Pierluigi Paganini May 30, 2024

Identity and access management firm Okta warns of credential stuffing attacks targeting the Customer Identity Cloud (CIC) feature.

Okta warns of credential stuffing attacks targeting its Customer Identity Cloud (CIC) feature since April.

A credential stuffing attack is a type of cyber attack where hackers use large sets of username and password combinations, typically obtained from previous data breaches, phishing campaigns, or info-stealer infections, to gain unauthorized access to user accounts on various online services. Credential stuffing attacks exploit the widespread practice of using the same login credentials across multiple online accounts. Attackers automate the process of trying these credentials on various websites until they find a match, granting them unauthorized access to compromised accounts. This method poses a risk of exposing sensitive data or enabling fraudulent activities.

The identity and access management firm observed suspicious activity that started on April 15. 

The advisory published by the company states that the attacks targeted the endpoints supporting the cross-origin authentication feature, the attacks hit several customers.

“Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks.” reads advisory. “For context, we observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers.”

Cross-Origin Resource Sharing (CORS) (opens new window)is a mechanism that allows a web page to make an AJAX call using XMLHttpRequest (XHR) (opens new window). Use XHR to call a domain that is different than the domain where the script was loaded. Such cross-domain requests would otherwise be forbidden by web browsers as indicated by the same origin security policy (opens new window). CORS defines a standardized (opens new window)way in which the browser and the server can interact to determine whether to allow the cross-origin request.

The company notified the targeted customers that have this feature enabled, it also recommends disabling targeted URLs if they are not in use.

Okta recommends reviewing suspicious activity from April 15 forward, it suggests reviewing the following log events:

• fcoa – Failed cross-origin authentication
• scoa – Successful cross-origin authentication
• pwd_leak – Someone attempted to login with a leaked password

At the end of April, Okta observed a surge in credential stuffing attacks against online services, aided by the widespread availability of residential proxy services, lists of previously compromised credentials (“combo lists”), and automation tools.

From April 19, 2024 through to April 26, 2024, the Okta Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.

The latest advisory includes recommendations to mitigate these attacks.

The company also shared recommendations on how to best protect customers from credential-stuffing attacks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Okta)