Okta Warns of Unprecedented Surge in Credential Stuffing Attacks

Okta, a leading identity and access management solutions provider, has recently issued a warning about a significant increase in credential stuffing attacks targeting its systems. Read on to learn more.  

Tell me more about the Okta credential-stuffing attacks

These attacks, described as unprecedented in both frequency and scale, involve cybercriminals using automated scripts to test stolen username and password combinations across various user accounts. This method, known as credential stuffing, leverages large databases of previously compromised credentials to gain unauthorized access to accounts. 

The recent surge in these attacks has been linked to infrastructure, which was also noted in earlier reports by Cisco’s Talos, describing similar patterns in brute-force attacks. The attackers predominantly utilized the TOR network and various residential proxies to mask their activities, making the attacks more difficult to trace and block. 

Organizations using the Okta Classic Engine, particularly those with ThreatInsight configured in Audit-only mode, were found to be more vulnerable. In these settings, the system logs suspicious activities but does not actively block them, which attackers have exploited to successfully breach accounts. 

What is Nuspire doing?

In response to these threats, Nuspire has taken proactive measures to safeguard client environments. This includes the immediate application of security patches following vendor recommendations and conducting active threat hunting to detect any signs of compromise within client systems. These steps are crucial in identifying and stopping threats before they can cause significant damage. 

What should I do?

To mitigate the risk of account takeover, use passwordless authentication, enforce multi-factor authentication, use strong passwords, deny requests outside the company’s locations, block malicious IP addresses, and monitor and respond to anomalous sign-ins. 

Okta also outlined broader recommendations for adding layers to the defenses against account takeover attempts and has shared the tactics, techniques and procedures (TTPs) used in these most recent attacks. 

1. Enable ThreatInsight in Log and Enforce Mode: This setting allows Okta to proactively block IP addresses associated with credential stuffing. By enabling this feature, organizations can prevent attackers from even attempting to authenticate using stolen credentials. 
2. Deny Access from Anonymizing Proxies: Implementing this measure blocks requests that originate from services designed to anonymize user activity. This is crucial as attackers often use these services to hide their geographical location and evade detection. 
3. Switch to Okta Identity Engine: The Okta Identity Engine offers enhanced security features compared to the Classic Engine. These include CAPTCHA challenges for risky sign-ins and advanced passwordless authentication options like Okta FastPass, which significantly reduce the risk of credential stuffing. 
4. Implement Dynamic Zones: This feature allows access management based on geolocation and other criteria. By setting up Dynamic Zones, organizations can block or allow specific IP addresses, adding an additional layer of security tailored to their specific needs. 
5. Use Strong Passwords and Multi-Factor Authentication (MFA): Encouraging the use of strong, unique passwords and enabling MFA wherever possible adds critical layers of security. These measures make it significantly harder for attackers to gain unauthorized access, even if they have one set of credentials. 
6. Monitor and Respond to Anomalous Sign-Ins: Continuous monitoring of sign-in activities allows organizations to quickly detect and respond to unusual access patterns that may indicate an attempted attack. This rapid response can thwart attackers before they can do significant damage. 
7. Leverage Managed Services: Security solutions like managed detection and response (MDR) and dark web monitoring can also significantly boost defenses against these types of attacks.