Okta has reported a surge in credential-stuffing attacks against online services over the last month, enabled by the widespread availability of residential proxy services, lists of previously compromised credentials, and scripting and automation tools.
Between March 18, 2024, and April 16, 2024, Duo Security and Cisco Talos detected widespread brute-force attacks on a range of targets, including VPN services, web application authentication interfaces, and SSH servers.
Affected products include Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, MikroTik, DrayTek, and Ubiquiti.
Okta's own observations came earlier this month.
Between April 19, 2024, and April 26, 2024, the Okta Identity Threat Research team observed a significant spike in credential-stuffing activity against user accounts from what appears to be similar infrastructure.
In a credential-stuffing attack, attackers take large lists of username and password combinations obtained from previous data breaches, phishing campaigns, or info-stealer infections and use them to attempt unauthorised access to accounts on many online services. The attacks exploit the common practice of reusing the same login credentials across multiple accounts. Attackers automate the testing of these credentials against many websites until a pair matches, gaining access to the compromised account and raising the risk of sensitive-data exposure or fraud.
Okta has observed that the recent attacks route requests through anonymising services such as Tor and residential proxy services such as NSOCKS, Luminati, and DataImpulse, with millions of requests seen passing through these services.
Residential proxies (RESIPs) are networks of genuine consumer devices that relay traffic on behalf of paying customers, usually without the device owners' knowledge. Threat actors use RESIPs to evade detection. Devices end up in these networks either because their users deliberately install "proxyware" in exchange for money or other benefits, or because the devices are infected with malware and enrolled into a botnet.
According to the advisory, most of the traffic in these credential-stuffing attacks appears to come from ordinary users' mobile devices and browsers rather than from VPS providers' IP addresses. For more background on residential proxy services, the advisory recommends the summary published by CERT Orange Cyberdefense and Sekoia.
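The two traffic patterns described above (one source cycling through many usernames with mostly failed logins, and one account being tried from many proxy or Tor addresses) are what a defender would look for in authentication logs. The following detector is an added example written for this article; it is not Okta's code and does not use Okta's log format. It assumes a constructed JSON-lines log with the fields `ts`, `user`, `src_ip`, `result` and an `anonymizer` flag that an upstream enrichment step set when the source address matched a known Tor exit or residential-proxy range; the thresholds are illustrative, not values from the advisory.

```python
"""Credential-stuffing detector over enriched authentication events.

Added example for this article (not Okta's tooling or log format). The log
schema, the enrichment flag "anonymizer" and all thresholds below are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
import json

# Constructed sample log: one IP cycling through many usernames (mostly
# failures, one success), one account tried from several anonymizer IPs
# until a success, and an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
{"ts":"2024-04-20T10:00:00Z","user":"alice","src_ip":"203.0.113.10","result":"failure","anonymizer":true}
{"ts":"2024-04-20T10:00:01Z","user":"bob","src_ip":"203.0.113.10","result":"failure","anonymizer":true}
{"ts":"2024-04-20T10:00:02Z","user":"carol","src_ip":"203.0.113.10","result":"failure","anonymizer":true}
{"ts":"2024-04-20T10:00:03Z","user":"dave","src_ip":"203.0.113.10","result":"failure","anonymizer":true}
{"ts":"2024-04-20T10:00:04Z","user":"erin","src_ip":"203.0.113.10","result":"success","anonymizer":true}
{"ts":"2024-04-20T10:05:00Z","user":"frank","src_ip":"198.51.100.1","result":"failure","anonymizer":true}
{"ts":"2024-04-20T10:05:10Z","user":"frank","src_ip":"198.51.100.2","result":"failure","anonymizer":true}
{"ts":"2024-04-20T10:05:20Z","user":"frank","src_ip":"198.51.100.3","result":"failure","anonymizer":true}
{"ts":"2024-04-20T10:05:30Z","user":"frank","src_ip":"198.51.100.4","result":"success","anonymizer":true}
{"ts":"2024-04-20T10:07:00Z","user":"grace","src_ip":"192.0.2.7","result":"failure","anonymizer":false}
{"ts":"2024-04-20T10:07:05Z","user":"grace","src_ip":"192.0.2.7","result":"success","anonymizer":false}
"""

WINDOW_SECONDS = 600         # look-back window per source IP (assumed)
MIN_USERS_PER_IP = 4         # distinct usernames from one IP before flagging
MIN_FAILURE_RATIO = 0.75     # stuffing traffic is overwhelmingly failures
MIN_ANON_IPS_PER_USER = 3    # distributed attempts via proxies on one account


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of findings, each {"rule", "key", "detail"}."""
    findings = []
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
        by_user[e["user"]].append(e)

    # Rule 1: a single source IP tries many different usernames, mostly
    # failing, within the window ending at its latest event. Any success
    # inside such a burst is a likely account takeover.
    for ip, evs in by_ip.items():
        newest = evs[-1]["ts"]
        window = [e for e in evs
                  if (newest - e["ts"]).total_seconds() <= WINDOW_SECONDS]
        users = {e["user"] for e in window}
        ratio = sum(e["result"] == "failure" for e in window) / len(window)
        if len(users) >= MIN_USERS_PER_IP and ratio >= MIN_FAILURE_RATIO:
            findings.append({"rule": "many_users_from_ip", "key": ip,
                             "detail": {"users": len(users),
                                        "failure_ratio": round(ratio, 2)}})
            for e in window:
                if e["result"] == "success":
                    findings.append({"rule": "possible_takeover",
                                     "key": e["user"], "detail": {"ip": ip}})

    # Rule 2: one account is attempted from many anonymizer (Tor / RESIP)
    # addresses, which is how proxy-distributed stuffing looks per user.
    for user, evs in by_user.items():
        anon = [e for e in evs if e.get("anonymizer")]
        anon_ips = {e["src_ip"] for e in anon}
        if len(anon_ips) >= MIN_ANON_IPS_PER_USER:
            findings.append({"rule": "account_from_many_anonymizer_ips",
                             "key": user,
                             "detail": {"ips": sorted(anon_ips)}})
            for e in anon:
                if e["result"] == "success":
                    findings.append({"rule": "possible_takeover", "key": user,
                                     "detail": {"ip": e["src_ip"]}})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f["rule"], f["key"], f["detail"])
```

The per-IP rule catches a proxy node that is reused against many accounts; the per-user rule catches the opposite case, where each attempt arrives from a fresh residential address so no single IP ever exceeds a rate limit. Both rules deliberately ignore the ordinary user who fails once and then succeeds from a non-anonymizer address, which is the noise a naive "failed login" alert would page on.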
The advisory offers recommendations for reducing the risk of credential-stuffing attacks leading to account takeovers, along with the tactics, techniques, and procedures (TTPs) used in the recent campaigns.