How to Improve Your API Security Posture


APIs, more formally known as application programming interfaces, empower apps and microservices to communicate and share data. However, this level of connectivity doesn't come without major risks. Hackers can exploit vulnerabilities in APIs to gain unauthorized access to sensitive data or even take control of the entire system. Therefore, it's essential to have a robust API security posture to protect your organization from potential threats.

What is API posture management?#

API posture management refers to the process of monitoring and managing the security posture of your APIs. It involves identifying potential vulnerabilities and misconfigurations that could be exploited by attackers, and taking the necessary steps to remediate them. Posture management also helps organizations classify sensitive data and ensure that it's compliant with the leading data compliance regulations such as GDPR, HIPAA, and PCI DSS.

As mentioned above, APIs are a popular target for attackers because they often provide direct access to sensitive data and systems. By implementing an API posture management tool, organizations can proactively identify and remediate potential security issues before they're exploited.

You can download a free copy of the Definitive Guide to API Posture Management to learn more.

How does API posture management work?#

API posture management involves several key steps:

  1. Discovery: The first step is to identify all APIs in use within an organization. This can be done using automated tools or through manual inventory.
  2. Assessment: Once APIs have been identified, they need to be assessed for potential vulnerabilities and misconfigurations. This can be done using tools that scan APIs for known vulnerabilities or by conducting manual penetration testing.
  3. Remediation: Any vulnerabilities or misconfigurations that are identified need to be remediated. This may involve applying patches, reconfiguring APIs, or implementing additional security controls.
  4. Monitoring: Finally, APIs need to be continuously monitored to ensure that they remain secure. This may involve implementing intrusion detection systems, log analysis, or other monitoring tools.
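The Discovery and Assessment steps above are easiest to see against a concrete API description. The following is an added example, not code from the article or from any posture-management product: it walks an OpenAPI 3 document, enumerates every operation, and reports the misconfigurations a posture tool would flag (a server not served over TLS, an operation with no security requirement, and an operation whose security list contains an empty requirement, which permits anonymous access). The document itself is constructed for the example.

```python
"""Added posture-assessment example (not part of the article). Walks an OpenAPI 3
document to discover every operation, then flags the misconfigurations that a
posture tool would report: servers not served over TLS, operations with no
security requirement at all, and operations whose security list contains an
empty requirement (which allows anonymous access). The spec below is
constructed for this example."""
from typing import Any, Dict, List, Tuple

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

# Constructed sample document: one endpoint inherits the document default,
# one disables security with an empty list, one allows anonymous callers, and
# the second server entry is plain HTTP.
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "servers": [
        {"url": "https://api.example.test/v1"},
        {"url": "http://api-staging.example.test/v1"},
    ],
    "security": [{"bearerAuth": []}],  # document-wide default requirement
    "paths": {
        "/users/{id}": {"get": {"operationId": "getUser"}},
        "/admin/export": {"post": {"operationId": "exportAll", "security": []}},
        "/health": {"get": {"operationId": "health", "security": [{}]}},
    },
}


def discover_operations(spec: Dict[str, Any]) -> List[Tuple[str, str, Dict[str, Any]]]:
    """Discovery: return (METHOD, path, operation object) for every operation."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                ops.append((method.upper(), path, op))
    return ops


def effective_security(spec: Dict[str, Any], op: Dict[str, Any]) -> List[Dict[str, Any]]:
    """An operation-level 'security' key replaces the document default, even when empty."""
    return op["security"] if "security" in op else spec.get("security", [])


def assess(spec: Dict[str, Any]) -> List[Dict[str, str]]:
    """Assessment: return findings as {where, issue, severity} dicts."""
    findings = []
    for server in spec.get("servers", []):
        url = server.get("url", "")
        if not url.lower().startswith("https://"):
            findings.append({"where": url, "issue": "server is not served over TLS",
                             "severity": "high"})
    for method, path, op in discover_operations(spec):
        where = f"{method} {path}"
        requirements = effective_security(spec, op)
        if not requirements:
            findings.append({"where": where,
                             "issue": "no security requirement: unauthenticated access",
                             "severity": "high"})
        elif any(req == {} for req in requirements):
            findings.append({"where": where,
                             "issue": "empty security requirement: anonymous access allowed",
                             "severity": "medium"})
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_SPEC):
        print(f"[{finding['severity']}] {finding['where']}: {finding['issue']}")
```

Running the same `assess` over the specs exported from an API gateway gives a repeatable inventory for the Remediation and Monitoring steps: each finding names the exact operation or server to fix, and re-running after a deploy shows whether a change reopened an endpoint.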

How to improve your API security posture#

Here are some best practices that can help improve your API security posture:

1. Use Secure Authentication and Authorization Mechanisms#

Authentication and authorization mechanisms are essential components of API security. They ensure that only authorized users can access the API and perform specific actions. It is essential to use secure, standard mechanisms, such as OAuth 2.0 or OpenID Connect, to protect your APIs from unauthorized access.

2. Implement Role-Based Access Control#

Role-based access control (RBAC) is a security model that restricts access to resources based on the user's role. RBAC can help prevent unauthorized access to sensitive data by limiting access to only those users who need it to perform their job functions.

3. Use SSL/TLS Encryption#

SSL/TLS is a security protocol that encrypts data transmitted between the client and the server. It prevents eavesdropping and ensures that data is transmitted securely. It is essential to use SSL/TLS encryption to protect your APIs from man-in-the-middle attacks.

4. Implement Rate Limiting#

Rate limiting restricts the number of API requests that a client can make within a specific time frame. It helps prevent API abuse and keeps the API available to all users. Rate limiting also helps protect your APIs from denial-of-service (DoS) attacks.
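A token bucket is the usual way to implement the rate limit described above: each client may burst up to a fixed number of requests and then earns new requests at a steady rate. The following added example (not from the article) implements a per-client bucket and the 429 decision built on it, with an injectable clock so the behaviour can be checked deterministically. Client identifiers and the limits are assumptions for the example.

```python
"""Added example (not from the article): a per-client token-bucket rate limiter
and the HTTP decision built on it. Each client gets `capacity` requests of
burst and earns `rate_per_sec` new requests per second; once the bucket is
empty the request is rejected with 429 and a Retry-After hint. The clock is
injectable so the behaviour can be checked deterministically; client
identifiers and limits are assumptions for the example."""
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class _Bucket:
    tokens: float   # requests currently available
    last: float     # clock reading at the last refill


class TokenBucketLimiter:
    def __init__(self, capacity: int, rate_per_sec: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = capacity
        self.rate = rate_per_sec
        self.clock = clock
        self.buckets: Dict[str, _Bucket] = {}

    def allow(self, client_id: str) -> Tuple[bool, float]:
        """Spend one token for client_id. Returns (allowed, seconds until a token is available)."""
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = _Bucket(float(self.capacity), now)
        # Refill lazily: tokens earned since the last call, capped at the burst size.
        bucket.tokens = min(float(self.capacity),
                            bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - bucket.tokens) / self.rate


def handle(limiter: TokenBucketLimiter, client_id: str) -> Dict[str, object]:
    """Key the bucket on the authenticated subject where possible, on the source IP otherwise."""
    allowed, wait = limiter.allow(client_id)
    if allowed:
        return {"status": 200, "headers": {}}
    return {"status": 429, "headers": {"Retry-After": str(max(1, math.ceil(wait)))}}


class FakeClock:
    """Deterministic clock for tests and local experiments."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=5, rate_per_sec=1.0, clock=clock)
    print([handle(limiter, "client-a")["status"] for _ in range(6)])  # five 200s, then 429
    clock.advance(2.0)
    print([handle(limiter, "client-a")["status"] for _ in range(3)])  # 200, 200, 429
```

Keying the bucket on the authenticated subject rather than only the source IP stops one abusive account from hiding behind a shared address, while still leaving an IP-keyed bucket as the limit for unauthenticated endpoints such as login.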

5. Monitor and Log API Activity#

Monitoring and logging API activity helps detect suspicious activity and potential security breaches. It is essential to monitor API activity in real time and to log all API requests and responses. This helps identify security incidents and enables you to take appropriate action.
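Logging every request is only useful if the log can be read back safely and queried. The following added example (not from the article) writes one JSON line per request with credential-bearing headers masked and bodies reduced to their size, then reads those lines back to flag clients that produce bursts of authentication failures, one of the simplest signals of credential guessing against an API. The log records are constructed; the threshold and window are assumptions for the example.

```python
"""Added example (not from the article): structured request logging that redacts
credential-bearing headers and never records bodies, plus a detector that reads
those log lines back and flags clients producing bursts of authentication
failures. The log records below are constructed; the threshold and window are
assumptions for the example."""
import json
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional, Set

SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key", "proxy-authorization"}


def log_request(ts: float, client_ip: str, method: str, path: str, status: int,
                headers: Dict[str, str], body_bytes: int,
                subject: Optional[str] = None) -> str:
    """One JSON line per request. Secrets are masked and only the body size is kept."""
    safe_headers = {
        name: ("[REDACTED]" if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }
    record = {"ts": ts, "client_ip": client_ip, "method": method, "path": path,
              "status": status, "subject": subject, "headers": safe_headers,
              "body_bytes": body_bytes}
    return json.dumps(record, sort_keys=True)


def detect_auth_failure_bursts(lines: Iterable[str], threshold: int = 5,
                               window_sec: float = 60.0) -> Set[str]:
    """Return client IPs with >= threshold 401/403 responses inside any window_sec span.
    Lines must be in timestamp order, as a log file normally is."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    flagged: Set[str] = set()
    for line in lines:
        rec = json.loads(line)
        if rec["status"] not in (401, 403):
            continue
        window = recent[rec["client_ip"]]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > window_sec:
            window.popleft()
        if len(window) >= threshold:
            flagged.add(rec["client_ip"])
    return flagged


def sample_log() -> List[str]:
    """Constructed traffic: one client guessing tokens, one legitimate client."""
    lines = []
    for i in range(6):   # six failures in 30 seconds from 203.0.113.9
        lines.append(log_request(1000 + i * 5, "203.0.113.9", "GET", "/v1/invoices", 401,
                                 {"Authorization": "Bearer guess-%d" % i,
                                  "User-Agent": "curl/8.0"}, 0))
    lines.append(log_request(1040, "198.51.100.4", "GET", "/v1/invoices", 200,
                             {"Authorization": "Bearer real-token",
                              "User-Agent": "app/1.2"}, 0, "alice"))
    lines.append(log_request(1045, "198.51.100.4", "POST", "/v1/invoices", 403,
                             {"Authorization": "Bearer real-token"}, 512, "alice"))
    return lines


if __name__ == "__main__":
    lines = sample_log()
    print(lines[0])
    print("bursting clients:", detect_auth_failure_bursts(lines))
```

The redaction happens at write time, so a token never reaches the log store at all; the detector works on the sanitised lines and still has everything it needs (client, status, time) to raise an alert.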

6. Conduct Regular API Security Audits#

Regular API security audits can help identify vulnerabilities and misconfigurations that may have been missed during the initial implementation. It is essential to conduct regular security audits to ensure that your APIs are secure and compliant with industry standards.

Conclusion#

APIs are a critical component of modern software development. However, with the increasing use of APIs, the risk of security breaches has also increased. Implementing API posture management can help improve your API security posture and protect your organization from potential threats. By following the best practices outlined in this article, you can reduce the risk of security breaches and ensure that your APIs are secure and compliant with industry standards.


Guardz Launches AI-Powered Multilayered Phishing Protection To Secure SMEs

Guardz’s new Multilayered Phishing Protection: continuously scans all inbound traffic with its advanced anti-phishing email protection solution; initiates detection through AI-powered anti-phishing and anti-malware engines; removes risky emails from users’ inboxes and automatically sends them to quarantine; monitors internet browsing to detect potential phishing attempts and delivers real-time alerts to system admins to enable timely responses; and provides ongoing, active cyber awareness training and tailored phishing simulations for employees, fostering a culture of caution and vigilance. Perhaps most importantly when dealing with phishing, the Guardz solution empowers every employee to behave in ways that support and strengthen the business’s cybersecurity posture.

“The proliferation of phishing attack as a service (AaaS) tools sold on the dark web is putting the SME ecosystem increasingly at risk. Our new AI-powered phishing protection solution provides SMEs and MSPs with a holistic and accessible solution to prevent the success of phishing attacks,” said Dor Eisner, CEO and Co-Founder of Guardz. “This is a significant addition to Guardz’s holistic cyber security offering for small businesses, ensuring that they can react to cyber risks in real time with swift remediations, but also be protected by cyber insurance for complete peace of mind – a true secure and insure approach.”

The Multilayered Phishing Protection enables MSPs to provide their SME customers complete protection across all potential phishing attack vectors. It does so by automatically scanning the perimeter posture, inbound email traffic and internet browsing, and by providing ongoing, tailored cyber awareness training and simulation for employees. The platform automatically verifies emails for authentication protocols including Domain-based Message Authentication, Reporting and Conformance (DMARC) and Sender Policy Framework (SPF), and checks for malicious forwarding rules.

5 Reasons Why Access Management is the Key to Securing the Modern Workplace

The way we work has undergone a dramatic transformation in recent years. We now operate within digital ecosystems, where remote work and the reliance on a multitude of digital tools are the norm rather than the exception. This shift – as you likely know from your own life – has led to superhuman levels of productivity that we wouldn't ever want to give up. But moving fast comes at a cost. And for our digital work environment, that cost is security.

Our desire for innovation, speed and efficiency has birthed new and complex security challenges that all, in some way or another, revolve around securing how we access resources. Because of this, effective access management now plays a more critical role in securing the modern workplace than ever. Follow along as we uncover five reasons why this is the case.

Educating People About Security is Not Working#

For years, we've held the belief that educating people about cyberthreats would make them more cautious online. Yet, despite 17 years of annual Cybersecurity Awareness Month initiatives, internet users are more susceptible to online threats than ever. Why is this so?

The shortcoming of security training is that it often fails to consider the wider organizational culture, policies, systems, and individual nuances such as a person's IT skills, comprehension levels, age, and gender. As a result, while training might cause temporary changes in behavior, it struggles to imprint lasting changes.

Now, we can't simply discard training.

What we can do is integrate it into a broader approach, one that recognizes the limitations of cybersecurity education and applies security solutions in areas like access management to minimize human-related risk.

This type of approach is similar to how the car industry does safety. We don't train everyone to be a professional driver. That would be unsustainable and hard to scale. Instead, we build cars with safety measures in place that greatly reduce the chances (and potential impact) of accidents.

We're Only Becoming More Digital#

The rapid digital transformation of the modern workplace brings both advantages and challenges. With the average company using over 250 apps and global cloud spending projected to reach $600 billion by 2023, we've seen unprecedented productivity boosts. However, every new app, device, and user increases an organization's digital attack surface.

This expansion puts immense pressure on IT teams, who must maintain control of an organization's digital assets. Ensuring every tool is updated, every device is secure, and every user has the correct access rights is a complex task.

In this context, effective access management is paramount. It helps organizations maintain control over who can access what, securing the attack surface and mitigating the risk of unauthorized access.

Tricking Humans is Easier than Exploiting Systems#

Cybersecurity is no longer confined to just securing systems; it's about securing humans as well.

This shift in focus has been largely driven by the rise of social engineering tactics, where cybercriminals employ techniques like phishing, pretexting, and baiting to manipulate individuals into revealing sensitive information. The reason for this shift is simple: it's often easier to trick a person than to hack a system.

Humans, being creatures of habit, follow predictable patterns and can be susceptible to cognitive biases. For instance, we tend to be overly trusting and often seek the path of least resistance. These traits make us prime targets for cybercriminals who employ sophisticated schemes to exploit these vulnerabilities. In essence, our predictable behavior makes us the weakest link in the cybersecurity chain.

The rapid pace of digital transformation has also added to this problem. As we face an increasing amount of information daily and are expected to work at ever-increasing speeds, we risk falling into decision fatigue. This high-pressure environment can lead us to let our guard down, making us more susceptible to cyberattacks.

Given these challenges, it's clear that security solutions must adapt to our behavior, not rely on it. This entails implementing robust access management measures to protect against common human errors such as accidental data sharing or the use of weak passwords.

Technology Falls Short When Humans Make Errors#

Even the most sophisticated security systems are not immune to one profound vulnerability: human error. Despite accounting for at least 88% of breaches, human error is an often-overlooked element that could bring even the most advanced security systems to their knees.

The paradox lies in the fact that while technology evolves at a rapid pace, our habits and behaviors don't necessarily keep up. For instance, even with an advanced security infrastructure in place, a single moment of negligence, such as clicking on a suspicious link or using an insecure network, can expose an entire system to threats.

The implications of human error in cybersecurity can be likened to the act of meticulously locking your front door, only to leave a window wide open. No matter how advanced or secure your lock system is, if an open window is available, your security measures are rendered pointless. The challenge, therefore, is to find solutions that not only protect against external threats but also factor in the variable of human error.

We're Living in a Password Pandemic#

In the age of digital transformation, we've found ourselves grappling with what can best be described as a "password pandemic." As digital tools become more embedded in our daily lives, the number of accounts, and consequently the number of passwords each of us has to remember, has exploded.

The result is a troubling trend where individuals are increasingly losing control over their passwords. To cope with this, it's become all too common to resort to risky password practices, like using the same password across multiple platforms, or using easily guessable passwords. In the quest for convenience, we are willingly sacrificing security, thereby presenting cybercriminals with easy opportunities.

What's more, businesses face the daunting task of managing an enormous number of login credentials, further escalating the risk of password-related breaches. This "password fatigue" makes it clear that we need smarter, more user-friendly approaches to managing access to our digital resources, ones that can offer convenience without compromising on security.


Implementing an Access Management Solution is Paramount#

The common thread running through these trends is that they all pose critical challenges to securing access to systems and resources.

To be fair, businesses have deployed traditional access management measures like SSO for decades. What needs to change is that these solutions must adapt to an expanding digital attack surface while also embracing the unreliable nature of human actions.

The burden of security can no longer fall solely on the user's awareness or intent. Organizations must shoulder the responsibility of cybersecurity, which entails setting employees up for security success by proactively enforcing secure habits through solutions that suit the way people work today.

For businesses operating within Europe, the urgency of these measures is heightened due to the upcoming implementation of the NIS2 directive. Non-compliance is not an option and carries serious legal and financial consequences. Hence, implementing robust and efficient access management systems isn't just a choice, it's a necessity.

Address Modern Access Management Needs with a Modern Solution#

Uniqkey, a cybersecurity company originating from Europe, aims to address the access-related challenges posed by today's ever-evolving digital workplaces. Recognizing that IT teams are heavily overloaded, Uniqkey provides a comprehensive access management platform designed to simplify and enhance access control and password management.

This platform streamlines access management by offering centralized control of an organization's digital assets. By doing so, Uniqkey simplifies the task of managing permissions and user access, making it easier to ensure the integrity of a company's digital infrastructure.

Uniqkey also offers an intuitive password manager designed for employees that secures the use of passwords in the workplace. By shifting the burden of secure password practices away from the user and onto an automated system, Uniqkey promotes safer habits without demanding significant behavioral changes from the end user.

This user-centric approach is what distinguishes solutions like Uniqkey from competitors.

Beyond equipping IT teams with the right tools to manage access effectively, their solution embraces people's innately flawed behavior, fostering healthy secure practices from the bottom up. This way, they permanently address the human-centered challenges posed by our modern digital workplaces.

In conclusion, as our modern workplaces become increasingly digital, our approach to security needs to evolve concurrently. We can't afford to overlook the importance of a modern access management solution. Platforms like Uniqkey offer businesses the opportunity to stay ahead of potential access-related threats, ensuring not just survival, but the ability to thrive in this ever-evolving digital landscape.

Analysis of TeleBots’ cunning backdoor

On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 in bitcoins for recovery. In fact, the malware authors’ intention was to cause damage, so they did all that they could to make data decryption very unlikely.
We attributed this attack to the TeleBots group and uncovered details about other similar supply chain attacks against Ukraine. This article reveals details about the initial distribution vector that was used during the DiskCoder.C outbreak.

Tale of a malicious update

The Cyberpolice Department of Ukraine’s National Police stated, on its Facebook account, as did ESET and other information security companies, that the legitimate Ukrainian accounting software M.E.Doc was used by the attackers to push DiskCoder.C malware in the initial phase of the attack. However, until now, no details were provided as to exactly how it was accomplished.
During our research, we identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules. It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.
The backdoored module has the filename ZvitPublishedObjects.dll. It was written using the .NET Framework. It is a 5MB file and contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.
We examined all M.E.Doc updates that were released during 2017, and found that at least three updates contained the backdoored module:
• 10.01.175-10.01.176, released on 14th of April 2017
• 10.01.180-10.01.181, released on 15th of May 2017
• 10.01.188-10.01.189, released on 22nd of June 2017
The incident with Win32/Filecoder.AESNI.C happened three days after the 10.01.180-10.01.181 update and the DiskCoder.C outbreak happened five days after the 10.01.188-10.01.189 update. Interestingly, four updates from April 24th 2017 through to May 10th 2017, and seven software updates from May 17th 2017 through to June 21st 2017, didn’t contain the backdoored module.
Since the May 15th update did contain the backdoored module and the May 17th update didn’t, here is a hypothesis that could explain the low Win32/Filecoder.AESNI.C infection ratio: the release of the May 17th update was an unexpected event for the attackers. They pushed the ransomware on May 18th, but the majority of M.E.Doc users no longer had the backdoored module, as they had already updated.
The PE compilation timestamps of the analyzed files suggest that these files were compiled on the same date as the update or the day before.
Figure 1 – Compilation timestamp of the backdoored module pushed in the May 15th update.
Figure 2 shows the difference between the lists of classes in the backdoored and non-backdoored versions of the module, using the ILSpy .NET Decompiler:
Figure 2 – List of classes in the backdoored module (left) and the non-backdoored module (right).
The main backdoor class is named MeCom and it is located in the ZvitPublishedObjects.Server namespace, as shown in Figure 3.
Figure 3 – The MeCom class with malicious code, as shown in ILSpy .NET Decompiler.
The methods of the MeCom class are invoked by the IsNewUpdate method of UpdaterUtils in the ZvitPublishedObjects.Server namespace. The IsNewUpdate method is called periodically in order to check whether a new update is available. The backdoored module from May 15th is implemented in a slightly different way and has fewer features than the one from June 22nd.
Each organization that does business in Ukraine has a unique legal entity identifier called the EDRPOU number (Код ЄДРПОУ). This is extremely important for the attackers: having the EDRPOU number, they could identify the exact organization that is now using the backdoored M.E.Doc. Once such an organization is identified, attackers could then use various tactics against the computer network of the organization, depending on the attackers’ goal(s).
Since M.E.Doc is accounting software commonly used in Ukraine, the EDRPOU values could be expected to be found in application data on machines using this software. Hence, the code that was injected in the IsNewUpdate method collects all EDRPOU values from application data: one M.E.Doc instance could be used to perform accounting operations for multiple organizations, so the backdoored code collects all possible EDRPOU numbers.
Figure 4 – Code that collects EDRPOU numbers.
Along with the EDRPOU numbers, the backdoor collects proxy and email settings, including usernames and passwords, from the M.E.Doc application.
Warning! We recommend changing passwords for proxies, and for email accounts, for all users of M.E.Doc software.
The malicious code writes the information collected into the Windows registry under the HKEY_CURRENT_USER\SOFTWARE\WC key using the Cred and Prx value names. So if these values exist on a computer, it is highly likely that the backdoored module did, in fact, run on that computer.
And here is the most cunning part! The backdoored module does not use any external servers as C&Cs: it uses the M.E.Doc software’s regular update check requests to the official M.E.Doc server upd.me-doc.com[.]ua. The only difference from a legitimate request is that the backdoored code sends the collected information in cookies.
Figure 5 – HTTP request of the backdoored module that contains an EDRPOU number in cookies.
We have not performed forensic analysis on the M.E.Doc server. However, as we noted in our previous blogpost, there are signs that the server was compromised. So we can speculate that the attackers deployed server software that allows them to differentiate between requests from compromised and non-compromised machines.
Figure 6 – Code of the backdoor that adds cookies to the request.
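The two artifacts just described, the HKCU\SOFTWARE\WC registry values and the cookies on update-check requests, are what a responder can actually look for. The following is an added example, not code from the ESET article: one function tests whether the value names read from that key include Cred or Prx (with a winreg helper for use on Windows hosts), and a second scans proxy log lines for requests to upd.me-doc.com.ua that carry a Cookie header, since the article states that the cookie is the only difference from a legitimate request. The log format, URL path and cookie names are constructed for the example; the article does not give the real cookie names, so the rule does not depend on them. The 8-digit EDRPOU format is a general property of that identifier rather than something the article states.

```python
"""Added defender-side example (not from the ESET article): two checks derived
from the indicators described above. The first tests whether the value names
under HKEY_CURRENT_USER\\SOFTWARE\\WC include Cred or Prx; a helper enumerates
that key with winreg when run on Windows. The second scans proxy log lines for
update-check requests to upd.me-doc.com.ua that carry a cookie. The log format,
URL path and cookie names below are constructed for the example; the rule does
not depend on any particular cookie name. EDRPOU numbers being 8 digits is a
general fact about the identifier, not something the article states."""
import re
import shlex
import sys
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

REGISTRY_SUBKEY = r"SOFTWARE\WC"         # under HKEY_CURRENT_USER, per the article
ARTIFACT_VALUE_NAMES = {"Cred", "Prx"}   # value names the backdoor writes, per the article
UPDATE_HOST = "upd.me-doc.com.ua"
EDRPOU_RE = re.compile(r"(?<!\d)\d{8}(?!\d)")


def registry_artifacts_present(value_names: Iterable[str]) -> bool:
    """True when the WC key holds either of the value names the backdoor writes."""
    return bool(ARTIFACT_VALUE_NAMES & set(value_names))


def read_wc_value_names() -> Optional[List[str]]:
    """Windows only: value names under HKCU\\SOFTWARE\\WC, or None if the key is absent."""
    if sys.platform != "win32":
        return None
    import winreg  # imported here so the module loads on other platforms
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, REGISTRY_SUBKEY)
    except FileNotFoundError:
        return None
    names: List[str] = []
    try:
        index = 0
        while True:
            names.append(winreg.EnumValue(key, index)[0])
            index += 1
    except OSError:          # EnumValue raises once the values are exhausted
        pass
    finally:
        winreg.CloseKey(key)
    return names


# Constructed proxy log format: <ts> <client_ip> <method> <url> <status> <cookie or ->
SAMPLE_PROXY_LOG = [
    '2017-06-22T09:12:44Z 10.0.0.21 GET http://upd.me-doc.com.ua/update-check 200 -',
    '2017-06-22T09:13:02Z 10.0.0.35 GET http://upd.me-doc.com.ua/update-check 200 "id=12345678; p=proxyuser"',
    '2017-06-22T09:14:10Z 10.0.0.35 GET http://www.example.test/ 200 "lang=uk"',
    '2017-06-22T09:15:31Z 10.0.0.42 GET http://upd.me-doc.com.ua/update-check 200 "s=abcdef"',
]


def flag_update_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag update-server requests that carry cookies; note cookies holding EDRPOU-like values."""
    hits = []
    for line in lines:
        ts, client_ip, _method, url, _status, cookie = shlex.split(line)
        if urlsplit(url).hostname != UPDATE_HOST or cookie == "-":
            continue
        reason = "cookie sent to update server"
        if EDRPOU_RE.search(cookie):
            reason += "; cookie contains an 8-digit EDRPOU-like value"
        hits.append({"ts": ts, "client_ip": client_ip, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in flag_update_requests(SAMPLE_PROXY_LOG):
        print(hit)
    names = read_wc_value_names()
    if names is not None:
        print("HKCU\\SOFTWARE\\WC present; backdoor values:", registry_artifacts_present(names))
```

The registry check is per user profile, because the key lives under HKEY_CURRENT_USER; on a shared machine each profile's hive has to be examined. The proxy rule is deliberately broad, flagging any cookie at all on traffic to the update host, and uses the EDRPOU pattern only to rank hits.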
And, of course, the attackers added the ability to control the infected machine. The code receives a binary blob from the official M.E.Doc server, decrypts it using the Triple DES algorithm, and then decompresses it using GZip. The result is an XML file that could contain several commands at once. This remote control feature makes the backdoor a fully-featured cyberespionage and cybersabotage platform at the same time.
Figure 7 – Code of the backdoor that decrypts incoming malware operators’ commands.
The following table shows the possible commands:
Command – Purpose
0 – RunCmd – Executes the supplied shell command
1 – DumpData – Decodes the supplied Base64 data and saves it to a file
2 – MinInfo – Collects information about the OS version, bitness (32 or 64), current privileges, UAC settings, proxy settings, and email settings including login and password
3 – GetFile – Collects a file from the infected computer
4 – Payload – Decodes the supplied Base64 data, saves it as an executable file and runs it
5 – AutoPayload – Same as the previous command, but the supplied file should be a DLL; it is dropped into the Windows folder and executed using rundll32.exe. In addition, it attempts to overwrite the dropped DLL and delete it.
It should be noted that command number 5, named AutoPayload by the malware authors, perfectly matches the way in which DiskCoder.C was initially executed on “patient zero” machines.
Figure 8 – AutoPayload method that was used to execute DiskCoder.C malware.
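The AutoPayload behaviour leaves a recognisable trace in process-creation telemetry: rundll32.exe loading a DLL that sits directly in the Windows folder rather than in System32 or SysWOW64. The following is an added detection example, not code from the ESET article. It scores constructed process events for that pattern; the extra weight given when the parent process is ezvit.exe (the M.E.Doc executable named in the article) is an assumption about how the event would appear, not something the article states.

```python
"""Added detection example (not from the ESET article): scoring process-creation
events for the AutoPayload pattern described above, in which a dropped DLL in
the Windows folder is executed through rundll32.exe. Legitimate rundll32 use
normally loads DLLs from System32 or SysWOW64, so a DLL sitting directly in the
Windows folder is the signal. The events are constructed, and the extra weight
for a parent process of ezvit.exe (M.E.Doc's main executable, named in the
article) is an assumption about how the event would appear."""
import re
from typing import Dict, List

# Matches a DLL located directly in the Windows folder (not in a subfolder),
# with or without surrounding quotes, case-insensitively.
WINDIR_ROOT_DLL = re.compile(r'"?([a-z]:\\windows\\[^\\"\s,]+\.dll)"?', re.IGNORECASE)

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed process-creation events
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\dropped-sample.dll,#1",
     "parent_image": r"C:\Program Files\Medoc\ezvit.exe"},
    {"image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\other-sample.dll",#1',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Windows\notes.dll",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Return {'score', 'reasons', 'dll'} for one event; score 0 means no match."""
    reasons: List[str] = []
    score = 0
    dll = ""
    if not event["image"].lower().endswith("\\rundll32.exe"):
        return {"score": 0, "reasons": reasons, "dll": dll}
    match = WINDIR_ROOT_DLL.search(event["cmdline"])
    if match:
        dll = match.group(1)
        score += 70
        reasons.append("rundll32 loading a DLL from the Windows folder root")
    if dll and event["parent_image"].lower().endswith("\\ezvit.exe"):
        score += 30
        reasons.append("parent is the M.E.Doc executable (assumed relationship)")
    return {"score": score, "reasons": reasons, "dll": dll}


def triage(events: List[Dict[str, str]], threshold: int = 70) -> List[int]:
    """Indexes of events whose score reaches the threshold, highest score first."""
    scored = [(i, score_event(e)["score"]) for i, e in enumerate(events)]
    return [i for i, s in sorted(scored, key=lambda p: -p[1]) if s >= threshold]


if __name__ == "__main__":
    for index in triage(SAMPLE_EVENTS):
        print(index, score_event(SAMPLE_EVENTS[index]))
```

Because the article also notes that the backdoor tries to overwrite and delete the dropped DLL, the process event may be the only durable record of the file; correlating it with the registry and proxy indicators above gives a more complete picture of an affected host.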

Conclusions

As our analysis shows, this is a thoroughly well-planned and well-executed operation. We assume that the attackers had access to the M.E.Doc application source code. They had time to learn the code and incorporate a very stealthy and cunning backdoor. The size of the full M.E.Doc installation is about 1.5GB, and we have no way at this time to verify that there are no other injected backdoors.
There are still questions to answer. How long has this backdoor been in use? What commands and malware other than DiskCoder.C or Win32/Filecoder.AESNI.C have been pushed via this channel? What other software update supply chains might the gang behind this attack have already compromised but are yet to weaponize?
Special thanks to my colleagues Frédéric Vachon and Thomas Dupuy for their help in this research.

Indicators of Compromise (IoC)

ESET detection names:
MSIL/TeleDoor.A
Legitimate servers abused by malware authors:
upd.me-doc.com[.]ua
SHA-1 hashes:
7B051E7E7A82F07873FA360958ACC6492E4385DD
7F3B1C56C180369AE7891483675BEC61F3182F27
3567434E2E49358E8210674641A20B147E0BD23C
