Latest research, product updates and best practices on staying secure in the cloud | Permiso

Déjà Vu or New View: Latest Okta Credential Stuffing Campaign

Written by Ian Ahl | May 2, 2024 4:25:24 PM

Summary

On April 26, 2024 Okta reported observing a large scale credential stuffing attack that shares infrastructure with a campaign previously reported by Cisco Talos. The campaign that Cisco observed started on March 18 and continued until April 16, 2024, mostly targeting VPN devices. On April 19’th Okta observed the infrastructure start to instead perform password spraying against Okta clients. They observed the majority of these password spraying attempts coming from ASNs typically associated with residential proxies, and TOR.

 

P0 Perspective 

Across Permiso telemetry, the earliest we see evidence of this campaign starting was on April 9, 2024, and the most recent attempt was on April 26, 2024.

This campaign is not very different than previous campaigns we have reported on and like most password spraying campaigns like this, there was very little success. The following is a list of indicators that you can can check against your own environments:

 All Permiso clients affected by this campaign have already been notified.

To understand if this recent campaign was successful at your organization, Permiso recommends reviewing all user.session.start events that include the indicators listed below. If the outcome.result is SUCCESS then the threat actor successfully authenticated to the environment.

# Indicators

## User Agent
Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0

## AS Orgs
F3 Netze e.V.
Aeza International Ltd
MICROTRONIX-ESOLUTIONS
QUINTEX
NL-811-40021
1984 ehf
Orange Romania Communication S.A
Bahnhof AB
Scaleway S.a.s.
1337 Services GmbH
Orange Polska Spolka Akcyjna
OVH SAS
HVC-AS
TerraHost AS
TAMPA-COLO-ASN-PRIMARY
Kanade
Virtual Systems LLC
Contabo GmbH
Verdina Ltd.
PONYNET
Pfcloud UG
SNAJU
UAB Host Baltic
IncogNET LLC
ASN-CXA-ALL-CCI-22773-RDC
The Infrastructure Group B.V.
SURF B.V.
GOOGLE-CLOUD-PLATFORM
BrainStorm Network, Inc
Stiftung Erneuerbare Freiheit
MULTA-ASN1
ZEN-ECN
Nextly SASU
SOLLUTIUM EU Sp z.o.o.
ColocationX Ltd.
PT Cloud Hosting Indonesia
netcup GmbH
MilkyWan Association
FlokiNET ehf
MIT-PUBWIFI
CALYX-AS
Enjoyvc Cloud Group Limited.

## IP Addresses
185.220.100.241
185.220.100.240
185.220.100.243
185.220.100.242
23.155.24.6
185.220.100.247
185.220.100.251
185.220.100.250
204.8.96.87
77.91.86.95
77.221.159.184
31.220.98.139
77.91.87.79
77.91.85.147
89.147.110.200
82.153.138.119
77.105.146.42
98.128.173.33
77.221.159.192
51.15.116.168
83.26.9.159
57.129.20.162
77.221.159.189
69.46.9.122
77.221.159.75
91.217.219.253
23.152.24.77
77.221.159.193
185.181.61.115
45.134.173.197
31.220.87.46
193.233.133.109
185.241.208.212
82.118.242.36
45.141.215.170
23.26.133.239
209.141.39.104
141.98.10.14
23.137.253.109
72.211.49.235
35.240.241.135
185.181.61.18
94.103.124.104
5.255.100.224
94.103.124.121
5.255.114.171
109.104.153.22
121.78.28.175
142.171.211.123
94.103.124.91
185.220.101.133
94.103.124.101
94.103.124.107
103.106.228.81
192.42.116.178
195.160.220.104
94.103.124.46
2.58.95.31
107.189.1.198
107.189.5.18
204.8.96.187
94.103.124.90
204.8.96.112
204.8.96.113
103.193.179.233
94.103.124.98
204.8.96.148
185.220.101.62
192.42.116.179
192.42.116.177
51.89.153.112
2.58.56.220
209.141.55.26
192.42.116.212
78.142.18.219
204.8.96.143
2.58.95.35
23.137.253.110
192.42.116.213
204.8.96.82
202.94.246.210
107.189.7.47
204.8.96.114
5.45.98.162
107.189.5.121
107.189.7.161
84.54.51.69
45.138.16.203
107.189.2.108
185.220.101.173
192.42.116.13
45.61.184.47
5.255.100.26
80.67.167.81
185.246.188.74
103.251.167.20
107.189.8.181
38.97.116.244
162.247.74.213
204.8.96.154
192.42.116.27
193.35.18.77
204.8.96.85
107.189.7.114
192.42.116.211