Okta warns users to be aware of damaging cyberattacks targeting customers

Celebrity Gig

Identity and access management giant Okta has warned customers of an ongoing credential stuffing attack against one of its tools and suggested users either disable it, or apply a set of mitigations to remain secure.

An announcement from the company noted how hackers have been abusing the cross-origin authentication feature in Customer Identity Cloud (CIC) to mount credential stuffing attacks for several weeks now.

“Okta has determined that the feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks,” the announcement read. “As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers.”

READ ALSO:  Instagram got an update that gives users more control over their feeds

Stuffing the login page

Okta Customer Identity Cloud is a comprehensive identity and access management (IAM) platform designed to manage and secure customer identities. Cross-origin resource sharing (CORS), being abused, is a security mechanism that allows web applications running at one origin (domain) to request resources from a server at a different origin. 

Finally, credential stuffing attack is when hackers “stuff” an online login page with countless credentials obtained elsewhere, in an attempt to break into different accounts. 

READ ALSO:  Okta hack wipes out more than $2 billion in market cap

With CORS, customers add JavaScript to their websites and applications, which sends authentication calls to the Okta API hosted, BleepingComputer explains. However, the feature only works when customers grant access to the URLs from which cross-origin requests can be created. 

Hence, if these URLs are not being actively used, they should be disabled, Okta said.

Those interested to see if their infrastructure was targeted already should check their logs for “fcoa”, “scoa”, and “pwd_leak” events, which are evidence of cross-origin authentication and login attempts. If the tenant doesn’t use cross-origin authentication but the logs show fcoa and scoa events, then a credential stuffing attempt has been made. 

More from TechRadar Pro

Categories

Share This Article
Leave a comment