April 27, 2024

How to Block Anonymizing Services using Okta

Moussa Diallo and Brett Winterford

Summary: Every customer using the Workforce Identity Cloud and Customer Identity Solution can now block access requests originating from anonymizing services prior to authentication.

Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools.

From March 18, 2024 through to April 16, 2024, Duo Security and Cisco Talos observed large-scale brute force attacks on multiple models of VPN devices.
From April 19, 2024 through to April 26, 2024, Okta’s Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.

In credential stuffing attacks, adversaries attempt to sign-in to online services using large lists of usernames and passwords obtained from previous data breaches of unrelated entities, or from phishing or malware campaigns.

All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR. Millions of the requests were also routed through a variety of residential proxies.

What is the Tor Network?

Tor (The Onion Router) provides its users a method of sending requests to web sites in which the originating source IP address of the request is obscured. Tor relies on the relay of messages across an overlay network of “onion routers”, each of which can only observe the IP of the preceding node and the next node in the communication. While Tor has legitimate uses, it is routinely used to conceal the real IP address of attackers.

What are Residential Proxies?

Residential Proxies are networks of legitimate user devices that route traffic on behalf of a paid subscriber. Providers of residential proxies effectively rent access to route authentication requests through the computer, smartphone or router of a real user, and proxy traffic through the IP of these devices to anonymize the source of the traffic.

Residential Proxy providers don’t tend to advertise how they build these networks of real user devices. Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download “proxyware” into their device in exchange for payment or something else of value. At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet. More recently, we have observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits). Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network.

The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers. For more information on residential proxy services, we recommend this informative summary by CERT Orange Cyberdefense and Sekoia.

Block it at the Edge

One of the key tenets of the Okta Secure Identity Commitment is to champion customer security best practices. We are committed to raising the bar for default security features in our platforms.

In February 2024, Okta released a well-timed capability into the Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) that detects and blocks requests from anonymizing services.

This Early Access feature can be turned on at Settings > Features in the Okta Admin Console.

Organizations that wish to deny access from specific anonymizers, and allowlist others, must be licensed to use Dynamic Zones (part of Adaptive MFA). Expect enhancements to this feature over the weeks ahead.

Customers using the Customer Identity Cloud (Auth0) should consider the Attack Protection Suite, and consider the other recommendations in the table below.

Modern Defenses, Built into the Identity Platform

The unprecedented scale of these attacks has provided clear insights into the controls most effective against credential stuffing.

ThreatInsight, Okta’s built-in control against high volume attacks, blocks requests from IPs involved in large scale credential based attacks prior to authentication.

The small percentage of customers where these suspicious requests proceeded to authentication shared similar configurations: The Org was nearly always running on the Okta Classic Engine, ThreatInsight was configured in Audit-only mode (not Log and Enforce mode), and Authentication policies permitted requests from anonymizing proxies.

Customers using Okta Identity Engine that (a) enabled ThreatInsight in log and enforce mode and (b) deny access requests from anonymizing proxies were protected from these opportunistic accounts. These basic features are available in all Okta SKUs. Upgrading to Okta Identity Engine is free, often highly automated, and provides access to a range of features including CAPTCHA challenges for risky sign-ins and passwordless authentication using Okta FastPass.

Broader Recommendations

We recommend Okta customers practice defense in depth to mitigate the risk of account takeovers from credential stuffing attacks.

	Recommendation	Workforce Identity Cloud (Okta)	Customer Identity Cloud (Auth0)
1.	Embrace Passwordless	Require Okta FastPass and FIDO2 WebAuthn	Support PassKeys as a preferred sign-in method
2.	Prevent users from making poor password choices	Require 12 chars and no parts of username in Password Policy. Block passwords found in common password list	Enable Breached Password Protection or Credential Guard to prevent use of passwords known to have been breached in 3P sites
3.	Enforce MFA on sign-in	Require MFA in Global Session Policies	Require MFA for Password Authentication flows
4.	Deny requests from locations where your organization does not operate	Use Network Zones to block requests prior to authentication	Deny access by location using a WAF or via the Country-based Access Control Action
5.	Deny authentication requests from IPs with poor reputation	Deny requests made via anonymizing services (Early Access) or via Dynamic Network Zones Configure ThreatInsight in log and enforce mode to deny attempts based on the volume and velocity of failed requests from an IP Require CAPTCHA challenges on high risk logins	Use Suspicious IP Throttling to slow down login attempts from suspicious IPs Use Bot Protection to present CAPTCHA challenges to requests from suspicious IPs Use 3P Auth0 Actions integrations to check if an IP is associated with an anonymizing proxies
6.	Monitor for and respond to anomalous sign-in behavior	Enforce per-user Account Lockout. Exempt requests from devices that have successfully authenticated Monitor for ThreatInsight events and rate limit violations	Use Brute-force Protection to block and lockout accounts subject to persistent failed authentication requests Monitor for sign-in events using invalid usernames/non-existent users and/or previously breached passwords

TTPs used in Recent Attacks

Top 20 ASNs

Autonomous System Number	Network Provider
53667	FranTech Solutions
62744	Quintex Alliance Consulting
60729	Stiftung Erneuerbare Freiheit
1101	SURF B.V.
210558	1337 Services GmbH
197540	netcup GmbH
16276	OVH SAS
60404	Liteserver
210644	AEZA INTERNATIONAL LTD
399532	Universal Layer LLC
200651	FlokiNET ehf
44925	1984 ehf
51396	Pfcloud UG
4224	The Calyx Institute
51852	Private Layer INC
56655	TerraHost AS
36352	HostPapa
208323	Foundation for Applied Privacy
63949	Akamai Connected Cloud
41281	KeFF Networks Ltd

User Agent

Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0

Relevant System Log Queries: Workforce Identity Cloud

Event	System Log Query
ThreatInsight has Detected Access Requests from IPs Associated with Suspicious Behavior	eventType eq "security.threat.detected"
Suspected Brute Force Attack (T1110.001)	eventType eq "security.threat.detected" AND outcome.reason eq "Login failures"
Suspected Credential Stuffing Attack (T1110.004)	eventType eq "security.threat.detected" AND outcome.reason co "Login failures with high unknown users count"
Suspected Password Spray Attack (T1110.003)	eventType eq "security.threat.detected" AND outcome.reason co "Password Spray"
Targeted Brute Force Attack against a Specific Org	eventType eq "security.attack.start"

Relevant System Log Queries: Customer Identity Cloud (Auth0)

Event	Log Query
Failed login request	f
Failed login: Invalid username/email address	fu
Failed login: Invalid password	fp
Login attempt from a known leaked password	pwd_leak
Signup (registration) attempt from a leaked password	signup_pwd_leak
IP address blocked: excessive failed login or registration requests without a successful login	limit_mu
User account lockout: excessive failed login requests per time period from the same IP address	limit_sul
IP address blocked: excessive failed login attempts to a single user account	limit_wc

Brett Winterford is the regional Chief Security Officer for Okta in the Asia Pacific and Japan.
He advises business and technology leaders on evolving threats and helps them harness advances in identity technology to drive business outcomes and mitigate risk.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.
Brett is also an award-winning journalist, having long ago been the editor-in-chief of iTnews Australia and a contributor to ZDNet, the Australian Financial Review and the Sydney Morning Herald. Most recently, he was the founding editor of the Srsly Risky Biz newsletter, a companion to the Risky Business podcast, providing the cybersecurity, policy, defense and intelligence communities with a weekly brief of the news that shapes cyber policy.