icon

Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deak daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

Buffalo, New York
United States

Current Threat Data

Okta Warns of Credential Stuffing Attacks Targeting Its CORS Feature

Summary:
Identity and Access Management company Okta warns that its cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential-stuffing attacks. “Okta's Cross-Origin Resource Sharing (CORS) feature allows customers to add JavaScript to their websites and applications to send authentication calls to the Okta API hosted. For this feature to work, customers must grant access to the URLs from which cross-origin requests can originate. Okta states these URLs are targeted in credential stuffing attacks and should be disabled if they are not in use” (Bleeping Computer, 2024).

Credential stuffing attacks entail actors brute-forcing their way into online accounts using a list of usernames and passwords that are potentially acquired in previous data breaches or from phishing and malware campaigns. Okta says that a number of its customers have been the target of such attacks since April 15. While the exact number of impacted customers has not been disclosed, Okta has notified customers who have the CORS feature enabled and has provided additional guidance over email.

Analyst Comment:
Okta recommends reviewing logs for the following events for signs of potential login attempts:

  • fcoa - Failed cross-origin authentication
  • scoa - Successful cross-origin authentication
  • pwd_leak - Someone attempted to login with a leaked password

According to Okta, If your tenant does not use cross-origin authentication, but ‘scoa’ or ‘fcoa’ events are present in event logs, then it is likely that your tenant has been targeted in a credential stuffing attack. If cross-origin authentication is used then customers have been advised to look for abnormal spikes in 'fcoa' and 'scoa' events.

Suggested Corrections:
In addition to checking logs, Okta recommends:

  • Rotating compromised user credentials immediately (instructions available here)
  • Implementing passwordless, phishing-resistant authentication, with passkeys being the recommended option.
  • Enforcing strong password policies and implementing multi-factor authentication (MFA).
  • Disabling cross-origin authentication if not used.
  • Removing permitted cross-origin devices that are not in use.
  • Restricting permitted origins for cross-origin authentication if necessary.
  • Enabling breached password detection or Credential Guard, depending on the plan.

Link(s):
https://www.bleepingcomputer.com/ne...-stuffing-attacks-targeting-its-cors-feature/
https://sec.okta.com/articles/2024/...in-authentication-credential-stuffing-attacks

Contact Us for Threat Assistance
Back to Current Threats