Protect yourself against future threats.
===========================================================================
AUSCERT Security Bulletin
ASB-2024.0098
Credential stuffing attacks targeting Okta customers
29 April 2024
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Okta Identity and Access Management Solutions
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Mitigation
OVERVIEW
Okta has warned its customers about credential stuffing attacks
targeting its identity and access management solutions [1][2].
Okta believes that the attacks appear to come from the same
infrastructure that was used in the brute-force and password-
spraying attacks previously identified by Cisco Talos [1][2][3].
IMPACT
Okta has reported that the attacks were notably successful against
organizations using the Okta Classic Engine with ThreatInsight set
to Audit-only mode instead of Log and Enforce mode [1][2].
Additionally, organizations that did not block access from
anonymizing proxies experienced a higher rate of attack success
[1][2].
Okta also mentioned that the attacks were successful for a small
percentage of customers [1][2].
MITIGATION
Okta has provided the following guidance to block these attacks at
the edge of the network [1][2]:
*Enable ThreatInsight in Log and Enforce Mode to block IP addresses
known for involvement in credential stuffing proactively before
they can even attempt authentication.
*Deny access from anonymizing proxies to proactively block requests
that come through shady anonymizing services.
*Switching to Okta Identity Engine, which offers more robust
security features, including CAPTCHA challenges for risky sign-ins
and passwordless authentication options like Okta FastPass.
*Implement Dynamic Zones which enables organizations to
specifically block or allow certain IPs and manage access based on
geolocation and other criteria.
Okta also has provided other recommendations that help mitigate the
Account Takeover risk [2].
REFERENCES
[1] Okta warns of "unprecedented" credential stuffing attacks on
customers
https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-credential-stuffing-attacks-on-customers/
[2] How to Block Residential Proxies using Okta
https://sec.okta.com/blockanonymizers
[3] Large-scale brute-force activity targeting VPNs, SSH services
with commonly used login credentials
https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================