Analysis Summary

Okta has recently alerted users that multiple clients have been the target of credential stuffing attacks targeting a Customer Identity Cloud (CIC) function since April.

Leading identity and access management provider Okta offers cloud-based solutions for safe device, website, and app access. It provides lifecycle management, universal directory, multi-factor authentication (MFA), single sign-on (SSO), and API access control. According to the company, it discovered credential stuffing attacks that began on April 15, 2024 and were directed at endpoints using the cross-origin authentication capability of Customer Identity Cloud.

Credential stuffing attacks occur when malicious actors compile extensive lists of usernames and passwords that have been obtained through software that steals information, or from data breaches, intending to break into online accounts.

Okta’s notification reads, “As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers.”

Customers can add JavaScript to their websites and applications to submit authentication calls to the Okta API hosted by Okta through the Cross-Origin Resource Sharing (CORS) functionality. Customers must allow access to the URLs that cross-origin requests may originate from for this feature to function.

According to Okta, if these URLs are not being used, they should be blocked because they are the focus of credential-stuffing attacks. The company has sent remediation instructions on account security to clients who were targeted in these attacks. It is noteworthy that late last month, Okta alerted its clients to unprecedented credential stuffing attacks, which were coming from the same threat actors that have been attacking Cisco Talos products since March 2024.

The 'fcoa', 'scoa', and 'pwd_leak' events in logs show cross-origin authentication and attempts to log in using compromised credentials. Okta advises administrators to look for these occurrences. If 'fcoa' and 'scoa' are present but the tenant is not using cross-origin authentication, this suggests that you are being targeted by credential stuffing attacks. If cross-origin authentication is utilized, the 'fcoa' and 'scoa' events should be monitored for unusual spikes.

Since the suspicious behavior began on April 15, Okta advises clients to examine their logs going back to that date. Apart from the examinations, Okta recommends rotating the credentials of the compromised user right away, using passkeys to enable passwordless and phishing-resistant authentication, adopting multi-factor authentication (MFA) and enforcing regulations about strong passwords, disabling cross-origin authentication when not in use, taking away any unused cross-origin devices that are allowed, limit the origins that are allowed for cross-origin authentication, and enable Credential Guard or compromised password detection.

Impact

• Credential Theft
• Unauthorized Access
• Exposure of Sensitive Data

Remediation

• Implement multi-factor authentication to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Prohibit password sharing and do not use the same password for multiple platforms, servers, or networks.
• Restrict installation of untrusted 3rd party applications.