
Déjà Vu or New View: Latest Okta Credential Stuffing Campaign

Summary

On April 26, 2024, Okta reported observing a large-scale credential stuffing attack that shares infrastructure with a campaign previously reported by Cisco Talos. The campaign Cisco observed started on March 18 and continued until April 16, 2024, mostly targeting VPN devices. On April 19, Okta observed the same infrastructure shift to password spraying against Okta clients, with the majority of attempts coming from ASNs typically associated with residential proxies and Tor.

 

P0 Perspective 


Across Permiso telemetry, the earliest we see evidence of this campaign starting was on April 9, 2024, and the most recent attempt was on April 26, 2024.

This campaign is not very different from previous campaigns we have reported on, and, like most password spraying campaigns of this kind, it had very little success. The indicators listed below can be checked against your own environment. All Permiso clients affected by this campaign have already been notified.

To determine whether this campaign was successful at your organization, Permiso recommends reviewing all `user.session.start` events that match the indicators listed below. If `outcome.result` is `SUCCESS`, the threat actor successfully authenticated to the environment.
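The check described above, as an added example (not Permiso's code or tooling): it assumes events in Okta System Log JSON shape (`client.userAgent.rawUserAgent`, `client.ipAddress`, `securityContext.asOrg`, `outcome.result`), flags `user.session.start` events matching the campaign user agent plus a sample of the AS orgs and IPs from this post, and separates out the attempts that ended in `SUCCESS`.

```python
# Indicators from the post: the campaign user agent plus a small sample of its
# AS organisations and IP addresses (the post's full lists are much longer).
UA = "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
INDICATORS = {
    "user_agent": {UA},
    "as_org": {"F3 Netze e.V.", "Aeza International Ltd"},
    "ip": {"185.220.100.241", "204.8.96.87"},
}

def matched_indicators(event):
    """Return the indicator classes an Okta System Log event matches."""
    client = event.get("client", {})
    values = {
        "user_agent": client.get("userAgent", {}).get("rawUserAgent"),
        "as_org": event.get("securityContext", {}).get("asOrg"),
        "ip": client.get("ipAddress"),
    }
    return {k for k, v in values.items() if v in INDICATORS[k]}

def triage(events):
    """Flag user.session.start events matching any indicator and return
    (all flagged attempts, the subset whose outcome.result is SUCCESS)."""
    flagged = []
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        hits = matched_indicators(ev)
        if hits:
            flagged.append({
                "user": ev.get("actor", {}).get("alternateId"),
                "ip": ev.get("client", {}).get("ipAddress"),
                "result": ev.get("outcome", {}).get("result"),
                "hits": sorted(hits),
            })
    return flagged, [f for f in flagged if f["result"] == "SUCCESS"]

def _ev(etype, user, ip, ua, as_org, result):
    """Build a constructed event in Okta System Log shape (sample data only)."""
    return {"eventType": etype, "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "securityContext": {"asOrg": as_org}, "outcome": {"result": result}}

# Constructed sample log: one failed spray from campaign infrastructure, one
# success that only shares the user agent, one unrelated login, one non-session event.
SAMPLE_LOG = [
    _ev("user.session.start", "alice@example.com", "185.220.100.241", UA, "F3 Netze e.V.", "FAILURE"),
    _ev("user.session.start", "bob@example.com", "203.0.113.9", UA, "Example ISP", "SUCCESS"),
    _ev("user.session.start", "carol@example.com", "198.51.100.4", "curl/8.0", "Example ISP", "SUCCESS"),
    _ev("user.authentication.sso", "dave@example.com", "204.8.96.87", UA, "Aeza International Ltd", "SUCCESS"),
]
```

A hit on the user agent alone (as for `bob` in the sample) is weak evidence by itself, since that Firefox string is common; corroborate it with the AS org and IP before treating the session as compromised.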

# Indicators

## User Agent
Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0

## AS Orgs

## IP Addresses

 
