Okta over the weekend warned of a spike in credential stuffing attacks that use various anonymizing services, such as The Onion Router (Tor) network.
In credential stuffing attacks, usernames and passwords obtained from previous data breaches at third-parties, phishing, and other types of attacks are used to compromise valid accounts at the targeted organizations.
“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials, and scripting tools,” Okta says.
In addition to Tor, these attacks were also seen leveraging a series of residential proxies, including DataImpulse, Luminati, and NSocks.
According to Okta, the spike in credential stuffing activity could be linked to a mass brute-force campaign that Cisco warned about roughly two weeks ago.
The brute-force attacks, which also used Tor and other anonymizing services, targeted multiple VPN services, web application authentication interfaces, and SSH services with generic usernames and valid usernames for specific organizations.
Cisco observed a global increase in such attacks starting March 18, but said that the campaign did not appear to target a specific geography or industry vertical.
According to Okta, starting April 19, similar anonymizing infrastructure has been increasingly used in credential stuffing attacks, with most of the observed traffic originating from residential proxies, such as end-user mobile devices and browsers, rather than from the IP space of virtual private server (VPS) providers.
Residential proxy networks consist of legitimate devices that route traffic on behalf of paid subscribers. Some providers of such services, however, are not transparent about now they enroll devices, and may build their networks using ‘proxyware’ and even malware.
More recently, Okta points out, numerous mobile devices have been enrolled in residential proxy networks through mobile applications built using specific SDKs, without device owners’ knowledge.
To mitigate the risk of these attacks, Okta recommends blocking requests from anonymizing services, blocking requests from IPs involved in such activity, implementing good password hygiene, implementing multi-factor authentication (MFA), adopting passwordless authentication, and monitoring and responding to anomalous behavior.
Related: Cisco: Multiple VPN, SSH Services Targeted in Mass Brute-Force Attacks
Related: 340,000 Jason’s Deli Customers Potentially Impacted by Credential Stuffing Attack
Related: Sisense Data Breach Triggers CISA Alert and Urgent Calls for Credential Resets
