Déjà Vu or New View: Latest Okta Credential Stuffing Campaign

Summary

On April 26, 2024, Okta reported observing a large-scale credential stuffing attack that shares infrastructure with a campaign previously reported by Cisco Talos. The campaign Cisco observed started on March 18 and continued until April 16, 2024, mostly targeting VPN devices. On April 19, Okta observed the same infrastructure shift to password spraying against Okta customers, with the majority of the attempts coming from ASNs typically associated with residential proxies and Tor.

P0 Perspective 

Across Permiso telemetry, the earliest we see evidence of this campaign starting was on April 9, 2024, and the most recent attempt was on April 26, 2024.

This campaign is not very different from previous campaigns we have reported on, and like most password spraying campaigns it had very little success. The indicators below can be checked against your own environment.

All Permiso clients affected by this campaign have already been notified.

To determine whether this campaign succeeded against your organization, Permiso recommends reviewing all user.session.start events in the Okta System Log that match the indicators listed below. A FAILURE outcome from one of these sources shows that the account was sprayed; an outcome.result of SUCCESS means the threat actor authenticated to the environment, and that account and its session should be investigated. Two caveats when matching: the user agent is a stock Firefox 102 on Windows 10 string that also appears in legitimate traffic, so pair it with a source IP or AS organization rather than alerting on it alone; and several of the AS organizations below (for example GOOGLE-CLOUD-PLATFORM, MIT-PUBWIFI and the Orange networks) carry large volumes of legitimate traffic, so treat an ASN-only match as lower confidence than an IP match.

# Indicators

## User Agent
Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0

## AS Orgs
F3 Netze e.V.
Aeza International Ltd
MICROTRONIX-ESOLUTIONS
QUINTEX
NL-811-40021
1984 ehf
Orange Romania Communication S.A
Bahnhof AB
Scaleway S.a.s.
1337 Services GmbH
Orange Polska Spolka Akcyjna
OVH SAS
HVC-AS
TerraHost AS
TAMPA-COLO-ASN-PRIMARY
Kanade
Virtual Systems LLC
Contabo GmbH
Verdina Ltd.
PONYNET
Pfcloud UG
SNAJU
UAB Host Baltic
IncogNET LLC
ASN-CXA-ALL-CCI-22773-RDC
The Infrastructure Group B.V.
SURF B.V.
GOOGLE-CLOUD-PLATFORM
BrainStorm Network, Inc
Stiftung Erneuerbare Freiheit
MULTA-ASN1
ZEN-ECN
Nextly SASU
SOLLUTIUM EU Sp z.o.o.
ColocationX Ltd.
PT Cloud Hosting Indonesia
netcup GmbH
MilkyWan Association
FlokiNET ehf
MIT-PUBWIFI
CALYX-AS
Enjoyvc Cloud Group Limited.

## IP Addresses
185.220.100.241
185.220.100.240
185.220.100.243
185.220.100.242
23.155.24.6
185.220.100.247
185.220.100.251
185.220.100.250
204.8.96.87
77.91.86.95
77.221.159.184
31.220.98.139
77.91.87.79
77.91.85.147
89.147.110.200
82.153.138.119
77.105.146.42
98.128.173.33
77.221.159.192
51.15.116.168
83.26.9.159
57.129.20.162
77.221.159.189
69.46.9.122
77.221.159.75
91.217.219.253
23.152.24.77
77.221.159.193
185.181.61.115
45.134.173.197
31.220.87.46
193.233.133.109
185.241.208.212
82.118.242.36
45.141.215.170
23.26.133.239
209.141.39.104
141.98.10.14
23.137.253.109
72.211.49.235
35.240.241.135
185.181.61.18
94.103.124.104
5.255.100.224
94.103.124.121
5.255.114.171
109.104.153.22
121.78.28.175
142.171.211.123
94.103.124.91
185.220.101.133
94.103.124.101
94.103.124.107
103.106.228.81
192.42.116.178
195.160.220.104
94.103.124.46
2.58.95.31
107.189.1.198
107.189.5.18
204.8.96.187
94.103.124.90
204.8.96.112
204.8.96.113
103.193.179.233
94.103.124.98
204.8.96.148
185.220.101.62
192.42.116.179
192.42.116.177
51.89.153.112
2.58.56.220
209.141.55.26
192.42.116.212
78.142.18.219
204.8.96.143
2.58.95.35
23.137.253.110
192.42.116.213
204.8.96.82
202.94.246.210
107.189.7.47
204.8.96.114
5.45.98.162
107.189.5.121
107.189.7.161
84.54.51.69
45.138.16.203
107.189.2.108
185.220.101.173
192.42.116.13
45.61.184.47
5.255.100.26
80.67.167.81
185.246.188.74
103.251.167.20
107.189.8.181
38.97.116.244
162.247.74.213
204.8.96.154
192.42.116.27
193.35.18.77
204.8.96.85
107.189.7.114
192.42.116.211
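As an added example (not Permiso's or Okta's tooling), the following Python triages a newline-delimited Okta System Log export against the indicators above, implementing the user.session.start review described in the P0 Perspective section. The field names follow the Okta System Log schema (eventType, outcome.result, outcome.reason, client.ipAddress, client.userAgent.rawUserAgent, securityContext.asOrg, actor.alternateId); the indicator sets are a small subset of the lists above and would be loaded in full in practice, and the log records in SAMPLE_LOG are constructed, not real telemetry. It separates failed spray attempts from successful authentications and rates each match by the specificity of the indicator, since the user agent alone is a stock Firefox string.

```python
"""Triage Okta System Log events against the indicators in this post.

Added example, not Permiso's or Okta's tooling. Field names follow the Okta
System Log schema; the IOC sets are a subset of the lists above (load the full
lists in practice) and SAMPLE_LOG is constructed, not real telemetry.
"""
import json

IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
IOC_IPS = {"185.220.100.241", "204.8.96.87", "77.91.86.95", "107.189.5.18", "51.15.116.168"}
# Compared case-insensitively; AS org strings are not normalised across enrichment sources.
IOC_AS_ORGS = {"f3 netze e.v.", "aeza international ltd", "ponynet", "scaleway s.a.s.", "incognet llc"}

# Constructed sample records, one JSON object per line as exported from the
# System Log API. 203.0.113.7 is a documentation-range address, not an indicator.
SAMPLE_LOG = """\
{"published":"2024-04-20T03:11:02.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"185.220.100.241","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"}},"securityContext":{"asOrg":"F3 Netze e.V."}}
{"published":"2024-04-20T03:11:09.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"77.91.86.95","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"}},"securityContext":{"asOrg":"Aeza International Ltd"}}
{"published":"2024-04-20T03:12:40.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"107.189.5.18","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"}},"securityContext":{"asOrg":"PONYNET"}}
{"published":"2024-04-20T09:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"dave@example.com"},"client":{"ipAddress":"203.0.113.7","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"}},"securityContext":{"asOrg":"Example Corp"}}
{"published":"2024-04-20T09:05:00.000Z","eventType":"user.session.end","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"107.189.5.18","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"}},"securityContext":{"asOrg":"PONYNET"}}
"""


def _get(event, *path):
    """Walk a nested dict; return None instead of raising on a missing key."""
    cur = event
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def match_indicators(event):
    """Return the indicator types the event matches, strongest first."""
    hits = []
    if _get(event, "client", "ipAddress") in IOC_IPS:
        hits.append("ip")
    if (_get(event, "securityContext", "asOrg") or "").lower() in IOC_AS_ORGS:
        hits.append("as_org")
    if _get(event, "client", "userAgent", "rawUserAgent") == IOC_USER_AGENT:
        hits.append("user_agent")
    return hits


def confidence(hits):
    """An IP hit is specific; an AS org hit is shared with legitimate users of
    that network; the UA is a stock Firefox 102 string, so UA-only is weak."""
    if "ip" in hits:
        return "high"
    if "as_org" in hits:
        return "medium"
    if "user_agent" in hits:
        return "low"
    return None


def triage(log_text):
    """Split user.session.start events that match an indicator into failed
    spray attempts and successful authentications (outcome.result == SUCCESS)."""
    report = {"spray_attempts": [], "successful_logins": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventType") != "user.session.start":
            continue
        hits = match_indicators(event)
        if not hits:
            continue
        summary = {
            "published": event.get("published"),
            "user": _get(event, "actor", "alternateId"),
            "ip": _get(event, "client", "ipAddress"),
            "as_org": _get(event, "securityContext", "asOrg"),
            "indicators": hits,
            "confidence": confidence(hits),
        }
        if _get(event, "outcome", "result") == "SUCCESS":
            report["successful_logins"].append(summary)
        else:
            summary["reason"] = _get(event, "outcome", "reason")
            report["spray_attempts"].append(summary)
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the constructed records this reports two failed spray attempts (alice, bob) and two successful logins: carol from an indicator IP (high confidence) and dave, who only shares the user agent (low confidence) and would be a false positive without further context. Before running this against a real export, load the full IP and AS Org lists into the sets; the System Log API's filter parameter can pre-narrow the pull with an expression such as eventType eq "user.session.start".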

 
