Traffic – INDIA NEWS (https://www.indiavpn.org), News Blog, Tue, 19 Mar 2024 17:08:15 +0000

APIs Drive the Majority of Internet Traffic and Cybercriminals are Taking Advantage
https://www.indiavpn.org/2024/03/19/apis-drive-the-majority-of-internet-traffic-and-cybercriminals-are-taking-advantage/ (Tue, 19 Mar 2024 17:08:15 +0000)

Mar 19, 2024 | The Hacker News | API Security / Vulnerability

Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively. The State of API Security in 2024 Report from Imperva, a Thales company, found that the majority of internet traffic (71%) in 2023 was API calls. What’s more, a typical enterprise site saw an average of 1.5 billion API calls in 2023.

The expansive volume of internet traffic that passes through APIs should be concerning for every security professional. Despite best efforts to adopt shift-left frameworks and SDLC processes, APIs are often still pushed into production before they’re cataloged, authenticated, or audited. On average, organizations have 613 API endpoints in production, but that number is rapidly expanding as pressure grows to deliver digital services to customers more quickly and efficiently. Over time, these APIs can become risky, vulnerable endpoints.

In its report, Imperva concludes that APIs are now a common attack vector for cybercriminals because they provide a direct pathway to sensitive data. Indeed, a study from the Marsh McLennan Cyber Risk Analytics Center finds that API-related security incidents cost global businesses as much as $75 billion annually.

More API Calls, More Problems

Banking and online retail reported the highest volumes of API calls compared to any other industry in 2023. Both industries rely on large API ecosystems to deliver digital services to their customers. Therefore, it’s no surprise that financial services, which include banking, were the leading target of API-related attacks in 2023.

Cybercriminals use a variety of methods to attack API endpoints, but one common attack vector is account takeover (ATO). This attack occurs when cybercriminals exploit weaknesses in an API’s authentication process to gain unauthorized access to accounts. In 2023, nearly half (45.8%) of all ATO attacks targeted API endpoints. These attempts are often carried out by automation in the form of bad bots: software agents that run automated tasks with malicious intent. When successful, these attacks can lock customers out of their accounts, hand criminals sensitive data, contribute to revenue loss, and increase the risk of non-compliance. Considering the value of the data that banks and other financial institutions manage for their customers, ATO is a serious business risk.

Why Mismanaged APIs are a Security Threat

Mitigating API security risk is a unique challenge that frustrates even the most sophisticated security teams. The issue stems from the fast pace of software development and the lack of mature tools and processes to help developers and security teams work more collaboratively. As a result, nearly one out of every 10 APIs is vulnerable to attack because it wasn’t deprecated correctly, isn’t monitored, or lacks sufficient authentication controls.

In its report, Imperva identified three common types of mismanaged API endpoints that create security risks for organizations: shadow, deprecated, and unauthenticated APIs.

  • Shadow APIs: Also known as undocumented or undiscovered APIs, these are APIs that are unsupervised, forgotten about, and/or outside of the security team’s visibility. Imperva estimates that shadow APIs make up 4.7% of every organization’s collection of active APIs. These endpoints are introduced for a variety of reasons—from the purpose of software testing to use as a connector to a third-party service. Issues arise when these API endpoints are not cataloged or managed properly. Businesses should be concerned about shadow APIs because they typically have access to sensitive information, but nobody knows where they exist or what they’re connected to. A single shadow API can lead to a compliance violation and regulatory fine, or worse, a motivated cybercriminal will abuse it to access an organization’s sensitive data.
  • Deprecated APIs: Deprecating an API endpoint is a natural step in the software lifecycle, so the presence of deprecated APIs is not uncommon, given that software is updated at a rapid, continuous pace. In fact, Imperva estimates that deprecated APIs, on average, make up 2.6% of an organization’s collection of active APIs. When an endpoint is deprecated, the services that depend on it are updated and any request to the deprecated endpoint should fail. However, if those services are not updated and the API isn’t removed, the endpoint becomes vulnerable because it no longer receives patches and software updates.
  • Unauthenticated APIs: Often, unauthenticated APIs are introduced as a result of misconfiguration, oversight from a rushed release process, or the relaxation of a rigid authentication process to accommodate older versions of software. These APIs make up, on average, 3.4% of an organization’s collection of active APIs. The existence of unauthenticated APIs poses a significant risk to organizations as it can expose sensitive data or functionality to unauthorized users and lead to data breaches or system manipulation.

To mitigate the various security risks introduced by mismanaged APIs, conducting regular audits to identify unmonitored or unauthenticated API endpoints is recommended. Continuous monitoring can help detect any attempts to exploit vulnerabilities associated with these endpoints. In addition, developers should regularly update and upgrade APIs to ensure that deprecated endpoints are replaced with more secure alternatives.

How to Protect Your APIs

Imperva offers several recommendations to help organizations improve their API Security posture:

  1. Discover, classify, and inventory all APIs, endpoints, parameters, and payloads. Use continuous discovery to maintain an always up-to-date API inventory and to reveal where sensitive data is exposed.
  2. Identify and protect sensitive and high-risk APIs. Perform risk assessments specifically targeting API endpoints vulnerable to Broken Authorization and Authentication as well as Excessive Data Exposure.
  3. Establish a robust monitoring system for API endpoints to detect and analyze suspicious behaviors and access patterns actively.
  4. Adopt an API Security approach that integrates Web Application Firewall (WAF), API Protection, Distributed Denial of Service (DDoS) prevention, and Bot Protection. A comprehensive range of mitigation options offers flexibility and advanced protection against increasingly sophisticated API threats—such as business logic attacks, which are particularly challenging to defend against as they are unique to each API.

