Identity and access management (IAM) services provider Okta has warned of an increase in the "frequency and scale" of credential stuffing assaults directed at online businesses.
These extraordinary attacks, noticed over the last month, are believed to be enabled by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the business said in an alert published Saturday.
The findings expand on a recent statement from Cisco, which cautioned of a global spike in brute-force attacks targeting multiple devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos stated at the time, adding targets of the attacks comprise VPN appliances from Cisco, Check Point, Fortinet, SonicWall, as well as routers from Draytek, MikroTik, and Ubiquiti.
Okta stated its Identity Threat Research noticed an upsurge in credential stuffing activities against user accounts from April 19 to April 26, 2024, from presumably comparable infrastructure.
Credential stuffing is a sort of cyber attack in which credentials obtained from a data breach on one service are used to attempt to sign in to another unrelated service.
Alternatively, such credentials could be extracted via phishing attacks that link victims to credential harvesting pages or by malware operations that install information stealers on infected systems.
"All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR," Okta stated.
"Millions of the requests were also routed through a variety of residential proxies including NSOCKS, Luminati, and DataImpulse."
Residential proxies (RESIPs) refer to networks of legitimate user devices that are misused to route traffic on behalf of paying customers without their knowledge or agreement, hence allowing threat actors to mask their malicious traffic.
This is often performed by installing proxyware programs on computers, mobile phones, or routers, thereby enrolling them into a botnet that's then rented to consumers of the service who seek to anonymize the source of their traffic.
"Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download 'proxyware' into their device in exchange for payment or something else of value," Okta added.
"At other times, a user device is infected with malware without the user's knowledge and becomes enrolled in what we would typically describe as a botnet."
Last month, HUMAN's Satori Threat Intelligence team identified over two dozen malicious Android VPN apps that turn mobile devices into RESIPs by use of an embedded software development kit (SDK) that incorporated the proxyware capabilities.
"The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers," Okta added.
To mitigate the risk of account takeovers, the company is recommending that organizations enforce users to switch to strong passwords, enable two-factor authentication (2FA), deny requests originating from locations where they don't operate and IP addresses with poor reputation, and add support for passkeys.
RollMid comes loaded with capabilities to set the stage for the attack and establish contact with a C2 server, which entails a three-step process of its own as follows -
Communicate with the first C2 server to get an HTML file providing the address of the second C2 server
Communicate with the second C2 server to get a PNG image that embeds a malicious component using a technique called steganography
Transmit data to the third C2 server using the address indicated in the concealed data within the image
Retrieve an additional Base64-encoded data blob from the third C2 server, which is the Kaolin RAT
The technical intricacy underlying the multi-stage procedure, while no doubt clever and intricate, borders on overkill, Avast opined, with the Kaolin RAT clearing the way for the distribution of the FudModule rootkit after setting up communications with the RAT's C2 server.
On top of that, the malware is equipped to enumerate files; carry out file operations; upload files to the C2 server; alter a file's last modified timestamp; enumerate, create, and terminate processes; execute commands using cmd.exe; download DLL files from the C2 server; and connect to an arbitrary host.
"The Lazarus group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products," Camastra claimed.
"It is apparent that they committed enormous money in constructing such a complicated assault chain. What is known is that Lazarus has to develop regularly and dedicate tremendous resources to explore various areas of Windows mitigations and security products. Their ability to adapt and evolve poses a serious challenge to cybersecurity efforts."
