Identity and access management (IAM) service provider Okta has warned that the “frequency and scale” of credential stuffing attacks targeting online services is surging.
The unprecedented attacks, observed over the past month, were facilitated by “the widespread availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools,” the company said in a warning released Saturday.
The findings build on a recent advisory from Cisco, which warned of a global surge in brute-force attacks targeting a variety of devices, including virtual private network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
“All of these attacks appear to be originating from TOR exit nodes and various other anonymizing tunnels and proxies,” Talos said at the time, adding that the attacks targeted VPN appliances from Cisco, Check Point, Fortinet, and SonicWall, as well as routers from Draytek, MikroTik, and Ubiquiti.
Okta said its identity threat research detected an increase in credential stuffing activity against user accounts from April 19, 2024 to April 26, 2024, likely from similar infrastructure.
Credential stuffing is a type of cyberattack that uses credentials obtained from a data breach in one service to attempt to sign in to another, unrelated service.
Alternatively, such credentials can be extracted through phishing attacks that redirect victims to credential harvesting pages or malware campaigns that install information-stealing programs on compromised systems.
“The recent attacks we have observed all have one thing in common: they rely on requests being routed through an anonymization service such as TOR,” Okta said.
“Millions of requests were also routed through various residential proxies such as NSOCKS, Luminati, and DataImpulse.”
Residential proxies (RESIPs) are networks of legitimate user devices that are abused to route traffic on behalf of paying subscribers, without the device owners' knowledge or consent. Because the requests exit from ordinary consumer IP addresses, threat actors can hide their malicious traffic among normal user activity.
This is typically accomplished by installing proxyware tools on computers, mobile phones, or routers, effectively enrolling them in a botnet whose bandwidth is then rented out to customers of the service who wish to disguise the source of their traffic.
“A user's device may become registered with a proxy network because the user consciously chooses to download 'proxyware' onto their device in exchange for payment or other value,” Okta explained.
“Also, a user's device can be infected with malware and enrolled in what is commonly referred to as a botnet without the user's knowledge.”
Last month, HUMAN's Satori Threat Intelligence team uncovered more than 20 malicious Android VPN apps that use embedded software development kits (SDKs) containing proxyware functionality to turn mobile devices into RESIPs.
“The sum total of this activity is that most of the credential stuffing attack traffic appears to originate from everyday users' mobile devices and browsers, rather than from the VPS provider's IP space,” Okta said.
To reduce the risk of account takeover, Okta recommends that organizations enforce strong passwords, enable two-factor authentication (2FA), deny requests originating from locations where the organization does not operate or from IP addresses with poor reputation, and add support for passkeys. The last two controls matter in combination: a per-IP rate limit alone does little against a campaign in which each residential proxy submits only one or two stolen credential pairs before the next device takes over.
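The following is an added example, not code from Okta, Cisco Talos, or the article, showing how the two deny rules above and a credential-stuffing fingerprint can be applied to sign-in events. The log format (`timestamp source_ip country username SUCCESS|FAIL`), the anonymizer network list, the operating-country set, and all sample events are constructed for the example. It also shows the caveat from the article: a per-source threshold catches a single IP spraying many usernames, but misses traffic spread over residential proxies, so a second, aggregate signal is computed.

```python
"""Credential-stuffing triage over constructed sign-in events (illustrative only)."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Assumptions for the example: one block treated as TOR exit / residential-proxy
# egress, and the countries in which the (hypothetical) organization operates.
ANONYMIZER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
OPERATING_COUNTRIES = {"US", "DE"}

# Constructed sample events. 203.0.113.7 sprays six usernames from one IP;
# 192.0.2.20-24 show the distributed pattern (each residential IP tries one pair).
SAMPLE_EVENTS = [
    "2024-04-20T10:00:00Z 203.0.113.7 US bob FAIL",
    "2024-04-20T10:00:01Z 203.0.113.7 US carol FAIL",
    "2024-04-20T10:00:02Z 203.0.113.7 US dave FAIL",
    "2024-04-20T10:00:03Z 203.0.113.7 US erin FAIL",
    "2024-04-20T10:00:04Z 203.0.113.7 US frank FAIL",
    "2024-04-20T10:00:05Z 203.0.113.7 US grace FAIL",
    "2024-04-20T10:00:10Z 192.0.2.10 US alice SUCCESS",
    "2024-04-20T10:00:11Z 192.0.2.10 US alice SUCCESS",
    "2024-04-20T10:00:20Z 198.51.100.5 US heidi FAIL",
    "2024-04-20T10:00:30Z 192.0.2.11 BR ivan SUCCESS",
    "2024-04-20T10:00:40Z 192.0.2.20 US judy FAIL",
    "2024-04-20T10:00:41Z 192.0.2.21 US kim FAIL",
    "2024-04-20T10:00:42Z 192.0.2.22 US liam FAIL",
    "2024-04-20T10:00:43Z 192.0.2.23 US mia FAIL",
    "2024-04-20T10:00:44Z 192.0.2.24 US noah FAIL",
]


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    country: str = ""


def parse_event(line: str):
    """Parse the constructed log format into (ip, country, user, success)."""
    _ts, ip, country, user, outcome = line.split()
    return ip, country, user, outcome == "SUCCESS"


def is_anonymizer(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMIZER_NETS)


def policy_decision(ip: str, country: str) -> str:
    """Pre-authentication deny rules: requests from outside the operating
    footprint or from anonymizing infrastructure never reach the password check."""
    if country not in OPERATING_COUNTRIES:
        return "deny:geo"
    if is_anonymizer(ip):
        return "deny:anonymizer"
    return "allow"


def aggregate(lines):
    """Roll events up per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ip, country, user, ok = parse_event(line)
        s = stats[ip]
        s.attempts += 1
        s.failures += 0 if ok else 1
        s.users.add(user)
        s.country = country
    return dict(stats)


def stuffing_suspects(stats, min_attempts=5, min_fail_ratio=0.8):
    """Per-source fingerprint of credential stuffing: many distinct usernames,
    about one attempt each, almost all failing. Single-account brute force
    (one user, many attempts) deliberately does not match."""
    suspects = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        fail_ratio = s.failures / s.attempts
        users_per_attempt = len(s.users) / s.attempts
        if fail_ratio >= min_fail_ratio and users_per_attempt >= 0.8:
            suspects[ip] = {"attempts": s.attempts, "distinct_users": len(s.users),
                            "fail_ratio": round(fail_ratio, 2)}
    return suspects


def campaign_signal(stats):
    """Residential proxies defeat per-IP thresholds: each device may submit one
    pair. Count sources seen exactly once that failed; a jump above the tenant's
    normal baseline (not modelled here) indicates a distributed campaign."""
    singletons = [ip for ip, s in stats.items() if s.attempts == 1 and s.failures == 1]
    return {"singleton_failed_sources": len(singletons), "total_sources": len(stats)}


def triage(lines):
    stats = aggregate(lines)
    decisions = {ip: policy_decision(ip, s.country) for ip, s in stats.items()}
    return {"decisions": decisions, "suspects": stuffing_suspects(stats),
            "campaign": campaign_signal(stats)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the sample data, only 203.0.113.7 trips the per-source rule, while the five single-attempt residential sources are invisible to it and show up only in the aggregate singleton count; in practice that count has to be compared against the tenant's normal rate of one-off failed logins rather than a fixed number.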