April 28, 2024 at 10:30AM
Okta has reported a significant increase in credential stuffing attacks, facilitated by residential proxy services and stolen credentials. Cisco also warned of a surge in brute-force attacks targeting various devices. These attacks appear to originate from TOR exit nodes and anonymizing services. Okta recommends enforcing strong passwords, enabling two-factor authentication, and denying requests from suspicious locations.
The meeting notes from April 28, 2024 revolve around the growing threat of credential stuffing attacks on online services. Okta, an identity and access management services provider, has detected a significant increase in the frequency and scale of these attacks. The attacks are facilitated by the broad availability of residential proxy services, lists of previously stolen credentials, and scripting tools.
Cisco has also issued a warning about a global surge in brute-force attacks targeting various devices, including VPN services, web application authentication interfaces, and SSH services. These attacks are originating from TOR exit nodes and other anonymizing tunnels and proxies. Targets of the attacks include VPN appliances and routers from various manufacturers.
Okta’s Identity Threat Research observed an uptick in credential stuffing activity from April 19 to April 26, 2024, indicating that the attacks are exploiting similar infrastructure. Credential stuffing involves using credentials obtained from a data breach to try to sign in to unrelated services. Alternatively, attackers may use phishing attacks or malware campaigns to obtain credentials.
The attacks observed by Okta all rely on requests being routed through anonymizing services such as TOR and residential proxies, including NSOCKS, Luminati, and DataImpulse. Residential proxies refer to networks of legitimate user devices that are misused to route traffic on behalf of paying subscribers without their knowledge or consent.
The meeting notes highlight that most of the traffic in these credential stuffing attacks originates from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers. Okta recommends that organizations enforce strong passwords, enable two-factor authentication, deny requests from unauthorized locations and IP addresses with poor reputation, and add support for passkeys to mitigate the risk of account takeovers.
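The detection side of those recommendations, as an added example that is not Okta's or Cisco's own code: two heuristics run over constructed authentication log lines (the IPs, usernames and timestamps are made up). The first catches a single source spraying many usernames; the second catches the residential-proxy pattern the notes describe, where each username is tried once from a different consumer IP so that per-IP thresholds never fire.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs): time, source IP, user, result.
SAMPLE_LOGS = """\
2024-04-25T10:00:01Z 203.0.113.10 alice FAIL
2024-04-25T10:00:02Z 203.0.113.10 bob FAIL
2024-04-25T10:00:03Z 203.0.113.10 carol FAIL
2024-04-25T10:00:04Z 203.0.113.10 dave FAIL
2024-04-25T10:00:05Z 203.0.113.10 erin SUCCESS
2024-04-25T10:00:06Z 198.51.100.7 alice FAIL
2024-04-25T10:00:20Z 198.51.100.7 alice SUCCESS
2024-04-25T10:05:00Z 192.0.2.5 frank FAIL
2024-04-25T10:05:30Z 192.0.2.9 grace FAIL
2024-04-25T10:06:00Z 192.0.2.14 heidi FAIL
2024-04-25T10:06:30Z 192.0.2.22 ivan FAIL
2024-04-25T10:07:00Z 192.0.2.31 judy FAIL
"""

def parse_events(text):
    """Parse 'time ip user result' lines into (datetime, ip, user, result)."""
    return [(datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), ip, u, r)
            for t, ip, u, r in (ln.split() for ln in text.splitlines())]

def flag_sources(events, min_users=4, min_fail_ratio=0.75):
    """Classic stuffing signature: one source IP trying many distinct usernames
    with a high failure rate (a legitimate user retrying one account is not hit)."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for _, ip, user, result in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        s["fails"] += result == "FAIL"
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users
                  and s["fails"] / s["total"] >= min_fail_ratio)

def flag_distributed(events, window=timedelta(minutes=5), min_users=5):
    """Residential-proxy pattern: one try per user from a different consumer IP,
    so per-IP thresholds never fire; count fleet-wide single failures in a window."""
    fails = sorted((t, ip, u) for t, ip, u, r in events if r == "FAIL")
    attempts = Counter(ip for _, ip, _ in fails)
    singles = [(t, ip, u) for t, ip, u in fails if attempts[ip] == 1]
    for i, (start, _, _) in enumerate(singles):
        users = {u for t, _, u in singles[i:] if t - start <= window}
        if len(users) >= min_users:
            return True
    return False
```

In the sample, 203.0.113.10 trips the per-source rule while the legitimate retry from 198.51.100.7 does not, and the five one-off failures from distinct 192.0.2.x addresses trip the distributed rule even though no single IP is noisy.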