
Globally, Over 4 Million Shopify Users Are at Risk

In a report published on Friday, BeVigil, CloudSEK's security search engine for mobile apps, found that hardcoded Shopify API tokens in e-commerce apps expose more than four million users worldwide to risk.

Shopify is an e-commerce platform that lets anyone, from individuals to large businesses, set up a store and sell products online. It is expected to power more than 4.4 million websites by the end of 2023 and is used in more than 175 countries.
 
The researchers warn that criminals could use the leaked tokens to reach sensitive data belonging to millions of Android users of e-commerce apps.

According to the CloudSEK BeVigil report, researchers found 21 e-commerce apps containing 22 hardcoded Shopify API keys. Those keys could expose the personally identifiable information (PII) of roughly four million users to identity theft.

An API key embedded in an app's code is visible to anyone who can get hold of the code, which for a published Android app means anyone willing to download and decompile the APK. An attacker who extracts the key can call the API as if they were the app: reading sensitive data and performing actions on its behalf, without ever being authorized to do so.
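What "visible to anyone with the code" looks like in practice: the scanner below is an added example (not CloudSEK's tooling) that walks the text of decompiled app resources and reports Shopify-shaped tokens. The token shapes it matches (a `shpat_`/`shpca_`/`shppa_`/`shpss_` prefix followed by 32 hex characters, plus an unprefixed 32-hex value sitting next to a Shopify-looking identifier) are assumptions taken from public secret-scanner rules, not a Shopify specification, and the decompiled sample it runs on is constructed for the example.

```python
import re

# Added example: a minimal secret scanner for decompiled Android app resources.
# Token shapes are assumptions borrowed from public secret-scanner rules
# (prefix + 32 hex characters), not a Shopify specification.
PREFIXED_TOKENS = {
    "admin_access_token": re.compile(r"\bshpat_[0-9a-fA-F]{32}\b"),
    "custom_app_token": re.compile(r"\bshpca_[0-9a-fA-F]{32}\b"),
    "private_app_token": re.compile(r"\bshppa_[0-9a-fA-F]{32}\b"),
    "shared_secret": re.compile(r"\bshpss_[0-9a-fA-F]{32}\b"),
}

# Storefront tokens carry no prefix, so fall back to a bare 32-hex value that
# sits within 40 characters of a Shopify-looking identifier (assumed heuristic).
CONTEXT_HINT = re.compile(
    r"(?:shopify|storefront)[A-Za-z_]*?(?:token|key|secret)[^\n]{0,40}?\b([0-9a-fA-F]{32})\b",
    re.IGNORECASE,
)


def mask(token: str) -> str:
    """Keep enough of the value to triage a finding without re-leaking it."""
    return token[:10] + "..." + token[-4:]


def scan_text(text: str):
    """Return (line_no, kind, masked_value) for every hardcoded token found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pattern in PREFIXED_TOKENS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, mask(match.group(0))))
                hit = True
        if hit:
            continue  # a prefixed token already explains this line
        match = CONTEXT_HINT.search(line)
        if match:
            findings.append((line_no, "unprefixed_token_near_shopify_identifier", mask(match.group(1))))
    return findings


# Constructed sample of what `apktool d app.apk` might leave behind; not a real app.
SAMPLE_DECOMPILED = """\
<!-- res/values/strings.xml (constructed sample) -->
<string name="app_name">DemoShop</string>
<string name="shopify_admin_token">shpat_0123456789abcdef0123456789abcdef</string>
<string name="api_base">https://demo-shop.example.com</string>
// com/example/demoshop/Config.java (constructed sample)
public static final String STOREFRONT_KEY = "7f3b9c2d4e5a6b1c8d9e0f1a2b3c4d5e";
public static final String BUILD_ID = "1.4.2";
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE_DECOMPILED):
        print(f"line {line_no}: {kind} -> {value}")
```

The right fix for a finding is not a better hiding place inside the APK (obfuscation only slows the decompiler down) but moving the call behind a backend the app authenticates to, so the Shopify token never ships to the device at all.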

Information About Credit Cards

According to the report, at least 18 of the 22 hardcoded keys let an attacker view sensitive customer data. Seven of the keys allow gift cards to be viewed and modified, and six allow a threat actor to read payment account information.

The exposed shop-owner data includes name, email address, website address, country, full address, phone number and related details. The same keys also expose customers' past orders and their email-marketing preferences.

On the payment side, a threat actor could obtain details of the credit or debit cards customers used for purchases: the card BIN, the last digits of the card number, the issuing company, the name on the card, the expiry date, the IP address of the customer's browser, and other sensitive information.

To demonstrate the point, the researchers used one of the exposed keys to authenticate against the Shopify API and retrieve the full details of the affected shop.

The researchers also stress that this is not a flaw on Shopify's side: it is a widespread developer problem in which app developers leak API keys and tokens by shipping them inside their apps.

An e-commerce platform such as Shopify enables businesses of all sizes to easily create an online store and, in turn, sell their products online. It is estimated that there are more than four million websites with Shopify integration today, enabling both physical and digital purchases from their online shoppers.   

CloudSEK notified Shopify of its findings; at the time of writing, Shopify had not responded.

Can Twitter Fix its Bot Crisis with an API Paywall?

Twitter has just put a new application programming interface (API) policy into effect, and researchers expect it to have a profound impact on social media bots, the useful ones (RSS integrations, for example) and the harmful ones (political influence campaigns) alike.

A tweet from the Twitter development team announced that, starting February 9, the API would no longer be free. After negative publicity, Elon Musk personally amended the terms: bots producing "good content" would keep a light, write-only API at no charge.

An API is the interface through which two pieces of software talk to each other, much as your computer's user interface lets you drive its many complex functions without knowing how they work. Enterprises, academic institutions and bot developers building on Twitter need the API for automation, management and analytics.

Whether access ends up rate-limited or subscription-based, the change risks displacing smaller, less well-funded developers and academics who relied on free access to build bots, applications and research that provide real value to users.

It is also worth remembering that Twitter has been targeted by malicious bots since its earliest days. Hackers use the platform to spread scams and hostile regimes use it to spread fake news, and that is before counting the smaller-scale abuse that pervades influencer culture, marketing and plain trolling.

So what are the pros and cons of a paid API as a fix for Twitter's influence campaigns and bot-driven problems? Several experts believe the move is a smokescreen hiding the real problem.

Bad bots on Twitter 


A May 2018 report from the National Bureau of Economic Research in Cambridge, Mass., found that social media bots play a significant role in shaping public opinion, particularly at the local level. It concluded that Twitter bots had materially influenced both the 2016 US presidential election and the UK vote on leaving the European Union. The data suggest that aggressive use of Twitter bots, together with the fragmentation of social media and the influence of sentiment, may all have contributed to the outcome of those votes.

In the UK, the rising volume of automated pro-leave tweets may explain 1.76 percentage points of the actual pro-leave vote share; in the US, 3.23 percentage points of the actual vote could be explained by bot activity.

In that US election, three critical swing states, Pennsylvania, Wisconsin and Michigan, whose combined electoral votes decided the outcome, were each won by a mere fraction of a percentage point.

More often, bots are simply tools that let criminals commit cybercrime at scale without swaying world history. Twitter bots have been observed distributing spam and malicious links, and amplifying criminals' content and profiles on the site.

David Maynor, director of the Cybrary Threat Intelligence Team and chief technology officer for Dark Reading, explains in an interview that bots are an incredibly huge problem for the Internet. Some random objects taunt people so much that victims would spend hours or days trying to prove they were wrong, as if it were the real world. Bots also give astroturfing efforts a veneer of legitimacy they do not deserve.

Astroturfing is a type of marketing strategy designed to create an impression that a product or service has been chosen by the general public in a way that appears to be an independent assessment without actually being so (hiding sponsorship information, for instance, or presenting "reviews" as objective third-party assessments). 

Are Twitter's motives hidden? 


Some argue that Twitter's real motive for putting its API behind a paywall has nothing to do with security. Would a basic subscription fee really stop a cybercrime group, a lone scammer targeting your account, or, for that matter, the Russian government, one of the world's most active operators of social media influence campaigns?

Plenty of mobile app security platforms and cloud-based services already exist that can strip bot traffic out of mobile apps, and Elon Musk is well aware of them. Ted Miracco, CEO at Approov, says: "Bot traffic could be largely eliminated overnight if the proper technologies are implemented."

Several methods and tools exist to help social media sites, and site owners and administrators of every kind, snuff out botnets. The key observation is that bots behave predictably: they post on a regular cadence and only in certain ways. Specialized tools exploit this to map entire networks of bots; starting from a handful of suspect accounts, they can reveal the whole network.
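The "bots behave predictably" heuristic, as an added example rather than any vendor's tool: two cheap signals computed over an account's timeline, how regular the gaps between posts are (coefficient of variation of the inter-post interval, near zero for clockwork posting) and how often the text repeats once URLs and numbers are stripped. The two timelines it runs on are constructed for the example, and the thresholds are assumptions to tune against real data.

```python
import re
from datetime import datetime, timedelta
from statistics import mean, pstdev

URL_OR_NUMBER = re.compile(r"https?://\S+|\d+")


def gap_regularity(timestamps):
    """Coefficient of variation of the gaps between consecutive posts.
    Near 0 means clockwork posting; humans usually score well above 0.5."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def duplicate_ratio(texts):
    """Share of posts that repeat an earlier post once URLs and numbers are removed."""
    seen, dupes = set(), 0
    for text in texts:
        key = " ".join(URL_OR_NUMBER.sub("", text).lower().split())
        if key in seen:
            dupes += 1
        seen.add(key)
    return dupes / len(texts) if texts else 0.0


def classify_account(posts, min_posts=6, max_gap_cv=0.15, min_dup_ratio=0.5):
    """posts: list of (datetime, text). Returns a verdict plus both signals.
    Thresholds are assumptions for the example, not measured values."""
    if len(posts) < min_posts:
        return {"verdict": "insufficient_data", "gap_cv": None, "dup_ratio": None}
    cv = gap_regularity([ts for ts, _ in posts])
    dup = duplicate_ratio([text for _, text in posts])
    regular = cv is not None and cv <= max_gap_cv
    templated = dup >= min_dup_ratio
    if regular and templated:
        verdict = "likely_automated"
    elif regular or templated:
        verdict = "suspicious"
    else:
        verdict = "likely_human"
    return {"verdict": verdict, "gap_cv": cv, "dup_ratio": dup}


# Constructed sample timelines (not real accounts).
_start = datetime(2023, 2, 9, 8, 0, 0)
BOT_POSTS = [
    (_start + timedelta(minutes=15 * i, seconds=jitter),
     f"Big savings today! Deal #{i} at https://shop.example/{i}")
    for i, jitter in enumerate([0, 3, 7, 2, 9, 1, 4, 6])
]
HUMAN_POSTS = [
    (_start + timedelta(minutes=m), text)
    for m, text in [
        (0, "coffee first, then the deploy"),
        (42, "deploy went fine, surprisingly"),
        (230, "anyone else seeing 502s on the status page?"),
        (245, "never mind, it was my VPN"),
        (700, "reading about API paywalls tonight"),
        (1100, "good night twitter"),
        (1160, "ok one more"),
    ]
]

if __name__ == "__main__":
    print("bot  ->", classify_account(BOT_POSTS))
    print("human->", classify_account(HUMAN_POSTS))
```

Neither signal is proof on its own (a scheduler used by a legitimate news account is also regular), which is why the verdict only becomes "likely_automated" when both agree and the in-between case is surfaced for a human to look at.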

Another view holds that identity, rather than pricing, is the key to detecting malicious automated tweets. As Livnek puts it: "This might not be popular, but it is the only way to stop bots and information operations. People and organizations must be tied to real-life accounts and organizations."

In this regard, Livnek adds, Whilst this raises concerns about privacy and misuse of data, remember that these platforms are already mining all of the available data on the platforms to increase user engagement. Tying accounts to real-world identities wouldn't affect the platforms' data harvesting, but would instead enable them to stamp out bots and [astroturfing]. 

It seems a bit extreme to remove free API access before we have exhausted all feasible security measures that might have been available to us. 

The reason, Miracco argues, is an open secret in Silicon Valley, the elephant in the room: social media companies have come to like their bots, because bots generate revenue.

Twitter's business model is selling advertisements. Advertisers are billed for bots as if they were users, so bots generate revenue exactly as users do. More bots, more money.

Tesla CEO Elon Musk threatened to pull out of his deal to buy Twitter, reportedly after the revelation that a large share of Twitter's purported users were bots or other automated accounts. His view may have shifted as he went from interested party to outright owner. Miracco predicts that "revealing the problem now will result in a precipitous fall in traffic, so revenue must be discovered along the way to maintain the company's relevance along the path to reduced traffic, which was the motivation behind the API paywall." His explanation is straightforward: the paywall is ostensibly there to stop bots, but in truth it is there to drive revenue.

The paywall has only just been implemented. Whether it will solve Twitter's bot problem on its own, or merely line Musk's pockets, only time will tell.

Twitter did not immediately respond to a request for comment.

Mimic Attacks: Ransomware Hijacking Windows ‘Everything’ Search Tool


Trend Micro has published details of a new ransomware family that abuses the APIs of the 'Everything' file search tool to attack English- and Russian-speaking Windows users.

The malware was discovered by the security firm researchers in June 2022 and was named ‘Mimic.’ According to the researchers, the malware has been “deleting shadow copies, terminating multiple applications and services, and abusing Everything32.dll functions to query target files that are to be encrypted.” 

The researchers also found that some of the code in Mimic shared similarities with the infamous Conti ransomware, which was leaked in early 2022 following a number of high-profile incidents. 

Mimic Attacks 

A Mimic attack begins with the victim receiving an executable, most likely by email, which drops four files onto the target system: the main payload, ancillary files, and tools to disable Windows Defender.

The researchers found that the dropped files are largely legitimate, with one of them carrying the malicious payload. Mimic is a sophisticated strain: it accepts command-line options to target specific files and uses multiple processor threads to encrypt data faster.

According to Trend Micro, the combination of multiple active threads and the abuse of Everything's APIs to locate target files lets the ransomware run with minimal resource consumption, making execution, and the attack, more effective.
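The behaviours Trend Micro describes (shadow copy deletion, mass termination of applications and services, and `Everything32.dll` being loaded by something other than the Everything tool itself) are what a detection engineer would correlate. The rules below are an added example, not Trend Micro's detection content; they run over constructed process-creation and image-load events in a Sysmon-like JSON shape whose field names are assumptions, and the "legitimate install directory" for Everything is likewise assumed.

```python
import json
import re
from collections import defaultdict

# Added example: behavioural detection for the chain described above, run over
# constructed events in a Sysmon-like JSON shape (field names are assumptions).
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
DEFENDER_OFF = re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)
KILL_CMD = re.compile(r"\b(taskkill(\.exe)?\s+.*/im\s+|net(\.exe)?\s+stop\s+)", re.I)
EVERYTHING_DLL = re.compile(r"everything(32|64)?\.dll$", re.I)
# Assumed legitimate install location for the Everything search tool.
EVERYTHING_HOME = re.compile(r"^C:\\Program Files( \(x86\))?\\Everything\\", re.I)


def classify(event):
    """Map one event to a technique tag, or None if it looks benign."""
    if event["event"] == "process_create":
        cmd = event.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            return "shadow_copy_deletion"
        if DEFENDER_OFF.search(cmd):
            return "defender_disabled"
        if KILL_CMD.search(cmd):
            return "process_termination"
    elif event["event"] == "image_load":
        loaded = event.get("loaded", "")
        # The tool loading its own DLL from its own directory is normal;
        # a dropped copy in a temp directory is the ransomware's trick.
        if EVERYTHING_DLL.search(loaded) and not EVERYTHING_HOME.match(loaded):
            return "everything_dll_outside_install_dir"
    return None


def detect(lines, min_kills=3, min_techniques=2):
    """Return {host: sorted technique tags} for hosts combining enough techniques.
    A single taskkill is routine admin work; a burst of them is not."""
    tags = defaultdict(set)
    kills = defaultdict(int)
    for line in lines:
        event = json.loads(line)
        tag = classify(event)
        if tag == "process_termination":
            kills[event["host"]] += 1
            if kills[event["host"]] >= min_kills:
                tags[event["host"]].add("mass_process_termination")
        elif tag:
            tags[event["host"]].add(tag)
    return {host: sorted(t) for host, t in tags.items() if len(t) >= min_techniques}


# Constructed telemetry: WS01 shows the Mimic pattern, WS02 is a benign Everything user.
SAMPLE_EVENTS = r"""
{"host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin delete shadows /all /quiet"}
{"host":"WS01","event":"image_load","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\dc.exe","loaded":"C:\\Users\\bob\\AppData\\Local\\Temp\\Everything32.dll"}
{"host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd /c taskkill /f /im sqlservr.exe"}
{"host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd /c taskkill /f /im outlook.exe"}
{"host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\net.exe","cmdline":"net stop MSSQLSERVER /y"}
{"host":"WS02","event":"image_load","image":"C:\\Program Files\\Everything\\Everything.exe","loaded":"C:\\Program Files\\Everything\\Everything32.dll"}
{"host":"WS02","event":"process_create","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd /c taskkill /f /im notepad.exe"}
""".strip().splitlines()

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The correlation matters more than any single rule: shadow copy deletion alone fires on backup software, and process termination alone fires on administrators, but a host that does both and also loads a search-tool DLL from a temp directory is worth paging someone for.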

What Could be the Solution? 

The strongest advice to companies is a multilayered approach, combining data protection with backup and recovery measures, which offers the most effective security.

Utilizing a range of software that are designed to prevent, mitigate and combat the attacks on personal and business computers will add another layer of protection to the systems. 

Finally, regular vulnerability assessments, and patching the systems as soon as security updates become available, further reduce the chance of a successful ransomware attack.

37 Million Accounts' Data were Stolen from T-Mobile in a Data Breach Involving APIs

 

T-Mobile, a wireless provider in the United States, reported earlier this week that an unidentified malicious intruder broke into its network in late November and stole information on 37 million customers, including addresses, phone numbers, and dates of birth. 

The breach was found Jan. 5, according to T-Mobile, which disclosed this in a filing with the U.S. Securities and Exchange Commission. According to the company's investigation to date, the stolen data didn't include passwords or PINs, bank account or credit card information, Social Security numbers, or other official identifications. 

The malicious activity "appears to be fully contained at this time, but our investigation is still ongoing," T-Mobile said, adding that the data was first accessed on or around Nov. 25.

In recent years, the company has experienced numerous hacks. In its filing, T-Mobile stated that it did not anticipate the most recent breach to materially affect its business.

However, Neil Mack, a senior analyst at Moody's Investors Service, stated in a statement that the breach raises concerns about management's cyber governance, may alienate customers, and may draw the attention of the Federal Communications Commission and other regulators. 

The frequency of these cybersecurity incidents at T-Mobile is alarmingly high compared to that of its telecom competitors, Mack said, even though they may not be systemic in nature. 

T-Mobile announced in August 2021 that personal information including Social Security numbers and driver's licence information had been stolen. As a result, the company agreed to pay $350 million to customers who brought a class action lawsuit. There were almost 80 million affected Americans. 

Additionally, it announced at the time that it would invest $150 million in other technologies and data security through 2023. Prior to the August 2021 intrusion, the company disclosed breaches in which customer information was accessed in January 2021, November 2019 and August 2018. 

After acquiring rival Sprint in 2020, Bellevue, Washington-based T-Mobile rose to prominence as one of the nation's major providers of mobile services. After the merger, it claimed to have more than 102 million clients.

Twitter: Five Changes to the Platform for Users by Elon Musk

 

Three months have passed since Elon Musk stormed into Twitter's San Francisco headquarters, and the company has barely escaped the spotlight. We've talked a lot about his thoughts on the social network and some of his more controversial business decisions, such as laying off 50% of the workforce, but less about how the platform's 237 million monthly active users use it on a daily basis.

1. Restricting alternative Twitter viewing methods

Twitter appears to have suspended access to its API, which is used by other platforms to communicate with it. So, if you use a social media manager to access your account rather than the Twitter app or website, you may discover that Twitter is not currently working with it. It's unclear whether the move was intentional, but many experts believe it was.

"My guess is that this is because those third-party apps do not show ads and they allow the user to manage their feed as they see fit, which is at odds with Musk's plans to put more ads in front of users' eyeballs and prioritize the tweets of people who have paid for Twitter Blue," said tech commentator Kate Bevan.

Although Twitter has not made an official announcement, popular apps that appear to be struggling include Tweetbot, Fenix, and Twitterific.

2. Maintenance

The order in which tweets appear on people's timelines is perhaps the most noticeable change. A new tab allows you to select between the most recent tweets from people you follow and those recommended by Twitter.

If you're using an iPhone, you'll see two columns at the top, "for you" and "following"; if you're using an Android device, you'll see a star icon on the top right-hand side of the screen. The problem is that many users did not notice or were unaware that the app occasionally reverted to Twitter's curated "for you" feed. There have been complaints that this feed is mostly made up of Twitter recommendations and interactions between people you follow and people you don't know, rather than the content you chose to follow in the first place.

Others, on the other hand, don't mind: "Some days I want to go to a restaurant with just my friends, some days I'll pitch up at the pub and see who's in...can be fun," one Twitter user explained.

3. Reintroduction of contentious accounts

Mr Musk began by reinstating some high-profile accounts that had previously been banned for violating Twitter's rules. They included Ye (the rapper Kanye West), who was barred for sharing anti-Semitic posts; the influencer Andrew Tate (currently held in Romania on people-trafficking charges); and former US President Donald Trump, whose tweets were accused of inciting the Capitol Hill riots in January 2021.

4. Twitter's Blue

Twitter's subscription service, Twitter Blue, launched at the end of November after a few false starts. The $8/$11 (£6.50/£9) monthly fee guarantees access to extra features such as an edit button, increased visibility, and fewer ads. Anecdotally, it appears to have attracted a reasonable number of subscribers, but not a large number - though, as usual, no official news about its success has been released thus far.

5. Ticks of silver and gold

Twitter's "blue tick," which is now a sign of a subscriber, was previously a symbol of a verified account. It was given to the accounts of hand-picked celebrities, journalists, and brands by Twitter to indicate that they were not fakes.

Those who acquired a blue tick under the old regime still have them, along with a message explaining that it is a "legacy" and "may or may not be notable". As a result, seeing a blue tick next to an account does not automatically confer authority on that account.

It has been replaced by a gold or silver tick for brands and government figures, so Coca-Cola is now gold, with an explanation that it is an "official business," and Rishi Sunak, the UK Prime Minister, now has a silver badge.

'Spin Master'

Twitter had to change whether Mr. Musk was there or not. Its user base and ad revenue had been stagnant for a long time, while rival social networks had sprung up and experienced explosive growth. Twitter is known for being a small but influential platform, but this was not translating into profits.

Mr. Musk is "a master of PR and spin and innovation and creativity", said social media expert Matt Navarra. He is not afraid of causing a stir or tearing up the rulebook. But will his revolutionary tactics turn around the fortunes of this floundering company, which he claims was losing $4 million per day when he took over?

It's difficult to say because Twitter is secretive about its metrics. It is now a privately owned company, as it should be. However, new advertisers do not appear to be flocking to the site, users are complaining about changes to the way their accounts are displayed, and a recent API change has irritated developers, a community that Twitter needs to help it grow.

Mr. Navarra of his own user experience of engaging with 150,000 followers said, "The vibe seems to have shifted and it doesn't seem to be quite what it was before. I don't see any signs of green shoots for a new Twitter."

 CircleCI Breach: Encryption Keys & User Data Seized

Software company CircleCI has acknowledged that a data breach last month resulted in the theft of customers' personal information.

Attackers broke into the company in December after an engineer's laptop was infected with data-stealing malware, which lifted CircleCI's 2FA-backed SSO session cookies and used them to reach the company's internal systems. CircleCI disclosed the breach earlier this month and urged customers to rotate their credentials and secrets.

The company accepted responsibility and blamed a systems failure: its antivirus software missed the token-stealing malware on the employee's laptop. Session tokens let users stay logged in without constantly re-entering a password or repeating two-factor authentication. The flip side is that an attacker holding a stolen session token can reach the same resources as the account holder without ever knowing the password or the two-factor code, and the server has a hard time telling a session driven by its owner from one driven by a thief.
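One way a server can tell the two apart, as an added example that is not CircleCI's implementation: bind each session token to the client context that completed 2FA (here, an assumed fingerprint of the /24 network prefix and the user agent), enforce absolute and idle lifetimes, and treat a replay from a different context as theft that revokes the session outright, so the legitimate owner is pushed back through 2FA too. The login and replay scenario in `demo()` is constructed.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Issues session tokens bound to the client that authenticated, and
    refuses to honour a token replayed from a different client context."""

    def __init__(self, max_lifetime=8 * 3600, idle_timeout=30 * 60, clock=time.time):
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so the example runs deterministically
        self._sessions = {}  # token -> session record (in memory for the example)

    @staticmethod
    def fingerprint(ctx):
        # Assumed binding: the /24 prefix rather than the exact IP so NAT and
        # mobile churn do not log users out, plus the user agent the login came from.
        ip_prefix = ".".join(ctx["ip"].split(".")[:3])
        material = f"{ip_prefix}|{ctx['user_agent']}".encode()
        return hashlib.sha256(material).hexdigest()

    def issue(self, user, ctx):
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = {
            "user": user, "fp": self.fingerprint(ctx), "issued": now, "last_seen": now,
        }
        return token

    def validate(self, token, ctx):
        """Return (user, "ok") or (None, reason). A binding mismatch revokes the
        token so the legitimate owner is pushed back through 2FA as well."""
        rec = self._sessions.get(token)
        if rec is None:
            return None, "unknown_or_revoked"
        now = self.clock()
        if now - rec["issued"] > self.max_lifetime:
            self._sessions.pop(token)
            return None, "expired"
        if now - rec["last_seen"] > self.idle_timeout:
            self._sessions.pop(token)
            return None, "idle_timeout"
        if not hmac.compare_digest(rec["fp"], self.fingerprint(ctx)):
            self._sessions.pop(token)  # treat as theft: kill the session outright
            return None, "binding_mismatch_revoked"
        rec["last_seen"] = now
        return rec["user"], "ok"

    def revoke_user(self, user):
        """The bulk version of what CircleCI did: invalidate everything tied to an identity."""
        doomed = [t for t, r in self._sessions.items() if r["user"] == user]
        for t in doomed:
            self._sessions.pop(t)
        return len(doomed)


def demo():
    """Constructed scenario: a laptop logs in, then its cookie is replayed from elsewhere."""
    fake_clock = [1_700_000_000.0]
    store = SessionStore(clock=lambda: fake_clock[0])
    laptop = {"ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Macintosh) Chrome/120"}
    attacker = {"ip": "198.51.100.77", "user_agent": "python-requests/2.31"}
    token = store.issue("engineer@example.com", laptop)
    results = [store.validate(token, laptop)[1]]
    fake_clock[0] += 60
    results.append(store.validate(token, attacker)[1])  # replay from a different context
    results.append(store.validate(token, laptop)[1])    # owner is now forced to re-authenticate
    return results


if __name__ == "__main__":
    print(demo())
```

Binding is a trade-off: a tighter fingerprint (exact IP, TLS session details) catches more replays but logs out more legitimate users, and a stealer that also exfiltrates the user agent will defeat the weakest binding. It raises the attacker's cost; short lifetimes and fast revocation are what limit the damage when it fails.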

According to CircleCI, the stolen session token let the attackers impersonate the employee and reach a subset of production systems that store customer data. In response, CircleCI rotated all customer-related tokens, including Project API Tokens, Personal API Tokens and GitHub OAuth tokens, and worked with Atlassian and AWS to alert customers whose Bitbucket and AWS tokens may have been compromised.

CircleCi claims that in order to further fortify its infrastructure, they have increased the number of detections for the actions taken by the information-stealing malware in its antivirus and mobile device management (MDM) programs.

"While customer data was encrypted, the cybercriminals also obtained the encryption keys able to decrypt customer data," said Rob Zuber, the company's chief technology officer. The company urges customers who have not yet rotated their secrets to do so, to prevent unauthorized access to third-party systems and stores. It has also tightened its 2FA configuration and restricted access to production environments to a smaller group of users.

Twitter Data Breach Indicates How APIs Are a Goldmine for PII and Social Engineering


A Twitter API vulnerability that was detected in June 2021, and was later patched, has apparently been haunting the organization yet again. 

In December 2022, a hacker claimed to have access to the personal data of 400 million Twitter users for sale on the dark web markets. And only yesterday, the attacker published the account details and email addresses of 235 million users. 

The data published by the hacker includes account names, handle creation dates, follower counts and email addresses. With it, threat actors can design social engineering campaigns that trick victims into handing over further personal data.

Twitter: A Social Engineering Goldmine 

Social media giants provide threat actors with a gold mine of user data and personal information that they can utilize in order to perform social engineering scams. 

With nothing more than a username, an email address and the contextual information visible on a public profile, a hacker can conduct reconnaissance on a target and craft phishing and scam campaigns tailored to dupe that person into giving up personal information.

In this case, while the exposed information was limited to users’ information available publicly, the immense volume of accounts exposed in a single location (Twitter) has in fact provided a “goldmine of information” to the threat actors. 

The Link Between Social Engineering and API Attacks 

Unsecured APIs give cybercriminals direct access to users' personally identifiable information (PII), from usernames and email addresses up to whatever a third-party integration is allowed to read about the user. Each API attack is thus a window through which large amounts of personal information can be collected for scams.

An instance of this happened just a month ago when a threat actor leveraged an API flaw to gather the data of 80,000 executives throughout the private sector and sell it on the dark web. The threat actor had applied successfully to the FBI's InfraGard intelligence sharing service. 

The data collected during the incident included usernames, email addresses, Social Security numbers, and dates of birth of victims. This highly valuable information was utilized by the threat actors for developing social engineering dupes and spear phishing attacks. 

How to Protect APIs and PII? 

One of the main challenges in combating API breaches is the sheer number of APIs a modern enterprise has to discover and secure. A single vulnerable endpoint can put user data at risk of exfiltration, so there is little room for error.

“Protecting organizations from API attacks requires consistent, diligent oversight of vendor management, and specifically ensuring that every API is fit for use […] It’s a lot for organizations to manage, but the risk is too great not to,” says Chris Bowen, CISO at ClearDATA.  “In healthcare, for example, where patient data is at stake, every API should address several components like identity management, access management, authentication, authorization, data transport, exchange security, and trusted connectivity.”

Security teams are also advised not to rely solely on simple authentication such as a username and password to secure their APIs.

“In today’s environment, basic usernames and passwords are no longer enough […] It’s now vital to use standards such as two-factor authentication (2FA) and/or secure authentication with OAuth,” says Will Au, senior director for DevOps, operations, and site reliability at Jitterbit. 

Beyond that, a Web Application Firewall (WAF) and real-time monitoring of API traffic help detect malicious activity early, which minimizes the risk and the scope of a compromise.
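What real-time API monitoring should be looking for in a case like this one: a client walking through a long list of lookup targets, mostly misses, is the signature of scraping keyed on emails or phone numbers. The detector below is an added example, not Twitter's or any vendor's; it keeps a sliding window of lookups per API client and raises an alert when the number of distinct targets in the window exceeds a threshold, or when the miss ratio says the caller is guessing. The traffic it runs on and the thresholds are constructed.

```python
from collections import defaultdict, deque


class EnumerationDetector:
    """Flags API clients that look up too many distinct records per window.
    Scraping keyed on emails/phones looks exactly like this: high volume,
    almost every request for a different target, and many misses."""

    def __init__(self, window_seconds=60, max_distinct=50, min_requests=20, max_miss_ratio=0.9):
        self.window = window_seconds
        self.max_distinct = max_distinct
        self.min_requests = min_requests
        self.max_miss_ratio = max_miss_ratio
        self._hits = defaultdict(deque)  # client -> deque of (ts, target, status)

    def observe(self, ts, client, target, status):
        """Record one lookup; return an alert dict or None."""
        q = self._hits[client]
        q.append((ts, target, status))
        while q and ts - q[0][0] > self.window:
            q.popleft()  # drop requests that fell out of the window
        distinct = {t for _, t, _ in q}
        miss_ratio = sum(1 for _, _, s in q if s == 404) / len(q)
        reason = None
        if len(distinct) > self.max_distinct:
            reason = "distinct_targets"
        elif len(q) >= self.min_requests and miss_ratio > self.max_miss_ratio:
            reason = "miss_ratio"
        if reason:
            return {"client": client, "ts": ts, "reason": reason,
                    "distinct_targets": len(distinct), "miss_ratio": round(miss_ratio, 2)}
        return None


def run(events, **kw):
    """events: iterable of (ts, client, target, status). Returns the first alert per client."""
    det = EnumerationDetector(**kw)
    alerts = {}
    for ts, client, target, status in sorted(events):
        alert = det.observe(ts, client, target, status)
        if alert and client not in alerts:
            alerts[client] = alert
    return alerts


def constructed_events():
    """Constructed traffic: a scraper walking an email list, and two normal apps."""
    events = []
    # scraper: 120 different addresses in 40 seconds, four in five not on the platform
    for i in range(120):
        events.append((1000.0 + i / 3, "key_scraper", f"user{i}@example.net", 200 if i % 5 == 0 else 404))
    # a mobile app re-checking the same handful of contacts
    for i in range(30):
        events.append((1000.0 + i * 2, "key_mobile", f"friend{i % 4}@example.org", 200))
    # a dashboard doing a few legitimate lookups
    for i in range(10):
        events.append((1005.0 + i * 5, "key_dashboard", f"staff{i}@example.com", 200))
    return events


if __name__ == "__main__":
    for client, alert in run(constructed_events()).items():
        print(client, alert)
```

In production the same counters live in the API gateway or a stream processor rather than a Python dict, and the response to an alert is to throttle or suspend the API key and preserve the request log, not merely to record the event.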

How to Migrate to the Cloud Securely

Increasingly, organizations and business units are migrating mission-critical data and systems to the cloud. 

Migration to and between all kinds of cloud services is indeed associated with security challenges; however, migration between public cloud services is the most challenging and has the potential to have grave consequences.   

How Secure are Cloud Migrations?   

Approximately half of all study respondents' workloads and data reside in a public cloud, according to the Flexera State of the Cloud Report 2022. The growth of cloud adoption has subsequently led to a growing number of concerns about the security of data during migration to the cloud. 

Here is a list of some of the security concerns that have been raised.

Vulnerabilities Associated With APIs 

The application programming interfaces that tie applications, data and infrastructure together can themselves be a major risk to cloud data, because they are the channels through which that data moves back and forth. Common weaknesses include APIs that run without sandbox isolation, APIs with weak or missing authentication and authorization, and APIs granted far more privilege than they need. Organizations migrating data to the cloud should account for these API vulnerabilities as part of the migration.

Blind Spots in Security 

A cloud infrastructure that does not have the necessary security features can also put cloud data at risk due to security blind spots. There are some challenges associated with cloud computing environments, such as the use of software-as-a-service applications to store sensitive data and the creation of shadow IT networks. Cloud migration can result in these potential vulnerabilities being exposed, and organizations should take precautions to mitigate the risks when migrating to the cloud.

Loss of Data is a Serious Issue

A final concern is the risk of data loss during the migration itself, particularly where the cloud provider lacks robust security and data recovery measures to fall back on if a security incident occurs mid-transfer.

The Most Effective Ways to Secure Data in a Cloud Migration

Alongside the potential security issues, there are concrete steps your team can take to keep data and applications protected during a cloud migration. The tips below will help ensure your company's data stays secure while it moves.

Make Sure Your APIs are Secure

Whenever data moves to the cloud, the APIs that control access to and between cloud applications and infrastructure must be secured. The simplest improvement is strong authentication and authorization on every API. These controls protect APIs against malicious and automated attacks, and they let you strip out the excessive privileges that users and services were granted for connecting to those APIs.

Limit access to data during the migration. A business migrating its data securely must restrict who can touch that data while it is in transit, and making sure only authorized users can reach it takes several steps: 
  • Implement and enforce authentication and authorization rules at the user level 
  • Establish a robust two-factor authentication process 
  • Use the security policies the cloud provider builds in 
  • Encrypt all data before the transfer 
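The "strong authorization controls" and "remove excessive privileges" advice above, made concrete as an added example (not any cloud provider's SDK): endpoints declare the scopes they require and deny by default, and the audit trail of which endpoints each token actually called is used to compute the scopes a token holds but never exercises, which is the list a migration job's credentials should be trimmed to before the cutover. The token model, endpoint names and the migration scenario in `demo()` are assumptions constructed for the example.

```python
from functools import wraps


class Forbidden(Exception):
    pass


AUDIT = []  # (subject, endpoint) pairs; stands in for an API gateway's access log


def requires_scopes(*needed):
    """Deny by default: every scope the endpoint declares must be present on the token.
    Assumed token model: a dict with the caller's identity ("sub") and granted "scopes"."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(token, *args, **kwargs):
            missing = set(needed) - set(token.get("scopes", ()))
            if missing:
                raise Forbidden(f"{token.get('sub')} lacks {sorted(missing)}")
            AUDIT.append((token.get("sub"), handler.__name__))
            return handler(token, *args, **kwargs)
        wrapper.scopes = frozenset(needed)
        return wrapper
    return decorator


@requires_scopes("orders:read")
def list_orders(token):
    return ["order-1", "order-2"]


@requires_scopes("orders:read", "orders:write")
def cancel_order(token, order_id):
    return f"cancelled {order_id}"


@requires_scopes("admin:export")
def export_customers(token):
    return "customers.csv"


ENDPOINTS = [list_orders, cancel_order, export_customers]


def unused_scopes(token, audit=None, endpoints=ENDPOINTS):
    """Scopes a token holds but never exercised in the audit log: candidates to revoke
    before the migration cutover (least privilege, derived from observed behaviour)."""
    audit = AUDIT if audit is None else audit
    called = {name for sub, name in audit if sub == token["sub"]}
    exercised = set()
    for ep in endpoints:
        if ep.__name__ in called:
            exercised |= ep.scopes
    return sorted(set(token["scopes"]) - exercised)


def demo():
    """Constructed scenario: a migration job granted far too much, and a reporting job."""
    AUDIT.clear()
    migrator = {"sub": "svc-migration", "scopes": ["orders:read", "orders:write", "admin:export"]}
    reporter = {"sub": "svc-reporting", "scopes": ["orders:read"]}
    list_orders(migrator)
    list_orders(reporter)
    try:
        cancel_order(reporter, "order-2")  # reporter was never granted orders:write
        denied = False
    except Forbidden:
        denied = True
    return {"reporter_denied": denied, "migrator_can_drop": unused_scopes(migrator)}


if __name__ == "__main__":
    print(demo())
```

The audit-driven trimming only works if the observation window covers the job's full behaviour (a scope used once a month will look unused in a week of logs), so treat the list as a review queue rather than an automatic revocation.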

Financial Service API and Web Application Attacks are up by 257%

Security vendors publish a steady stream of reports and data on ongoing threats, and every day brings a new threat and, in turn, a new addition to the defensive arsenal. Through all of it, managing the attack surface (vulnerabilities, attack vectors and the like) remains the biggest challenge organizations face.

In today's hybrid and multi-cloud environments, applications and APIs are targets that attackers can and will exploit. CDN provider Akamai Technologies, Inc. has released new research showing 257% year-over-year growth in web application and API attacks against financial services institutions.

The report indicates a growing risk to the financial services sector and a shift to more advanced and sophisticated cyberattacks. The report also revealed that DDoS attacks on financial services institutions have grown by 22%. 

Furthermore, the study shows that cybercriminals are using techniques in their phishing campaigns to bypass two-factor authentication solutions. 

As noted at the start, it is alarming how much data institutions are collecting on recent cybercrime. In this regard, the Enemy at the Gates report revealed that roughly 80 percent of threat actors aim their efforts at customers of financial services, looking for paths of least resistance to monetary gain. 

“Companies have moved key infrastructure over to APIs, so the criminals are following the revenue. But on top of that, APIs are newer and, in many cases, don’t have the same level of maturity in security processes and controls, so are more vulnerable,” Steve Winterfeld, advisory CISO at Akamai said. 

Along with this, the company recommended a number of steps that enterprises can take to prevent API-driven threats. 
  • Institutions should invest in technologies to automatically discover, validate and catalog APIs, while developing a security strategy that incorporates API security testing and API access control. 
  • Increasing transparency over what internal and third-party APIs are used for puts enterprises in a position to start mitigating potential threats across the attack surface. 
  • Updating phishing defenses to counter the latest MFA attacks with FIDO2-compliant capabilities should be a priority for institutions. 

“Finally, they are easier to automate attacks against as they are designed for automation. These factors combine to make APIs a smart place for attackers to focus. This is also why CISOs need to focus on them,” Winterfeld added.

APIs are Everywhere, but the Security is Lacking

With the number of APIs (Application Programming Interfaces) spread across corporate infrastructure steadily increasing, APIs are emerging as the largest attack surface in applications and a major target for threat actors. 

According to industry experts, the growth of integrated web and mobile offerings that require data exchange between the products of multiple organizations, together with the reliance of mobile apps on APIs, has driven this expansion, making API security a huge challenge for CIOs today.

A 2022 survey by 451 Research found that 41% of organizations surveyed had an API security incident in the last 12 months; 63% of respondents said the incident involved a data breach or loss. 

Against this backdrop, cybersecurity startup Wib is zeroing in on API security. Wib has announced a $16 million investment led by Koch Disruptive Technologies (KDT), the growth and venture arm of Koch Industries, Inc., with participation from Kmehin Ventures, Venture Israel, Techstars, and existing investors. 

Blocking API attacks in the network: 

According to a report by GigaOm Research, API security products were developed before API use expanded to the extent seen today and “were based upon the idea that it is asking for failure to insist developers secure the code they write.” The report added that “most developers do not knowingly create insecure code”; when they inadvertently develop code with vulnerabilities, it is most likely because they are unaware of what vulnerabilities an API might suffer from. 

“Once API security was in use, though,” the report said, “IT quickly discovered a new reason to use a security product: Some vulnerabilities are far easier blocked in the network than in each and every application.” 

The report infers that the idea that some attacks are more effectively blocked in the network (in data centers, at cloud vendors, and at SaaS providers) before the API is ever reached has spurred demand for products that can do this. 

According to Wib, its API security platform aims at providing visibility across the entire API landscape, right from code to production. This would help unify software developers, cyber defenders, and CIOs around a single holistic view of their complete API domain. 

The platform could leverage real-time inspection, management, and control at every stage of the API lifecycle to automate inventory and API change management, according to the company. Wib was created to identify rogue, zombie, and shadow APIs and analyze business risk and impact, helping organizations reduce and harden their API attack surface. 

According to Gil Don, CEO and co-founder of Wib, APIs have moved into the spotlight in recent years. “Organizations are using them as the basis of a new generation of complex applications, underpinning their move to competitive and agile digital business models,” says Don. 

A Whole New Category of Cyber Threat

Don explains that APIs account for 91% of all web traffic and they fit with the trend towards microservices architectures and the need to respond dynamically to rapidly changing market conditions. But APIs have given rise “to a whole new category of cybersecurity threats that explicitly targets them as a primary attack vector. Web API traffic and attacks are growing in volume and severity.” 

Over half of APIs are invisible to business IT and security teams. “These unknown, unmanaged, and unsecured APIs are creating massive blind spots for CIOs that expose critical business logic vulnerabilities and increase risk,” Don continues. 

The GigaOm report also called out Wib for its API source code scanning and analysis “with an eye toward API weaknesses.” Wib’s platform “provides automatic API documentation to create up-to-date documentation, as well as snapshots of changes to APIs and their risks every time they see a commit to code,” the report added. 

As its operations grow across the Americas, the UK, and EMEA, Wib says the investment will be used to improve its API security platform and accelerate international growth.  

Must Follow Guidelines for API Security

An online store can, for instance, collect payments via the PayPal API rather than developing its own payment gateway. APIs serve the required function while sparing the business time and effort, which is what makes them so useful. 

Protecting these APIs from security risks and breaches entails securing them together with all linked apps and users. 

Businesses use APIs to link services and move data. Compromised, broken, or exposed APIs cause major data breaches, exposing private and sensitive financial, medical, and personal information to the public. However, not all data is created equal, and not all data should be safeguarded in the same way: the type of data being exchanged determines how you should approach API security. 

In the last 12 months, 95% of firms encountered an API security issue, according to the most recent Salt Labs State of API Security report. Additionally, during the past year, a variety of businesses—including Facebook, Experian, Starbucks, and Peloton—have experienced public API problems. Clearly, APIs need more protection against intrusions than the present crop of application security approaches can provide.

To fix the issue, security leaders need to carefully examine how they currently approach API security. If your API connects to a third-party application, it is important to understand how that application sends data back to the internet. 

Strategies for API Security

  1. Put a secure authentication and authorization protocol into action: The first stage in an API security approach is authenticating and authorizing the appropriate users.
  2. Implement the "Least Privilege" principle: Restricting access to only essential tasks reduces the attack surface and with it the exposure to security breaches.
  3. Constrain data sharing: To find weak spots, keep track of the data shared between apps, APIs, and users, and then secure them by restricting the data that is shared.
  4. Use HTTPS: To communicate data securely, APIs must use HTTP connections protected by Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
  5. Implement a policy of zero trust: No discussion of API security advice can leave out the zero-trust policy. It operates under the premise that no user, device, or server should be trusted until proven otherwise.
  6. Implement data logging: Logs provide admins with a wealth of information that can be used to enhance API security and assist with manual inspection and monitoring.

Security requires ongoing work in the age of technology and the internet. Unfortunately, security problems will not disappear, and as IoT technology becomes more widespread, the dangers and vulnerabilities will only get worse. Be wary of ineffective API security strategies: the security strategy must broaden to keep up with attackers' growing skill sets. 

Being proactive is vital, which means keeping an eye on current technology, patching up any flaws, and implementing cutting-edge cybersecurity measures.

Countering Financial Data Leak in the Era of Digital Payments

Over the past five years, there has been a huge surge in the usage of financial services technologies and with that, the risk of a financial data breach has also increased. Multiple financial services technologies use screen scraping to access the private banking data of consumers.

Screen scraping is a technology by which a customer provides its banking app login credentials to a third-party provider (TTP). The TTP then sends a software robot to the bank’s app or website to log in on behalf of the user and access data.

“The way consumers traditionally connect to their bank accounts is facilitated through screen scraping, where providers require internet banking login information,” explained Joe Pettersson, Chief Technology Officer at Banked. 

One safer alternative to screen scraping is APIs, which let two systems work together. Here are three benefits of using APIs: 

Easier for developers 

APIs come with built-in documentation, which helps developers make two systems communicate in a common language. They don’t have to learn the details of a full fraud prevention engine’s code; they only need to read the documentation to understand exactly how quickly they can access certain functions. Once again, this saves time and effort for the whole IT team and helps make the fraud system more cost-effective. 

Good for Scaling

Regardless of how efficient a person is, there’s simply no way to review all the user data manually. This is where APIs play an important role by offering fast queries and responses for hundreds of thousands of user logins, transactions, or signups. 

Automates everything 

Because APIs are linked to web apps, there’s no need to regularly tweak them or wait for IT updates. All fixes and improvements are made on the server side, so individuals can focus on their business instead. It’s not only cheaper in terms of IT resources, but also much more efficient and faster.

Conclusion 

To mitigate fraud risk, propagating knowledge and awareness of new payment technologies, channels, and products, and the risks involved — to both customers and employees — is a crucial part of a fraud prevention strategy. Embedding the fraud management process into overall customer engagement and experience should be the first step forward.

Data Breach Targets Fast Company News

Fast Company's Apple News website currently displays a statement from the business confirming that it was hacked on Sunday afternoon, followed by another intrusion on Tuesday night that let threat actors send bigoted notifications to smartphones via Apple News.

In a press release issued last night, the company claimed that "the statements are repulsive and are not by the contents and culture of Fast Company. We have suspended FastCompany.com while we look into the matter and will not reopen it until it is resolved."

As soon as individuals on Twitter noticed the offensive Apple News notifications, the company disabled the Fast Company channel on the news network.

Data breach tactics

The website's pages started to load articles headlined "Hacked by Vinny Troia. [redacted] tongue my [redacted]. Thrax was here." on Sunday afternoon, which was the first indication that Fast Company had been compromised.

In their ongoing dispute with security analyst Vinny Troia, members of the Breached hacking forum and the now-defunct RaidForums regularly deface websites and carry out attacks that they attribute to the researcher. Fast Company took the website offline for a while to address the defacement, but on Tuesday at around 8 PM EST another attack occurred.

The hackers claim that after discovering Fast Company was using WordPress for its website, they were able to compromise the company. The HTTP basic authentication that was supposed to protect this WordPress installation was ignored. The threat actor goes on to claim that they were able to enter the WordPress content management system using a relatively simple default password set on dozens of user accounts.

According to the post, Fast Company had a 'ridiculously easy' default password that was used on numerous accounts, including an admin account. The threat actors would then have used the compromised account to gain access to, among other things, authentication tokens and Apple News API credentials.

They assert that by using these tokens, they were able to set up administrator accounts on the CMS platforms, which were then used to send notifications to Apple News.

Through this same forum, which was at the center of the earlier Optus breach, threat actors gained access to an undisclosed number of customer names, birthdates, contact numbers, email and physical addresses, and personal documents, including license and passport numbers. The hacker in question claims to have made 10,200 records available thus far. It is uncertain whether or when Apple News will reactivate the Fast Company channel.

Optus Data Breach: Australia’s Telco Giant Confirms Data of Millions of Users Compromised

Australia’s second largest telecom company, Optus, has recently become the victim of a cyberattack that apparently exposed the personal data of its current and former customers. According to Trevor Long, a Sydney-based tech analyst, the attack is the biggest breach of personal data from any Australian firm. 

The firm states that as soon as the attack was detected, it worked to contain it and shut it down before customers could suffer any harm. The company believes that one of its networks was still exposed to a test network with internet access. 

The data breach notification read, “Following a cyberattack, Optus is investigating the possible unauthorized access of current and former customer [..] Upon discovering this, Optus immediately shut down the attack.” 

In the wake of the attack, the firm confirmed that its customers' private data could be compromised, since the attackers had access to the customer identity database, which had been opened to other systems via an Application Programming Interface (API). The firm further stated that its network had been accessed from an external source.  

The exposed data, according to the firm’s press release, included customers’ names, dates of birth, contact numbers, email addresses, residential addresses, and identity document numbers such as passport and driving licence numbers. The company’s services, including mobile and home internet, have not been compromised, and the attackers did not have access to messages or phone calls. 

Is Human Error Responsible For The Breach? 

At a media briefing, when asked about the possibility of human error being responsible for the breach, Optus CEO Kelly Bayer Rosmarin stated that “I know people are hungry for details about the exact specificity of how this attack could occur, but it is the subject of criminal proceedings and so will not be divulging details about that.” 

The company has denied claims that human error enabled this data breach. The CEO also apologized to the firm’s customers, stating that it was difficult to offer immediate advice until the investigation was complete. 

The CEO also pointed to the strong cyber defense software the telco has invested in to counter such attacks. She added that this attack should be a wake-up call for all organizations that want to avoid becoming victims of a data breach. 

Google Chrome Flaw Enables Sites to Copy Text to Clipboard

A flaw in the Google Chrome browser and other Chromium-based browsers could enable malicious websites to automatically rewrite the contents of the clipboard without asking the user's permission or requiring any user involvement.

Developer Jeff Johnson claims that the clipboard poisoning exploit was unintentionally added to Chrome version 104. Web pages can also write to the system clipboard in Safari and Firefox, but both browsers have gesture-based security measures in place.

The flaw has been spotted by Chrome developers, but a patch has not yet been released, therefore it is still present in the most recent desktop and mobile versions of Chrome.

Security flaw

Operating systems have a temporary storage area called the system clipboard. It can contain sensitive information like passwords, banking account numbers, and cryptocurrency wallet strings and is frequently used for copying and pasting.

Users are at risk as they may end up being the targets of malware attacks if arbitrary content is written over this temporary storage space.

Attackers might lure users to websites carefully built to look like reputable bitcoin services. When the user attempts to make a payment and copies their wallet address to the clipboard, the website might instead write the threat actor's address to the clipboard.

Some websites give the user the option to add more information to the clipboard when selecting text to copy (typically the page URL). In the cases described here, however, there is no obvious notification or user input before the clipboard is overwritten with arbitrary text.

According to a blog post on the subject, all web browsers that support clipboard writing have poor and insufficient security measures.

When a user selects a piece of text and presses Control+C or chooses 'Copy' from the context menu, the web page is granted permission to use the clipboard API.

Johnson explained, "Therefore, even a seemingly innocent action like clicking a link or using the arrow keys to scroll down the page allows the website to overwrite one's system clipboard." He conducted tests on Safari and Firefox and discovered that loading a web page allowed clipboard writing permission when the down arrow key was pressed or the mouse scroll wheel was used to navigate.

Fortunately, Johnson's testing showed that websites could not misuse this authorization to read clipboard contents, as it would be problematic for user privacy.

Atlassian Bitbucket: Vulnerability Spotted Inside Data Center

Bitbucket Server and Data Center users are being alerted by Atlassian about a major security vulnerability that may allow attackers to run arbitrary code on weak systems.

The vulnerability, a command injection flaw affecting several API endpoints of the product, is tracked as CVE-2022-36804. With a CVSS severity score of 9.9 out of a possible 10.0, it is critical and needs to be fixed immediately.

According to an advisory from Atlassian, "A hacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request."

Bitbucket is a Git-based code hosting service connected with Jira and a part of the business' DevOps solution. Bitbucket offers both free and paid options and supports an infinite number of private repositories.

All Bitbucket versions issued after 6.10.17 are impacted, thus "all instances that are operating any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," according to Atlassian, which also alleges that the flaw was introduced in version 7.0.0 of Bitbucket.

Atlassian advises disabling public repositories using 'feature.public.access=false' as a temporary solution in situations where the patches cannot be applied immediately to stop unauthorized users from taking advantage of the problem.

It warned that "this cannot be regarded as a complete mitigation as an attacker with a user account could still succeed," implying that hackers who already hold legitimate credentials obtained through other means could take advantage of it. 

It is advised that users of the affected software versions update as soon as possible to the most recent version in order to reduce security risks.

Max Garrett, a security researcher, disclosed CVE-2022-36804 to Atlassian via the company's bug bounty program on Bugcrowd and was rewarded with $6,000 for his discovery.

The teenage researcher tweeted yesterday that he will publish a proof-of-concept (PoC) attack for the problem in 30 days, allowing system administrators plenty of time to implement the now available remedies.

There is no guarantee that the RCE flaw won't be actively exploited more widely before the PoC is released; indeed, it seems inevitable. According to Garrett, reverse engineering Atlassian's patch shouldn't be too challenging for knowledgeable hackers.

The motivation is there because remote code execution is the most dangerous type of vulnerability, allowing attackers to cause significant harm while evading all security protocols.

As a result, users of Bitbucket Server and Data Center are urged to install any security updates or mitigations as soon as they become available.

Hackers Breached Accounts of Twilio Users

According to Twilio, hackers were able to obtain information from "a limited number" of customer accounts through a breach that began with the theft of employee credentials.

On August 4th, a hacker sent SMS messages to Twilio employees asking them to change their passwords or informing them of a change in their schedule. Each message contained a URL that contained phrases like "Twilio," "SSO" (single sign-on), and "Okta," the brand of user authentication service that is employed by numerous businesses. Employees who clicked on the link were taken to a fake Twilio sign-in page, where hackers were able to capture the data they entered.
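The lure pattern described in the previous paragraph (a link whose host mixes brand and single sign-on keywords into a domain the company does not own) can be screened for automatically, for instance in an SMS gateway or when triaging messages employees report. The following is an added example, not Twilio's or any vendor's code; the domain allowlist, keyword list and sample messages are constructed for illustration:

```javascript
// Added example (constructed; not Twilio's or any vendor's code): flag SMS
// lures whose link host mixes brand/SSO keywords into a domain the
// organisation does not own. Allowlist, keywords and messages are assumptions.
const OWN_DOMAINS = ['twilio.com', 'okta.com'];   // domains legitimately used for sign-in (assumed)
const LURE_KEYWORDS = ['twilio', 'okta', 'sso', 'password', 'schedule', 'login'];

// Pull every http(s) URL out of a message body.
function extractUrls(text) {
  return Array.from(text.matchAll(/https?:\/\/[^\s<>"')]+/gi), m => m[0]);
}

function hostnameOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// True only for the exact domain or a real subdomain of it;
// "okta.twilio.com.lookalike.invalid" does not qualify.
function isOwnDomain(host) {
  return OWN_DOMAINS.some(d => host === d || host.endsWith('.' + d));
}

// Keywords found in the host name itself (not the path), e.g. "twilio-sso.lookalike.invalid".
function keywordsInHost(host) {
  return LURE_KEYWORDS.filter(k => host.includes(k));
}

// One message in, a verdict plus the offending links out.
function classifyMessage(text) {
  const findings = [];
  for (const url of extractUrls(text)) {
    const host = hostnameOf(url);
    if (!host || isOwnDomain(host)) continue;
    const keywords = keywordsInHost(host);
    if (keywords.length > 0) findings.push({ url, host, keywords });
  }
  return { suspicious: findings.length > 0, findings };
}

// Constructed sample messages; the ".invalid" hosts are placeholders, not real sites.
const SAMPLE_MESSAGES = [
  'Your Twilio password expires today, reset at https://twilio-sso.lookalike.invalid/reset',
  'Schedule change for your shift: https://okta.twilio.com.lookalike.invalid/schedule',
  'Reminder: sign in at https://sso.twilio.com/ to review your schedule',
  'Lunch is at noon in the main conference room',
];

function scanMessages(messages = SAMPLE_MESSAGES) {
  return messages.map(text => ({ text, ...classifyMessage(text) }));
}
```

The check deliberately looks at the host name only: a path or query string can carry any words on any site, but a brand name inside a host that is not on the allowlist is the signal the lure in this incident relied on.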

When the breach was discovered, Twilio worked with US phone providers to shut down the SMS system and also requested that web hosting companies remove the fake sign-in sites. Twilio reports that hackers were still able to switch to different hosting companies and cell carriers in order to continue their assault.

Facebook and Uber are two of the more than 150,000 businesses that use Twilio.

Laurelle Remzi, a Twilio spokesperson, declined to reveal how many customers were impacted or what data the hackers obtained. According to Twilio's privacy statement, the data it gathers includes addresses, payment information, IP addresses, and, in certain situations, identification documents. 

According to Twilio, a dominant player in the enterprise communication API market with 26 offices across 17 countries, the hackers were skilled enough to switch between telco carriers and hosting providers while using social engineering lures. Twilio classified the situation as ongoing.

The company didn't specify whether the social engineering attacks were successful or whether any MFA (multi-factor authentication) hurdles were encountered by the attacker.

According to Twilio, its security team has terminated access to the hacked employee accounts in order to reduce the effect of the attack and has contacted a third-party forensics company to assist in the investigation.

Here's How BlackMatter Ransomware is Linked With LockBit 3.0

LockBit 3.0, the most recent version of LockBit ransomware, and BlackMatter contain similarities discovered by cybersecurity researchers. 

LockBit 3.0 was released in June 2022, introducing a brand-new leak site and the first ransomware bug bounty program. Zcash was also added as a cryptocurrency payment method.

"The encrypted filenames are appended with the extensions 'HLJkNskOq' or '19MqZqZ0s' by the ransomware, and its icon is replaced with a .ico file icon. The ransom note then appears, referencing 'Ilon Musk' and the General Data Protection Regulation of the European Union (GDPR)," researchers from Trend Micro stated.

Once the infection process is finished, the ransomware changes the machine's wallpaper to alert the user to the attack. While debugging the LockBit 3.0 sample, Trend Micro researchers found that several of its code snippets were lifted from the BlackMatter ransomware.

Identical ransomware threats

The researchers draw attention to the similarities between the two families' privilege escalation and API harvesting techniques. LockBit 3.0 performs API harvesting by hashing a DLL's API names and comparing them against a list of the APIs the ransomware requires. This procedure is the same as BlackMatter's: the publicly available script for renaming BlackMatter's APIs also works for LockBit 3.0.

The latest version of LockBit also examines the UI language of the victim machine to avoid infecting machines whose language belongs to a Commonwealth of Independent States (CIS) member state.

Both LockBit 3.0 and BlackMatter use Windows Management Instrumentation (WMI) via COM objects to delete shadow copies. The experts note that LockBit 2.0 instead deletes them using vssadmin.exe.

The findings coincide with LockBit becoming the most active ransomware-as-a-service (RaaS) gang of 2022, with the Italian Internal Revenue Service (L'Agenzia delle Entrate) being its most recent target.

According to Palo Alto Networks' 2022 Unit 42 Incident Response Report, which is based on 600 incidents handled between May 2021 and April 2022, the ransomware family contributed to 14% of intrusions, second only to Conti at 22%.

Prototype Bug in Blitz.js Allows RCE on Node.js Servers

Blitz.js, a JavaScript web framework, has issued a patch for a critical prototype pollution bug that could lead to remote code execution (RCE) on Node.js servers. 

Prototype pollution is a specific kind of JavaScript vulnerability that allows attackers to manipulate the structure of the language's objects and exploit it in multiple ways, explained Paul Gerste, security researcher at Sonar. In this case it allowed attackers to exploit code in the Blitz.js app to obtain a reverse shell and run arbitrary commands on the server. 

Blitz is built on top of Next.js, a React-based framework, and adds components that turn it into a full-stack web development platform. One of the popular components of Blitz.js is its ‘Zero-API’ layer, which lets developers call server-side business logic as ordinary functions without having to write API code. 

Behind the scenes, this layer makes an RPC call to the server and returns the response to the client function call. Gerste identified a chain of exploits that could be triggered via the prototype pollution bug and lead to RCE. 

The attackers target Node.js by sending a crafted JSON request to the server, which triggers the routing function of Blitz.js to load a JavaScript file with the polluted prototype. This lets the attacker use the malicious JavaScript object to execute arbitrary code. 

In an ideal scenario for the attacker, they would upload and run a file on the server, but Blitz.js does not support upload functionality. However, it has a CLI wrapper script that uses JavaScript’s spawn() function to launch a new process. 

The attacker could use this function to launch a CLI process and run an arbitrary command on the server. The vulnerability can be triggered without any authentication, which means any user who can access the Blitz.js application will be able to launch RCE attacks.  

“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste explained. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.” 

In his blog post, the researcher listed some general recommendations to safeguard JavaScript apps against prototype pollution, including freezing Object.prototype or using the --disable-proto=delete flag in Node.js.
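To make the mechanism and the recommended defences concrete, here is an added example that is not code from Blitz.js, Sonar or the Node.js project: a naive deep merge of the kind that prototype pollution relies on, a hardened merge that rejects prototype keys, and the effect of freezing Object.prototype. The request body is constructed for the demonstration.

```javascript
// Added example (not Blitz.js, Sonar or Node.js project code): a naive recursive
// merge that lets attacker-controlled JSON pollute Object.prototype, beside the
// two defences mentioned above. The payload below is constructed for the demo.

// Vulnerable: walks every own key of `source`, including one named "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the recursion writes there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach a prototype, and create nested objects
// without a prototype so nothing can be inherited through them.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // dropped silently; throwing is the stricter choice
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = own !== null && typeof own === 'object' ? own : (target[key] = Object.create(null));
      safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// JSON.parse keeps "__proto__" as an ordinary own property, which is what makes
// the vulnerable merge reachable from a request body. Constructed sample payload.
const POLLUTING_BODY = '{"name":"demo","__proto__":{"polluted":true}}';

// Runs the three scenarios in order and reports what each did to a fresh object.
function runDemo() {
  const payload = JSON.parse(POLLUTING_BODY);
  const report = {};

  naiveMerge({}, payload);
  report.naivePolluted = ({}).polluted === true;   // true: every object now inherits "polluted"
  delete Object.prototype.polluted;                // undo before the next scenario

  const merged = safeMerge(Object.create(null), payload);
  report.safePolluted = ({}).polluted === true;    // false: the key was rejected
  report.safeKeptName = merged.name === 'demo';    // legitimate data still merged

  // Second defence from the post: freeze Object.prototype, so even the naive merge
  // cannot add properties to it (silent no-op in sloppy mode, TypeError in strict mode).
  Object.freeze(Object.prototype);
  try { naiveMerge({}, payload); } catch (e) { report.frozenThrew = e instanceof TypeError; }
  report.frozenPolluted = ({}).polluted === true;  // false
  return report;
}
```

Running `runDemo()` shows the naive merge planting `polluted` on every object, the hardened merge keeping `name` while discarding the `__proto__` key, and the frozen prototype resisting the naive merge altogether. Node's `--disable-proto=delete` flag, the other option named in the post, removes the `__proto__` accessor, so the naive merge would then create a harmless own property of that name instead of reaching Object.prototype.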

“I think prototype pollution is still unknown to many JavaScript developers,” Gerste added. “I don’t see developers often use the patterns that we recommended in our article. With our blog posts, we try to help educate JavaScript developers and share this knowledge.”

A SQL Injection bug Hits the Django web Framework

A serious vulnerability has been addressed in the most recent versions of the open-source Django web framework. 

Updates decrease the risk of SQL Injection

Developers are advised to update or patch their Django instances as soon as possible, after the Django team issued versions Django 4.0.6 and Django 3.2.14 to fix a high-severity SQL injection vulnerability. 

Malicious actors may exploit the vulnerability, CVE-2022-34265, by passing particular inputs to the Trunc and Extract methods.

According to the researchers, the issue is present in the Trunc() and Extract() database functions and can be exploited if untrusted data is used as the kind/lookup name value. Applying input sanitization for these functions reduces the risk of exploitation.

Bugfixes 

Django's main branch and the 4.1, 4.0, and 3.2 release branches have all received patches to fix the problem. 

"This security update eliminates the problem, but we've found enhancements to the Database API methods for date extract and truncate that should be added to Django 4.1 before its official release. Django 4.1 release candidate 1 or newer third-party database backends will be affected by this until they can be updated to the new API. We apologize for the trouble," the Django team stated.