API Threats are Expanding Beyond the Enterprise

For the past couple of years, FireTail has been tracking API threats across the Internet, cataloging confirmed breaches, analyzing supply chain effects like last year’s moveIT breaches, and trying to provide guidance on security strategies and more. All of this work has been primarily aimed at corporations, governments and educational institutions as the builders or providers of APIs.

But we recently learned of StopCrypt, a ransomware threat that leverages Windows APIs on consumer endpoints like laptop and desktop computers.

API security risks are coming for consumers, too

You probably don’t think of your computer as a networked device that responds to requests on a network. You might think of it as a personal computing device that reaches out to the Internet to retrieve data or request services from sites, software and systems that you use. And yet the operating system manufacturers have known for a while that your computer may be vulnerable to malicious requests coming inbound from other devices on a network. 

This is what the Windows Firewall and Mac OS Firewall are for.

What’s significant about this ransomware?

Ransomware is malicious software that encrypts a users personal data, files, etc. and demands a ransom in exchange for the decryption key. Unfortunately, ransomware is on the rise and can be executed in a variety of ways including through phishing, malicious websites, or exploiting web vulnerabilities.

The StopCrypt ransomware is especially pernicious as it utilizes multiple stages of small pieces of code known as shellcodes before it sends forward the final payload with the victim’s encryption key. To make matters even worse, StopCrypt ransomware is automated to execute attacks scheduled every five minutes. Once it’s infected your system, it functions similarly to other ransomware.

However, this ransomware attacks in stages- the first stage involves creating API function calls, instead of straightforward API calls that are easily detected and identified. This way, the calls pass through relatively unnoticed. Next, the software performs a “process hollowing” using the shellcode and creating additional API functions that are resolved to various addresses and hidden in plain sight. 

The API as a consumer breach vector

What’s notable here is that this is the first time that ransomware - in the wild and actively being used in attacks - has leveraged system APIs to gain access to target systems.

And most consumers are likely unaware of the risks. While Windows Firewall may be enabled by default, the likelihood is that most consumers will not understand the three-tier modes available:

‍Public assumes that the network is shared with the World and is the most restrictive profile.

• Private assumes that the network is isolated from the Internet and allows more inbound connections than public. A network is never assumed to be private unless designated as such by a local administrator.
• Domain profile is the least restrictive. It allows more inbound connections to allow for file sharing etc. The domain profile is selected automatically when connected to a network with a domain trusted by the local computer.

The names are possibly counterintuitive, and likely confusing to most consumers. In addition, when connecting their home PCs to a variety of web services, some of those services may ask for the firewall to be disabled to allow connections, and consumers may simply click yes, without understanding the implications.

Protecting against Ransomware Attacks

Strong cyber security is essential to preventing ransomware attacks of all kinds, including StopCrypt. 

While current API security solutions focus on defending and protecting server-side APIs, it’s clear that the threats against APIs are increasing in scale, scope and complexity. 

Want to know more about API security risks?

Schedule a demo here or join our newsletter below to get notified when our upcoming annual state of API security report will be released.