惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
L
Lohrmann on Cybersecurity
aimingoo的专栏
aimingoo的专栏
V
V2EX
S
Security Affairs
T
Threatpost
C
CXSECURITY Database RSS Feed - CXSecurity.com
IT之家
IT之家
J
Java Code Geeks
The Register - Security
The Register - Security
U
Unit 42
C
CERT Recently Published Vulnerability Notes
月光博客
月光博客
A
About on SuperTechFans
H
Hackread – Cybersecurity News, Data Breaches, AI and More
T
The Blog of Author Tim Ferriss
Cisco Talos Blog
Cisco Talos Blog
Project Zero
Project Zero
S
Schneier on Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
D
DataBreaches.Net
博客园 - 司徒正美
V
Vulnerabilities – Threatpost
T
Tor Project blog
Security Latest
Security Latest
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs
Scott Helme
Scott Helme
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
小众软件
小众软件
L
LangChain Blog
Attack and Defense Labs
Attack and Defense Labs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
P
Palo Alto Networks Blog
A
Arctic Wolf
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 叶小钗
D
Darknet – Hacking Tools, Hacker News & Cyber Security
L
LINUX DO - 最新话题
MongoDB | Blog
MongoDB | Blog
Webroot Blog
Webroot Blog
H
Hacker News: Front Page
Know Your Adversary
Know Your Adversary
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
Engineering at Meta
Engineering at Meta

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
Detecting Cross-Origin Authentication Credential Stuffing Attacks
Okta · 2024-05-28 · via Okta Security RSS Feed

Summary

Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers. In this case, we have proactively notified the customers we identified that have this feature enabled, and provided additional guidance in a customer email.

For context, we observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers. In this type of attack, adversaries attempt to sign-in to online services using large lists of usernames and passwords potentially obtained from previous data breaches or unrelated entities, or from phishing or malware campaigns.

This post will assist you with investigating credential-stuffing attacks, as well as provide guidance in the “Recommended Actions” below.

Suspicious Activity Period

We have observed suspicious activity that started on April 15. Please note that this may not be continuous for every tenant, we recommend reviewing suspicious activity from that date forward.

Log Events to Review:

  • fcoa - Failed cross-origin authentication

  • scoa - Successful cross-origin authentication

  • pwd_leak - Someone attempted to login with a leaked password

Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. Refer to the Log Event Type Codes for more information.

If your tenant does not use cross-origin authentication, but `scoa` or fcoa events are present in event logs, then it is likely your tenant has been targeted in a credential stuffing attack.

If your tenant does use cross-origin authentication and either saw a spike of `scoa` events in April or an increase in the ratio of failure-to-success events (fcoa/scoa), then it is likely your tenant has been targeted in a credential stuffing attack.

If a user password was compromised in a credential stuffing attack, the user’s credentials should be rotated immediately out of an abundance of caution.

Protecting your Tenant from Credential Stuffing Activity

Below are our recommendations on how to best protect your users from credential-stuffing attacks.

Longer-term solution:

Enroll users in passwordless, phishing resistant authentication. We recommend the use of passkeys as the most secure option. Passkeys are included on all Auth0 plans from our free plan through Enterprise.

Medium-term mitigations:

Prevent users from choosing weak passwords. Require a minimum of 12 characters and no parts of the user name. Block passwords found in the Common Password List. This can be done in the password policy.

Require -Factor Authentication. Auth0 offers a variety of MFA options available on our B2C Professional, B2B Essentials, B2B Professional, Startup, and Enterprise plans.

Short-term mitigations:

  • For any tenant that does not use cross-origin authentication, that endpoint can be disabled in the Auth0 Management Console to eliminate this attack vector. Refer to Configure Cross-Origin Resource Sharing for more information.

  • Restrict permitted origins if cross-origin authentication is required.

  • Enable breached password detection for your tenant, or ideally Credential Guard if it is supported in your current plan.

    • Breached password detection is available on our B2C Professional, B2B Professional, Startup, and Enterprise plans.

    • Credential Guard is available as an add-on through an Enterprise plan.

If you have an account with support available and need more information, you can reach out to Customer Support, and if you are on a free plan you can reach us via the Community. For details on features and availability per plan, please visit our pricing page.