Okta Warns of Large-Scale Credential Theft via TOR, Proxies, and VPNs

Okta Issues Warning on Surge in Credential Stuffing Attacks

Okta has issued a warning about a sharp increase in the number and scale of credential stuffing attacks targeting online services. According to Okta, these attacks have become more prevalent due to the widespread use of residential proxy services, lists of previously stolen credentials, and scripting tools.

These findings are supported by a recent alert from Cisco, which highlights a global rise in brute-force attacks on various devices, including VPN services, web application authentication interfaces, and SSH services. Cisco reports that the sources of these attacks are exit nodes from the TOR network and other anonymizing tunnels and proxies.

The main targets of these attacks include VPN devices from Cisco, Check Point, Fortinet, and SonicWall, as well as routers from Draytek, MikroTik, and Ubiquiti.

How the Attacks Work

Okta’s research team observed an increase in credential stuffing activity between April 19 and April 26, 2024, likely using similar infrastructure. These types of attacks use credentials obtained from data breaches on one service to attempt logins on other, unrelated services.

Okta notes that most of the recent attack requests were routed through TOR and various residential proxies, including NSOCKS, Luminati, and DataImpulse. Residential proxies (RESIP) route traffic through networks of legitimate users’ devices, without those users’ consent, to disguise malicious traffic, effectively turning the devices into part of a botnet that is then rented out to clients for anonymizing outgoing traffic.

Okta’s Recommendations for Organizations

  • Ensure the use of strong, complex passwords.
  • Enable two-factor authentication (2FA) wherever possible.
  • Block login attempts from geographic regions unrelated to your organization’s operations.
  • Reject requests from IP addresses with a poor reputation.
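The attack pattern described above (one source trying many different stolen credentials, most of which fail) and two of the listed recommendations (rejecting poor-reputation IPs and out-of-region geographies) can be turned into concrete checks. The following is an added example, not code from Okta, Cisco, or this article; the log format, IP addresses, usernames, reputation list, and country mapping are all constructed for illustration, and a real deployment would read them from the identity provider's logs, a threat-intelligence feed, and a GeoIP database.

```python
"""Credential-stuffing detection and pre-auth gating over constructed logs.

Added example (not Okta's or Cisco's code). It flags source IPs that try
many distinct usernames with a high failure ratio, which is the signature
of credential stuffing as opposed to one user mistyping a password, and
applies two recommended controls before authentication: rejecting IPs on
a poor-reputation list and countries outside the organization's regions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-04-20T10:00:01Z 203.0.113.10 alice FAIL
2024-04-20T10:00:02Z 203.0.113.10 bob FAIL
2024-04-20T10:00:02Z 203.0.113.10 carol FAIL
2024-04-20T10:00:03Z 203.0.113.10 dave SUCCESS
2024-04-20T10:00:04Z 203.0.113.10 erin FAIL
2024-04-20T10:00:05Z 203.0.113.10 frank FAIL
2024-04-20T10:01:00Z 198.51.100.7 alice FAIL
2024-04-20T10:01:20Z 198.51.100.7 alice SUCCESS
2024-04-20T10:02:00Z 192.0.2.44 grace SUCCESS
"""


@dataclass
class SourceStats:
    users: set = field(default_factory=set)
    attempts: int = 0
    failures: int = 0


def parse_log(text):
    """Yield (ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, outcome = parts
        yield ip, user, outcome == "SUCCESS"


def detect_stuffing(text, min_users=5, min_fail_ratio=0.8):
    """Return IPs whose activity matches credential stuffing: many distinct
    usernames from one source, most attempts failing. A single user retrying
    their own password never crosses the distinct-user threshold."""
    stats = defaultdict(SourceStats)
    for ip, user, success in parse_log(text):
        s = stats[ip]
        s.users.add(user)
        s.attempts += 1
        if not success:
            s.failures += 1
    return sorted(
        ip for ip, s in stats.items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio
    )


# Constructed reputation list and geolocation table (assumptions for the
# example; a real deployment pulls these from a threat-intel feed and GeoIP).
BAD_REPUTATION = {"203.0.113.10"}
GEO = {"203.0.113.10": "XX", "198.51.100.7": "DE", "192.0.2.44": "US"}
ALLOWED_COUNTRIES = {"US", "DE"}


def login_policy(ip):
    """Pre-authentication gate: reputation check first, then geography.
    Unknown geolocation is treated as outside the allowed regions."""
    if ip in BAD_REPUTATION:
        return "reject: poor IP reputation"
    if GEO.get(ip, "??") not in ALLOWED_COUNTRIES:
        return "reject: geography outside operating regions"
    return "allow"


if __name__ == "__main__":
    print("stuffing sources:", detect_stuffing(SAMPLE_LOG))
    for src in GEO:
        print(src, "->", login_policy(src))
```

The distinct-username threshold is what separates stuffing from ordinary failed logins: a legitimate user who forgets a password generates many failures for one account, while a stuffing run generates a few failures each across many accounts. When traffic arrives through residential proxies, a single source IP may carry only a handful of attempts, so in practice the same statistics are also worth computing per ASN or per proxy-provider range rather than per address alone.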
