Tuesday, November 12, 2024
Homecyber securityOkta Warns Credential Stuffing Attacks Targeting Customer Identity Cloud

Okta Warns Credential Stuffing Attacks Targeting Customer Identity Cloud

Published on

Malware protection

Okta, a leading identity and access management company, has warned about credential stuffing attacks targeting its Customer Identity Cloud (CIC).

The company has identified that threat actors are exploiting the cross-origin authentication feature within CIC.

As part of its Okta Secure Identity Commitment, the company routinely monitors and reviews potentially suspicious activities and proactively notifies customers of any threats.

- Advertisement - SIEM as a Service

Nature of the Attack

Credential stuffing is a type of cyberattack where adversaries attempt to gain unauthorized access to online services by using large lists of usernames and passwords.

All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo 

These credentials are often obtained from previous data breaches, phishing campaigns, or malware attacks.

Okta observed that the endpoints supporting the cross-origin authentication feature were being targeted in such attacks for several customers.

Suspicious Activity Period

The suspicious activity was first observed on April 15.

Okta has advised customers to review their logs for any unusual activity from that date forward.

The company has provided specific log events to review, including:

  • fcoa: Failed cross-origin authentication
  • scoa: Successful cross-origin authentication
  • pwd_leak: Attempted login with a leaked password

Log Review

Customers are advised to review their tenant logs for unexpected fcoa, scoa, and pwd_leak events.

If a tenant does not use cross-origin authentication but has scoa or fcoa events in their logs, they have likely been targeted in a credential stuffing attack.

Similarly, if a tenant using cross-origin authentication saw a spike in scoa events in April or an increase in the ratio of failure-to-success events (fcoa/scoa), they may have been targeted.

If a user’s password was compromised in a credential-stuffing attack, Okta recommends rotating the user’s credentials immediately as a precaution.

Protecting Your Tenant from Credential Stuffing

Okta has provided several recommendations to help protect users from credential-stuffing attacks:

Longer-term Solution

  • Passwordless, Phishing-Resistant Authentication: Enroll users in passwordless authentication, with passkeys being the most secure option.
  • Passkeys are included in all Auth0 plans, from the free plan to the Enterprise.

Medium-term Mitigations

  • Strong Password Policies: To prevent users from choosing weak passwords, require a minimum of 12 characters for passwords and block passwords found in the Common Password List.
  • Multi-Factor Authentication (MFA): Require MFA, which is available on various Auth0 plans, including B2C Professional, B2B Essentials, B2B Professional, Startup, and Enterprise plans.

Short-term Mitigations

  • Disable Unused Endpoints: Disable the endpoint in the Auth0 Management Console for tenants not using cross-origin authentication.
  • Restrict Permitted Origins: If cross-origin authentication is required, restrict permitted origins.
  • Enable Breached Password Detection: Enable breached password detection or Credential Guard if supported in the current plan.
  • Breached password detection is available on B2C Professional, B2B Professional, Startup, and Enterprise plans, while Credential Guard is available as an add-on through an Enterprise plan.

Okta’s proactive measures and detailed guidance aim to help customers mitigate the risks associated with credential-stuffing attacks.

By following the recommended actions and implementing the suggested protections, customers can better safeguard their identities and maintain the security of their online services.

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...