byShweta Sharma
Senior Writer
News
May 31, 20244 mins
Identity and Access ManagementVulnerabilities
Hackers are using credential-stuffing to attack endpoints that are used to support the cross-origin authentication feature.
Credit: Michael Vi 1488607697 | Shutterstock
A cross-origin authentication feature in Okta’s customer identity cloud (CIC) is open to credential-stuffing attacks, the identity and access management company said in a security advisory.
The company said it observed several attempts by threat actors to exploit the vulnerable endpoints and sign in to online services using previously compromised credentials.
“We observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers,” Okta said in the advisory. “We have proactively notified the customers we identified that have this feature enabled, and provided additional guidance in a customer email.”
Cross-origin authentication refers to a situation where a user’s credentials are sent to a domain that differs from the one that serves up the application the authentication request is being made for.
Suspicious log events
Okta said it observed malicious attempts starting in mid-April and has advised customers to review a few suspicious log events that include failed cross-origin authentication, successful cross-origin authentication, and pwd_leak (when someone attempts to log in with a leaked password).
“We have observed suspicious activity that started on April 15,” Okta said. “Please note that this may not be continuous for every tenant, we recommend reviewing suspicious activity from that date forward.”
In a credential-stuffing attack, adversaries try to log into online services using extensive lists of usernames and passwords, which they may have acquired from past data breaches, unrelated sources, phishing schemes, or malware campaigns, according to the company.
“Organizations are highly encouraged to strongly harden IAM against multiple tactics of abuse, especially credential stuffing, to ensure multiple layers of proactive controls to lower risk against attack from multiple threat actors eager to intrude and exploit,” said Ken Dunham, cyber threat director at Qualys Threat Research Unit. “Don’t let threat actors be your IAM auditor, move beyond complex password basics to harden your authentication of users and accounts to ensure you’re not the next breach victim in the news.”
A few of the high-profile data breaches this month include breaches that affected a Europol website, Dell Technologies, and a Zscaler “test environment.” However, the attempting credentials, as used by the threat actors, used on a vulnerable Okta feature could have come from a much older data breach.
Use password rotation, or go password-less
Okta is advising customers to go passwordless to protect against credential-stuffing attacks. “Enroll users in passwordless, phishing-resistant authentication,” the company said. “We recommend the use of passkeys as the most secure option. Passkeys are included on all Auth0 plans from our free plan through Enterprise.”
Additionally, rotating passwords regularly, avoiding weaker passwords and those listed in the common password list, and using a password with a minimum of 12 characters and no parts of the username, can be helpful too.
As short-term fixes to these attacks, Okta has recommended disabling the vulnerable endpoint within the Auth0 Management Console in case the tenant isn’t using cross-origin authentication. Restricting permitted origins is also advised if using cross-origin authentication is required.
“Organizations must scrutinize tenant logs for unusual login patterns and promptly rotate credentials while considering disabling the vulnerable feature,” said Jason Soroko, senior vice president of product at Sectigo. “The reporting on this incident does seem to mirror a more reactive, rather than proactive, cybersecurity measure. Security teams must treat this with the urgency it deserves.” The company is also pushing additional defensive features like Breached Password Detection and Credential Guard through a number of subscription plans.
Related content
- opinionReduce security risk with 3 edge-securing steps Not sure where you should start to approach risk reduction in your network? If you aren’t aware of any and all risks to your edge access, you’re not reducing risk. By Susan BradleyJul 01, 20246 minsIdentity and Access ManagementRisk Management
- newsTeamViewer targeted by APT29 hackers, containment measures in place TeamViewer says the attack targeted its corporate network, not customer data or product functionality.By gyana_swainJun 28, 20243 minsCyberattacksRemote Access Security
- featureTop 12 cloud security certifications Cloud security certifications can give your career a boost. Covering rapidly evolving technologies such as AI, market challengers such as Alibaba Cloud, and areas previously overlooked, these are your best bets.By Eric FrankJun 28, 202414 minsCertificationsIT SkillsCloud Security
- featureThe CSO guide to top security conferences Tracking postponements, cancellations, and conferences gone virtual — CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to you.By CSO StaffJun 28, 202410 minsTechnology IndustryIT SkillsEvents
- PODCASTS
- VIDEOS
- RESOURCES
- EVENTS
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
