

    Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

    Identity and access management (IAM) provider Okta has warned of a notable increase in both the “frequency and magnitude” of credential stuffing attacks against online services.

    These unprecedented attacks, observed over the past month, are said to be driven by “the widespread availability of residential proxy services, compilations of previously pilfered credentials (‘combo lists’), and scripting utilities,” according to an advisory the company published last Saturday.

    The disclosure follows a recent advisory from Cisco about a worldwide rise in brute-force attacks against a range of devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, beginning no later than March 18, 2024.

    Talos observed at the time, “These assaults all seem to originate from TOR exit nodes and a spectrum of other anonymizing passages and proxies,” adding that the targets included VPN appliances from Cisco, Check Point, Fortinet, and SonicWall, along with routers from Draytek, MikroTik, and Ubiquiti.

    Okta said its Identity Threat Research team detected a rise in credential stuffing activity against user accounts between April 19 and April 26, 2024, presumably from similar infrastructure.

    Credential stuffing is a type of attack in which credentials obtained from a data breach at one service are used to attempt to sign in to another, unrelated service.

    Such credentials may also be obtained through phishing attacks that redirect victims to credential harvesting pages, or through malware campaigns that install information stealers on compromised systems.

    “All recent assaults we’ve observed share a common feature: they hinge on requests being routed through anonymizing services such as TOR,” Okta said.

    “Millions of the requests were also channeled through an array of residential proxies including NSOCKS, Luminati, and DataImpulse.”

    Residential proxies (RESIPs) are networks of legitimate user devices that are used to route traffic on behalf of paying subscribers, without the device owners’ knowledge or consent, giving threat actors a way to obscure their malicious traffic.

    This is typically done by installing proxyware tools on computers, mobile phones, or routers, enlisting them into a botnet that is then rented out to the service’s customers, who want to hide the origin of their traffic.

    “On occasion, a user device is integrated into a proxy network as the user consciously opts to download ‘proxyware’ onto their device in exchange for remuneration or another form of recompense,” Okta explained.

    “Alternatively, a user device may be infected with malware unbeknownst to the user, thereby becoming integrated into what we would commonly characterize as a botnet.”

    Last month, HUMAN’s Satori Threat Intelligence team uncovered more than two dozen malicious Android VPN apps that turn mobile devices into RESIPs through an embedded software development kit (SDK) containing proxyware functionality.

    “The cumulative result of this activity is that a majority of the traffic in these credential stuffing assaults seems to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers,” Okta said.

    To reduce the risk of account takeovers, the company recommends that organizations require users to adopt strong passwords, enable two-factor authentication (2FA), reject requests from locations where the organization has no presence, scrutinize IP addresses with poor reputations, and add support for passkeys.
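The detection side of those recommendations can be illustrated with a small log analysis. The script below is an added example, not Okta’s or Cisco’s code: it reads constructed authentication log lines, aggregates them per source IP, and flags sources that show the credential stuffing signature described above (one source trying many different usernames with a high failure rate), that appear on an IP reputation list (a constructed stand-in for a TOR exit or residential proxy feed), or that come from a country where the hypothetical organization has no users. It then lists accounts that had a successful login from a flagged source, which are the ones to review and force through 2FA or a password reset.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not code from Okta or Cisco. The log format, the IP
reputation list and the allowed-country set are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log; fields: timestamp,src_ip,country,username,result
SAMPLE_LOG = """\
2024-04-20T10:00:01Z,203.0.113.7,DE,alice,FAIL
2024-04-20T10:00:02Z,203.0.113.7,DE,bob,FAIL
2024-04-20T10:00:03Z,203.0.113.7,DE,carol,FAIL
2024-04-20T10:00:04Z,203.0.113.7,DE,dave,FAIL
2024-04-20T10:00:05Z,203.0.113.7,DE,erin,FAIL
2024-04-20T10:00:06Z,203.0.113.7,DE,frank,SUCCESS
2024-04-20T10:01:00Z,198.51.100.9,US,alice,FAIL
2024-04-20T10:01:30Z,198.51.100.9,US,alice,FAIL
2024-04-20T10:02:00Z,192.0.2.10,US,alice,FAIL
2024-04-20T10:02:10Z,192.0.2.10,US,alice,SUCCESS
2024-04-20T10:03:00Z,192.0.2.11,FR,bob,SUCCESS
"""

# Constructed stand-in for a TOR-exit / residential-proxy reputation feed.
SUSPECT_IPS = {"203.0.113.7", "198.51.100.9"}
# Countries where this hypothetical organization actually has users.
ALLOWED_COUNTRIES = {"US", "CA"}


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def parse_log(text):
    """Turn the CSV-style log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, user, result = line.split(",")
        records.append({"ts": ts, "ip": ip, "country": country,
                        "user": user, "result": result})
    return records


def aggregate(records):
    """Per-source-IP counters: attempts, failures, distinct users, countries."""
    stats = defaultdict(SourceStats)
    for r in records:
        s = stats[r["ip"]]
        s.attempts += 1
        if r["result"] != "SUCCESS":
            s.failures += 1
        s.usernames.add(r["user"])
        s.countries.add(r["country"])
    return dict(stats)


def classify(stats, min_users=5, min_fail_ratio=0.8):
    """Return {ip: [reasons]} for sources that look like stuffing traffic."""
    findings = {}
    for ip, s in stats.items():
        reasons = []
        # Stuffing signature: one source, many usernames, mostly failures.
        if len(s.usernames) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            reasons.append("many-users-high-failure")
        if ip in SUSPECT_IPS:
            reasons.append("suspect-reputation")
        if not s.countries <= ALLOWED_COUNTRIES:
            reasons.append("unexpected-geo")
        if reasons:
            findings[ip] = reasons
    return findings


def accounts_to_review(records, findings):
    """Usernames that logged in successfully from a flagged source."""
    return {r["user"] for r in records
            if r["ip"] in findings and r["result"] == "SUCCESS"}


def analyse(text=SAMPLE_LOG):
    records = parse_log(text)
    findings = classify(aggregate(records))
    return findings, accounts_to_review(records, findings)


if __name__ == "__main__":
    findings, accounts = analyse()
    for ip, reasons in findings.items():
        print(f"{ip}: {', '.join(reasons)}")
    print("accounts needing review:", sorted(accounts))
```

The thresholds (`min_users`, `min_fail_ratio`) are deliberately simple; in practice they would be tuned per application and evaluated over a sliding time window, and the reputation set would be fed from a live TOR exit and proxy list rather than a constant. The point of the geo check is that a source country outside the organization's footprint is a reason to challenge or deny a request even when the credentials are correct.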
