Published on 31 Mar 2023
Cloud technology and services continue to be increasingly adopted by organisations and individuals, with public cloud spending forecasted to grow by 20% to US$591.8 billion in 2023, according to market estimates by Gartner. Application Programming Interfaces (APIs) are an essential component for cloud services and client applications, serving as an intermediary to allow applications to communicate with one another using pre-defined protocols.
Thus, without proper API management in place, cloud APIs can inadvertently increase the attack surface and be exploited as an unauthorised entry point into an organisation’s network and databases that are hosted on the cloud. Consequently, as more organisations move their data and operations to the cloud, the likelihood of data breaches and leaks also rises. In this issue of CyberSense, we take a deeper look at API-related cybersecurity risks in cloud technology, their common causes, examples of cloud-related breaches, and how they can be prevented.
WHAT ARE THE CAUSES OF API COMPROMISES?
Let’s begin by having a look at the common causes behind cloud-related API compromises:
i. Insecure storage of API keys can facilitate attacks. An API key is a unique code used by an API to authenticate and authorise the calling user or application, which is typically stored using encryption or a secret manager provided by the cloud service provider. Such keys could be compromised if erroneously stored in original plaintext format or on public-exposed computers or through misconfigured cloud configuration. Should threat actors get hold of the cloud API key, they would be able to gain access to the services or applications, and even access sensitive data stored on the cloud.
ii. Insecure transmission of API key can enable attacks. Many APIs are either based on REST (Representative State Transfer) or SOAP (Simple Object Access Protocol), both of which are web standards and hence susceptible to web-based attacks such as eavesdropping, session hijacking, and malicious code execution. Weaknesses in APIs used for authentication can hence increase the risk of credential data theft as information like passwords and session tokens are exchanged when these APIs are used for authentication.
iii. Undocumented APIs, which are APIs that are not supported for use in end-user code and may be removed or changed in future releases, can pose an unknown threat to end users as well. The discovery of undocumented APIs can allow threat actors to perform malicious activities in unexpected ways. For instance, the Datadog Security Research Team identified a method in March 2022 to bypass CloudTrail logging (an event logging service for Amazon Web Services account) for specific Identity Access Management (IAM) API requests via undocumented APIs. Through bypassing CloudTrail logging, threat actors would be able to perform reconnaissance activities in the IAM service without leaving any trace of their actions.
iv. API exhaustion can lead to distributed denial of service (DDoS) attacks on cloud API services. This could occur when threat actors send large quantities of malicious API requests to overwhelm the system. Subsequently, APIs with no rate-limiting mechanisms can become vulnerable to DDoS attacks. Threat actors might hence harness large-scale internet traffic originating from multiple compromised sources to bring down cloud networks.
a. Slack and Imperva. In 2022, Slack discovered that a limited number of their employee’s API tokens had been stolen and misused to gain access to an externally hosted repository. The Imperva data breach in 2019 was also caused by a stolen Amazon Web Services (AWS) API key that was left externally accessible. This occurred when the company created a database snapshot for testing while also building an internal compute instance containing an AWS API key during their database migration.
b.Capital One. The Capital One data breach incident in 2019 was enabled by the presence of a misconfigured Web Application Firewall (WAF), which allowed the threat actors to obtain a set of API keys. The keys were then abused to access data stored in the cloud storage. This incident highlights how misconfigured cloud configuration could be exploited by threat actors to obtain API keys necessary to further malicious intent.
c. In 2023, CrowdStrike reported on a novel technique observed to be used by threat actors to escape typical containment practices and establish persistence in victim AWS environments. For permissions associated with federated sessions1 in an AWS environment, these are only revoked when the permissions associated with the base user are removed or overwritten. However, to preserve evidence during typical incident responses, only the disabling of base credentials is carried out. With the permissions associated with federated sessions remaining active, threat actors can leverage them to conduct malicious activities while incident response is being carried out.
Cloud adoption will likely continue to grow exponentially, contributing to its attractiveness as an attack vector for threat actors to access victims’ networks and data. Ensuring security of the cloud technology used, in particular, APIs, will hence be vital for organisations, both to ensure business continuity and prevent reputational damage.
Enable web application firewalls (WAFs) on the cloud platforms to protect APIs and their endpoints from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. WAFs could also ensure API availability and performance, through the creation of rules to allow or block requests.
Gartner, VentureBeat, Forbes, Technopedia, BleepingComputer, International Journal of Engineering Trends and Technology, Security Boulevard, Trend Micro, ACM Digital Library, CrowdStrike, Securitylabs, Netlify, Activereach, Infosecurity Magazine, ScholarWorks, Amazon AWS, ProtectOnce, Microsoft Azure