Okta warns {that a} Buyer Id Cloud (CIC) characteristic is being focused in credential stuffing assaults, stating that quite a few prospects have been focused since April.
Okta is a number one identification and entry administration firm offering cloud-based options for safe entry to apps, web sites, and units. It presents single sign-on (SSO), multi-factor authentication (MFA), common listing, API entry administration, and lifecycle administration.
A credential stuffing assault is when risk actors create massive lists of usernames and passwords stolen in knowledge breaches or by information-stealing malware after which use them to try to breach on-line accounts.
Okta says it recognized credential stuffing assaults beginning on April 15, 2024, which focused endpoints using Buyer Id Cloud’s cross-origin authentication characteristic.
“Okta has determined that the feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks,” reads Okta’s announcement.
“As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers.”
Okta’s Cross-Origin Useful resource Sharing (CORS) characteristic permits prospects so as to add JavaScript to their web sites and purposes to ship authentication calls to the Okta API hosted. For this characteristic to work, prospects should grant entry to the URLs from which cross-origin requests can originate.
Okta states these URLs are focused in credential stuffing assaults and ought to be disabled if they aren’t in use.
The corporate has notified prospects focused in these assaults with remediation steering on securing their accounts.
It is value noting that Okta warned its buyer base about “unprecedented” credential stuffing assaults late final month, originating from the identical risk actors who’ve been concentrating on Cisco Talos merchandise since March 2024.
BleepingComputer contacted Okta to ask what number of prospects have been impacted by the credential stuffing assaults.
Detecting assaults
Okta recommends that admins test logs for ‘fcoa,’ ‘scoa,’ and ‘pwd_leak’ occasions that point out cross-origin authentication and login makes an attempt utilizing leaked credentials.
If cross-origin authentication is not used on the tenant however ‘fcoa’ and ‘scoa’ are current, this means you are focused by credential stuffing assaults. If cross-origin authentication is used, search for irregular spikes in ‘fcoa’ and ‘scoa’ occasions.
Because the suspicious exercise began on April 15, Okta recommends that prospects evaluate logs from that time limit.
Along with the checks, Okta suggests the next mitigations:
- Rotate compromised consumer credentials instantly (directions obtainable right here)
- Implement passwordless, phishing-resistant authentication, with passkeys being the really helpful possibility.
- Implement sturdy password insurance policies and implement multi-factor authentication (MFA).
- Disable cross-origin authentication if not used.
- Take away permitted cross-origin units that aren’t in use.
- Limit permitted origins for cross-origin authentication if obligatory.
- Allow breached password detection or Credential Guard, relying on the plan.
Prospects needing additional help can attain out to Okta’s Buyer Help or its group boards.
