[Webinar] What Insider Threats Actually Look Like - A Lesson From the Rippling Lawsuit 

[WATCH NOW]

Announcing Permiso Discover - A free identity inventory & visibility for human, non-human and AI

[Join the Waitlist]
Hamburger
Close Icon
Linkedin
Linkedin
Illustration Cloud

Password spray enters the Okta-gon

Identity Providers (IDPs), like Okta have always been a juicy target for threat actors of all skill levels. Attackers often still find success with low sophistication techniques like password spraying. Permiso identified a large Okta password spraying campaign that took place in late August.

💡 All Permiso clients affected by this campaign have already been notified.

From August 27 - 31, a threat actor from the IP Address 185.241.208.110 with a user-agent of python-requests/2.28.1 attempted password spraying against about 50% of Okta clients that Permiso monitors. In this campaign, the threat actor successfully guessed passwords in multiple organizations, and in at least one case even passed an MFA check. Permiso did not observe any post-exploitation activity associated with this campaign.

While password spraying is not a new technique, the scale and success of this campaign makes it unique. Permiso recommends organizations that leverage Okta, to review all user.session.start events with a client.ipAddress of 185.241.208.110 . If the outcome.result is SUCCESS the threat actor successfully authenticated to the environment. Searching for the IP on its own will show all the attempts.

In order for the attacker to run this campaign, they needed to have usernames to attempt. Often times these are enumerated by LinkedIn scraping, but there are various ways this can be done. In this campaign the attacker did not bother to disguise their user-agent. While it can be somewhat noisy in some environments, reviewing for python-requests and python-urllib can be a decent signal.

Compromised credentials are involved in almost every breach. Monitoring your IDP is an important step to staying protected.

Illustration Cloud

Related Articles

CloudTrail Logging Evasion: Where Policy Size Matters

At Permiso Security, we’ve always believed that curiosity fuels innovation. What started as a routine investigation into the reliability of AWS CloudTrail logs for monitoring IAM policy changes quickly turned into something far more significant.

Azure's Apex Permissions: Elevate Access & The Logs Security Teams Overlook

Azure's "Elevate Access" feature is a critical security control point that deserves more comprehensive technical coverage than it typically receives. At Permiso, our P0 Labs team brings diverse cloud security expertise, including deep knowledge of

RansomWhen??? I Never Even Noticed It…

A successful ransomware attack is the culmination of numerous steps performed by a determined attacker: gaining initial access to the victim’s environment, enumerating privileges to identify sensitive data, escalating privileges to gain access to

View more posts