Okta Warns of Credential Stuffing Attacks Using Tor, Residential Proxies

Okta warned of a spike in credential stuffing attacks using anonymizing services.

Okta over the weekend warned of a spike in credential stuffing attacks that use various anonymizing services, such as The Onion Router (Tor) network.

In credential stuffing attacks, usernames and passwords obtained from previous data breaches at third parties, phishing, and other types of attacks are used to compromise valid accounts at the targeted organizations.

“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials, and scripting tools,” Okta says.

In addition to Tor, these attacks were also seen leveraging a series of residential proxies.

According to Okta, the spike in credential stuffing activity could be linked to a mass brute-force campaign that Cisco warned about roughly two weeks ago.

The brute-force attacks, which also used Tor and other anonymizing services, targeted multiple VPN services, web application authentication interfaces, and SSH services with generic usernames and valid usernames for specific organizations.

Cisco observed a global increase in such attacks starting March 18, but said that the campaign did not appear to target a specific geography or industry vertical.

According to Okta, starting April 19, similar anonymizing infrastructure has been increasingly used in credential stuffing attacks, with most of the observed traffic originating from residential proxies, such as end-user mobile devices and browsers, rather than from the IP space of virtual private server (VPS) providers.

Residential proxy networks consist of legitimate devices that route traffic on behalf of paid subscribers. Some providers of such services, however, are not transparent about how they enroll devices, and may build their networks using ‘proxyware’ and even malware.

More recently, Okta points out, numerous mobile devices have been enrolled in residential proxy networks through mobile applications built using specific SDKs, without device owners’ knowledge.

To mitigate the risk of these attacks, Okta recommends blocking requests from anonymizing services, blocking requests from IPs involved in such activity, implementing good password hygiene, implementing multi-factor authentication (MFA), adopting passwordless authentication, and monitoring and responding to anomalous behavior.
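An added example (not from Okta or SecurityWeek) of the monitoring step: because the traffic described above arrives through residential proxies, each source IP may fail only once, so a per-IP threshold stays silent while a count across all sources in a time window does not. The event tuples, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def build_sample():
    """Constructed events (time, source IP, username, outcome); not real data."""
    base = datetime(2024, 4, 19, 9, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(minutes=2 * i), "198.51.100.10", u, "SUCCESS")
              for i, u in enumerate(["alice", "bob", "carol"])]
    events.append((base + timedelta(minutes=7), "198.51.100.10", "bob", "FAILURE"))
    # Distributed stuffing: 40 accounts, one attempt each, each from a new IP.
    for i in range(40):
        outcome = "SUCCESS" if i == 17 else "FAILURE"  # one reused password works
        events.append((base + timedelta(minutes=20, seconds=5 * i),
                       f"203.0.113.{i + 1}", f"user{i}", outcome))
    return events

def per_ip_alerts(events, max_failures=5):
    """Classic per-source threshold: IPs with more than max_failures failures."""
    fails = defaultdict(int)
    for _, ip, _, outcome in events:
        fails[ip] += outcome == "FAILURE"
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def window_alerts(events, window_s=600, min_users=20, min_fail_ratio=0.8):
    """Aggregate across all sources per time window (thresholds are assumptions)."""
    buckets = defaultdict(list)
    for t, ip, user, outcome in events:
        buckets[int(t.timestamp()) // window_s].append((ip, user, outcome))
    alerts = []
    for idx in sorted(buckets):
        rows = buckets[idx]
        failed_users = {u for _, u, o in rows if o == "FAILURE"}
        ratio = sum(o == "FAILURE" for _, _, o in rows) / len(rows)
        if len(failed_users) >= min_users and ratio >= min_fail_ratio:
            start = datetime.fromtimestamp(idx * window_s, tz=timezone.utc)
            alerts.append({
                "start": start.isoformat(),
                "failed_users": len(failed_users),
                "source_ips": len({ip for ip, _, _ in rows}),
                # Logins that succeeded inside the burst are the accounts to review.
                "succeeded": sorted(u for _, u, o in rows if o == "SUCCESS"),
            })
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP alerts:", per_ip_alerts(sample))
    for alert in window_alerts(sample):
        print("window alert:", alert)
```
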

*names of potentially abused residential proxies have been removed by Okta and they have also been removed from this article.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
