APIs and Ransomware: The Path Attackers are Using to Infect Organizations
Cyber defense in depth remains critical to thwarting attacks. Understanding your API exposure should be part of your cyber hygiene.
September 6, 2022
Ransomware is arguably one of the top threats in cybersecurity right now. Its effects can be crippling. And it appears to be indiscriminate in its targets, impacting entire nations, the largest enterprises, hospitals, and everything and everyone in between.
Cybercriminals are doubling down and employing additional tactics on their victims. We’ve now seen multi-extortion techniques designed to heighten the cost and immediacy of the threat. These criminals are well aware of how lucrative these attacks can be and have made notable investments over the past few years to optimize their approach. This includes developing technical support operations to help victims get back online once they pay their ransoms.
The question is, what is the path attackers are using to infect organizations? One piece of research from Coveware seems to indicate that it depends on what type of organization we are talking about. Smaller organizations are being targeted via unsecured RDP connections, while larger organizations are still mostly targeted via email phishing. The payment also varies greatly depending on an organization's size. Palo Alto Networks' Unit 42 says the average ransom demand on cases worked by their consultants climbed 144% to $2.2 million last year. The average payment rose 78% to $541,010 during the same period.
In a more recent piece by Coveware, the data points to some shifts in attack vectors, including the rise of social engineering and the direct compromise of insiders. These social engineering attacks differ from phishing in that they are highly targeted and typically involve some priming or grooming of a target employee, who is ultimately coaxed into allowing an attacker to gain a foothold in the network.
Where do APIs come into play?
Firstly, let's think about public clouds and how threat actors are aiming to infect hosts and encrypt files. The reality is they will target cloud APIs to access and encrypt said data. In an ideal world, APIs are intended to streamline cloud computing processes. But when left unsecured, APIs can open lines of communication that allow individuals to exploit private data.
Secondly, and this is perhaps less obvious, the path of least resistance involves finding credentials or other access methods for the systems attackers are trying to encrypt. Research from North Carolina State University (NCSU) found that over 100,000 GitHub repos have leaked API or cryptographic keys, and that thousands of new API or cryptographic keys leak via GitHub projects every day. More recently, the Salesforce-owned subsidiary Heroku acknowledged the theft of GitHub integration OAuth tokens that were used to download data from dozens of organizations, including NPM.
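The leak pattern described above is one a repository owner can check for before code ever reaches a public remote. The scanner below is an added example, not code from the original article or from NCSU's research; the sample files, the variable-name patterns and the entropy threshold are constructed for illustration.

```python
import math
import re

# Constructed sample repository contents: one real-looking API key, one PEM
# private key, and one obvious placeholder that should NOT be reported.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'API_KEY = "sk_live_4f9aA8bQ2zX7Lp0mN3vR6tY1cW5eU8iO"\n'
        'DEBUG = True\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": 'Example: TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxx"\n',
}

# Any PEM private-key header, regardless of algorithm.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# A string literal of 16+ chars assigned to a key-like variable name.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(\w*(?:api[_-]?key|secret|token|password)\w*)\s*[:=]\s*[\"']([^\"']{16,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this example

def shannon_entropy(s):
    """Bits per character; random tokens score high, placeholders score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(path, text):
    """Return (path, line number, finding) tuples for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY_RE.search(line):
            findings.append((path, lineno, "private-key-block"))
            continue
        m = ASSIGNMENT_RE.search(line)
        # Entropy filter keeps "xxxx..." style placeholders out of the report.
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, f"high-entropy-secret:{m.group(1)}"))
    return findings

def scan_files(files):
    """Scan a mapping of path -> contents, e.g. the files staged for a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

if __name__ == "__main__":
    for path, lineno, what in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {what}")
```

Wired into a pre-commit hook or CI job, the same scan runs over the staged files instead of the constructed dictionary.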
Another proof point is the work by Microsoft on the Log4j vulnerabilities. They pointed out that suspected China-based cybercriminals are targeting the Log4j 'Log4Shell' flaw in VMware's Horizon product. Their goal is to install NightSky, a new ransomware strain that emerged on 27th December of last year.
APIs act as an intermediary between multiple applications and systems, and Log4Shell creates two significant issues with APIs. The first is that API servers that are vulnerable to Log4Shell now expose a new attack surface for attackers. Most organizations have limited visibility into their API inventory and the behavior of their APIs, making APIs a preferred target for threat actors.
Second, if an attacker exploits the Log4Shell vulnerability to gain access to a system, APIs are capable of extending the attacker’s reach and the damage they can inflict. For example, many businesses have trusted third-party APIs that may be exposed to the Log4Shell vulnerability. Even if a business itself doesn’t use the Log4j framework for logging, third-party APIs could increase risk exposure.
Businesses must have more granular visibility and observability of their APIs to understand their risk exposure. Tracking outbound connectivity provides an additional layer of insight: businesses should have network visibility into the outgoing traffic within their cloud to help them track their outbound data.
It’s clear ransomware actors are becoming more sophisticated and are finding innovative ways to steal or leverage credentials and go after your data. And as APIs continue their inevitable rise in all organizations, it is becoming paramount to understand how this interconnectedness can be misused. Defense in depth remains critical to thwarting attacks, and understanding your API exposure should be part of your cyber hygiene.
Filip Verloy is Technical Evangelist EMEA at Noname Security.