On 28 May 2024, Okta disclosed that the cross-origin authentication feature in Customer Identity Cloud (CIC) is being targeted by credential-stuffing attacks. These attacks involve threat actors using large lists of stolen usernames and passwords to gain unauthorised access to online services. Suspicious activity has been observed starting from 15 April prompting Okta to notify affected customers and provide guidance to mitigate the issue.
Okta presents an appealing target for threat actors due to the extensive access they could attain upon compromise, combined with its widespread use in enterprise environments worldwide. Additionally, in this activity observed, threat actors can execute high-volume credential-stuffing attacks easily due to its simplicity. In 2023, MGM Resorts International suffered a $100 million loss in a ransomware attack orchestrated by the ALPHV/BlackCat group, who infiltrated their Okta Agent Servers.
Recommendation
Implement Okta Provided Recommendations
Arctic Wolf strongly recommends following the recommendations provided by Okta to mitigate this malicious activity.
Immediate Actions:
- Rotate user credentials if compromised.
- For tenants not using cross-origin authentication, this endpoint can be disabled in the Auth0 Management Console.
Additional Mitigations:
- Restrict permitted origins for necessary cross-origin authentication.
- Enable breached password detection or Credential Guard.
- Enforce strong password policies, requiring a minimum of 12 characters and blocking common passwords.
- Implement multi-factor authentication (MFA).
- Transition to passwordless, phishing-resistant authentication using passkeys.
References
