Okta Warns of Credential Stuffing Attacks Targeting Its CORS Feature

Summary:
Identity and Access Management company Okta warns that its cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential-stuffing attacks. “Okta's Cross-Origin Resource Sharing (CORS) feature allows customers to add JavaScript to their websites and applications to send authentication calls to the Okta API hosted. For this feature to work, customers must grant access to the URLs from which cross-origin requests can originate. Okta states these URLs are targeted in credential stuffing attacks and should be disabled if they are not in use” (Bleeping Computer, 2024).

Credential stuffing attacks entail actors brute-forcing their way into online accounts using a list of usernames and passwords that are potentially acquired in previous data breaches or from phishing and malware campaigns. Okta says that a number of its customers have been the target of such attacks since April 15. While the exact number of impacted customers has not been disclosed, Okta has notified customers who have the CORS feature enabled and has provided additional guidance over email.

Analyst Comment:
Okta recommends reviewing logs for the following events for signs of potential login attempts:

  • fcoa - Failed cross-origin authentication
  • scoa - Successful cross-origin authentication
  • pwd_leak - Someone attempted to login with a leaked password

According to Okta, If your tenant does not use cross-origin authentication, but ‘scoa’ or ‘fcoa’ events are present in event logs, then it is likely that your tenant has been targeted in a credential stuffing attack. If cross-origin authentication is used then customers have been advised to look for abnormal spikes in 'fcoa' and 'scoa' events.

Suggested Corrections:
In addition to checking logs, Okta recommends:

  • Rotating compromised user credentials immediately (instructions available here)
  • Implementing passwordless, phishing-resistant authentication, with passkeys being the recommended option.
  • Enforcing strong password policies and implementing multi-factor authentication (MFA).
  • Disabling cross-origin authentication if not used.
  • Removing permitted cross-origin devices that are not in use.
  • Restricting permitted origins for cross-origin authentication if necessary.
  • Enabling breached password detection or Credential Guard, depending on the plan.

Link(s):
https://www.bleepingcomputer.com/ne...-stuffing-attacks-targeting-its-cors-feature/
https://sec.okta.com/articles/2024/...in-authentication-credential-stuffing-attacks

Contact Us for Threat Assistance Back to Current Threats

Just Starting?



Contact LACyber for More Info



Current Active Cyber Threats