Welcome to our March API newsletter, recapping some of the events of last month. And what a month it was. Among other buzzworthy news, OWASP published the initial Release Candidate for the 2023 API Security Top-10 list – we analyzed the ins & outs and presented them over the course of a couple of webinars. In addition, the hive was busy with several product updates – so read on for this month’s bit o’ honey!
March sure kept us on our toes! It all began when we uncovered active exploits in the wild targeting VMware NSX Manager. Talk about a cybersecurity rodeo! This news spread like wildfire, and even CISA added CVE-2021-39144 to their Known Exploited Vulnerabilities (KEV) catalog. Yeehaw!
In case you missed it, OWASP released their API Security Top-10 2023 Release Candidate (RC) and, boy, did it stir up some buzz. Our team dug deep into the proposed changes and found a treasure trove of discussion-worthy topics. So much so, we hosted not one, but two online shindigs: the first was a good ol’ overview, and the second was an in-depth exploration of each top-10 threat.
Spoiler Alert: We reckon there’s a crucial threat that didn’t make the list, and you’ll definitely want to be in the know! So, saddle up and watch our on-demand events for the full scoop!
We also kicked off a series of “listening events” to hear straight from the horse’s mouth – cybersecurity executives dealing with API security. It’s been quite the learning experience, hearing about daily challenges like juggling “tools (your team and security stack), budgets, and expectations,” as well as some serious anxiety about potential personal liability if things go south. We’ll be hosting more of these shindigs across the US in the coming months, including one at RSAC 2023 (April 24-27 in San Francisco). Shoot me a DM if you’d like to join us for some grub and riveting conversation.
– Ivan, CEO & Co-Founder, Wallarm
P.S. – Keep your finger on the pulse of all things #apisecurity with the latest exploits and updates by following our new API ThreatStats LinkedIn page. We promise, it’s no joke!
As mentioned by Ivan, the Wallarm Detect team found exploit attempts in the wild of CVE-2022-31678 and CVE-2021-39144. The original vulnerabilities were found in VMware NSX Manager at the end of last year, and can lead to remote code execution (RCE) by pre-authenticated attackers. Here is some coverage of our research on the exploits against the VMware NSX vulnerabilities:
- BleepingComputer – CISA warns of critical VMware RCE flaw exploited in attacks
- SC Magazine – Active attacks exploiting old bugs in VMware NSX Manager spike
- The Hacker News – CISA’s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems
- SecurityWeek – Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing
Also, this past month we released the 2022 Year-End API ThreatStats™ Report. This report is our in-depth analysis and discussion of 2022 API vulnerability, exploit and (new, for this report) attack data. We also offer some predictions to help improve your API security in 2023. Enjoy!
The hive has been busy preparing for Spring. Here are some of the updates they’ve released:
API Rate Limiting
The recent release of Wallarm Node 4.6 enables an improved API Rate Limiting capability. This powerful feature allows you to better protect against bad bots and other bad actors and to effectively manage service load and prevent false alarms, thereby ensuring the service is always available and secure for legitimate users.
You can now set specific parameters and session settings to apply rate limit rules based on any request parameter, including JSON fields, base64 encoded data, cookies, XML fields, and more. You can also adjust settings like the rate, burst, delay, and response code to fine-tune the rate limit settings and apply session settings to specific requests. Learn more here.
Native Integration with Microsoft Azure Sentinel
Wallarm End-to-End API Security now offers native integration with Microsoft Sentinel, a leading cloud-native Security Information and Event Management (SIEM) platform. This integration allows you to send API security events and alerts to Microsoft Sentinel, providing a consolidated view of your security landscape.
By combining these capabilities, you can streamline threat identification, automate response actions, and enhance your overall security posture. This eliminates the need for manual processes and ensures improved visibility and control over security events. Learn more about this integration with Microsoft Azure Sentinel here, and about all our integrations here.
Did You Know? You can subscribe to our update announcements to keep up-to-date with the latest product news.
Webinar [2023-Apr-20] — 25 Years of API Security – A Comprehensive Review and Outlook
Join our upcoming webinar as we review 25 years of API Security, in order to understand where API Security has been and where it’s headed
Tradeshow [2023-Apr-24 thru Apr 27] — RSA Conference 2023 – Booth #6585
Come see a personal demo of the Wallarm platform at booth #6585, join us at our Tuesday evening cocktail party along with some of our partners at The Cordial Bar, or grab a bite with us on Wednesday evening at The Vault Steakhouse & Piano Bar.
Webinar [On-demand] — A CISOs Guide To The New 2023 OWASP API Security Update
Join our recorded webinar as we explored the new Top-10 API risks Release Candidate (RC) for 2023, and the implications of these updates to your API security posture.
Webinar [On-demand] — A Practitioner’s Guide To The New 2023 OWASP API Security Update
Join our second recorded webinar as we took a deeper dive into the new Top-10 API risks Release Candidate (RC) for 2023, and the impact of these updates will have on your API security posture.
The Wallarm Threat Research team found 18 critical API vulnerabilities in March. Here are some of the more impactful ones.
