Issue 235: 25m loss at Kronos due to API key loss and three other API vulnerabilities


This week, we have news of four API-related security vulnerabilities, including Kronos’s $25m loss. The other vulnerabilities are a malware threat of DDoS on Docker APIs, a report on vulnerabilities in WordPress and Netflix, and an API vulnerability found in the Ray AI framework. We also have an article on why APIs are fertile ground for attackers and one on protecting APIs for online retail.

Breach: Kronos suffers $25m loss involving API key loss

The most important news this week is the breach at the cryptocurrency fintech firm Kronos Research, who revealed in a post on X that they had suffered a loss estimated at $25 million. The company admitted that the breach originated with “unauthorized access to some of their API keys,” although it did not provide any further detail. Independent observers commented that they had seen Ethereum outflows from a wallet to a value of approximately $25m, which seems to correlate with the disclosure.

This is yet another in a steady sequence of breaches involving the loss or leakage of API keys, particularly on cryptocurrency platforms. As ever, the advice is to protect the keys using vault or secure storage mechanisms and ensure they are invalidated in the event of loss or theft.

Vulnerability: Malware poses a DDoS threat to Docker API

The next vulnerability is the discovery of Python malware affecting exposed Docker engine API endpoints. Researchers discovered that a malicious container image (disguised as a benign MySQL image) contained Python malware compiled as an ELF executable.

The attack was initiated by issuing an API request to the exposed Docker API to begin the download of the malicious image. Upon execution of the image, the malware connected to a command-and-control center and then undertook various DDoS attacks using UDP and SSL-based flooding. The command-and-control interface was found to control the target IP addresses and domains, including the duration, rate, and port of the attack.

We frequently cover issues with exposed Docker or Kubernetes API management interfaces being abused by attackers. Ensure these endpoints are either isolated from public networks or protected with strong authentication.
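The exposure described above is typically a daemon configured to listen on a TCP socket without TLS client-certificate verification. As an added example (not from the newsletter or from Docker), the check below audits a daemon.json for that pattern; the two configs are constructed samples, and the keys used are Docker's documented daemon.json options.

```python
# Added example: audit a Docker daemon.json for an engine API that is reachable
# over TCP without client authentication. Constructed sample configs follow.
import json

# Constructed: API exposed on all interfaces, no TLS at all.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: bound to a management address, clients must present a cert
# signed by the CA in tlscacert (tlsverify implies tls).
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw_json: str) -> list[str]:
    """Return findings for a daemon.json; an empty list means no issue found."""
    cfg = json.loads(raw_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the local unix socket: not reachable over the network
    for host in tcp_hosts:
        bind = host[len("tcp://"):].rsplit(":", 1)[0]
        if bind in ("0.0.0.0", "", "[::]"):
            findings.append(f"{host}: bound to all interfaces")
    if not cfg.get("tlsverify", False):
        # "tls": true alone only encrypts the connection; without tlsverify
        # any client that can reach the port can drive the engine API.
        findings.append("TCP API without tlsverify: no client authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or "no findings")
```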

Vulnerability: Report exposes WordPress and Netflix API flaws

The next article covers the latest research into API threats and vulnerabilities from Wallarm in their ThreatStats report. The report aggregates findings from 239 API vulnerabilities, with the most significant finding being that nearly a third featured broken authentication, authorization, or access control. The report highlights cases of incorrect credential validation on OAuth tokens, allowing possible unauthorized access, and WordPress encountered issues with broken plugin authentication.

The rise in API adoption has resulted in an increasing incidence of data leakage, which ranked fourth in the report’s severity ranking. The report cites findings from Netflix, VMware, and SAP, which recently exposed sensitive information over their APIs. The report also highlights the rise in incidents involving leaked or stolen API keys.

Vulnerability: API vulnerability found in Ray AI framework

The final vulnerability in this issue comes courtesy of a report in Security Week, which provides a review of a vulnerability (tracked as CVE-2023-48023) in the Ray AI framework. The root cause of the vulnerability is broken authentication on two of its components, the dashboard and the client. An attacker could use the vulnerability to submit jobs to or delete jobs from the engine or, even more seriously, retrieve sensitive information or execute arbitrary code.

Most surprising is that the framework does not provide any form of authentication at all, the only reference being some support for mutual TLS. This is a significant oversight in the design, since any user with dashboard access effectively has control of the platform.

At the time of writing, the issues had yet to be addressed, either since the vendor did not recognize them as security issues or was unwilling to manage them.

Article: APIs are proving fertile ground for cyber attackers

The next article features the views of Matias Madou (CTO of Secure Code Warrior) on how API security creates an opportunity for cyber attackers who see APIs as an easy target. Madou highlights that many APIs suffer from poor access control, citing recent high-profile examples such as T-Mobile and LinkedIn. This is hardly surprising because access control flaws comprise the top half of the OWASP API Security Top 10.

Madou suggests these findings result from poor awareness of security best practices by API developers. In particular, developers need help with the core topics of authentication and authorization. He recommends that organizations commit to continually upskilling their developers through training and allocating sufficient time to allow them to absorb learning and explore best practices.

Madou also highlights some industry concerns about how API security is managed. Current reports suggest that 40% of organizations lack a dedicated owner of API security; instead, the responsibility is shared between the CISO and the DevSecOps teams. Somewhat concerningly, 24% of respondents said no one in particular owns API security in their organization. If ownership is unclear, then it is likely that the responsibility for API security will fall between the cracks, so ensure this critical topic has a dedicated owner.

Thanks to Matias for another great contribution to the importance of developer training.

Article: Protecting APIs for online retail

Finally, this week, we have a seasonal article on how to protect APIs for online retail over the festive season. The article highlights the scale of online fraud, citing the astonishing statistic that in the first six months of 2022, Americans lost a record figure of $3.56 billion to online fraud. During the peak holiday season (from 1 November to the year end), commerce sites will see a massive uptick in bot attacks, ranging from a fivefold increase to a whopping thirtyfold increase. Attackers have readily discovered that APIs often lack the sophisticated protections needed to defend against bot attacks and will often launch automated attacks on retail endpoints using stolen credit card numbers to identify retailers with insufficient fraud protection.

The author recommends the use of a robust bot protection solution and the following API best practices:

  • Strong authentication mechanisms such as multifactor authentication.
  • Data encryption and secure transmission to protect data in transit.
  • Monitoring and anomaly detection to identify changing threats.
  • Fraud detection and prevention to verify payment information.
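The monitoring and fraud-detection items above come together in the card-testing pattern the article describes: one client cycling through many card numbers against a payment endpoint, with most attempts declined. As an added example (not from the article), the detector below flags that pattern over constructed payment-endpoint log lines; the log format, the `/api/v1/payments` path and the thresholds are assumptions for illustration.

```python
# Added example: flag card-testing behaviour in payment-endpoint logs.
# The log format and thresholds are assumptions, not from the article.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one client burns through five cards in seconds,
# another makes a normal retry with the same card.
SAMPLE_LOG = """\
2023-11-24T10:00:01Z client=203.0.113.7 path=/api/v1/payments last4=1111 result=declined
2023-11-24T10:00:03Z client=203.0.113.7 path=/api/v1/payments last4=2222 result=declined
2023-11-24T10:00:05Z client=203.0.113.7 path=/api/v1/payments last4=3333 result=approved
2023-11-24T10:00:06Z client=203.0.113.7 path=/api/v1/payments last4=4444 result=declined
2023-11-24T10:00:08Z client=203.0.113.7 path=/api/v1/payments last4=5555 result=declined
2023-11-24T10:00:09Z client=198.51.100.4 path=/api/v1/payments last4=9876 result=declined
2023-11-24T10:00:40Z client=198.51.100.4 path=/api/v1/payments last4=9876 result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=/api/v1/payments "
    r"last4=(?P<last4>\d{4}) result=(?P<result>\w+)$"
)


def find_card_testing(log: str, window: timedelta = timedelta(minutes=5),
                      min_attempts: int = 5, min_cards: int = 4,
                      min_decline_ratio: float = 0.6) -> dict[str, dict]:
    """Return {client: stats} for clients whose recent payment attempts look like card testing."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines for other endpoints are ignored here
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        attempts[m["client"]].append((ts, m["last4"], m["result"]))
    flagged = {}
    for client, events in attempts.items():
        events.sort()
        # Only count attempts within `window` of this client's newest attempt.
        newest = events[-1][0]
        recent = [e for e in events if newest - e[0] <= window]
        cards = {e[1] for e in recent}
        declined = sum(1 for e in recent if e[2] == "declined")
        ratio = declined / len(recent)
        if len(recent) >= min_attempts and len(cards) >= min_cards and ratio >= min_decline_ratio:
            flagged[client] = {"attempts": len(recent), "cards": len(cards), "decline_ratio": ratio}
    return flagged


if __name__ == "__main__":
    print(find_card_testing(SAMPLE_LOG))
```

A flagged client is a candidate for rate limiting or step-up verification on the payment endpoint; the thresholds should be tuned against real traffic to avoid blocking legitimate shoppers.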

This is a timely reminder to all our readers to be extra vigilant to online fraud over this festive season.

