A cross-origin authentication feature in Okta's Customer Identity Cloud (CIC), its Auth0-based customer identity product, is being targeted by credential-stuffing attacks, the identity and access management company said in a security advisory.
The company said it observed several attempts by threat actors to exploit the vulnerable endpoints and sign in to online services using previously compromised credentials.
“We observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers,” Okta said in the advisory. “We have proactively notified the customers we identified that have this feature enabled, and provided additional guidance in a customer email.”
Cross-origin authentication refers to a login flow in which a user's credentials are sent to a domain other than the one serving the application: an embedded login form hosted on the application's own origin posts the username and password directly to the tenant's authentication domain instead of redirecting the user to a hosted login page. Because the endpoint that receives those posts accepts a username and password directly, it is exactly the kind of endpoint that credential-stuffing tooling can drive at scale.
Suspicious log events
Okta said it observed malicious attempts starting in mid-April and has advised customers to review three tenant log event types: failed cross-origin authentication (event code fcoa), successful cross-origin authentication (scoa), and pwd_leak, which is logged when someone attempts to log in with a password known to have been leaked. A successful cross-origin authentication from a source that has just generated a burst of failures across many usernames is the event that matters most, since it marks an account the attacker's list actually matched.
“We have observed suspicious activity that started on April 15,” Okta said. “Please note that this may not be continuous for every tenant, we recommend reviewing suspicious activity from that date forward.”
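The triage described above, as an added example that is not Okta's code or part of the original advisory: it reads newline-delimited tenant log events, ignores anything before April 15, groups cross-origin events by source IP, flags sources whose failures spread across many distinct usernames (the credential-stuffing signature, as opposed to one user mistyping a password), and lists the accounts that need rotation. The field names (type, date, ip, user_name, client_id) are modelled on Auth0's log event schema, the sample log lines are constructed, and the thresholds are illustrative.

```python
"""Triage CIC/Auth0 tenant logs for the cross-origin credential-stuffing
pattern: bursts of failed cross-origin authentication (fcoa) across many
usernames from one IP, any successful cross-origin authentication (scoa)
from such a source, and pwd_leak events.

Assumptions: event codes fcoa/scoa/pwd_leak and the field names follow the
Auth0 log event schema; the sample lines below are constructed, not real data.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Start of the window Okta asked customers to review.
REVIEW_FROM = datetime(2024, 4, 15, tzinfo=timezone.utc)

# Example thresholds; tune to the tenant's normal traffic.
MIN_FAILURES = 5        # fcoa events from one IP inside the window
MIN_DISTINCT_USERS = 3  # stuffing lists hit many accounts, not one

# Constructed sample of newline-delimited JSON log events (not real tenant data).
SAMPLE_LOGS = """
{"date":"2024-04-14T23:10:00.000Z","type":"fcoa","ip":"203.0.113.9","user_name":"a@example.com","client_id":"app1"}
{"date":"2024-04-16T01:00:01.000Z","type":"fcoa","ip":"203.0.113.9","user_name":"a@example.com","client_id":"app1"}
{"date":"2024-04-16T01:00:02.000Z","type":"fcoa","ip":"203.0.113.9","user_name":"b@example.com","client_id":"app1"}
{"date":"2024-04-16T01:00:03.000Z","type":"fcoa","ip":"203.0.113.9","user_name":"c@example.com","client_id":"app1"}
{"date":"2024-04-16T01:00:04.000Z","type":"fcoa","ip":"203.0.113.9","user_name":"d@example.com","client_id":"app1"}
{"date":"2024-04-16T01:00:05.000Z","type":"pwd_leak","ip":"203.0.113.9","user_name":"e@example.com","client_id":"app1"}
{"date":"2024-04-16T01:00:06.000Z","type":"fcoa","ip":"203.0.113.9","user_name":"e@example.com","client_id":"app1"}
{"date":"2024-04-16T01:00:07.000Z","type":"scoa","ip":"203.0.113.9","user_name":"f@example.com","client_id":"app1"}
{"date":"2024-04-16T09:00:00.000Z","type":"fcoa","ip":"198.51.100.7","user_name":"g@example.com","client_id":"app1"}
{"date":"2024-04-16T09:00:30.000Z","type":"fcoa","ip":"198.51.100.7","user_name":"g@example.com","client_id":"app1"}
{"date":"2024-04-16T09:01:00.000Z","type":"scoa","ip":"198.51.100.7","user_name":"g@example.com","client_id":"app1"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, attaching a tz-aware datetime as 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["date"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def triage(events, review_from=REVIEW_FROM,
           min_failures=MIN_FAILURES, min_distinct_users=MIN_DISTINCT_USERS):
    """Summarise cross-origin auth activity per source IP and flag stuffing sources."""
    per_ip = defaultdict(lambda: {"failures": 0, "users_failed": set(),
                                  "successes": [], "pwd_leak": 0, "leaked_users": set()})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ts"] < review_from:          # outside the advisory's review window
            continue
        s = per_ip[ev["ip"]]
        if ev["type"] == "fcoa":
            s["failures"] += 1
            s["users_failed"].add(ev["user_name"])
        elif ev["type"] == "scoa":
            s["successes"].append(ev["user_name"])
        elif ev["type"] == "pwd_leak":
            s["pwd_leak"] += 1
            s["leaked_users"].add(ev["user_name"])
    report = {}
    for ip, s in per_ip.items():
        # Many failures AND many distinct targets = list-driven stuffing,
        # not a single user fumbling their password.
        suspicious = (s["failures"] >= min_failures
                      and len(s["users_failed"]) >= min_distinct_users)
        report[ip] = {"failures": s["failures"],
                      "distinct_users": len(s["users_failed"]),
                      "successes": s["successes"],
                      "pwd_leak": s["pwd_leak"],
                      "leaked_users": sorted(s["leaked_users"]),
                      "suspicious": suspicious}
    return report


def accounts_to_review(report):
    """Accounts needing credential rotation and session revocation: anyone who
    logged in successfully from a flagged IP, plus anyone whose password was
    seen in a breach list (pwd_leak), whichever IP that came from."""
    accounts = set()
    for s in report.values():
        if s["suspicious"]:
            accounts.update(s["successes"])
        accounts.update(s["leaked_users"])
    return sorted(accounts)


if __name__ == "__main__":
    rep = triage(parse_events(SAMPLE_LOGS))
    for ip, s in rep.items():
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{ip:15} fcoa={s['failures']} users={s['distinct_users']} "
              f"scoa={len(s['successes'])} pwd_leak={s['pwd_leak']} {flag}")
    print("review accounts:", accounts_to_review(rep))
```

On the constructed sample the first source is flagged (five failures against five different accounts, then one success), while the second source, two failures and a success for the same single user, is treated as an ordinary login. Run against a real export, the per-IP grouping should be supplemented by grouping on user agent or ASN, since stuffing tools rotate through proxy pools and a fixed IP threshold alone will miss a distributed run.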
In a credential-stuffing attack, adversaries try to log into online services using extensive lists of usernames and passwords, which they may have acquired from past data breaches, unrelated sources, phishing schemes, or malware campaigns, according to the company.
“Organizations are highly encouraged to strongly harden IAM against multiple tactics of abuse, especially credential stuffing, to ensure multiple layers of proactive controls to lower risk against attack from multiple threat actors eager to intrude and exploit,” said Ken Dunham, cyber threat director at Qualys Threat Research Unit. “Don’t let threat actors be your IAM auditor, move beyond complex password basics to harden your authentication of users and accounts to ensure you’re not the next breach victim in the news.”
High-profile data breaches this month include ones affecting a Europol website, Dell Technologies, and a Zscaler "test environment." However, the credentials the threat actors tried against the Okta feature could equally have come from a much older breach: credential-stuffing lists are aggregated over years and reused wherever passwords are shared across services.
Use password rotation, or go password-less
Okta is advising customers to go passwordless to protect against credential-stuffing attacks. “Enroll users in passwordless, phishing-resistant authentication,” the company said. “We recommend the use of passkeys as the most secure option. Passkeys are included on all Auth0 plans from our free plan through Enterprise.”
Where passwords remain in use, Okta's guidance is to rotate them, reject weak passwords and anything on the common-password list, and require a minimum of 12 characters containing no part of the username. Against credential stuffing specifically, the denylist and breached-password checks do more than rotation on its own, since the attack reuses passwords that are already public; rotation matters most for accounts that appear in a pwd_leak event or in the suspicious cross-origin log activity.
As a short-term fix, Okta has recommended disabling cross-origin authentication in the Auth0 Management Console for any tenant or application that does not use the feature, which takes the attacked endpoint out of play. Where cross-origin authentication is required, Okta advises restricting the allowed origins to the exact origins that host the login form rather than leaving them broad.
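An audit of application settings against those two recommendations, as an added example that is not Okta's or Auth0's code and not part of the advisory: it walks a list of application (client) records, flags applications that have cross-origin authentication enabled without using an embedded login form, flags allowed-origin entries that are wildcards, non-https, or not bare origins, and builds the settings change that would fix each. The record layout (fields cross_origin_auth, allowed_origins, app_type) is modelled on the client object the Auth0 Management API returns and should be checked against your tenant's actual responses; the records and the set of apps that legitimately use embedded login are constructed for this example.

```python
"""Audit application (client) settings for the advisory's two short-term
mitigations: turn cross-origin authentication off where the app does not
use it, and tighten Allowed Origins where it does.

Assumptions: field names cross_origin_auth / allowed_origins / app_type follow
the Auth0 Management API client object (verify against your tenant); the
sample records and USES_EMBEDDED_LOGIN below are constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed sample, shaped like a list of client records (not real tenant data).
SAMPLE_CLIENTS = [
    {"client_id": "app1", "name": "marketing-site", "app_type": "spa",
     "cross_origin_auth": True, "allowed_origins": ["*"]},
    {"client_id": "app2", "name": "customer-portal", "app_type": "spa",
     "cross_origin_auth": True,
     "allowed_origins": ["https://portal.example.com", "http://portal-dev.example.com"]},
    {"client_id": "app3", "name": "legacy-web", "app_type": "regular_web",
     "cross_origin_auth": True, "allowed_origins": []},
    {"client_id": "app4", "name": "mobile", "app_type": "native",
     "cross_origin_auth": False, "allowed_origins": []},
]

# Apps that genuinely host an embedded login form (assumed for the example);
# everything else should redirect to the hosted login page and have the feature off.
USES_EMBEDDED_LOGIN = {"app2"}


def origin_problems(origin):
    """Return the reasons a CORS origin entry is too permissive, or [] if it is fine."""
    problems = []
    if origin == "*" or origin.startswith("*"):
        problems.append("wildcard origin")
        return problems
    parts = urlsplit(origin)
    if parts.scheme != "https":
        problems.append("non-https scheme")          # credentials over plain http
    if not parts.netloc:
        problems.append("not an origin (missing host)")
    if "*" in parts.netloc:
        problems.append("wildcard host")             # any subdomain could post credentials
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("origin must be scheme://host[:port] only")
    return problems


def audit_clients(clients, uses_embedded_login=USES_EMBEDDED_LOGIN):
    """Map each client_id to a list of findings; an empty list means nothing to change."""
    findings = {}
    for c in clients:
        issues = []
        if c.get("cross_origin_auth"):
            if c["client_id"] not in uses_embedded_login:
                issues.append("cross-origin auth enabled but app does not use embedded login: disable it")
            for origin in c.get("allowed_origins", []):
                for problem in origin_problems(origin):
                    issues.append(f"allowed origin {origin!r}: {problem}")
        findings[c["client_id"]] = issues
    return findings


def proposed_patch(client, uses_embedded_login=USES_EMBEDDED_LOGIN):
    """Settings change that resolves the findings for one client: disable the
    feature for apps that don't need it, otherwise keep only well-formed https
    origins. Shaped like a client update body; apply it through whatever
    management path your tenant uses."""
    if client["client_id"] not in uses_embedded_login:
        return {"cross_origin_auth": False}
    kept = [o for o in client.get("allowed_origins", []) if not origin_problems(o)]
    return {"cross_origin_auth": True, "allowed_origins": kept}


if __name__ == "__main__":
    for client_id, issues in audit_clients(SAMPLE_CLIENTS).items():
        print(client_id, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
    for c in SAMPLE_CLIENTS[:2]:
        print(c["client_id"], "->", proposed_patch(c))
```

The audit errs on the side of disabling: an application is only allowed to keep cross-origin authentication if it is explicitly listed as using an embedded form, which is the safer default for a tenant responding to an active attack. Disabling the feature on an app that does use an embedded form will break its login, so that list should be confirmed with application owners before the patch is applied.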
“Organizations must scrutinize tenant logs for unusual login patterns and promptly rotate credentials while considering disabling the vulnerable feature,” said Jason Soroko, senior vice president of product at Sectigo. “The reporting on this incident does seem to mirror a more reactive, rather than proactive, cybersecurity measure. Security teams must treat this with the urgency it deserves.” Okta is also pointing customers to additional defensive features, such as Breached Password Detection and Credential Guard, which are offered on a number of subscription plans.