Ransomware is arguably one of the top threats in cybersecurity right now. Its effects can be paralyzing. And it appears to be indiscriminate in its targeting, impacting entire nations, the largest companies, hospitals, and everything and everyone in between.
Cybercriminals are doubling down and employing additional tactics on their victims. We have now seen multiple extortion techniques designed to increase the cost and immediacy of the threat. These criminals are well aware of how lucrative these attacks can be and have made significant investments in recent years to optimize their approach. This includes running helpdesk operations to help victims get back online once they pay their ransoms.
The question is, what route do attackers use to infect organizations? A piece of research seems to indicate that it depends on what type of organization we are talking about. Smaller organizations are being targeted over unsecured RDP connections, while larger organizations continue to be targeted primarily through email phishing. Payment also varies greatly depending on the size of the organization. Palo Alto Networks' Unit 42 says the average ransom demand in cases handled by its consultants jumped 144% to $2.2 million last year, while the average payment increased 78% to $541,010 during the same period.
In a more recent article from the same source, the data points to some changes in attack vectors, including the rise of social engineering and direct insider compromise. Social engineering attacks differ from phishing in that they are highly targeted and typically involve some grooming of a targeted employee. The employee is then finally persuaded to allow an attacker to gain a foothold in the network.
Where do APIs come into play?
First, let’s think about public clouds and how threat actors aim to infect hosts and encrypt files. The reality is that they will turn to cloud APIs to access and encrypt such data. In an ideal world, APIs are meant to streamline cloud computing processes. But when unprotected, APIs can open lines of communication that allow people to exploit private data. Second, and this is perhaps less obvious, the path of least resistance is to find credentials or other access methods that reach the systems they are trying to encrypt. Research from North Carolina State University (NCSU) found that more than 100,000 GitHub repositories have leaked API or cryptographic keys, and that thousands of new API or crypto keys leak through GitHub projects every day. More recently, Salesforce-owned subsidiary Heroku acknowledged the theft of GitHub integration OAuth tokens used to download data from dozens of organizations, including NPM.
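The leaked-key problem behind the NCSU figure is one a pre-commit or CI check can catch before a repository is pushed. The scanner below is an added example (not code from the original post or from Noname) that matches documented AWS and GitHub key prefixes and applies an entropy filter to generic `api_key = "..."` style assignments; the sample config it scans is constructed and contains no real credentials.

```python
import math
import re
from typing import List, Tuple

# Documented public key formats: AWS access key IDs start with AKIA/ASIA,
# GitHub personal/OAuth tokens with ghp_/gho_/ghu_/ghs_/ghr_.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic assignments (api_key = "...", PASSWORD: '...'); the quoted value is
# only reported if it looks random, which filters out placeholders.
GENERIC = re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]")

def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score well above human-chosen strings."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str, path: str = "<constructed>",
              entropy_threshold: float = 3.5) -> List[Tuple[str, int, str]]:
    """Return (path, line number, finding type) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
        match = GENERIC.search(line)
        if match and shannon_entropy(match.group(2)) >= entropy_threshold:
            findings.append((path, lineno, "high_entropy_" + match.group(1).lower()))
    return findings

# Constructed sample config; AKIAIOSFODNN7EXAMPLE is AWS's documented dummy key.
SAMPLE_CONFIG = """\
# constructed sample; none of these values are real credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_PASSWORD = "changeme-changeme-changeme"
api_key = "q9Zx2Lm8vR4tY7wK1pS3dF6gH0jN5bV2"
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, lineno, kind in scan_text(SAMPLE_CONFIG, "sample.env"):
        print(f"{path}:{lineno}: {kind}")
```

The low-entropy `DB_PASSWORD` placeholder is deliberately not reported, which is the trade-off of the entropy filter: it suppresses noise but will also miss a weak real password.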
Another proof point is Microsoft’s work on Log4j vulnerabilities. It noted that suspected China-based cybercriminals are targeting the Log4j ‘Log4Shell’ flaw in VMware’s Horizon product. Their goal is to install NightSky, a new strain of ransomware that emerged on December 27 last year.
We previously wrote about Log4j vulnerabilities and massive API risk exposure. APIs act as intermediaries between multiple applications and systems, and Log4Shell creates two major problems with APIs. The first is that API servers that are vulnerable to Log4Shell now expose a new attack surface for attackers. Most organizations have limited visibility into their API inventory and API behavior, making APIs a preferred target for threat actors.
Second, if an attacker exploits the Log4Shell vulnerability to gain access to a system, the APIs are capable of extending the attacker’s reach and the damage they can inflict. For example, many companies have trusted third-party APIs that may be exposed to the Log4Shell vulnerability. Even if a company itself does not use the Log4j framework for logging, third-party APIs could increase risk exposure.
Companies need to have more granular visibility and observability of their APIs to understand their exposure to risk. An additional perspective would be through tracking outgoing connectivity. Noname Security’s egress feature provides customers with network information related to outgoing traffic within their cloud to help them track their outgoing data.
It is clear that ransomware actors are becoming more sophisticated and are finding innovative ways to steal or exploit credentials and go after your data. And as APIs continue their inevitable rise in every organization, it becomes paramount to understand how this interconnection can be misused. Defense in depth remains critical to thwarting attacks, and understanding your API exposure should be part of your cyber hygiene.
For more information on Noname security, request a demo with our team.
*** This is a syndicated Security Bloggers Network blog from Noname API Security Blog written by Philip Verloy. Read the original post at: https://nonamesecurity.com/blog/ransomware-is-the-result-what-is-the-cause