Surge in Credential Stuffing Attacks Raises Alarm for Online Services
In a recent advisory, Okta, a prominent identity and access management (IAM) service provider, has reported a significant increase in the frequency and scale of credential stuffing attacks targeting online services. These aggressive attempts are reportedly leveraging easily accessible residential proxy services, alongside lists of previously stolen credentials known as "combo lists," and various scripting tools. The sharp rise in such attacks has been recorded over the past month, as highlighted in Okta’s alert published on Saturday.
This troubling trend reflects a pattern already noted by Cisco in a prior warning, which indicated a global escalation in brute-force attacks aimed at an array of devices and services, including Virtual Private Networks (VPNs), web application authentication interfaces, and SSH services since at least mid-March 2024. Cisco’s cybersecurity unit, Talos, pointed out that many of these attacks appear to originate from TOR exit nodes and other anonymizing mechanisms, targeting well-known VPN appliances from Cisco, Check Point, and Fortinet, among others.
Okta’s Identity Threat Research team detected heightened credential stuffing activity against user accounts specifically between April 19 and April 26, 2024, indicating that these attacks are likely arising from similar infrastructure as those previously identified by Cisco. Credential stuffing allows attackers to exploit user credentials obtained from breaches in one service to gain unauthorized access to unrelated services, creating a cascading effect that endangers a multitude of accounts.
These compromised credentials may also be harvested through phishing schemes that redirect victims to malicious credential harvesting pages or through malware designed to extract sensitive information from infected systems. A commonality shared across the recent attacks is their reliance on anonymizing services such as TOR, which helps attackers obscure their identity and facilitate malicious activities under the radar.
Okta details the mechanics of these attacks, noting that millions of requests have been funneled through numerous residential proxies—specifically NSOCKS and DataImpulse. Residential proxies, or RESIPs, consist of networks of legitimate user devices that unwittingly route traffic for paying subscribers, thus masking the true source of the malicious activities. This systematic exploitation frequently occurs when individuals install proxyware tools—either knowingly to receive compensation or inadvertently through malware infections—effectively enrolling their devices into a botnet.
In an alarming revelation last month, the Satori Threat Intelligence team from HUMAN disclosed the existence of numerous malicious Android VPN applications that covertly convert devices into RESIPs through an integrated software development kit (SDK) that includes proxyware functionalities. Consequently, the surge in credential stuffing activities appears predominantly to stem from the mobile devices and web browsers of uninformed users rather than traditional hosting providers.
As these attacks intensify, Okta urges organizations to bolster their defenses against potential account takeovers. Recommendations include enforcing robust password policies, implementing two-factor authentication (2FA), denying access requests from unfamiliar locations and poorly rated IP addresses, and incorporating passkey support to enhance overall security.
In conclusion, these findings serve as a vital reminder of the evolving threat landscape regarding credential stuffing attacks, which could invoke specific MITRE ATT&CK tactics such as initial access, credential dumping, and exploitation of public-facing applications. As organizations navigate these cybersecurity challenges, maintaining vigilance and adapting security measures will be essential in safeguarding against such pervasive threats.
