===========================================================================
              AUSCERT Security Bulletin ASB-2024.0098
         Credential stuffing attacks targeting Okta customers
                              29 April 2024
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Okta Identity and Access Management Solutions
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Mitigation

OVERVIEW

        Okta has warned its customers about credential stuffing attacks
        targeting its identity and access management solutions [1][2].
        Okta believes that the attacks come from the same infrastructure
        that was used in the brute-force and password-spraying attacks
        previously identified by Cisco Talos [1][2][3].

IMPACT

        Okta has reported that the attacks were notably more successful
        against organisations using the Okta Classic Engine with
        ThreatInsight set to Audit-only mode, in which suspicious source
        IPs are logged but not blocked, rather than Log and Enforce mode
        [1][2]. Organisations that did not block access from anonymizing
        proxies also experienced a higher rate of attack success [1][2].
        Overall, Okta states that the attacks succeeded against only a
        small percentage of customers [1][2].

MITIGATION

        Okta has provided the following guidance to block these attacks at
        the edge of the network, before credentials are evaluated [1][2]:

        * Enable ThreatInsight in Log and Enforce mode so that IP
          addresses known for involvement in credential stuffing are
          blocked proactively, before they can attempt authentication.

        * Deny access from anonymizing proxies to block requests routed
          through anonymizing services, including residential proxies.

        * Switch to Okta Identity Engine, which offers more robust
          security features, including CAPTCHA challenges for risky
          sign-ins and passwordless authentication options such as Okta
          FastPass.

        * Implement Dynamic Zones, which let organisations specifically
          block or allow certain IPs and manage access based on
          geolocation and other criteria.
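        The following is an added worked example and is not part of the
        Okta or AusCERT guidance above. It triages an Okta System Log
        export (JSON lines, using the documented event fields eventType,
        outcome.result, actor.alternateId, client.ipAddress and
        securityContext.isProxy) for the pattern described under IMPACT:
        many failed sign-ins from one source IP spread across many
        distinct usernames, with anonymizing-proxy use recorded, and any
        successful sign-in from such an IP listed for account-takeover
        investigation. The sample events, the thresholds (min_failures,
        min_users) and the helper names are constructed assumptions, not
        Okta's.

```python
"""Triage an Okta System Log export for credential-stuffing indicators.

Added example, not code from the AusCERT bulletin or from Okta. Event
shape follows the Okta System Log schema (eventType, outcome.result,
actor.alternateId, client.ipAddress, securityContext.isProxy); the
sample events are constructed and the thresholds are assumptions.
"""
import json
from collections import defaultdict


def _event(user, ip, result, proxy, reason=None):
    """Build one constructed user.session.start event (not real data)."""
    outcome = {"result": result}
    if reason:
        outcome["reason"] = reason
    return {
        "eventType": "user.session.start",
        "outcome": outcome,
        "actor": {"alternateId": user, "type": "User"},
        "client": {"ipAddress": ip},
        "securityContext": {"isProxy": proxy},
    }


# Constructed sample: one proxy-sourced IP working through a leaked list of
# usernames (five failures, then one success), one IP hammering a single
# account (brute force, not stuffing), and a legitimate user with a typo.
_SAMPLE = (
    [_event(f"{u}@example.com", "203.0.113.10", "FAILURE", True,
            "INVALID_CREDENTIALS")
     for u in ("alice", "bob", "carol", "dave", "eve")]
    + [_event("frank@example.com", "203.0.113.10", "SUCCESS", True)]
    + [_event("alice@example.com", "192.0.2.5", "FAILURE", False,
              "INVALID_CREDENTIALS")
       for _ in range(6)]
    + [_event("alice@example.com", "198.51.100.7", "FAILURE", False,
              "INVALID_CREDENTIALS"),
       _event("alice@example.com", "198.51.100.7", "SUCCESS", False)]
)
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE)


def parse_events(text):
    """Parse a JSON-lines System Log export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_by_ip(events):
    """Aggregate sign-in outcomes per source IP."""
    stats = defaultdict(lambda: {"failures": 0, "successes": 0,
                                 "failed_users": set(),
                                 "succeeded_users": set(),
                                 "proxy": False})
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        ip = ev.get("client", {}).get("ipAddress", "unknown")
        user = ev.get("actor", {}).get("alternateId", "unknown")
        s = stats[ip]
        if ev.get("securityContext", {}).get("isProxy"):
            s["proxy"] = True
        if ev.get("outcome", {}).get("result") == "SUCCESS":
            s["successes"] += 1
            s["succeeded_users"].add(user)
        else:
            s["failures"] += 1
            s["failed_users"].add(user)
    return stats


def flag_credential_stuffing(events, min_failures=5, min_users=3):
    """Return source IPs whose failures are spread over many distinct
    usernames (the credential-stuffing signature). An IP failing
    repeatedly against one account is brute force / lockout noise and is
    deliberately not flagged; any successful sign-in from a flagged IP is
    listed under 'investigate' as a possible account takeover."""
    findings = []
    for ip, s in summarize_by_ip(events).items():
        if s["failures"] >= min_failures and len(s["failed_users"]) >= min_users:
            findings.append({
                "ip": ip,
                "failures": s["failures"],
                "distinct_users": len(s["failed_users"]),
                "anonymizing_proxy": s["proxy"],
                "investigate": sorted(s["succeeded_users"]),
            })
    return sorted(findings, key=lambda f: f["failures"], reverse=True)


if __name__ == "__main__":
    for finding in flag_credential_stuffing(parse_events(SAMPLE_LOG)):
        print(finding)
```

        Feed parse_events a real export from the System Log API or a SIEM
        and tune min_failures and min_users to the tenant's normal
        traffic. An IP that trips this check while ThreatInsight is in
        Audit-only mode was logged but never blocked, which is the gap
        the first mitigation above closes; with anonymizing proxies
        denied, the proxy-sourced entries should stop reaching the
        credential check at all.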
        Okta also has provided other recommendations that help mitigate
        the account takeover risk [2].

REFERENCES

        [1] Okta warns of "unprecedented" credential stuffing attacks on
            customers
            https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-credential-stuffing-attacks-on-customers/

        [2] How to Block Residential Proxies using Okta
            https://sec.okta.com/blockanonymizers

        [3] Large-scale brute-force activity targeting VPNs, SSH services
            with commonly used login credentials
            https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================