Okta Warns of Surge in Proxy-Driven Credential Stuffing Attacks

admin, 2024-05-07 14:26:08

Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services.

These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the company said in an alert published Saturday.

The findings build on a recent advisory from Cisco, which cautioned of a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.

"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos noted at the time, adding that the targets of the attacks include VPN appliances from Cisco, Check Point, Fortinet, and SonicWall, as well as routers from Draytek, MikroTik, and Ubiquiti.

Okta said its Identity Threat Research detected an uptick in credential stuffing activity against user accounts from April 19 to April 26, 2024, from likely similar infrastructure.

Credential stuffing is a type of cyber attack in which credentials obtained from a data breach on one service are used to attempt to sign in to another unrelated service.

Alternatively, such credentials could be extracted via phishing attacks that redirect victims to credential harvesting pages or through malware campaigns that install information stealers on compromised systems.

"All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR," Okta said.

"Millions of the requests were also routed through a variety of residential proxies including NSOCKS, Luminati, and DataImpulse."

Residential proxies (RESIPs) refer to networks of legitimate user devices that are misused to route traffic on behalf of paying subscribers without their knowledge or consent, thereby allowing threat actors to conceal their malicious traffic.

This is typically achieved by installing proxyware tools on computers, mobile phones, or routers, effectively enrolling them into a botnet that's then rented to customers of the service who desire to anonymize the source of their traffic.

"Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download 'proxyware' into their device in exchange for payment or something else of value," Okta explained.

"At other times, a user device is infected with malware without the user's knowledge and becomes enrolled in what we would typically describe as a botnet."

Last month, HUMAN's Satori Threat Intelligence team revealed over two dozen malicious Android VPN apps that turn mobile devices into RESIPs by means of an embedded software development kit (SDK) that included the proxyware functionality.

"The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers," Okta said.

To mitigate the risk of account takeover, the company recommends that organizations require users to switch to strong passwords, enable two-factor authentication (2FA), deny requests originating from locations where they don't operate and from IP addresses with poor reputation, and add support for passkeys.

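The two defensive points in this report, the distributed-origin pattern Okta describes (a handful of attempts from each of many residential IPs, spread across many accounts, rather than a flood from one address) and the geo/IP-reputation deny policy it recommends, can both be checked in a pass over authentication logs. The following Python is an added example, not code from Okta, Talos or the article; its log format, the sample log lines, the thresholds, the allowed-country list and the "poor reputation" network are all constructed assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed log format (constructed, not Okta's):
#   "<time> user=<name> ip=<addr> cc=<country> result=<ok|fail>"
# Constructed window showing the residential-proxy pattern: many accounts,
# mostly failures, and almost every attempt from a different source IP.
STUFFING_LOG = """\
2024-04-20T10:00:01Z user=alice ip=203.0.113.10 cc=US result=fail
2024-04-20T10:00:02Z user=bob ip=198.51.100.23 cc=BR result=fail
2024-04-20T10:00:02Z user=carol ip=192.0.2.77 cc=DE result=fail
2024-04-20T10:00:03Z user=dave ip=203.0.113.44 cc=IN result=fail
2024-04-20T10:00:03Z user=erin ip=198.51.100.9 cc=US result=fail
2024-04-20T10:00:04Z user=frank ip=192.0.2.130 cc=VN result=fail
2024-04-20T10:00:04Z user=grace ip=203.0.113.201 cc=US result=fail
2024-04-20T10:00:05Z user=heidi ip=198.51.100.77 cc=ID result=ok
2024-04-20T10:00:05Z user=ivan ip=192.0.2.5 cc=US result=fail
2024-04-20T10:00:06Z user=judy ip=203.0.113.9 cc=NG result=fail
2024-04-20T10:00:07Z user=alice ip=203.0.113.10 cc=US result=ok
"""
# Constructed window of ordinary traffic: repeat users, mostly successes.
NORMAL_LOG = """\
2024-04-20T09:00:01Z user=alice ip=203.0.113.10 cc=US result=ok
2024-04-20T09:00:05Z user=bob ip=203.0.113.11 cc=US result=ok
2024-04-20T09:00:09Z user=alice ip=203.0.113.10 cc=US result=ok
2024-04-20T09:00:12Z user=carol ip=203.0.113.12 cc=DE result=fail
2024-04-20T09:00:15Z user=carol ip=203.0.113.12 cc=DE result=ok
2024-04-20T09:00:20Z user=dave ip=203.0.113.13 cc=US result=ok
2024-04-20T09:00:25Z user=bob ip=203.0.113.11 cc=US result=ok
2024-04-20T09:00:30Z user=erin ip=203.0.113.14 cc=US result=ok
2024-04-20T09:00:35Z user=alice ip=203.0.113.10 cc=US result=ok
2024-04-20T09:00:40Z user=dave ip=203.0.113.13 cc=US result=ok
"""
# Constructed single-source brute force for contrast: one account, one IP.
BRUTE_FORCE_LOG = "\n".join(
    f"2024-04-20T11:00:{i:02d}Z user=admin ip=198.51.100.5 cc=US result=fail"
    for i in range(12)
)

# Policy inputs (assumed): countries the organization operates in, and a
# network with poor reputation. 192.0.2.0/24 is a documentation range used
# here purely as a stand-in for a real reputation feed.
ALLOWED_COUNTRIES = {"US", "DE"}
BAD_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Event:
    ts: str
    user: str
    ip: str
    cc: str
    ok: bool


def parse_log(text):
    """Parse the assumed key=value log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        f = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(ts, f["user"], f["ip"], f["cc"], f["result"] == "ok"))
    return events


def stuffing_metrics(events):
    """Per-window counters that separate spray-from-many-IPs from one-IP floods."""
    n = len(events)
    per_ip = Counter(e.ip for e in events)
    return {
        "attempts": n,
        "failure_ratio": sum(not e.ok for e in events) / n if n else 0.0,
        "distinct_users": len({e.user for e in events}),
        "distinct_ips": len(per_ip),
        "max_attempts_per_ip": max(per_ip.values(), default=0),
    }


def classify(m, min_attempts=10, fail_ratio=0.7, user_spread=0.7, ip_cap=3):
    """Heuristic verdict; thresholds are illustrative assumptions, tune per tenant."""
    if m["attempts"] < min_attempts or m["failure_ratio"] < fail_ratio:
        return "normal"
    many_users = m["distinct_users"] / m["attempts"] >= user_spread
    if many_users and m["max_attempts_per_ip"] <= ip_cap:
        # Many accounts, each IP used only a few times: proxy-distributed stuffing.
        return "credential_stuffing_distributed"
    if not many_users and m["distinct_ips"] == 1:
        return "brute_force_single_source"
    return "suspicious"


def analyze(text):
    m = stuffing_metrics(parse_log(text))
    return m, classify(m)


def policy_decision(event, allowed_countries, bad_networks):
    """Apply the recommended denies: unexpected geography, then poor-reputation IP."""
    if event.cc not in allowed_countries:
        return "deny:geo"
    addr = ipaddress.ip_address(event.ip)
    if any(addr in net for net in bad_networks):
        return "deny:reputation"
    return "allow"


if __name__ == "__main__":
    for name, log in [("stuffing", STUFFING_LOG), ("normal", NORMAL_LOG), ("brute", BRUTE_FORCE_LOG)]:
        metrics, verdict = analyze(log)
        print(f"{name}: {verdict} {metrics}")
    for ev in parse_log(STUFFING_LOG)[:3]:
        print(ev.user, ev.ip, ev.cc, policy_decision(ev, ALLOWED_COUNTRIES, BAD_NETWORKS))
```

The split between `classify` and `policy_decision` is deliberate: the per-request geo and reputation denies act on each login attempt as it arrives, while the window classifier only becomes informative once a batch of attempts is visible. Keying the verdict on low attempts-per-IP together with a high account spread is what distinguishes residential-proxy stuffing from a classic brute force; a per-IP rate limit alone never triggers on the former, which is the whole point of the proxy networks described above.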
References

[1]https://thehackernews.com/2024/04/okta-warns-of-unprecedented-surge-in.html

Originally published on the WeChat public account 知机安全: Okta Warns of Surge in Proxy-Driven Credential Stuffing Attacks

Reposted via CN-SEC 中文网 (please keep this link when reposting; thanks to the original author): Okta Warns of Surge in Proxy-Driven Credential Stuffing Attacks http://cn-sec.com/archives/2698101.html
