenant from Credential Stuffing

Okta has provided several recommendations to help protect users from credential-stuffing attacks:

Longer-term Solution

  • Passwordless, Phishing-Resistant Authentication: Enroll users in passwordless authentication, with passkeys being the most secure option.
  • Passkeys are included in all Auth0 plans, from the free plan to the Enterprise.

Medium-term Mitigations

  • Strong Password Policies: To prevent users from choosing weak passwords, require a minimum of 12 characters for passwords and block passwords found in the Common Password List.
  • Multi-Factor Authentication (MFA): Require MFA, which is available on various Auth0 plans, including B2C Professional, B2B Essentials, B2B Professional, Startup, and Enterprise plans.

Short-term Mitigations

  • Disable Unused Endpoints: Disable the endpoint in the Auth0 Management Console for tenants not using cross-origin authentication.
  • Restrict Permitted Origins: If cross-origin authentication is required, restrict permitted origins.
  • Enable Breached Password Detection: Enable breached password detection or Credential Guard if supported in the current plan.
  • Breached password detection is available on B2C Professional, B2B Professional, Startup, and Enterprise plans, while Credential Guard is available as an add-on through an Enterprise plan.

Okta’s proactive measures and detailed guidance aim to help customers mitigate the risks associated with credential-stuffing attacks.

By following the recommended actions and implementing the suggested protections, customers can better safeguard their identities and maintain the security of their online services.

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.


Latest articles

Hackers Exploit Multiple WordPress Plugins to Hack Websites & Create Rogue Admin Accounts

Wordfence Threat Intelligence team identified a significant security breach involving multiple WordPress plugins. The initial...

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles