How to Improve Your API Security Posture

API Security Posture

APIs, more formally known as application programming interfaces, empower apps and microservices to communicate and share data. However, this level of connectivity doesn't come without major risks. Hackers can exploit vulnerabilities in APIs to gain unauthorized access to sensitive data or even take control of the entire system. Therefore, it's essential to have a robust API security posture to protect your organization from potential threats.

What is API posture management?

API posture management refers to the process of monitoring and managing the security posture of your APIs. It involves identifying potential vulnerabilities and misconfigurations that could be exploited by attackers, and taking the necessary steps to remediate them. Posture management also helps organizations classify sensitive data and ensure that it's compliant with the leading data compliance regulations such as GDPR, HIPAA, and PCI DSS.

As mentioned above, APIs are a popular target for attackers because they often provide direct access to sensitive data and systems. By implementing an API posture management tool, organizations can proactively identify and remediate potential security issues before they're exploited.

How does API posture management work?

API posture management involves several key steps:

  1. Discovery: The first step is to identify all APIs in use within an organization. This can be done using automated tools or through manual inventory.
  2. Assessment: Once APIs have been identified, they need to be assessed for potential vulnerabilities and misconfigurations. This can be done using tools that scan APIs for known vulnerabilities or by conducting manual penetration testing.
  3. Remediation: Any vulnerabilities or misconfigurations that are identified need to be remediated. This may involve applying patches, reconfiguring APIs, or implementing additional security controls.
  4. Monitoring: Finally, APIs need to be continuously monitored to ensure that they remain secure. This may involve implementing intrusion detection systems, log analysis, or other monitoring tools.

How to improve your API security posture

Here are some best practices that can help improve your API security posture:

1. Use Secure Authentication and Authorization Mechanisms

Authentication and authorization mechanisms are essential components of API security. They help ensure that only authorized users can access the API and perform specific actions. Use proven authentication and authorization mechanisms, such as OAuth 2.0 or OpenID Connect, to protect your APIs from unauthorized access.

2. Implement Role-Based Access Control

Role-based access control (RBAC) is a security model that restricts access to resources based on the user's role. RBAC can help prevent unauthorized access to sensitive data by limiting access to only those users who need it to perform their job functions.

3. Use SSL/TLS Encryption

TLS (the successor to the now-deprecated SSL protocols) encrypts data transmitted between the client and the server. It prevents eavesdropping and ensures that data is transmitted securely. Use TLS on every API endpoint to protect your APIs from man-in-the-middle attacks.

4. Implement Rate Limiting

Rate limiting is a technique that restricts the number of API requests that can be made within a specific time frame. It can help prevent API abuse and ensure that the API remains available to all users. Implementing rate limiting can also help protect your APIs from denial-of-service (DoS) attacks.
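The following is an added example, not code from the original article: a sliding-window rate limiter that enforces a per-client request limit within a time window and logs every denial, so the limiter doubles as a monitoring signal. The client key (an API key or authenticated subject) and the injectable clock are assumptions for illustration.

```python
"""Sliding-window rate limiter for an API (added example).

Assumptions (not from the article): one limit per client key such as an
API key or authenticated subject, and an injectable monotonic clock so the
logic can be tested without sleeping.
"""
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("api.ratelimit")


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` per client.

    Timestamps of accepted requests are kept in a deque per client; expired
    entries are dropped on each check, so memory per client is bounded by
    `limit`.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)

    def check(self, client_id):
        """Return (allowed, retry_after_seconds) for one request."""
        now = self.clock()
        hits = self._hits[client_id]
        # Evict timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            retry_after = self.window - (now - hits[0])
            # Log the denial: a burst of 429s from one key is itself a
            # signal worth alerting on (best practice 5, monitor and log).
            log.warning("rate limit exceeded client=%s retry_after=%.1fs",
                        client_id, retry_after)
            return False, retry_after
        hits.append(now)
        return True, 0.0


def handle_request(limiter, client_id):
    """Minimal handler: answer 429 with Retry-After once the limit is hit."""
    allowed, retry_after = limiter.check(client_id)
    if not allowed:
        return {"status": 429,
                "headers": {"Retry-After": str(int(retry_after) + 1)}}
    return {"status": 200, "headers": {}}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    lim = SlidingWindowLimiter(limit=3, window_seconds=60)
    for _ in range(4):  # the fourth call within the window is rejected
        print(handle_request(lim, "client-A")["status"])
```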

5. Monitor and Log API Activity

Monitoring and logging API activity can help detect suspicious activity and potential security breaches. Monitor API activity in real time and log all API requests and responses. This helps identify security incidents and enables you to take appropriate action.

6. Conduct Regular API Security Audits

Regular API security audits can help identify vulnerabilities and misconfigurations that may have been missed during the initial implementation. Conduct security audits regularly to ensure that your APIs remain secure and compliant with industry standards.

Conclusion

APIs are a critical component of modern software development. However, with the increasing use of APIs, the risk of security breaches has also increased. Implementing API posture management can help improve your API security posture and protect your organization from potential threats. By following the best practices outlined in this article, you can reduce the risk of security breaches and ensure that your APIs are secure and compliant with industry standards.

Microsoft Uncovers Banking AitM Phishing and BEC Attacks Targeting Financial Giants

Banking and financial services organizations are the targets of a new multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attack, Microsoft has revealed.

"The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations," the tech giant disclosed in a Thursday report.

Microsoft, which is tracking the cluster under its emerging moniker Storm-1167, called out the group's use of an indirect proxy to pull off the attack.

This enabled the attackers to flexibly tailor the phishing pages to their targets and carry out session cookie theft, underscoring the continued sophistication of AitM attacks.

The modus operandi is unlike other AitM campaigns, where the decoy pages act as a reverse proxy to harvest credentials and time-based one-time passwords (TOTPs) entered by the victims.

"The attacker presented targets with a website that mimicked the sign-in page of the targeted application, as in traditional phishing attacks, hosted on a cloud service," Microsoft said.

"The said sign-in page contained resources loaded from an attacker-controlled server, which initiated an authentication session with the authentication provider of the target application using the victim's credentials."

The attack chains commence with a phishing email that points to a link which, when clicked, redirects the victim to a spoofed Microsoft sign-in page where they enter their credentials and TOTPs.

The harvested passwords and session cookies are then used to impersonate the user and gain unauthorized access to the email inbox by means of a replay attack. The access is then abused to get hold of sensitive emails and orchestrate a BEC attack.

AitM Phishing and BEC Attacks

What's more, a new SMS-based two-factor authentication method is added to the target account so that the attacker can sign in with the stolen credentials without attracting attention.

In the incident analyzed by Microsoft, the attacker is said to have initiated a mass spam campaign, sending more than 16,000 emails to the compromised user's contacts, both within and outside the organization, as well as to distribution lists.

The adversary has also been observed taking steps to minimize detection and establish persistence by responding to incoming emails and subsequently deleting them from the mailbox.

Ultimately, the recipients of the phishing emails are targeted by a second AitM attack to steal their credentials and trigger yet another phishing campaign from the email inbox of one of the users whose account was compromised in that second AitM attack.

"This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud," the company added.

The development comes less than a month after Microsoft warned of a surge in BEC attacks and the evolving tactics employed by cybercriminals, including the use of platforms, like BulletProftLink, for creating industrial-scale malicious mail campaigns.

Another tactic entails the use of residential internet protocol (IP) addresses to make attack campaigns appear locally generated, the tech giant said.

"BEC threat actors then purchase IP addresses from residential IP services matching the victim's location creating residential IP proxies which empower cybercriminals to mask their origin," Redmond explained.

"Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent 'impossible travel' flags, and open a gateway to conduct further attacks."

Guardz Launches AI-Powered Multilayered Phishing Protection To Secure SMEs

Guardz's new Multilayered Phishing Protection: continuously scans all inbound traffic with its anti-phishing email protection solution; initiates detection through AI-powered anti-phishing and anti-malware engines; removes risky emails from users' inboxes and automatically sends them to quarantine; monitors internet browsing to detect potential phishing attempts and delivers real-time alerts to system admins to enable timely responses; and provides ongoing, active cyber awareness training and tailored phishing simulations for employees, fostering a culture of caution and vigilance. Perhaps most importantly when dealing with phishing, the Guardz solution empowers every employee to behave in ways that support and strengthen the business's cybersecurity posture.

"The proliferation of phishing attack as a service (AaaS) tools sold on the dark web is putting the SME ecosystem increasingly at risk. Our new AI-powered phishing protection solution provides SMEs and MSPs with a holistic and accessible solution to prevent the success of phishing attacks," said Dor Eisner, CEO and Co-Founder of Guardz. "This is a significant addition to Guardz's holistic cyber security offering for small businesses, ensuring that they can react to cyber risks in real time with swift remediations, but also be protected by cyber insurance for complete peace of mind – a true secure and insure approach."

The Multilayered Phishing Protection enables MSPs to provide their SME customers with protection across all potential phishing attack vectors. It does so by automatically scanning the perimeter posture, inbound email traffic and internet browsing, and by providing ongoing, tailored cyber awareness training and simulations for employees. The platform automatically verifies emails against authentication protocols including Domain-based Message Authentication, Reporting and Conformance (DMARC) and Sender Policy Framework (SPF), and checks for malicious forwarding rules.

Fake Android Apps Ran Adware Campaign For Months

Researchers caught a sneaky adware campaign that targeted Android users for months. The campaign used numerous fake Android apps mimicking different utilities, such as PDF readers, weather apps, VPNs, game cracks, and streaming services like Netflix and YouTube.

Fake Android Apps Deployed Adware

According to a recent report from Bitdefender, the company detected 60,000 fake Android apps that had been stealthily running an adware campaign since at least October 2022.

The researchers caught the malware following alerts from the anomaly detection technology in Bitdefender Mobile Security.

Briefly, unlike most adware campaigns, which exhibit intrusive behavior, this campaign spread organically. The malicious apps would appear to a target user searching for certain kinds of apps, such as mod games or free VPNs. Then, owing to their apparent legitimacy, the app ads would lure users into downloading the malicious app.

After reaching the device, the malware relies on the default Android app installation flow, which requires user input. Once the user taps the "Open" button to launch the newly installed app, the malware executes in the background.

On screen, however, an error message appears to trick the user into believing that the app failed to install. At the same time, the lack of an app icon makes it difficult for the victim to uninstall it.

Upon gaining persistence on the device, the malware remains dormant for some time. Then, after receiving the relevant commands from its servers, the malware starts displaying ads on the device when the user unlocks the phone.

Bitdefender caught this campaign because the malware used the device's browser to show the malicious ads, which the Mobile Security tool detected. The malware also displays full-screen web views of ads.

The researchers have shared a demonstration of the malware in action.

As always, to repel such threats, users must avoid interacting with apps or links from unknown sources. Likewise, equipping devices with a robust antimalware solution is key to preventing most malware attacks.

North Africa Targeted by Stealth Soldier Backdoor in Espionage Attacks

Check Point Research has discovered a sequence of cyberespionage attacks using a previously undisclosed backdoor named Stealth Soldier against Libyan organizations. This malicious software is a customized modular backdoor with surveillance capabilities.

The targeting of Libyan organizations and the malware infrastructure indicate the potential return of a threat actor referred to as "The Eye on the Nile," which was seen in action in 2019.

Diving into details

The Command and Control (C&C) network of Stealth Soldier is part of a broader infrastructure that has been used, at least partially, for spear-phishing attacks targeting government entities.
• The infection commences with the downloader, which initiates the attack chain. While the precise delivery method of the downloader remains undisclosed, social engineering is considered likely.
• The most recent version of the implant was reportedly compiled in February 2023.
• The malware's infection procedure encompasses the retrieval of numerous files from the C&C server, including the loader, watchdog, and payload.

Let's discuss its versions

Security experts have identified three distinct infection chains involving three different versions of the Stealth Soldier malware: 6, 8, and 9.
• The versions differ in details such as filenames, mutex names, XOR keys, and directory names.
• They also differ in the value name written under the SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key for persistence:
  • "Cache" for version 6
  • "WinUpdate" for version 8
  • "DevUpdate" for version 9

Nonetheless, the overall flow follows a similar pattern across versions and exhibits the same underlying logic.
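The Run-key value names listed above are the only host-level indicator the write-up gives, so here is an added triage helper (not Check Point's code) that flags Run entries whose value name matches one of them and returns the associated command line for review. The article does not say which hive the key lives in, so the live reader checks both HKCU and HKLM (an assumption); the sample entries in the test are constructed.

```python
"""Triage helper for the Run-key persistence names listed in the article.

Added example, not from Check Point's report. A hit is a lead, not a
conviction: names like "Cache" or "WinUpdate" can belong to legitimate
software, which is why the command line is returned for analyst review.
"""
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Value name -> Stealth Soldier version, as reported in the article.
STEALTH_SOLDIER_RUN_VALUES = {
    "Cache": 6,
    "WinUpdate": 8,
    "DevUpdate": 9,
}


def triage_run_entries(entries):
    """Return [(hive, value_name, version, command)] for matching names.

    `entries` is an iterable of (hive, value_name, command) tuples so the
    logic runs offline on exported or constructed data. Matching is
    case-insensitive because registry value names are.
    """
    lookup = {k.lower(): v for k, v in STEALTH_SOLDIER_RUN_VALUES.items()}
    findings = []
    for hive, name, command in entries:
        version = lookup.get(name.lower())
        if version is not None:
            findings.append((hive, name, version, command))
    return findings


def read_run_entries():
    """Enumerate Run values from HKCU and HKLM on a live Windows host.

    Both hives are checked because the article does not name the hive
    (assumption). Requires the Windows-only winreg module.
    """
    import winreg
    entries = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                entries.append((hive_name, name, str(data)))
                index += 1
    return entries


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live read needs Windows; feed exported data to triage_run_entries()")
    for hive, name, version, command in triage_run_entries(read_run_entries()):
        print(f"{hive}\\...\\Run\\{name}: matches version {version} name -> {command}")
```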

Attribution

• Check Point Research uncovered similarities between the present operation and the previously identified "Eye on the Nile" campaign, which Amnesty International and Check Point Research had associated with government-affiliated entities.
• The presence of overlapping infrastructure implies a potential correlation between these two campaigns, highlighting the tenacity and flexibility of the threat actor responsible for their orchestration.

The bottom line

The recent Stealth Soldier malware campaign directed at Libyan organizations underscores the growing complexity of cyberespionage activities. The use of customized backdoors and advanced surveillance functionality presents substantial risks to the data security and privacy of the targeted entities.

Protecting your Facebook account

Protecting your Facebook account from hackers involves implementing several security measures. Here are some essential steps you can take to enhance the security of your Facebook account:

1. Strong and Unique Password: Use a strong, unique password for your Facebook account. Include a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using common words or personal information that can be easily guessed.

2. Enable Two-Factor Authentication (2FA): Activate 2FA for your Facebook account. This adds an extra layer of security by requiring a second form of verification, usually a code sent to your mobile device, in addition to your password when logging in.

3. Be Cautious with Links and Downloads: Avoid clicking on suspicious links or downloading files from untrusted sources, as they can be used to install malware or launch phishing attacks. Be particularly cautious of messages or emails asking for your login credentials or personal information.

4. Keep Software and Antivirus Updated: Regularly update your operating system, web browser, and antivirus software to protect against the latest security vulnerabilities and threats.

5. Recognize and Avoid Phishing Attempts: Be wary of phishing attempts that try to trick you into revealing your login credentials or personal information. Double-check the URL of any login page and only enter your credentials on official Facebook websites.

6. Review App Permissions: Periodically review the permissions granted to third-party apps connected to your Facebook account. Remove any unnecessary or suspicious apps that may have access to your personal information.

7. Use a Secure Internet Connection: Avoid logging into your Facebook account over public Wi-Fi networks, as they may be insecure. Instead, use a secure and private internet connection, such as your mobile data or a trusted home network.

8. Regularly Monitor Account Activity: Keep an eye on your account activity and review the login history regularly. If you notice any suspicious activity or unauthorized access, change your password immediately and report it to Facebook.

9. Educate Yourself: Stay informed about common hacking techniques and security best practices. Regularly educate yourself on the latest threats and security measures to protect your Facebook account.

Remember, maintaining a secure Facebook account is crucial for safeguarding your personal information and online presence.