This article is a contributed piece from one of The Hacker News’ partners.

New Docker Malware Steals CPU for Crypto & Drives Fake Website Traffic
https://www.indiavpn.org/2024/01/18/new-docker-malware-steals-cpu-for-crypto-drives-fake-website-traffic/ (Thu, 18 Jan 2024 18:17:12 +0000)

Jan 18, 2024 | Newsroom | Server Security / Cryptocurrency

Vulnerable Docker services are being targeted by a novel campaign in which the threat actors deploy the XMRig cryptocurrency miner as well as the 9Hits Viewer software as part of a multi-pronged monetization strategy.

“This is the first documented case of malware deploying the 9Hits application as a payload,” cloud security firm Cado said, adding that the development is a sign that adversaries are constantly looking to diversify the ways they make money from compromised hosts.

9Hits advertises itself as a “unique web traffic solution” and an “automatic traffic exchange” that allows members of the service to drive traffic to their sites in exchange for purchasing credits.


This is accomplished by means of software called 9Hits Viewer, which runs a headless Chrome browser instance to visit websites requested by other members; in return, the member running it earns credits that pay for traffic to their own sites.

The exact method used to spread the malware to vulnerable Docker hosts is currently unclear, but it’s suspected to involve the use of search engines like Shodan to scan for prospective targets.

The servers are then breached to deploy two malicious containers via the Docker API and fetch off-the-shelf images from the Docker Hub library for the 9Hits and XMRig software.

“This is a common attack vector for campaigns targeting Docker, where instead of fetching a bespoke image for their purposes they pull a generic image off Dockerhub (which will almost always be accessible) and leverage it for their needs,” security researcher Nate Bill said.

The 9Hits container is then used to execute code to generate credits for the attacker by authenticating with 9Hits using their session token and extracting the list of sites to visit.

The threat actors have also configured the scheme to allow visiting adult sites or sites that show popups, but prevent it from visiting cryptocurrency-related sites.


The other container is used to run an XMRig miner that connects to a private mining pool, making it impossible to determine the campaign’s scale and profitability.

“The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner will use all available CPU resources it can while 9hits will use a large amount of bandwidth, memory, and what little CPU is left,” Bill said.

“The result of this is that legitimate workloads on infected servers will be unable to perform as expected. In addition, the campaign could be updated to leave a remote shell on the system, potentially causing a more serious breach.”

Orange Spain Faces BGP Traffic Hijack After RIPE Account Hacked by Malware
https://www.indiavpn.org/2024/01/05/orange-spain-faces-bgp-traffic-hijack-after-ripe-account-hacked-by-malware/ (Fri, 05 Jan 2024 13:35:15 +0000)

Jan 05, 2024 | Newsroom | Network Security / Malware

Mobile network operator Orange Spain suffered an internet outage for several hours on January 3 after a threat actor used administrator credentials captured by stealer malware to hijack the company’s Border Gateway Protocol (BGP) traffic.

“The Orange account in the IP network coordination center (RIPE) has suffered improper access that has affected the browsing of some of our customers,” the company said in a message posted on X (formerly Twitter).

However, the company emphasized no personal data was compromised and that the incident only affected some browsing services.


The threat actor, who goes by the name Ms_Snow_OwO on X, claimed to have gained access to Orange Spain’s RIPE account. RIPE is a regional Internet registry (RIR) that oversees the allocation and registration of IP addresses and autonomous system (AS) numbers in Europe, Central Asia, Russia, and West Asia.

“Using the stolen account, the threat actor modified the AS number belonging to Orange’s IP address, resulting in major disruptions to Orange and a 50% loss in traffic,” cybersecurity firm Hudson Rock said.

(Image: BGP Traffic Shutdown)

Further analysis has revealed that the email address of the admin account is associated with the computer of an Orange Spain employee whose machine was infected with Raccoon Stealer malware on September 4, 2023.

It’s currently not known how the stealer found its way to the employee’s system, but such malware families are typically propagated via malvertising or phishing scams.

“Among the corporate credentials identified on the machine, the employee had specific credentials to ‘https://access.ripe.net’ using the email address which was revealed by the threat actor (adminripe-ipnt@orange.es),” the company added.

Even worse, the password used to secure Orange’s RIPE administrator account was “ripeadmin,” which is both weak and easily predictable.


Security researcher Kevin Beaumont further noted that RIPE neither mandates two-factor authentication (2FA) nor enforces a strong password policy for its accounts, making it ripe for abuse.

“Currently, infostealer marketplaces are selling thousands of credentials to access.ripe.net — effectively allowing you to repeat this at organizations and ISPs across Europe,” Beaumont said.

RIPE, which is currently investigating to see if any other accounts have been affected in a similar manner, said it will directly reach out to affected account holders. It has also urged RIPE NCC Access account users to update their passwords and enable multi-factor authentication for their accounts.

“In the long term, we’re expediting the 2FA implementation to make it mandatory for all RIPE NCC Access accounts as soon as possible and to introduce a variety of verification mechanisms,” it added.

The incident highlights the consequences of infostealer infections and underscores the need for organizations to secure their networks against known initial access vectors.
