Okta says it is facing unprecedented levels of attacks

Celebrity Gig

Identity and access management company Okta says it is facing an “unprecedented” scale of credential stuffing attacks, looking to breach user accounts of its online services. 

Credential stuffing is a type of cyberattack in which threat actors use a previously obtained username/password list and “stuff” them into different services, to see if they can gain access. 

It’s basically just trying out different combinations, but by using automation the process is incredibly fast and the attackers can try hundreds of combinations in minutes. The login credentials are usually purchased off the black market in advance.


Mitigations at the edge

Okta suspects that whoever is behind this campaign has also done the same against Cisco’s VPN services earlier this year, as the same infrastructure was used. In all of the attacks, the requests came from the TOR anonymization network as well as different residential proxies.

While only a “small percentage” of customers had these requests proceed to authentication, they all shared similar configurations, the company confirmed. These firms were almost always running on Okta Classic Engine, with ThreatInsight configured in Audit-only mode, as opposed to Log and Enforce mode. What’s more, Authentication policies permitted requests from anonymizing proxies.


In the blog post, Okta provided a set of mitigations for the attacks at the network edge, including going passwordless (Require Okta FastPass and FIDO2 WebAuthn, for example), forcing users into generating stronger passwords, enforcing multi-factor authentication (MFA) on sign-in, denying requests from locations where the organization does not operate, denying authentication requests from IPs with poor reputation, and monitoring for, and responding to, anomalous sign-in behavior.
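As an added illustration of the last mitigation, monitoring for anomalous sign-in behavior, here is example detection logic written for this article (not Okta's code and not from the blog post): it groups login attempts by source address and flags sources that fail against many distinct accounts, which is the credential stuffing pattern described above. The event shape is assumed to follow Okta System Log keys (eventType, actor.alternateId, client.ipAddress, outcome.result, securityContext.isProxy); all sample events and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample events. Key names mirror the Okta System Log layout
# (an assumption for this example); every value below is invented.
def _ev(user, ip, result, proxy):
    return {"eventType": "user.session.start",
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip},
            "outcome": {"result": result},
            "securityContext": {"isProxy": proxy}}

SAMPLE_EVENTS = [
    # One anonymizing-proxy exit trying many accounts: the stuffing pattern.
    _ev("alice@example.com", "203.0.113.10", "FAILURE", True),
    _ev("bob@example.com",   "203.0.113.10", "FAILURE", True),
    _ev("carol@example.com", "203.0.113.10", "FAILURE", True),
    _ev("dave@example.com",  "203.0.113.10", "SUCCESS", True),  # a reused-password hit
    # One user mistyping a password from a normal address: benign.
    _ev("erin@example.com",  "198.51.100.7", "FAILURE", False),
    _ev("erin@example.com",  "198.51.100.7", "FAILURE", False),
    _ev("erin@example.com",  "198.51.100.7", "SUCCESS", False),
]

def summarize_by_source(events):
    """Per source IP: failure count, distinct targeted users, proxy flag, and
    accounts that logged in successfully after that source was already failing."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "hits": set(), "proxy": False})
    for e in events:
        if e.get("eventType") != "user.session.start":
            continue
        s = stats[e["client"]["ipAddress"]]
        user = e["actor"]["alternateId"]
        s["users"].add(user)
        s["proxy"] = s["proxy"] or bool(e.get("securityContext", {}).get("isProxy"))
        result = e["outcome"]["result"]
        if result == "FAILURE":
            s["failures"] += 1
        elif result == "SUCCESS" and s["failures"] > 0:
            s["hits"].add(user)  # success following failures from the same source: review
    return stats

def flag_stuffing_sources(events, min_failures=3, min_users=3):
    """Return {ip: summary} for sources failing against many distinct accounts.
    Thresholds are illustrative; tune them to the tenant's normal baseline."""
    flagged = {}
    for ip, s in summarize_by_source(events).items():
        if s["failures"] >= min_failures and len(s["users"]) >= min_users:
            flagged[ip] = {"failures": s["failures"], "targeted_users": len(s["users"]),
                           "proxy": s["proxy"], "accounts_to_review": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

The single user who fails twice and then succeeds is not flagged, while the proxy source that fails across several accounts is, and the one account it did get into is listed for review.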


The blog also announced a new feature for Workforce Identity Cloud and Customer Identity Solution users – the ability to block access requests originating from residential proxies prior to authentication. Residential proxies are IP addresses assigned to real residential locations, often by Internet Service Providers (ISPs). They act as intermediaries between the user and the internet, masking the user’s real IP address and providing anonymity online.
