Showing posts with label Hacking News.
How to Improve Your API Security Posture

APIs, more formally known as application programming interfaces, empower apps and microservices to communicate and share data. However, this level of connectivity doesn't come without major risks. Hackers can exploit vulnerabilities in APIs to gain unauthorized access to sensitive data or even take control of the entire system. Therefore, it's essential to have a robust API security posture to protect your organization from potential threats.

What is API posture management?

API posture management refers to the process of monitoring and managing the security posture of your APIs. It involves identifying potential vulnerabilities and misconfigurations that could be exploited by attackers and taking the necessary steps to remediate them. Posture management also helps organizations classify the sensitive data their APIs expose and keep its handling compliant with regulations such as GDPR, HIPAA, and PCI DSS.

As mentioned above, APIs are a popular target for attackers because they often provide direct access to sensitive data and systems. By implementing an API posture management tool, organizations can proactively identify and remediate potential security issues before they're exploited.

You can download a free copy of the Definitive Guide to API Posture Management to learn more.

How does API posture management work?

API posture management involves several key steps:

  1. Discovery: The first step is to identify all APIs in use within an organization. This can be done using automated tools or through manual inventory.
  2. Assessment: Once APIs have been identified, they need to be assessed for potential vulnerabilities and misconfigurations. This can be done using tools that scan APIs for known vulnerabilities or by conducting manual penetration testing.
  3. Remediation: Any vulnerabilities or misconfigurations that are identified need to be remediated. This may involve applying patches, reconfiguring APIs, or implementing additional security controls.
  4. Monitoring: Finally, APIs need to be continuously monitored to ensure that they remain secure. This may involve implementing intrusion detection systems, log analysis, or other monitoring tools.
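As an added illustration of the discovery and assessment steps (example code written for this page, not part of the original article or of any vendor's product), the following Python script walks a constructed OpenAPI 3 document, inventories every operation, and flags the posture problems a tool would report: a plaintext HTTP server entry, operations whose security requirement is explicitly empty, operations that reference a security scheme the document never defines, and unauthenticated operations whose path or request body mentions card data. The hostnames, paths and the list of sensitive-data markers are assumptions made for the demo.

```python
"""Added example: discovery and assessment of API posture from an OpenAPI document."""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")
# Words that suggest an operation handles regulated data (assumed, non-exhaustive).
SENSITIVE_MARKERS = ("card", "pan", "cvv", "ssn", "password")

# Constructed OpenAPI 3 document standing in for an organisation's real API inventory.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test"}, {"url": "https://api.example.test"}],
    "components": {"securitySchemes": {"oauth": {"type": "oauth2", "flows": {}}}},
    "security": [{"oauth": []}],  # document-wide default: OAuth 2.0 required
    "paths": {
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
        "/users/{id}": {
            "get": {"responses": {"200": {"description": "user"}}},  # inherits the default
            "delete": {"security": [{"oauth": ["admin"]}],
                       "responses": {"204": {"description": "deleted"}}},
        },
        "/cards": {
            "post": {
                "security": [],  # authentication switched off on an endpoint taking card data
                "requestBody": {"content": {"application/json": {"schema": {"properties": {
                    "card_number": {"type": "string"}, "cvv": {"type": "string"}}}}}},
                "responses": {"201": {"description": "created"}},
            }
        },
        "/export": {"get": {"security": [{"apiKey": []}],  # scheme never defined above
                            "responses": {"200": {"description": "csv"}}}},
    },
}


def inventory(spec):
    """Discovery: every (METHOD, path, operation) the document declares."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                ops.append((method.upper(), path, item[method]))
    return ops


def effective_security(spec, op):
    """An operation's own `security` overrides the document default; an explicit
    empty list means the operation requires no authentication at all."""
    return op.get("security", spec.get("security", []))


def handles_sensitive_data(path, op):
    blob = (path + json.dumps(op.get("requestBody", {}))).lower()
    return any(marker in blob for marker in SENSITIVE_MARKERS)


def assess(spec):
    """Assessment: return (severity, finding) pairs for a posture tool to report."""
    findings = []
    for server in spec.get("servers", []):
        if server.get("url", "").startswith("http://"):
            findings.append(("high", f"server {server['url']} is plaintext HTTP"))
    defined = spec.get("components", {}).get("securitySchemes", {})
    for method, path, op in inventory(spec):
        security = effective_security(spec, op)
        if not security:
            severity = "high" if handles_sensitive_data(path, op) else "medium"
            findings.append((severity, f"{method} {path} requires no authentication"))
        elif any(scheme not in defined for requirement in security for scheme in requirement):
            findings.append(("high", f"{method} {path} references an undefined security scheme"))
    return findings


if __name__ == "__main__":
    for severity, finding in assess(SAMPLE_SPEC):
        print(f"[{severity}] {finding}")
```

Run against a real specification, the same checks form the "assessment" half of the loop; the "monitoring" half is simply re-running them whenever the specification or the deployed routes change.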

How to improve your API security posture

Here are some best practices that can help improve your API security posture:

1. Use Secure Authentication and Authorization Mechanisms

Authentication and authorization are the foundation of API security: authentication establishes who the caller is, and authorization decides what that caller may do. Use standard, well-reviewed protocols rather than home-grown schemes, for example OpenID Connect for authenticating users and OAuth 2.0 for delegated authorization, and validate every token (signature, issuer, audience, expiry) on every request.

2. Implement Role-Based Access Control

Role-based access control (RBAC) is a security model that restricts access to resources based on the user's role. RBAC helps prevent unauthorized access to sensitive data by limiting access to those users who need it to perform their job functions. Pair role checks with object-level checks, so that a caller cannot reach another user's records simply by changing an identifier in the request.

3. Use TLS Encryption

Transport Layer Security (TLS, the successor to the now-deprecated SSL) encrypts data in transit between the client and the server, preventing eavesdropping and tampering by anyone positioned between them. Serve APIs over TLS only, using current protocol versions (TLS 1.2 or later), and reject plaintext HTTP rather than redirecting it, to protect your APIs from man-in-the-middle attacks.

4. Implement Rate Limiting

Rate limiting restricts the number of API requests a client can make within a specific time frame. It helps prevent API abuse, keeps the API available to all users, and blunts brute-force and denial-of-service (DoS) attempts. Key the limit on the authenticated client (or the source IP for unauthenticated calls) and return HTTP 429 so that legitimate clients can back off.

5. Monitor and Log API Activity

Monitoring and logging API activity helps detect suspicious behaviour and potential security breaches. Monitor API activity in real time and log every request and response: who called what, when, and with what result. Keep secrets such as tokens, passwords and card data out of the logs themselves.

6. Conduct Regular API Security Audits

Regular API security audits help identify vulnerabilities and misconfigurations that were missed during the initial implementation. Conduct them on a schedule, and again after significant changes, to ensure that your APIs remain secure and compliant with industry standards.
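The following Python module, an added example and not code from the article, shows practices 1, 2, 4 and 5 applied in one request path: a signed bearer token verified with a constant-time comparison and an expiry check, a role-to-permission table, a per-caller token bucket that answers 429 when exhausted, and a JSON audit line per request. The HMAC-signed token format stands in for a real OAuth 2.0/OIDC token (a production service would validate a JWT against the issuer's published keys); the secret, roles, paths and traffic are constructed for the demo.

```python
"""Added example: authn, RBAC, rate limiting and audit logging in one request path."""
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Assumption: demo-only signing key; a real service loads it from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, roles, ttl=300, now=None):
    """Mint a compact HMAC-SHA256 signed token: base64(payload).base64(signature)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "roles": roles, "exp": now + ttl}).encode()
    return _b64(payload) + "." + _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())


def verify_token(token, now=None):
    """Return the claims, or None if the token is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, signature = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, AttributeError):  # wrong shape or invalid base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    return None if claims.get("exp", 0) < now else claims


# RBAC: role -> set of (method, path prefix) the role may call.
PERMISSIONS = {
    "reader": {("GET", "/accounts")},
    "admin": {("GET", "/accounts"), ("DELETE", "/accounts")},
}


def authorized(claims, method, path):
    for role in claims.get("roles", []):
        for allowed_method, prefix in PERMISSIONS.get(role, ()):
            if allowed_method == method and (path == prefix or path.startswith(prefix + "/")):
                return True
    return False


class TokenBucket:
    """Per-key token bucket: `burst` requests at once, refilled at `rate` per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}

    def allow(self, key, now):
        elapsed = now - self.last_seen.get(key, now)
        self.tokens[key] = min(self.burst, self.tokens[key] + elapsed * self.rate)
        self.last_seen[key] = now
        if self.tokens[key] >= 1:
            self.tokens[key] -= 1
            return True
        return False


AUDIT_LOG = []  # one JSON line per request; a real service ships these to a SIEM


def handle(request, limiter, now):
    """Apply the controls in order and return an HTTP status code."""
    header = request.get("headers", {}).get("Authorization", "")
    claims = verify_token(header[len("Bearer "):], now) if header.startswith("Bearer ") else None
    # Rate-limit by authenticated subject; unauthenticated callers share a per-IP bucket.
    key = claims["sub"] if claims else request.get("ip", "unknown")
    if not limiter.allow(key, now):
        status = 429
    elif claims is None:
        status = 401
    elif not authorized(claims, request["method"], request["path"]):
        status = 403
    else:
        status = 200
    AUDIT_LOG.append(json.dumps({"ts": now, "actor": key, "method": request["method"],
                                 "path": request["path"], "status": status}))
    return status


def demo():
    """Constructed traffic from one client; returns the status codes in order."""
    limiter = TokenBucket(rate=1.0, burst=2)
    t0 = 1_700_000_000.0
    reader = issue_token("alice", ["reader"], now=t0)

    def req(method, path, token):
        return {"method": method, "path": path, "ip": "203.0.113.7",
                "headers": {"Authorization": "Bearer " + token}}

    return [
        handle(req("GET", "/accounts/42", reader), limiter, t0),        # 200
        handle(req("DELETE", "/accounts/42", reader), limiter, t0),     # 403: reader is not admin
        handle(req("GET", "/accounts/42", reader + "x"), limiter, t0),  # 401: signature mismatch
        handle(req("GET", "/accounts/42", reader), limiter, t0),        # 429: burst exhausted
        handle(req("GET", "/accounts/42", reader), limiter, t0 + 2),    # 200: bucket refilled
        handle(req("GET", "/accounts/42", reader), limiter, t0 + 400),  # 401: token expired
    ]


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT_LOG))
```

The ordering matters: the rate limiter runs before the authorization decision so that a client hammering a forbidden route still gets throttled, and the audit line records the actor (subject or IP) together with the outcome, which is what an analyst needs to spot credential stuffing or privilege probing later.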

Conclusion

              APIs are a critical component of modern software development. However, with the increasing use of APIs, the risk of security breaches has also increased. Implementing API posture management can help improve your API security posture and protect your organization from potential threats. By following the best practices outlined in this article, you can reduce the risk of security breaches and ensure that your APIs are secure and compliant with industry standards.


              North Africa Targeted by Stealth Soldier Backdoor in Espionage Attacks

               

              Check Point Research has discovered a sequence of cyberespionage attacks using a previously undisclosed backdoor named Stealth Soldier targeting Libyan organizations. This advanced malicious software is a customized modular backdoor that possesses surveillance capabilities.

The targeting of Libyan organizations and the malware infrastructure point to the possible return of a threat actor referred to as "The Eye on the Nile," which was last seen in action in 2019.

              Diving into details

              The Command and Control (C&C) network of Stealth Soldier is a component of a broader infrastructure that has been used, at least partially, for spear-phishing attacks targeting government entities.
              • The infection commences with the downloader, which initiates the attack chain. While the precise method of delivery used by the downloader remains undisclosed, social engineering is considered a likely possibility.
              • The most recent version of the implant was reportedly compiled in February 2023.
              • The malware's infection procedure encompasses the retrieval of numerous files from the C&C server, including the loader, watchdog, and payload.

              Let’s discuss its versions

Check Point identified three distinct infection chains, corresponding to three versions of Stealth Soldier: 6, 8, and 9.
• The versions differ in details such as filenames, mutex names, XOR keys, and directory names.
• They also differ in the value name written under SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence:
  • "Cache" for version 6
  • "WinUpdate" for version 8
  • "DevUpdate" for version 9

              Nonetheless, the overall flow follows a similar pattern for different versions and exhibits the same underlying logic.
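Because the three versions share the same Run key and differ in the value name, those names make a cheap triage check. The Python below, an added example rather than anything from the Check Point report, parses a constructed .reg export of the Run keys, flags entries whose value name matches one of the three, and separately flags any autorun whose executable lives in a user-writable profile directory (a generic heuristic assumed here, not taken from the report). The file paths in the sample are invented for the demo.

```python
"""Added example: triage Run-key autoruns from a .reg export for Stealth Soldier value names."""
import re

RUN_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Value names Check Point ties to Stealth Soldier versions 6, 8 and 9.
SUSPECT_VALUE_NAMES = {"Cache": "v6", "WinUpdate": "v8", "DevUpdate": "v9"}
# Assumed generic heuristic: autoruns launched from user-writable directories deserve review.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed .reg export (the format `reg export` writes); paths and names are invented.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\demo\\AppData\\Roaming\\svc\\winupd.exe"

[HKEY_CURRENT_USER\SOFTWARE\Demo]
"Cache"="C:\\Users\\demo\\AppData\\Roaming\\demo\\cache.exe"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"""

# "name"="string data" lines only; hex:/dword: values are not strings and are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (match := VALUE_RE.match(line)):
            yield key, _unescape(match.group(1)), _unescape(match.group(2))


def triage(text):
    """Return Run-key entries worth a look, each with the reasons it was flagged."""
    run_keys = {k.upper() for k in RUN_KEYS}
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.upper() not in run_keys:
            continue  # only the two Run keys the campaign uses for persistence
        reasons = []
        if name in SUSPECT_VALUE_NAMES:
            reasons.append(f"value name matches Stealth Soldier {SUSPECT_VALUE_NAMES[name]} persistence")
        if any(marker in data.lower() for marker in USER_WRITABLE):
            reasons.append("launches from a user-writable directory")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT):
        print(finding["name"], "->", finding["data"], "|", "; ".join(finding["reasons"]))
```

On a live host, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent) produces the input; reg writes UTF-16, so open the file with `encoding="utf-16"` before passing its text to `triage`. Note how OneDrive trips the path heuristic: that check is a prompt for review and will be noisy, whereas the value-name match is the signal tied to this campaign, and a "Cache" value under some other key is deliberately ignored.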

              Attribution

              • Check Point Research uncovered similarities between the present operation and the previously identified "Eye on the Nile" campaign, which Amnesty International and Check Point Research had associated with government-affiliated entities. 
              • The presence of overlapping infrastructure implies a potential correlation between these two campaigns, highlighting the tenacity and flexibility of the threat actor responsible for their orchestration.

              The bottom line

              The recent Stealth Soldier malware campaign directed at Libyan organizations underscores the growing complexity of cyberespionage activities. The utilization of personalized backdoors and advanced surveillance functionalities presents substantial risks to the data security and privacy of the entities being targeted.

              Stealth Soldier: A New Custom Backdoor Targets North Africa with Espionage Attacks

               


              A new custom backdoor dubbed Stealth Soldier has been deployed as part of a set of highly-targeted espionage attacks in North Africa.

              "Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information," cybersecurity company Check Point said in a technical report.

              The ongoing operation is characterized by the use of command-and-control (C&C) servers that mimic sites belonging to the Libyan Ministry of Foreign Affairs. The earliest artifacts associated with the campaign date back to October 2022.

              The attacks commence with potential targets downloading bogus downloader binaries that are delivered via social engineering attacks and act as a conduit for retrieving Stealth Soldier, while simultaneously displaying a decoy empty PDF file.

              The custom modular implant, which is believed to be used sparingly, enables surveillance capabilities by gathering directory listings and browser credentials, logging keystrokes, recording microphone audio, taking screenshots, uploading files, and running PowerShell commands.


              "The malware uses different types of commands: some are plugins that are downloaded from the C&C and some are modules inside the malware," Check Point said, adding the discovery of three versions of Stealth Soldier indicates that it's being actively maintained by its operators.

              Some of the components are no longer available for retrieval, but the screen capture and browser credential stealer plugins are said to have been inspired by open source projects available on GitHub.

              What's more, the Stealth Soldier infrastructure exhibits overlaps with infrastructure associated with another phishing campaign dubbed Eye on the Nile, which targeted Egyptian journalists and human rights activists in 2019.

              The development signals the "first possible re-appearance of this threat actor" since then, suggesting the group is geared towards surveillance against Egyptian and Libyan targets.

              "Given the modularity of the malware and the use of multiple stages of infection, it is likely that the attackers will continue to evolve their tactics and techniques and deploy new versions of this malware in the near future," Check Point said.

              Punjab National Bank (PNB) Credit and Debit Card Data Breached



              Punjab National Bank (PNB)'s Sensitive Information of 10,000 Credit and Debit Card Data Breached


The leaked information includes names, Personal Identification Numbers (PINs), expiry dates, and card verification values (CVVs).


The card details are being sold on dark web sites, where hacking services and other leaked data are also traded illegally.

CloudSEK's team first identified a listing on a dark web site that claimed to offer multiple cards belonging to PNB. "We immediately tried reaching out to PNB using the cybercrime contact emails that were listed on their website. But that email bounced," said Rahul Sasi, CTO of CloudSEK.

On 21 February at 8:10 PM the company was able to get in touch with PNB officials via a third-party source. "The PNB officials were quick to respond, and we got a call back the same day at 10:00 PM from PNB security officials. We provided them a detailed report about the leaked data.

"On 22 February at 1:10 AM we provided them a more detailed report, and the officials assured swift action."

According to a report by Asia Times:

              “We believe, on preliminary analysis, that the data has been available for at least three months. While this is yet to be firmly established, we are carrying out our forensic investigation,” said a government official familiar with the case. Virwani was asked by Asia Times to comment on the breach, but has not yet responded. A message received from him states that he was not authorized to respond to the media and the queries have been forwarded to the Corporate Communications department. The story will be updated as and when a response is received.

              “Usually these sites on the deep/dark web build up reputations on the authenticity of the data they sell illegally. This particular site has a very good reputation. They offer a sample size to buyers to establish their credentials before the sale is made. In this case they were offering to sell the data at US$4.90 per card,” he reported

PNB is already dealing with a separate fraud case worth about Rs 11,400 crore; the firms involved were unable to repay the bank after their accounts were frozen by the Enforcement Directorate (ED) and the Central Bureau of Investigation (CBI) in connection with that alleged scam.

In India, some banks and ATMs are still running Windows XP, even though support for Windows XP ended on 8 April 2014 and Microsoft no longer provides security updates or technical support for it. Customers and partners should migrate to a supported operating system such as Windows 10.

              Blockchain Technology

Blockchain technology is a relatively new concept, and it is growing rapidly across industries; virtual currency is widely seen as the next stage in the evolution of money.
The words block and chain were used separately in Satoshi Nakamoto's original paper in October 2008; when the term moved into wider use it was written block chain, before becoming the single word blockchain by 2016. In August 2014 the bitcoin blockchain file reached 20 gigabytes in size.
Blockchain technology is already in use in a few countries: funding and registration within Australia's transport department, a fast-growing real estate registry in Dubai, and internal bank payments in Singapore.

              Bitcoin:

              Bitcoin uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the network. Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part. Through many of its unique properties, Bitcoin allows exciting uses that could not be covered by any previous payment system.
Bitcoin is a cryptocurrency and payment system invented by an unidentified programmer, or group of programmers, under the name Satoshi Nakamoto. It was introduced on 31 October 2008 to a cryptography mailing list and released as open-source software in 2009. Banks and card networks charge transaction fees (the author puts the average at 7-10%); Bitcoin's advantage is that users can receive payment directly from anyone, anywhere in the world.


              Technology:

(Figure source: DUPress)
Bitcoin is best known as a virtual currency, but the same technology is expected to extend to transfers of property and to identity management. The public and private sectors will face new challenges, opportunities and responsibilities, and governments are also cooperating with blockchain developers to create innovative products and services.
Identity management is another area blockchain could transform, given how many identities and documents have been stolen in recent years.
              Identity Management forms:
              • Passports
              • Social Security numbers
              • Driving License
              • Tax Identification Number and more..
              According to Forbes
              • The Blockchain is a public ledger that records (providing ownership and time stamp) and validates every transaction made worldwide.
              • What makes this network unique and secure is that all transactions are authorized and backed by thousands of computers (called miners), achieving consensus on each transaction.
              • No one owns it (hence the term “decentralized”), and therefore it’s immutable and there’s no single point of attack for those attempting to “hack” or otherwise alter the records on the Blockchain registry.
              • The technology enables peer to peer (P2P) transaction capabilities without any involvement of a central authority or a third party.

How does it work?

(The graphic that followed, showing example use cases, is not reproduced here.)
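To make the "immutable ledger" claim concrete, here is an added Python example (not from the article or the Forbes piece) of the hash-linking that gives a blockchain its tamper evidence: each block's hash covers its own contents and the previous block's hash, so changing one record invalidates every later block. The example deliberately omits mining and consensus, which is what stops an attacker from simply rewriting all later blocks too; the transfer records are constructed.

```python
"""Added example: hash-linked ledger showing why altering history is detectable."""
import hashlib
import json


def block_hash(index, prev_hash, timestamp, data):
    """SHA-256 of a canonical serialisation of the block header and its record."""
    payload = json.dumps([index, prev_hash, timestamp, data], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records, start_ts=1_700_000_000):
    """Append each record as a block whose hash commits to the previous block's hash."""
    chain, prev = [], "0" * 64  # the genesis block has no predecessor
    for index, record in enumerate(records):
        ts = start_ts + index
        digest = block_hash(index, prev, ts, record)
        chain.append({"index": index, "prev_hash": prev, "timestamp": ts,
                      "data": record, "hash": digest})
        prev = digest
    return chain


def validate(chain):
    """Return the index of the first block that breaks the chain, or None if intact."""
    prev = "0" * 64
    for index, block in enumerate(chain):
        if block["index"] != index or block["prev_hash"] != prev:
            return index  # link to the predecessor is broken
        if block["hash"] != block_hash(block["index"], block["prev_hash"],
                                       block["timestamp"], block["data"]):
            return index  # stored hash no longer matches the contents
        prev = block["hash"]
    return None


def tamper_demo():
    """Constructed transfers; returns where validation fails after two tampering attempts."""
    chain = build_chain([
        {"from": "alice", "to": "bob", "amount": 5},
        {"from": "bob", "to": "carol", "amount": 3},
        {"from": "carol", "to": "dave", "amount": 1},
    ])
    assert validate(chain) is None
    chain[1]["data"]["amount"] = 300  # rewrite a past transfer
    naive = validate(chain)           # block 1: its stored hash no longer matches
    b = chain[1]
    b["hash"] = block_hash(b["index"], b["prev_hash"], b["timestamp"], b["data"])
    recomputed = validate(chain)      # block 2: still points at block 1's old hash
    return naive, recomputed          # (1, 2)


if __name__ == "__main__":
    print(tamper_demo())
```

The second result is the important one: fixing the altered block's own hash only pushes the inconsistency one block forward, so an attacker must rewrite every later block, and in a real network must also outpace the thousands of miners extending the honest chain.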

              Exchange Bithumb to Compensate Users Following the Hacking


              South Korean Cryptocurrency Exchange Bithumb to Compensate Users Following the Hacking
              Bithumb, one of the leading cryptocurrency exchange platforms in South Korea, announces that it will compensate its customers whose accounts were compromised during an attack on its data systems.
The data leak is believed to have originated from the computer of an unidentified employee of the company.
              According to a report by regional news service Yonhap, there are up to 30,000 users who were affected by the data leak.

              Global crypto market standing

              Based on data provided by CoinMarketCap, Bithumb is one of the top ten Bitcoin exchanges worldwide in terms of volume. Bithumb’s Bitcoin transactions account for approximately 3% of the entire Bitcoin market. The exchange, meanwhile, captures around 13.5% of the total Ethereum market.

              Compensation to affected users

              In their recent blog post, the exchange said that it will pay each affected client 100,000 Korean Won, which is equivalent to around USD 86.50.
              The company also reveals that additional compensation will be provided to customers whose funds were stolen due to the data leak. The company, however, did not provide an exact figure on the total losses incurred as well as the number of users who were affected.
One local customer said he lost 10 million won (around USD 8,700) from his account.
              Bithumb reassures:
              "In addition, for the members who suffer additional damage due to this incident, we will compensate the entire amount of damages in a responsible manner”.
              The incident of account theft and data leak at the exchange was first reported to local authorities in late June 2017.
              The reports have prompted the Korea Internet and Security Agency to conduct an initial probe on the case. According to an unidentified official, the Korea Communications Commission has also participated in the preliminary investigation.

              Wikileaks Unveils CIA Implants that Steal SSH Credentials from Windows & Linux PCs

              WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors.

              Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network.

The implants are dubbed BothanSpy, which targets the Xshell client on Microsoft Windows, and Gyrfalcon, which targets the OpenSSH client on various Linux distributions, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.



Both implants harvest user credentials for all active SSH sessions. BothanSpy sends them to a CIA-controlled server; Gyrfalcon, which has no network channel of its own, stores them in an encrypted file on the host for the operator to retrieve later.

              BothanSpy — Implant for Windows OS


              BothanSpy is installed as a Shellterm 3.x extension on the target machine and only works if Xshell is running on it with active sessions.

              Xshell is a powerful terminal emulator that supports SSH, SFTP, TELNET, RLOGIN and SERIAL for delivering industry leading features including dynamic port forwarding, custom key mapping, user defined buttons, and VB scripting.
              "In order to use BothanSpy against targets running a x64 version of Windows, the loader being used must support Wow64 injection," the leaked CIA user manual reads. 
              "Xshell only comes as a x86 binary, and thus BothanSpy is only compiled as x86. Shellterm 3.0+ supports Wow64 injection, and Shellterm is highly recommended."

              Gyrfalcon — Implant for Linux OS

Gyrfalcon targets Linux systems (32- or 64-bit kernel) and uses a CIA-developed JQC/KitV rootkit for persistent access.

              Gyrfalcon is also capable of collecting full or partial OpenSSH session traffic, and stores stolen information in an encrypted file for later exfiltration.
              "The tool runs in an automated fashion. It is configured in advance, executed on the remote host and left running," the user manual of Gyrfalcon v1.0 reads. 
              "Sometime later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data."
The user manual for Gyrfalcon v2.0 says that the implant consists of "two compiled binaries that should be uploaded to the target platform along with the encrypted configuration file."
              "Gyrfalcon does not provide any communication services between the local operator computer and target platform. The operator must use a third-party application to upload these three files to the target platform."

              Previous Vault 7 CIA Leaks


Last week, WikiLeaks dumped a classified CIA project that allowed the agency to hack and remotely spy on PCs running the Linux operating system.

Dubbed OutlawCountry, the project lets CIA operators redirect all outbound network traffic on the targeted machine to CIA-controlled systems in order to exfiltrate and infiltrate data.

Since March, the whistleblowing group has published 15 batches in the "Vault 7" series. Besides this week's and last week's leaks, they include:


• ELSA – Alleged CIA malware that tracks the geolocation of targeted PCs and laptops running Microsoft Windows.
• Brutal Kangaroo – A tool suite for Microsoft Windows used by the agency to target closed networks or air-gapped computer systems within an organization without requiring direct access.
• Cherry Blossom – An agency framework, essentially a remotely controllable firmware-based implant, used for spying on the Internet activity of targeted systems by exploiting flaws in WiFi devices.
• Pandemic – The agency's project that lets it turn Windows file servers into covert attack machines that silently infect other computers of interest inside a targeted network.
• Athena – A spyware framework designed by the CIA to take full remote control of infected Windows machines; it works against every version of Windows from Windows XP to Windows 10.
• AfterMidnight and Assassin – Two alleged CIA malware frameworks for Microsoft Windows designed to monitor actions on the infected host and execute malicious actions.
• Archimedes – A man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a local area network (LAN).
• Scribbles – Software allegedly designed to embed 'web beacons' into confidential documents, allowing the agency to track insiders and whistleblowers.
• Grasshopper – A framework that allowed the agency to easily create custom malware for breaking into Microsoft Windows and bypassing antivirus protection.
• Marble – Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
• Dark Matter – Hacking exploits the agency designed to target iPhones and Macs.
• Weeping Angel – A spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
• Year Zero – Alleged CIA hacking exploits for popular hardware and software.
