Okta Issues Alert on Rising Credential Stuffing Attacks Via Residential Proxies

An advisory from Okta alerts customers to a rise in credential stuffing attacks, with attackers increasingly using residential proxies to obscure their activities. According to the advisory, "From April 19, 2024, through to April 26, 2024, Okta’s Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure." This observation is supported by findings from Duo Security and Cisco Talos, which identified a pronounced increase in such attacks from March 18 to April 26, 2024, including "large-scale brute force attacks on multiple models of VPN devices." The attackers employ residential proxies—networks of legitimate user devices—to disguise their internet traffic. This technique not only anonymizes the source of the attacks but also misuses the trust typically associated with IP addresses from residential ISPs.

Okta references various defensive measures on its platform to defend against such attacks. Notably, an Early Access feature the Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) introduced in February 2024 preemptively blocks requests from recognized anonymizing services before they reach the authentication stage. Okta also encourages users to switch to the Okta Identity Engine, which includes enhanced security features like CAPTCHA challenges and options for passwordless authentication. Moreover, Okta encourages the adoption of passwordless authentication methods, such as biometrics or security keys, and the enforcement of strict password policies requiring a minimum of 12 characters without parts of the user’s username.

Additionally, Okta stresses the importance of multi-factor authentication (MFA) for all sign-ins to add an extra layer of security, essential for blocking unauthorized access even if credentials are compromised. It also recommends implementing geographic restrictions to deny authentication requests from areas outside operational zones, utilizing network zones or web application firewalls with country-based controls. To combat IPs with poor reputations, particularly those linked to anonymizing services, continuous monitoring for unusual sign-in behaviors and enforcing account lockout protocols are crucial. These strategies enhance security systems’ proactive and responsive capabilities against brute-force attacks and credential stuffing.