STATE OF IDENTITY SECURITY Permiso has released the 2024 Survey Report

[GET THE REPORT]
Illustration Cloud

Password spray enters the Okta-gon

Identity Providers (IDPs), like Okta have always been a juicy target for threat actors of all skill levels. Attackers often still find success with low sophistication techniques like password spraying. Permiso identified a large Okta password spraying campaign that took place in late August.

💡 All Permiso clients affected by this campaign have already been notified.

From August 27 - 31, a threat actor from the IP Address 185.241.208.110 with a user-agent of python-requests/2.28.1 attempted password spraying against about 50% of Okta clients that Permiso monitors. In this campaign, the threat actor successfully guessed passwords in multiple organizations, and in at least one case even passed an MFA check. Permiso did not observe any post-exploitation activity associated with this campaign.

While password spraying is not a new technique, the scale and success of this campaign makes it unique. Permiso recommends organizations that leverage Okta, to review all user.session.start events with a client.ipAddress of 185.241.208.110 . If the outcome.result is SUCCESS the threat actor successfully authenticated to the environment. Searching for the IP on its own will show all the attempts.

In order for the attacker to run this campaign, they needed to have usernames to attempt. Often times these are enumerated by LinkedIn scraping, but there are various ways this can be done. In this campaign the attacker did not bother to disguise their user-agent. While it can be somewhat noisy in some environments, reviewing for python-requests and python-urllib can be a decent signal.

Compromised credentials are involved in almost every breach. Monitoring your IDP is an important step to staying protected.

Illustration Cloud

Related Articles

How Adversaries Abuse Serverless Services to Harvest Sensitive Data from Environment Variables

Introduction In cloud computing, the evolution of serverless technology has significantly transformed how developers build and run applications. Over the years, the adoption of serverless computing has grown rapidly, with developers and

INTRODUCING CAPICHE DETECTION FRAMEWORK: AN OPEN-SOURCE TOOL TO SIMPLIFY CLOUD API-BASED HUNTING

Intro Attacks on cloud infrastructure have been steadily increasing in quantity, sophistication and scope. Common cryptomining attacks still exists, but the proliferation of BEC (Business Email Compromise) and SMS spamming along with full-bore

BucketShield: Track Log Flow, Secure Buckets, Simulate Threats – All in One Open-Source Tool

Introduction In today’s cloud-powered world, keeping your logs secure and intact is more important than ever. AWS CloudTrail serves as the backbone for tracking all activities across your cloud environment, but simply enabling it isn't enough.

View more posts