Next-Auth – Missing Some OAuth Authentication Checks (CVSS score: 8.8)
A bad actor who can spy on the victim’s network or is able to social engineer the victim into clicking a manipulated login link could intercept and tamper with the authorization URL to log in as the victim, bypassing the CSRF protection. (CVE-2023-27490)
HashiCorp Nomad – Job Submitter Privilege Escalation Using Workload Identity (CVSS score: 8.8)
A user with the submit-job ACL capability could submit a job that could escalate to management-level privileges. This issue has been fixed in Nomad 1.5.1. (CVE-2023-1299)
Netgear – Overflow to Format String Attack in SOAP Server (CVSS score: 9.8)
NETGEAR Nighthawk WiFi6 Router prior to V188.8.131.52 contains a format string vulnerability in a SOAP service that could allow an attacker to execute arbitrary code on the device. (CVE-2023-27853)
Ansible Semaphore – Improper Authentication (CVSS score: 9.8)
api/auth.go in Ansible Semaphore before 2.8.89 mishandles authentication. (CVE-2023-28609)
Deno – Interactive ‘run’ Permission Prompt Spoofing via Improper ANSI Neutralization (CVSS score: 8.8)
Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a op_spawn_child or op_kill prompt and replace it with any desired text. (CVE-2023-28446)
MinIO – Privilege Escalation on Linux/MacOS (CVSS score: 8.8)
An attacker could use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. This attack requires credentials with `arn:aws:s3:::*` permission as well as enabled Console API access. A patch and workaround are available. (CVE-2023-28434)
Jeecg-boot – SQL Injection Vulnerability (CVSS score: 9.8)
Affected versions of this package are vulnerable to Information Exposure due to improper user-input sanitization via the apiSelectId parameter in the jmreport/qurestSql file. (CVE-2023-1454)
Hasura GraphQL Engine – Unauthenticated Path Traversal Vulnerability (CVSS score: 7.5)
If your self-hosted deployment is publicly exposed and not protected by a WAF or other HTTP protection layer, you may unset HASURA_GRAPHQL_CONSOLE_ASSETS_DIR, disable console for versions prior to 2.17.0, or update immediately to one of the fixed versions. (CVE-2023-27588)
We recommend that you assess your portfolio for exposure to these vulnerabilities, apply updates where possible, and monitor for further incidents. For more on notable API vulns, make sure to subscribe to our new API ThreatStats LinkedIn page.
OWASP API Security Top 10: Upcoming Changes You Need To Know About
(Dana Epp’s blog) A nice look into the new top 10 in more detail, one by one, and discuss how this might impact your API security testing.
First-known Dero cryptojacking operation seen targeting Kubernetes
(Bleeping Computer) The first known cryptojacking operation mining the Dero coin has been found targeting vulnerable Kubernetes container orchestrator infrastructure with exposed APIs.
Just Who Exactly Should Take Responsibility for Application Security?
(DataBreachToday) In theory, the rise of DevSecOps best practices that shift responsibility for application security further left should reduce the number of vulnerabilities that now routinely make it into production applications. However, real life is a little messier.
Do you trust AI to find app sec holes while you sleep?
(Security Boulevard) Survey of opinions on “Security Copilot” – Microsoft’s conversational, ChatGPT security analysis and monitoring offering – which will answer questions and learn about your network, summarizing and interpreting as it goes.
AlienFox Malware Targets API Keys and Secrets from AWS, Google, and MS Cloud Services
(The Hacker News) A new “comprehensive toolset” called AlienFox is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers.
Attackers increasingly using transfer.sh to host malicious code
(Help Net Security) The attackers are finding internet-exposed Redis API endpoints that don’t have authentication configured and use this security hole to remotely connect to the data store.
Increase in exploits against Joomla (CVE-2023-23752)
(SANS Internet Storm Center) Exploits for this vulnerability were made public pretty much the day the vulnerability became public.
Why writing API exploits is important when reporting vulnerabilities
(Dana Epp’s blog) Providing PoC exploits aids significantly in understanding how a vulnerability works and the potential risk it represents.
NECCDC 2023: Red Team Adventures
(Hurricane Labs) Learn the best security tips to safeguard your own AWS environment, based on an expert red-teaming perspective.
Smart Mobility has a Blindspot When it Comes to API Security
(The Hacker News) The recent Automotive and Smart Mobility Cybersecurity Report indicates that the automotive and smart mobility ecosystem has seen a 380% increase in API-based incidents in 2022, compared to 2021.
Last month we asked how far along you are in your API vulnerability assessment & management journey. It appears that almost a quarter of your have reached hog heaven while over 60% are still on the road there:
And we’d love to have you weigh in on our next LinkedIn poll we’re conducting: Do you use / are you offering APISec-as-a-Service (e.g., from an MSSP)? Please let us know where you stand on this – connect with Ivan or follow us at Wallarm to register your vote.
And now for something completely different. Since the theme of The APIary newsletter is based on hardworking & industrious bees, we like to finish with an uplifting image. Since it’s April, the flowers are beginning to bloom and our namesakes are preparing for flight, as you can see. Enjoy!