Up in the Cloud: Mitigating API-Related Risks in Cloud Technology

Published on 31 Mar 2023

OVERVIEW

Cloud technology and services continue to be increasingly adopted by organisations and individuals, with public cloud spending forecasted to grow by 20% to US$591.8 billion in 2023, according to market estimates by Gartner. Application Programming Interfaces (APIs) are an essential component for cloud services and client applications, serving as an intermediary to allow applications to communicate with one another using pre-defined protocols.

Without proper API management in place, however, cloud APIs can inadvertently increase the attack surface and be exploited as an unauthorised entry point into an organisation’s network and the databases it hosts on the cloud. Consequently, as more organisations move their data and operations to the cloud, the likelihood of data breaches and leaks also rises. In this issue of CyberSense, we take a deeper look at API-related cybersecurity risks in cloud technology, their common causes, examples of cloud-related breaches, and how they can be prevented.

WHAT ARE THE CAUSES OF API COMPROMISES?

Let’s begin by having a look at the common causes behind cloud-related API compromises:

i. Insecure storage of API keys can facilitate attacks. An API key is a unique code used by an API to authenticate and authorise the calling user or application; it is typically stored encrypted or in a secrets manager provided by the cloud service provider. Such keys could be compromised if they are erroneously stored in plaintext, kept on publicly exposed computers, or exposed through misconfigured cloud settings. Should threat actors get hold of a cloud API key, they would be able to gain access to the services or applications, and even to sensitive data stored on the cloud.

ii. Insecure transmission of API keys can enable attacks. Many APIs are based on either REST (Representational State Transfer) or SOAP (Simple Object Access Protocol), both of which are web standards and hence susceptible to web-based attacks such as eavesdropping, session hijacking, and malicious code execution. Weaknesses in APIs used for authentication therefore increase the risk of credential theft, as information such as passwords and session tokens is exchanged when these APIs are called.

iii. Undocumented APIs, which are APIs not supported for use in end-user code and which may be removed or changed in future releases, can also pose an unknown threat to end users. The discovery of undocumented APIs can allow threat actors to perform malicious activities in unexpected ways. For instance, in March 2022 the Datadog Security Research Team identified a method to bypass CloudTrail logging (the event logging service for Amazon Web Services accounts) for specific Identity and Access Management (IAM) API requests via undocumented APIs. By bypassing CloudTrail logging, threat actors would be able to perform reconnaissance in the IAM service without leaving any trace of their actions.

iv. API exhaustion can lead to distributed denial of service (DDoS) attacks on cloud API services. This occurs when threat actors send large quantities of malicious API requests to overwhelm the system; APIs with no rate-limiting mechanism are consequently vulnerable to DDoS attacks. Threat actors might harness large-scale internet traffic originating from multiple compromised sources to bring down cloud networks.

MAJOR INCIDENTS

a. Slack and Imperva. In 2022, Slack discovered that a limited number of its employees’ API tokens had been stolen and misused to gain access to an externally hosted repository. The Imperva data breach in 2019 was likewise caused by a stolen Amazon Web Services (AWS) API key that had been left externally accessible. This occurred when, during a database migration, the company created a database snapshot for testing while also building an internal compute instance containing an AWS API key.

b. Capital One. The Capital One data breach in 2019 was enabled by a misconfigured Web Application Firewall (WAF), which allowed the threat actors to obtain a set of API keys. The keys were then abused to access data held in cloud storage. This incident highlights how a misconfigured cloud setup could be exploited by threat actors to obtain the API keys needed to further their malicious intent.

c. In 2023, CrowdStrike reported on a novel technique used by threat actors to escape typical containment practices and establish persistence in victim AWS environments. Permissions associated with federated sessions [1] in an AWS environment are only revoked when the permissions of the base user are removed or overwritten. However, typical incident response disables only the base credentials in order to preserve evidence. With the permissions of the federated sessions remaining active, threat actors can use them to continue malicious activities while incident response is being carried out.
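A defender’s containment step for the CrowdStrike finding above, as an added example that is not part of the original article: besides deactivating the compromised user’s long-term access keys, attach an inline deny policy keyed on the aws:TokenIssueTime condition so that federated sessions already issued from those keys are cut off as well. The policy name, the user name and the FakeIAM stub are assumptions for running offline; against a live account the same calls go to a boto3 IAM client.

```python
import json
from datetime import datetime, timezone

REVOKE_POLICY_NAME = "RevokeOlderSessions"  # assumed name; any inline policy name works


def build_revoke_policy(cutoff_utc: str) -> dict:
    """Deny every request made with temporary credentials issued before
    cutoff_utc (ISO-8601 UTC, e.g. "2023-03-31T12:00:00Z")."""
    datetime.strptime(cutoff_utc, "%Y-%m-%dT%H:%M:%SZ")  # reject malformed stamps
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_utc}}}]}


def contain_user(iam, user_name: str, cutoff_utc: str = "") -> list:
    """Deactivate (not delete) the user's long-term keys to preserve evidence,
    then attach the deny policy so sessions already derived from those keys stop
    working. `iam` exposes boto3-style list_access_keys/update_access_key/put_user_policy."""
    cutoff_utc = cutoff_utc or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    actions = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=user_name,
                                  AccessKeyId=key["AccessKeyId"], Status="Inactive")
            actions.append("deactivated " + key["AccessKeyId"])
    iam.put_user_policy(UserName=user_name, PolicyName=REVOKE_POLICY_NAME,
                        PolicyDocument=json.dumps(build_revoke_policy(cutoff_utc)))
    actions.append("denied sessions issued before " + cutoff_utc)
    return actions


class FakeIAM:
    """Constructed offline stand-in for a boto3 IAM client; it only records the calls."""
    def __init__(self, keys):
        self.keys = dict(keys)  # AccessKeyId -> Status
        self.policies = {}      # (user, policy name) -> policy document (JSON string)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.policies[(UserName, PolicyName)] = PolicyDocument
```

Sessions obtained by assuming a role are not covered by a policy on the user; place the same deny statement on the role with put_role_policy.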

CONCLUSION

Cloud adoption will likely continue to grow exponentially, adding to its attractiveness as an attack vector for threat actors seeking access to victims’ networks and data. Ensuring the security of the cloud technology used, in particular its APIs, will hence be vital for organisations, both to ensure business continuity and to prevent reputational damage.

Organisations are hence advised to take proactive measures to protect themselves against attacks carried out through the exploitation of APIs on cloud services. Measures to defend against such attacks include:

  • Apply the principle of least privilege when defining the permissions granted to cloud resources, to minimise the range of resources a threat actor can reach when an API is compromised.
  • Use standards such as OAuth 2.0, OpenID Connect and JSON Web Token (JWT) to authenticate API traffic.
  • Enforce API key management to ensure keys are properly secured and not reused. It is recommended that API keys be password-protected, and changed or re-generated regularly to enhance security.
  • Implement basic security measures such as SSL/TLS encryption for all communications to ensure the integrity of exchanged data, including sensitive access tokens.
  • Leverage DDoS protection services provided by cloud vendors, which may include continuous traffic monitoring that automatically initiates mitigation once a certain traffic threshold is exceeded, and adaptive real-time machine learning of baseline user patterns to minimise false positives.
  • Adopt API rate limiting to cap the number of calls per second made to an API endpoint, the amount of data requested, or the types of data requested.
  • Apply active monitoring of API endpoints so that abnormal traffic patterns can be identified.
  • Implement logging to retain records of actions taken by a user, role, or cloud service in the API gateway, which can assist investigation in the event of a cloud compromise.
  • Enable web application firewalls (WAFs) on the cloud platforms to protect APIs and their endpoints from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. WAFs can also help maintain API availability and performance through rules that allow or block requests.

Sources Include:

Gartner, VentureBeat, Forbes, Technopedia, BleepingComputer, International Journal of Engineering Trends and Technology, Security Boulevard, Trend Micro, ACM Digital Library, CrowdStrike, Securitylabs, Netlify, Activereach, Infosecurity Magazine, ScholarWorks, Amazon AWS, ProtectOnce, Microsoft Azure

[1] A federated session in AWS involves the exchange of persistent credentials for a temporary set of credentials.