Goal
Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events.
Categorization
MITRE ATT&CK T1110.004, Brute Force: Credential Stuffing: https://attack.mitre.org/techniques/T1110/004/
Strategy Abstract
Log Events to Review:
fcoa - Failed cross-origin authentication
scoa - Successful cross-origin authentication
pwd_leak - Someone attempted to login with a leaked password
Technical Context
In this type of attack, adversaries attempt to sign in to online services using large lists of usernames and passwords obtained from data breaches of other, unrelated services, or from phishing or malware campaigns.
Blind Spots and Assumptions
Assumes use of Customer Identity Cloud (CIC) feature and proper logging.
False Positives
If your tenant does use cross-origin authentication, normal fcoa/scoa activity can produce false positives.
Validation
If your tenant does not use cross-origin authentication, but scoa or fcoa events are present in event logs, then it is likely your tenant has been targeted in a credential stuffing attack.
If your tenant does use cross-origin authentication and either saw a spike of scoa events in April or an increase in the ratio of failure-to-success events (fcoa/scoa), then it is likely your tenant has been targeted in a credential stuffing attack.
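The two validation rules above, together with the log event types listed under Strategy Abstract, can be applied mechanically to an exported batch of tenant log events. The script below is an added example, not Okta's or Auth0's code. Only the event type codes (fcoa, scoa, pwd_leak) and the shape of the type and date fields follow the Auth0 log event format; the sample events, the baseline and review windows, and the spike and ratio thresholds are constructed assumptions that a tenant would tune to its own traffic.

```python
"""Apply the cross-origin credential-stuffing validation rules to a batch of
Auth0 tenant log events. Added example, not Okta's or Auth0's code; only the
event type codes and the 'type'/'date' fields come from the Auth0 log format.
Thresholds and sample data are constructed assumptions."""
from collections import Counter
from datetime import datetime, timezone

FCOA = "fcoa"          # Failed cross-origin authentication
SCOA = "scoa"          # Successful cross-origin authentication
PWD_LEAK = "pwd_leak"  # Login attempt with a leaked password
WATCHED = {FCOA, SCOA, PWD_LEAK}

# Constructed sample entries in the shape of an Auth0 tenant log export.
# March is quiet; from April 16 a burst of failures hits many distinct users.
SAMPLE_EVENTS = [
    {"type": "scoa", "date": "2024-03-04T08:12:00.000Z", "user_name": "alice@example.com"},
    {"type": "fcoa", "date": "2024-03-09T17:40:00.000Z", "user_name": "bob@example.com"},
    {"type": "scoa", "date": "2024-03-20T11:05:00.000Z", "user_name": "bob@example.com"},
    {"type": "fcoa", "date": "2024-04-16T02:01:00.000Z", "user_name": "carol@example.com"},
    {"type": "fcoa", "date": "2024-04-16T02:01:03.000Z", "user_name": "dave@example.com"},
    {"type": "fcoa", "date": "2024-04-16T02:01:07.000Z", "user_name": "erin@example.com"},
    {"type": "fcoa", "date": "2024-04-16T02:01:09.000Z", "user_name": "frank@example.com"},
    {"type": "fcoa", "date": "2024-04-16T02:01:12.000Z", "user_name": "grace@example.com"},
    {"type": "scoa", "date": "2024-04-16T02:01:15.000Z", "user_name": "heidi@example.com"},
    {"type": "pwd_leak", "date": "2024-04-16T02:02:00.000Z", "user_name": "heidi@example.com"},
    {"type": "s", "date": "2024-04-17T09:00:00.000Z", "user_name": "alice@example.com"},  # ordinary login, ignored
]

# Assumed comparison periods: March as baseline, April 15 onward as the review window.
BASELINE = (datetime(2024, 3, 1, tzinfo=timezone.utc), datetime(2024, 4, 1, tzinfo=timezone.utc))
WINDOW = (datetime(2024, 4, 15, tzinfo=timezone.utc), datetime(2024, 5, 1, tzinfo=timezone.utc))


def parse_date(value):
    """Auth0 dates are ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def count_events(events, start, end):
    """Count watched event types with start <= date < end."""
    counts = Counter()
    for event in events:
        if event.get("type") in WATCHED and start <= parse_date(event["date"]) < end:
            counts[event["type"]] += 1
    return counts


def failure_ratio(counts):
    """fcoa / scoa for one period; inf when failures occur with no successes."""
    failures, successes = counts.get(FCOA, 0), counts.get(SCOA, 0)
    if successes == 0:
        return float("inf") if failures else 0.0
    return failures / successes


def assess(events, uses_cross_origin, baseline=BASELINE, window=WINDOW,
           spike_factor=3.0, ratio_factor=2.0, ratio_floor=0.5):
    """Apply the validation rules. spike_factor, ratio_factor and ratio_floor
    are assumed thresholds, not values from Okta's guidance."""
    base = count_events(events, *baseline)
    win = count_events(events, *window)
    findings = []
    if not uses_cross_origin:
        # Rule 1: the feature is unused, so any cross-origin event is unexpected.
        if win.get(FCOA, 0) or win.get(SCOA, 0):
            findings.append("cross-origin auth events on a tenant that does not use the feature")
    else:
        # Rule 2a: successful cross-origin logins spiked against the baseline.
        if win.get(SCOA, 0) >= spike_factor * max(base.get(SCOA, 0), 1):
            findings.append("scoa volume spiked relative to baseline")
        # Rule 2b: failure-to-success ratio rose. The floor keeps a baseline with
        # zero failures from making any nonzero window ratio look like an increase.
        base_ratio = max(failure_ratio(base), ratio_floor)
        if failure_ratio(win) >= ratio_factor * base_ratio:
            findings.append("fcoa/scoa ratio increased relative to baseline")
    if win.get(PWD_LEAK, 0):
        findings.append("login attempts with known-leaked passwords")
    return {"suspicious": bool(findings), "findings": findings,
            "baseline": dict(base), "window": dict(win)}


def run_sample(uses_cross_origin=True):
    """Run the checks over the constructed sample and return the assessment."""
    return assess(SAMPLE_EVENTS, uses_cross_origin)


if __name__ == "__main__":
    result = run_sample()
    print("baseline:", result["baseline"], "window:", result["window"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

On the constructed sample the baseline ratio is 0.5 (1 fcoa to 2 scoa) and the review window's ratio is 5.0, so rule 2b fires alongside the pwd_leak finding; running the same events for a tenant that does not use cross-origin authentication trips rule 1 instead. Users named in the flagged fcoa/scoa/pwd_leak events are the ones whose credentials the Response section says to rotate.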
Priority
High
Response
If a user password was compromised in a credential stuffing attack, the user’s credentials should be rotated immediately out of an abundance of caution.
Additional Resources
https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks
https://auth0.com/docs/authenticate/login/cross-origin-authentication
https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes