Pierluigi Paganini April 28, 2024

Identity and access management services provider Okta warned of a spike in credential stuffing attacks aimed at online services.

In recent weeks, Okta observed a surge in credential stuffing attacks against online services, aided by the widespread availability of residential proxy services, lists of previously compromised credentials (“combo lists”), and automation tools.

“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools.” reads the advisory published by Okta.

From March 18, 2024, to April 16, 2024, Duo Security and Cisco Talos observed large-scale brute-force attacks against a variety of targets, including VPN services, web application authentication interfaces and SSH services. 

Below is a list of known affected services: 

• Cisco Secure Firewall VPN 
• Checkpoint VPN  
• Fortinet VPN  
• SonicWall VPN  
• RD Web Services 
• Miktrotik 
• Draytek 
• Ubiquiti 

From April 19, 2024 through to April 26, 2024, the Okta Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.

A credential stuffing attack is a type of cyber attack where hackers use large sets of username and password combinations, typically obtained from previous data breaches, phishing campaigns, or info-stealer infections, to gain unauthorized access to user accounts on various online services. Credential stuffing attacks exploit the widespread practice of using the same login credentials across multiple online accounts. Attackers automate the process of trying these credentials on various websites until they find a match, granting them unauthorized access to compromised accounts. This method poses a risk of exposing sensitive data or enabling fraudulent activities.

The attacks recently observed by Okta route requests through anonymizing services like TOR and residential proxies such as NSOCKS, Luminati, and DataImpulse. The experts noticed that millions of requests have been routed through these services.

Residential proxies (RESIPs) are networks of legitimate user devices used to route traffic for paying subscribers, often without their knowledge. Threat actors use these RESIPs to evade detection. Users may consciously download “proxyware” for payment or other benefits, or their devices may be infected with malware unknowingly, turning them into part of a botnet.

“The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers. For more information on residential proxy services, we recommend this informative summary by CERT Orange Cyberdefense and Sekoia.” continues the advisory.

The advisory includes recommendations to mitigate the risk of account takeovers from credential stuffing attacks along with TTPs used in recent campaigns.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, credential stuffing)