Okta Warns of Large-Scale Theft of Account Credentials

Okta has issued a warning about a significant increase in both the number and size of attacks targeting account credentials for online services. The attacks have become more prevalent due to the widespread availability of proxy services, lists of previously compromised credentials, and automated tools.

This alert aligns with a recent warning from Cisco, which highlights a global uptick in brute-force attacks targeting a variety of devices and services, including VPN services, authentication interfaces, and SSH services. Cisco identifies the sources of these attacks as Tor exit nodes and other anonymizing tunnels and proxies. The attackers are specifically targeting VPN devices from major vendors such as Cisco, Check Point, Fortinet, and SonicWall, as well as routers from DrayTek, MikroTik, and Ubiquiti.

Research conducted by Okta indicates a surge in account credential harvesting activity between April 19 and 26, 2024, likely carried out over similar infrastructure. These attacks use account credentials stolen from one service to gain unauthorized access to another, unrelated service.

Most of the recent attacks tracked by Okta have used Tor and various residential proxies such as NSOCKS, Luminati, and DataImpulse. Residential proxies route traffic through the devices of legitimate users to mask its malicious origin, effectively turning these users into unwitting participants in a botnet that is then rented out to customers for anonymous traffic.

To mitigate the risk of account takeovers, Okta advises organizations to enforce the use of strong, complex passwords, implement two-factor authentication (2FA), block requests from suspicious geographical regions, and prevent access from IP addresses with a poor reputation.
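
As an added illustration (not code from Okta or Cisco), the sketch below applies the two network-level recommendations above before authentication and adds a sliding-window check for one source IP trying many different usernames, the pattern commonly called credential stuffing. The `LoginGate` class, the thresholds, the country code `ZZ`, and all IP addresses and events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy inputs (assumptions, not real feeds).
BLOCKED_COUNTRIES = {"ZZ"}                  # placeholder country code
BAD_REPUTATION_IPS = {"198.51.100.23"}      # e.g. a listed anonymizer exit
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_USERS = 3                      # usernames per IP per window

class LoginGate:
    """Pre-authentication checks: geo, IP reputation, username fan-out."""

    def __init__(self):
        self._recent = defaultdict(deque)   # ip -> deque of (time, username)

    def evaluate(self, when, ip, country, username):
        if country in BLOCKED_COUNTRIES:
            return "deny:geo"
        if ip in BAD_REPUTATION_IPS:
            return "deny:reputation"
        attempts = self._recent[ip]
        attempts.append((when, username))
        # Drop attempts that have fallen out of the sliding window.
        while attempts and when - attempts[0][0] > WINDOW:
            attempts.popleft()
        # One IP cycling through many accounts is the stuffing pattern;
        # a user retrying their own password is not.
        if len({user for _, user in attempts}) > MAX_DISTINCT_USERS:
            return "deny:fanout"
        return "allow"

def replay(events):
    """Run events in order through a fresh gate and return the verdicts."""
    gate = LoginGate()
    return [gate.evaluate(*event) for event in events]

# Constructed sample events: (time, source IP, country, username).
T0 = datetime(2024, 4, 20, 12, 0, 0)
SAMPLE = [
    (T0, "203.0.113.5", "US", "alice"),
    (T0 + timedelta(seconds=5), "203.0.113.5", "US", "alice"),
    (T0 + timedelta(seconds=9), "198.51.100.23", "US", "bob"),
    (T0 + timedelta(seconds=12), "192.0.2.77", "ZZ", "carol"),
] + [(T0 + timedelta(seconds=20 + i), "203.0.113.99", "US", f"user{i}")
     for i in range(5)]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event[1], event[3], verdict)
```

Because residential proxies spread attempts across many source addresses, the per-IP fan-out check will miss a well-distributed campaign on its own, which is why it sits alongside reputation blocking and 2FA rather than replacing them.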
