
Credential stuffing attacks have recently targeted Okta’s Customer Identity Cloud (CIC) feature, posing a significant risk to businesses using this service.  

Understanding Credential Stuffing Attacks 

Credential stuffing is a type of cyber attack where threat actors use lists of stolen usernames and passwords, often obtained from previous data breaches, to gain unauthorised access to user accounts. These attacks exploit the common practice of password reuse across multiple sites, making them particularly effective. 

The Okta Incident 

On April 15, 2024, Okta detected a wave of credential stuffing attacks targeting its CIC feature. This feature, specifically the Cross-Origin Resource Sharing (CORS) functionality, allows customers to add JavaScript to their websites and applications to send authentication calls to the Okta API. To function properly, customers must grant access to specific URLs from which cross-origin requests can originate. However, these URLs became the focal point of the credential stuffing attacks. 

Attack Methodology 

In these attacks, cyber criminals targeted endpoints utilising Okta’s cross-origin authentication feature. By orchestrating credential stuffing attempts, they aimed to exploit the CORS feature to gain unauthorised access. Okta’s investigation revealed that these attacks were part of a larger campaign also targeting Cisco Talos products since March 2024. 

Detection and Response 

Okta promptly notified affected customers and provided detailed remediation guidance. Admins were advised to review logs for specific events such as fcoa (Failed Cross-Origin Authentication), scoa (Successful Cross-Origin Authentication), and pwd_leak (Login Attempt with Leaked Password). These events can indicate credential stuffing attempts, especially if there are spikes or unusual patterns. 
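As an added illustration (not Okta's own tooling), the following script walks constructed log records in the shape of Okta CIC tenant log events (a type code, timestamp, source IP and user name, which are assumed field names) and applies the guidance above: it flags a source IP whose fcoa volume inside a time window reaches a threshold, a scoa from that source after the spike, and every pwd_leak event. The threshold and window are assumptions to be tuned against a tenant's own baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Okta CIC tenant log events
# (type code, timestamp, source IP, user name); not real tenant data.
SAMPLE_LOGS = [
    '{"type":"fcoa","date":"2024-04-15T10:00:01Z","ip":"203.0.113.7","user_name":"alice@example.com"}',
    '{"type":"fcoa","date":"2024-04-15T10:00:09Z","ip":"203.0.113.7","user_name":"bob@example.com"}',
    '{"type":"fcoa","date":"2024-04-15T10:00:20Z","ip":"203.0.113.7","user_name":"carol@example.com"}',
    '{"type":"fcoa","date":"2024-04-15T10:01:02Z","ip":"203.0.113.7","user_name":"dave@example.com"}',
    '{"type":"fcoa","date":"2024-04-15T10:01:44Z","ip":"203.0.113.7","user_name":"erin@example.com"}',
    '{"type":"scoa","date":"2024-04-15T10:02:30Z","ip":"203.0.113.7","user_name":"frank@example.com"}',
    '{"type":"pwd_leak","date":"2024-04-15T10:02:30Z","ip":"203.0.113.7","user_name":"frank@example.com"}',
    '{"type":"fcoa","date":"2024-04-15T10:05:00Z","ip":"198.51.100.2","user_name":"alice@example.com"}',
    '{"type":"scoa","date":"2024-04-15T10:05:30Z","ip":"198.51.100.2","user_name":"alice@example.com"}',
]

FAIL_THRESHOLD = 5              # assumption: tune to the tenant's normal failure rate
WINDOW = timedelta(minutes=10)  # assumption: sliding window for counting fcoa per IP

def parse_events(lines):
    """Parse JSON log lines and sort them by time so the window can be walked in order."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.strptime(e["date"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def analyse(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Flag sources whose fcoa count within `window` reaches `threshold`, any scoa
    from such a source after the spike, and every pwd_leak (leaked password used)."""
    events = parse_events(lines)
    fails = defaultdict(list)   # ip -> timestamps of recent fcoa events
    users = defaultdict(set)    # ip -> distinct user names tried (stuffing spreads across users)
    findings = {"stuffing_sources": {}, "success_after_spike": [], "leaked_passwords": []}
    for e in events:
        ip, t = e["ip"], e["ts"]
        if e["type"] == "fcoa":
            fails[ip] = [x for x in fails[ip] if t - x <= window] + [t]
            users[ip].add(e["user_name"])
            if len(fails[ip]) >= threshold:
                findings["stuffing_sources"][ip] = {
                    "failures": len(fails[ip]), "distinct_users": len(users[ip])}
        elif e["type"] == "scoa" and ip in findings["stuffing_sources"]:
            findings["success_after_spike"].append((ip, e["user_name"]))
        elif e["type"] == "pwd_leak":
            findings["leaked_passwords"].append((e["user_name"], ip))
    return findings
```

Calling analyse(SAMPLE_LOGS) flags 203.0.113.7 (five failures against five different users in under two minutes, followed by a success), while the single typo-then-success from 198.51.100.2 is left alone.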

Preventive Measures 

To protect against credential stuffing attacks, Okta recommends several measures: 

  1. Rotate Compromised Credentials: Immediately change any compromised user credentials. 
  2. Implement Passwordless Authentication: Use passkeys or other passwordless, phishing-resistant authentication methods. 
  3. Enforce Strong Password Policies: Require passwords to be at least 12 characters long and avoid common passwords. 
  4. Enable Multi-Factor Authentication (MFA): This adds an extra layer of security, making it harder for attackers to gain access. 
  5. Disable Unused Features: If cross-origin authentication is not needed, disable it to reduce attack vectors. 
  6. Restrict Permitted Origins: Only allow necessary cross-origin requests to minimise exposure. 
  7. Enable Breached Password Detection: Utilise tools like Credential Guard to detect and mitigate the use of compromised passwords. 

What to Do if You’re a Victim 

If you suspect that your business has been targeted by a credential stuffing attack, take the following steps immediately: 

  • Audit and Review Logs: Check for unusual fcoa, scoa, and pwd_leak events starting from April 15, 2024. 
  • Change Affected Passwords: Rotate any credentials that may have been compromised. 
  • Strengthen Security Measures: Implement the preventive measures outlined above. 
  • Seek Professional Assistance: Contact Okta’s Customer Support or consult with cyber security experts to assess and enhance your security posture. 

Conclusion 

Credential stuffing attacks pose a significant threat to businesses, exploiting weaknesses in password management and authentication processes. By understanding the tactics, techniques, and procedures (TTPs) used in these attacks, and by implementing robust security measures, businesses can defend against such threats and ensure the integrity of their systems. 

For more detailed information, refer to Okta’s official announcements and guidelines on its security blog and to BleepingComputer’s coverage of the incident.