Okta alerts customers against new credential-stuffing attacks (2024)


By Shweta Sharma, Senior Writer

News | May 31, 2024 | 4 mins

Identity and Access Management, Vulnerabilities

Hackers are using credential-stuffing to attack endpoints that are used to support the cross-origin authentication feature.


A cross-origin authentication feature in Okta’s customer identity cloud (CIC) is open to credential-stuffing attacks, the identity and access management company said in a security advisory.

The company said it observed several attempts by threat actors to exploit the vulnerable endpoints and sign in to online services using previously compromised credentials.

“We observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers,” Okta said in the advisory. “We have proactively notified the customers we identified that have this feature enabled, and provided additional guidance in a customer email.”

Cross-origin authentication refers to a situation where a user’s credentials are sent to a domain that differs from the one that serves up the application the authentication request is being made for.

Suspicious log events

Okta said it observed malicious attempts starting in mid-April and has advised customers to review a few suspicious log events that include failed cross-origin authentication, successful cross-origin authentication, and pwd_leak (when someone attempts to log in with a leaked password).

“We have observed suspicious activity that started on April 15,” Okta said. “Please note that this may not be continuous for every tenant, we recommend reviewing suspicious activity from that date forward.”
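The log review Okta describes can be scripted. The example below is added here and is not Okta's tooling: it reads tenant log lines in Auth0's JSON log format (the event type codes `fcoa`, `scoa` and `pwd_leak` and the field names `type`, `date`, `ip` and `user_name` are Auth0 log conventions; the log lines themselves are constructed for illustration), keeps only the suspicious event types from April 15 onward, and then groups cross-origin failures by source IP, since one address failing across many distinct usernames is the characteristic shape of credential stuffing.

```python
"""Triage Auth0-style tenant logs for credential-stuffing signals.

Added example, not Okta/Auth0 code. Assumptions: event type codes
'fcoa', 'scoa', 'pwd_leak' and the field names below follow the Auth0
tenant-log format; the SAMPLE_LOGS records are constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timezone
import json

# Event types Okta asked customers to review, with their meaning.
SUSPICIOUS_TYPES = {
    "fcoa": "failed cross-origin authentication",
    "scoa": "successful cross-origin authentication",
    "pwd_leak": "login attempted with a leaked password",
}

# Okta's stated start of the suspicious activity.
START = datetime(2024, 4, 15, tzinfo=timezone.utc)

# Constructed sample log lines (one JSON object per line), not real data.
SAMPLE_LOGS = [
    '{"date":"2024-04-10T09:00:00Z","type":"fcoa","ip":"203.0.113.5","user_name":"alice"}',
    '{"date":"2024-04-16T08:00:01Z","type":"fcoa","ip":"203.0.113.5","user_name":"alice"}',
    '{"date":"2024-04-16T08:00:02Z","type":"fcoa","ip":"203.0.113.5","user_name":"bob"}',
    '{"date":"2024-04-16T08:00:03Z","type":"fcoa","ip":"203.0.113.5","user_name":"carol"}',
    '{"date":"2024-04-16T08:00:04Z","type":"pwd_leak","ip":"203.0.113.5","user_name":"dave"}',
    '{"date":"2024-04-16T08:00:05Z","type":"scoa","ip":"203.0.113.5","user_name":"erin"}',
    '{"date":"2024-04-17T12:30:00Z","type":"fcoa","ip":"198.51.100.9","user_name":"frank"}',
    '{"date":"2024-04-17T12:30:05Z","type":"s","ip":"198.51.100.9","user_name":"frank"}',
]


def parse_events(lines, start=START):
    """Return the suspicious-type events at or after `start` as dicts."""
    events = []
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["date"].replace("Z", "+00:00"))
        if ts < start or rec["type"] not in SUSPICIOUS_TYPES:
            continue
        events.append({**rec, "ts": ts})
    return events


def stuffing_candidates(events, min_failures=3, min_distinct_users=3):
    """Group events by source IP and keep IPs whose cross-origin failures
    span many distinct usernames. The thresholds are illustrative; tune
    them to the tenant's normal traffic."""
    by_ip = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "successes": 0, "leaked": 0})
    for e in events:
        bucket = by_ip[e["ip"]]
        if e["type"] == "fcoa":
            bucket["failures"] += 1
            bucket["users"].add(e["user_name"])
        elif e["type"] == "scoa":
            # A success from an IP that is also spraying failures deserves
            # a credential rotation for that account.
            bucket["successes"] += 1
        elif e["type"] == "pwd_leak":
            bucket["leaked"] += 1
    return {ip: b for ip, b in by_ip.items()
            if b["failures"] >= min_failures
            and len(b["users"]) >= min_distinct_users}


if __name__ == "__main__":
    for ip, b in stuffing_candidates(parse_events(SAMPLE_LOGS)).items():
        print(f"{ip}: {b['failures']} cross-origin failures across "
              f"{len(b['users'])} users, {b['successes']} successes, "
              f"{b['leaked']} leaked-password attempts")
```

On the constructed sample the pre-April-15 record and the ordinary `s` (success) event are dropped, and only 203.0.113.5 is reported: three failures across three usernames plus one cross-origin success and one leaked-password attempt, which is exactly the pattern that should trigger credential rotation for the affected accounts and, if the tenant does not need cross-origin authentication, disabling the endpoint.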

In a credential-stuffing attack, adversaries try to log into online services using extensive lists of usernames and passwords, which they may have acquired from past data breaches, unrelated sources, phishing schemes, or malware campaigns, according to the company.

“Organizations are highly encouraged to strongly harden IAM against multiple tactics of abuse, especially credential stuffing, to ensure multiple layers of proactive controls to lower risk against attack from multiple threat actors eager to intrude and exploit,” said Ken Dunham, cyber threat director at Qualys Threat Research Unit. “Don’t let threat actors be your IAM auditor, move beyond complex password basics to harden your authentication of users and accounts to ensure you’re not the next breach victim in the news.”

A few of the high-profile data breaches this month include breaches that affected a Europol website, Dell Technologies, and a Zscaler “test environment.” However, the credentials the threat actors tried against the vulnerable Okta feature could have come from a much older data breach.

Use password rotation, or go password-less

Okta is advising customers to go passwordless to protect against credential-stuffing attacks. “Enroll users in passwordless, phishing-resistant authentication,” the company said. “We recommend the use of passkeys as the most secure option. Passkeys are included on all Auth0 plans from our free plan through Enterprise.”

Additionally, rotating passwords regularly, avoiding weak passwords and any that appear on a common-password list, and requiring passwords of at least 12 characters that contain no part of the username can help as well.
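The three password rules in the paragraph above (minimum length, not on a common-password list, no part of the username) are easy to encode as a single check. The following is an added example, not Okta's or Auth0's policy engine; the common-password list is a constructed stand-in for a real breached-password feed, and the rule that a "part of the username" means the local part of the address or any of its alphanumeric tokens of four or more characters is this example's own assumption.

```python
"""Minimal password-policy check for the rules quoted in the article.

Added example, not Okta/Auth0 code. COMMON_PASSWORDS is a constructed
stand-in for a real common/breached-password list; the definition of a
"part of the username" below is an assumption made for this example.
"""
import re

# Constructed sample of a common-password list (real lists are far longer).
COMMON_PASSWORDS = {
    "password", "password1", "password1234", "123456789012",
    "qwertyuiop12", "iloveyou1234", "welcome12345",
}


def username_fragments(username):
    """Parts of the username a password must not contain (assumption):
    the local part before '@' and each alphanumeric token of >= 4 chars."""
    local = username.lower().split("@")[0]
    tokens = {t for t in re.split(r"[^a-z0-9]+", local) if len(t) >= 4}
    return sorted(tokens | {local})


def check_password(username, password, common=COMMON_PASSWORDS, min_length=12):
    """Return a list of policy violations; an empty list means the password
    satisfies all three rules."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in common:
        problems.append("appears in the common password list")
    lowered = password.lower()
    for frag in username_fragments(username):
        if frag in lowered:
            problems.append(f"contains part of the username ({frag!r})")
            break
    return problems


if __name__ == "__main__":
    for user, pw in [("alice.smith@example.com", "correct-horse-battery-staple"),
                     ("alice.smith@example.com", "Smith2024!!!!"),
                     ("bob", "password1234"),
                     ("bob", "Short1!")]:
        result = check_password(user, pw)
        print(f"{user!r} / {pw!r}: {'OK' if not result else '; '.join(result)}")
```

Note that the common-password rule is case-insensitive and exact-match; a production check would also normalise obvious variants and consult a breached-credential feed, which is what Okta's Breached Password Detection feature mentioned later in the article is for.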

As a short-term fix, Okta has recommended disabling the vulnerable endpoint in the Auth0 Management Console if the tenant isn’t using cross-origin authentication. Where cross-origin authentication is required, restricting the permitted origins is advised instead.

“Organizations must scrutinize tenant logs for unusual login patterns and promptly rotate credentials while considering disabling the vulnerable feature,” said Jason Soroko, senior vice president of product at Sectigo. “The reporting on this incident does seem to mirror a more reactive, rather than proactive, cybersecurity measure. Security teams must treat this with the urgency it deserves.” The company is also pushing additional defensive features like Breached Password Detection and Credential Guard through a number of subscription plans.
