Unsecured APIs are now a Popular Delivery Mechanism in Ransomware Attacks

Ransomware grabs a lot of headlines but this form of attack rarely gets mentioned in relation to API security.

The Importance of APIs

APIs are everywhere and enable most of the everyday digital interactions we take for granted. From ordering food to transferring funds, APIs power our digital lives.

And their popularity makes APIs attractive to attackers. A 2021 Gartner report predicted that APIs would become the number one attack vector, and two years later this has turned out to be true [1].

The increasing threat of unsecured APIs

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a list of the 12 most commonly exploited vulnerabilities of last year, many of which involved APIs, with weaknesses such as missing authentication / authentication bypass and improper privilege elevation [2].

Within this list, the search term “API” produces several results, and surprisingly, many of these show confirmed ransomware events associated with API attacks.

Ransomware and APIs

Ransomware is malware with which attackers encrypt sensitive data and demand a ransom payment for its decryption. Essentially, ransomware campaigns gain access to personally identifiable information (PII) or other critical business data and threaten to release it, or put it beyond use, unless a ransom is paid.

Typically, ransomware infection is associated with things like phishing, smishing, credential stuffing, exposed Remote Desktop Protocol (RDP) and other human or software vulnerabilities. Ransomware attacks have been steadily rising over the last few years, a trend observed as early as 2018 [3].

[Graph: rate of businesses hit by ransomware attacks. Source: Statista.com]

Some notable ransomware incidents over the last few years include the SolarWinds ransomware attack in 2019, in which a Russian ransomware group targeted the SolarWinds Orion software and was able to breach their data, and the Colonial Pipeline ransomware attack in May 2021, which forced the oil pipeline to shut down operations for a full week [4].

Additionally, healthcare organizations are often targeted due to the volume of PII they hold; for instance, Planned Parenthood Los Angeles was attacked by a ransomware group, also in 2021, exposing hundreds of sensitive patient records to the threat of release [4].

The highest-profile attack vector for ransomware in 2023 has been the abuse of Progress Software’s MOVEit file transfer software. Attackers used a ‘resume upload’ API to deliver the ransomware payload. APIs are thus becoming an attack surface for ransomware groups as well.

The Ransomware Vulnerability Warning Pilot

This year, CISA also started a program called the Ransomware Vulnerability Warning Pilot (RVWP), which tracks weaknesses and misconfigurations known to be used by ransomware gangs [5]. So far, the RVWP has spotted over 800 systems with internet-accessible vulnerabilities frequently targeted by ransomware operations [5].

They compiled a catalog of these vulnerabilities, the Known Exploited Vulnerabilities (KEV) catalog, and many of the entries involve API requests and endpoints.

For instance, they discovered that Atlassian Bitbucket had multiple API endpoints with a command injection vulnerability, where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, could execute code by sending a malicious HTTP request [6].

Similarly, the Linux kernel had an improper input validation vulnerability in its get_user and put_user API functions. This could allow an attacker to gain privileged access on certain platforms and potentially write their own kernel code [7].

Secure your APIs from Ransomware Attacks

As ransomware and other attacks become more frequent and advanced, effective API security is more important than ever before. APIs are the ‘connective tissue’ of the modern web, and they are now the attack surface of choice for bad actors.

FireTail is on a mission to secure the world’s APIs and we have developed a unique hybrid approach that combines open-source code libraries with a feature-packed cloud platform to deliver real API security to organizations across the globe.

If you would like to secure your APIs and protect your organization from ransomware attacks, book a demo with FireTail today.

[1] https://cybersecurity.att.com/blogs/security-essentials/gartner-predicted-apis-would-be-the-1-attack-vector-two-years-later-is-it-true

[2] https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-top-exploited-vulnerabilities-of-2022/

[3] https://www.statista.com/graphic/1/204457/businesses-ransomware-attack-rate.jpg

[4] https://www.velosio.com/blog/6-high-profile-ransomware-attack-examples-and-what-you-can-learn-from-them/#1-solarwinds-ransomware-attack

[5] https://www.bleepingcomputer.com/news/security/cisa-shares-vulnerabilities-misconfigs-used-by-ransomware-gangs/

[6] https://jira.atlassian.com/browse/BSERV-13438

[7] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8404663f81d212918ff85f493649a7991209fa04