OKTA Breaches - TOR Networks and Credential Stuffing.
OKTA is warning its customers to look out for unprecedented spikes in credential stuffing attacks on its identity management systems, and it confirms that some of its customers have been breached by these attacks.
Threat actors are using compromised credentials, probably bought from cybercriminals, and replaying them against OKTA’s identity management systems through automated means (bots). While doing so they route the requests through TOR networks, in other words anonymizing networks.
There are two major things to understand here:
What a credential stuffing attack is.
What TOR networks are and why attackers use them.
Let’s dive in.
A credential stuffing attack is a very common way for attackers to get past authentication. The attacker acquires a pile of credentials from the dark web or from cybercriminals who stole the data from enterprise data stores, either by breaching their networks or via social engineering. These credentials are then sold to attackers who intend to break into customer accounts and carry their attacks further into those businesses. Here is an image showing an attacker carrying out account takeover (credential stuffing) attacks via a network of bots.
Figure 1: Attacker carrying out credential stuffing attacks using bots.
One thing to note: credential stuffing is not the same as a brute force attack, where the attacker uses compute to guess passwords and then tries them out. Credential stuffing is carried out with known, valid credentials.
Moving on to TOR networks. TOR is a specialized network built on the concept of anonymizing proxies: finding the origin of a request is almost impossible because TOR relays traffic through nodes sitting between client and server, called entry, middle and exit nodes. The TOR client (in other words the TOR browser) sends the request to the entry node. The entry node knows the IP address of the browser, but the traffic is encrypted as it moves on to the middle node within the TOR network, and from there on the originator’s IP address is no longer visible. Let’s look at this picture: the user sends the request to the entry node, and from there onward the origin of the request is hidden, making it hard for the server to learn the user’s IP address.
Figure 2: TOR network anonymizing the request, making it hard for the server to know the client.
No wonder attackers use the TOR network to send their nefarious requests: it makes it hard for the victim to know who the attacker is.
This is what happened in the OKTA breach: attackers used TOR networks to send their automated credential stuffing requests and take over customer accounts.
Impacts and Observations
Okta says the observed attacks were particularly successful against organizations running on the Okta Classic Engine with ThreatInsight configured in Audit-only mode rather than Log and Enforce mode.
Likewise, organizations that do not deny access from anonymizing proxies also saw a higher attack success rate. Okta said the attacks were successful for a small percentage of customers.
The company provides a set of actions that can block these attacks at the edge of the network:
Enable ThreatInsight in Log and Enforce mode to proactively block IP addresses known for involvement in credential stuffing, before they can even attempt authentication.
Deny access from anonymizing proxies to proactively block requests that come through shady anonymizing services.
Okta also provides in its advisory a list of more generic recommendations that can help mitigate the risk of account takeover. These include passwordless authentication, enforcing multi-factor authentication, using strong passwords, denying requests from outside the company’s locations, blocking IP addresses of ill repute, and monitoring and responding to anomalous sign-ins.
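To make the monitoring recommendation concrete, and to show the difference between credential stuffing and brute force noted earlier, here is an added example (not from Okta or the original article) that runs simple detection logic over constructed sign-in events. The event shape, thresholds and the anonymizer IP list are assumptions for illustration, not Okta’s System Log schema or ThreatInsight’s feed.

```python
from collections import defaultdict

# Constructed sample events as (timestamp_seconds, source_ip, username, outcome); a
# simplified shape, not Okta's System Log schema.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "alice", "FAILURE"),   # one source cycling through many accounts
    (4, "203.0.113.7", "bob", "FAILURE"),
    (9, "203.0.113.7", "carol", "FAILURE"),
    (13, "203.0.113.7", "dave", "FAILURE"),
    (17, "203.0.113.7", "eve", "SUCCESS"),    # a replayed stolen credential that still works
    (21, "203.0.113.7", "frank", "FAILURE"),
    (30, "192.0.2.9", "alice", "FAILURE"),    # one source guessing passwords for one account
    (31, "192.0.2.9", "alice", "FAILURE"),
    (32, "192.0.2.9", "alice", "FAILURE"),
    (33, "192.0.2.9", "alice", "FAILURE"),
    (34, "192.0.2.9", "alice", "FAILURE"),
    (40, "198.51.100.4", "bob", "FAILURE"),   # a real user mistyping, then signing in
    (55, "198.51.100.4", "bob", "SUCCESS"),
]
# Constructed stand-in for a feed of Tor exit node / anonymizing-proxy addresses.
ANONYMIZER_IPS = {"203.0.113.7"}


def classify_sources(events, window=300, min_users=5, min_attempts=5, max_success_rate=0.2):
    """Map each suspicious source IP to (label, distinct_users, attempts, successes).
    credential_stuffing = many accounts, mostly failures; brute_force = one account, many failures."""
    per_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        per_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # keep only the last `window` seconds
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, o in span if o == "SUCCESS")
            mostly_failing = successes / len(span) <= max_success_rate
            if len(users) >= min_users and mostly_failing:
                flagged[ip] = ("credential_stuffing", len(users), len(span), successes)
            elif len(users) == 1 and len(span) >= min_attempts and mostly_failing:
                flagged[ip] = ("brute_force", 1, len(span), successes)
    return flagged


def successes_via_anonymizers(events, anonymizer_ips=ANONYMIZER_IPS):
    """Successful sign-ins that came through a known anonymizing proxy: triage these first."""
    return [(ts, ip, user) for ts, ip, user, outcome in events
            if outcome == "SUCCESS" and ip in anonymizer_ips]
```

The stuffing source is the one that touched many accounts with a low success rate, while the brute force source hammered a single account; the one successful sign-in through the anonymizer is the account to reset and investigate first.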
That was it for this article. Thanks for reading, and don’t forget to share this with your network. Leave me a comment.