Leaks of API keys and other secrets. The industry has been abuzz with news about attacks – and the ongoing ripple effect – involving leaked API keys, credentials and other secrets. This adds another dimension to your API attack surface, which in turn complicates your defenses and adds to your workload. So, this month The APIary focuses on leaked API keys and other secrets – read on for this month’s bit o’ honey.
2023 certainly started with a bang. News, which dribbled out (perhaps deliberately?) in the waning minutes of 2022 and into early 2023, regarding several development infrastructure breaches involving APIs gave us a lot to think about. For instance:
- CircleCI posted an advisory in early January regarding a presumed breach of their systems, potentially putting thousands of organizations at risk.
- Slack notified the development community on New Year’s Eve that some Slack employee tokens were stolen and misused to gain access to their GitHub repository.
- LastPass finally admitted on Dec 22nd that an earlier breach back in August, in which credentials and keys were obtained, allowed an adversary nearly unfettered access to a cloud-based backup system, putting end users’ password vaults at risk.
- Travis CI continues to have issues, with the latest coming from researchers who reported last summer that they had found over 73,000 tokens, secrets, and various credentials.
These incidents, each of which involved leaked API keys or other secrets at some point, are further examples of a growing API attack surface that many teams may not be aware of. And while it’s absolutely necessary to mitigate this issue as early as possible (i.e., during the development process), it’s also true that it’s impossible to prevent the issue entirely.
Why? Because of increasing development velocity, tech stack complexity and, of course, software supply chain risks. That’s why we’ve just dropped an “early release” version of our new API Leak Management capability. It provides actionable threat intelligence regarding leaked API keys and other secrets from your domain, covering your entire API portfolio. Read on to learn more!
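A concrete form of “mitigate as early as possible” is scanning code and config for secrets before they are committed. The scanner below is an added example written for this page; it is not part of the newsletter and not Wallarm’s product. It combines vendor-prefix patterns (the documented AWS, GitHub and Slack token formats) with a Shannon-entropy test for generic `key = value` assignments. The regexes, the 3.5-bit threshold and the sample config are assumptions to tune per environment; the AWS key in the sample is AWS’s own documentation example value and the other values are made up.

```python
import math
import re
from collections import Counter

# Vendor token formats are public (documented prefixes); these regexes are
# constructed for this example and should be extended for your own stack.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "<secret-ish name> = <long value>" assignment; the value is judged by entropy.
ASSIGNMENT = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{16,})['"]?"""
)


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys sit near 4-5, words and placeholders well below 3.5."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return (line_number, finding_type, matched_value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for name, pattern in KNOWN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, match.group(0)))
                seen.add(match.group(0))
        for match in ASSIGNMENT.finditer(line):
            value = match.group(2)
            # Skip values already reported by a vendor pattern; flag the rest only if they look random.
            if value not in seen and shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_assignment", value))
    return findings


# Constructed sample file: the AWS key is AWS's documented example value, the rest are made up.
SAMPLE_CONFIG = """\
# constructed sample config; none of these values are live credentials
DB_HOST = "db.internal"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
API_KEY = "k7Qz9pL2mN4vB8xR1tW6yH3jD5sF0gA9"
api_key = "changeme-changeme"
slack_token = "xoxb-0000000000-AAAAAAAAAA"
password = "hunter2"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {value[:8]}...")
```

Wire `scan_text` into a pre-commit hook over the staged diff, and treat every confirmed hit as an incident rather than a lint warning: anything that reached a remote branch must be assumed copied, so the credential is rotated, not just deleted from history.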
Speaking of API-related breaches, by now you’ve undoubtedly heard about another T-Mobile breach, this one impacting 37M customers. If not, read the coverage by the always excellent Phil Muncaster in Infosecurity Magazine, or head over to our blog post. It’s just another proof point that API security needs to be at the forefront of everyone’s minds, and 2023 security plans!
– Ivan, CEO & Co-Founder, Wallarm
Last month we asked whether you use any of the existing cybersecurity frameworks (such as CIS CSC, MITRE ATT&CK, NIST CSF, etc.) for managing your API security. It looks like most of you are well down this path, although almost one-third say it’s not on their radar.
And we’d love to have you weigh in on the next LinkedIn poll we’re conducting: How confident are you that _none_ of your API keys and other secrets have leaked into the wild? Please let us know where you stand on this – connect with Ivan or follow us at Wallarm to register your vote.
(The Daily Swig) Developers are being urged to rotate secrets and API tokens following the discovery of a breach at popular DevOps platform CircleCI.
(Securities.io) In today’s digital age, it’s more important than ever to guard against the potential risks of API leaks, as it can lead to the loss of personal information and financial data.
(BleepingComputer) Almost 20 car manufacturers and services contained API security vulnerabilities that could have allowed hackers to unlock, start, and track cars, and/or expose customers’ personal information.
(Information Security Buzz) Indications are that intruders used stolen employee tokens to download private code from the company’s GitHub repository.
(VentureBeat) Insecure APIs provide cybercriminals with direct access to users’ personally identifiable information (PII), usernames and passwords when a client connects to a third-party service’s API.
(DarkReading) API attacks are back in the news. It turns out the likely ingress point for the Optus breach was a lowly REST API. And someone has leaked all of the data stolen from the Twitter breach — which also involved an API.
(Security Boulevard) APIs have now become the top attack vector for enterprises to worry about, according to an October 2022 Gartner report. Not coincidentally, the frequency of API attacks has increased by an astounding 681%.
(DevOps.com) GraphQL introduces new security concerns. And as attacks on APIs continue to increase and grow in sophistication, an increased security focus will undoubtedly be required to avoid vulnerabilities.
(Security Boulevard) By the end of 2023, the SEC is expected to finalize its proposal requiring companies to attest to their boards’ cybersecurity acumen—as well as disclose their cybersecurity oversight efforts and information on attacks.
(Dana Epp’s Blog) Realize that Ronald Reagan’s thinking that we can “trust, but verify” is backward. Trust nothing. Verify everything.
KubePi Hardcoded Jwtsigkeys (CVSS score: 9.8)
In certain versions of KubePi, hard-coded Jwtsigkeys could allow an attacker to take over the admin account of any online project using a forged JWT. (CVE-2023-22463)
Izanami Authentication Bypass (CVSS score: 9.8)
In some versions of Izanami, attackers could bypass authentication settings using a hard-coded JWT to compromise other Izanami instances. (CVE-2023-22495)
Argo CD JWT Audience Claim is Not Verified (CVSS score: 9.0)
In some versions of Argo CD, certain invalid tokens are accepted due to improper authorization, which could allow attackers to obtain unintended privileges. (CVE-2023-22482)
Rancher Wrangler API Missing Encryption (CVSS score: 9.9)
In some versions of Rancher Wrangler, certain secrets (including sensitive fields, secret tokens, encryption keys, and SSH keys) are being stored in plaintext, impacting access and confidentiality. (CVE-2022-43757)
GitHub Enterprise Server Incorrect Authorization Vulnerability (CVSS score: 9.8)
In some versions of GitHub Enterprise Server, scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. (CVE-2022-23739)
KubeOperator Unauthorized Access to System API (CVSS score: 9.8)
In some versions of KubeOperator, attackers could bypass preset permission settings to access some API interfaces, allowing them to take over the cluster under certain circumstances. (CVE-2023-22480)
SAP NetWeaver AS for Java Improper Access Control (CVSS score: 9.8)
In certain versions of SAP NetWeaver AS for Java, improper access controls could allow attackers to obtain full read / write access and perform unauthorized operations impacting users and data. (CVE-2023-0017)
We recommend that you assess your portfolio for exposure to these vulnerabilities, apply updates where possible, and monitor for further incidents.
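The first three entries above share one of two JWT-handling faults: a signing key baked into the source (anyone who reads the code can mint tokens that every default-configured instance accepts), or a verifier that checks the signature but not the audience (a token legitimately issued for one service is accepted by another). The following is an added example written for this page, not code from KubePi, Izanami, Argo CD or Wallarm; the keys, claim values and service names (`console`, `billing-api`) are constructed. It implements a minimal HS256 JWT with the Python standard library and shows the weak verifier beside the corrected one.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Keys are constructed for this example. HARDCODED_DEFAULT_KEY stands in for a
# signing key baked into a product's source; OPERATOR_KEY for one generated per
# deployment. Neither is a real key from KubePi, Izanami or Argo CD.
HARDCODED_DEFAULT_KEY = b"kube-dashboard-default-jwt-key"
OPERATOR_KEY = b"6d0c0b4c3f1a4a7e9e2b5f8a1c3d7e9f"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_signature_only(token: str, key: bytes) -> Optional[dict]:
    """Checks alg and signature but ignores 'aud': the gap behind the Argo CD entry."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(body_b64))


def verify(token: str, key: bytes, expected_aud: str) -> Optional[dict]:
    """Signature check plus an audience check: a token minted for another service is refused."""
    claims = verify_signature_only(token, key)
    if claims is None:
        return None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return None
    return claims


def forged_admin_accepted(deployment_key: bytes) -> bool:
    """An attacker who read the default key from the source forges an admin token.
    Returns True when the deployment still signs with that published key."""
    forged = sign_hs256({"sub": "admin", "aud": "console"}, HARDCODED_DEFAULT_KEY)
    claims = verify(forged, deployment_key, "console")
    return claims is not None and claims["sub"] == "admin"


def cross_audience_accepted(strict: bool) -> bool:
    """A legitimate token issued for 'billing-api' is presented to 'console'."""
    token = sign_hs256({"sub": "svc-reports", "aud": "billing-api"}, OPERATOR_KEY)
    if strict:
        return verify(token, OPERATOR_KEY, "console") is not None
    return verify_signature_only(token, OPERATOR_KEY) is not None


if __name__ == "__main__":
    print("default key still in use, forged admin accepted:", forged_admin_accepted(HARDCODED_DEFAULT_KEY))
    print("per-deployment key, forged admin accepted:      ", forged_admin_accepted(OPERATOR_KEY))
    print("no aud check, cross-service token accepted:     ", cross_audience_accepted(strict=False))
    print("aud check, cross-service token accepted:        ", cross_audience_accepted(strict=True))
```

Run it directly to print the four outcomes. The two fixes are independent: a per-deployment key from your secret store defeats the forged-admin case, and passing the expected audience on every verification defeats the cross-service case; a real verifier also checks `exp` and `iss`, which are omitted here to keep the two faults in focus.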
ICYMI, Wallarm recently announced the early release of our new API Leak Management solution to help protect against unintended or malicious use of leaked API keys and other secrets.
With this capability, we automatically and proactively discover leaked API keys and other secrets, create controls to block API calls/requests that use leaked credentials, and track those leaked credentials across the organization’s entire API portfolio to protect against follow-on attacks.
In addition, we are offering a complimentary assessment to discover any leaked API secrets from your domain, including API keys, credentials, private specifications, etc. Knowledge is power – because you can’t protect what you don’t know about.
Did You Know? You can subscribe to our update announcements to keep up-to-date with the latest product news.
Wallarm introduced the newest cybersecurity luminaries to join the company’s already impressive Board of Advisors. They bring broad and in-depth cybersecurity and business expertise, and are eager to share their hard-won knowledge and insights with fellow cybersecurity executives.
Webinar [2023-Feb-16] — API ThreatStats Report: 2022 Year-in-Review & Q4 Results
Webinar [on-demand] — Wallarm Platform Democast: What’s New
Watch this interactive product demo of Wallarm we hosted on January 5, where you can learn more about the key components of the platform and recent feature enhancements.
Webinar [on-demand] — Solving Your API Key Leaks Challenge: Wallarm Launches API Leak Solution
Come see this short webinar where we introduced our early release of the Wallarm API Leak Management solution, an enhanced API security technology designed to help organizations discover and remediate attacks exploiting leaked API keys and secrets.
Webinar [on-demand] — How CISOs Can Build an API Security Program
Rajendra Umadas, Senior Platform Security Manager at ActBlue, and Stepan Ilyin, Wallarm co-founder, have a fireside chat about the necessary components of a robust API security program to better protect your organization’s APIs and web applications.
Where APIs Meet Apis
And now for something completely different. Since the theme of The APIary newsletter is based on hardworking and industrious bees, we thought we’d share this bee meme with you. Nothing better than a good Dad joke. Enjoy!