By Brad LaPorte, Chief Evangelist, Kasada

The pandemic has forever changed how we work, shop, learn, entertain, and see our doctors. Most of us have likely started using a new app or feature that didn’t exist in February, whether that be new conferencing and collaborating apps to food or shopping apps to new apps just to entertain ourselves.

Most of today’s apps leverage easy-to-build and easy-to-consume APIs to speed development. When the APIs are secured, they offer a smart way to deliver critical features and functionality and pass data between systems.  But, when left unprotected, they make it easy for attackers to commit fraud with speed and at scale. Our growing dependence on APIs within applications and the significant rise in malicious machine-driven traffic are giving opportunistic cybercriminals ripe opportunities to wreak havoc online, everywhere.

Web-enabled applications already have 40% of their attack surface in the form of APIs instead of user interfaces, according to a recent Gartner report. By 2021, APIs will account for 90% of the attack surface. By 2022, according to Gartner, API abuses will become the most-frequent attack vector.

Assess the Risk

The first place to start is by assessing your current environment and understanding the level of risk your business faces today. This will help inform the development of a strategy and associated policies for securing APIs.

Remarkably, many security teams can’t assess the risk to their companies for their APIs because they don’t have visibility into all of the APIs in use. Often, APIs and API security are in the hands of developers and DevOps teams. Each team may have its own set of APIs that it uses. In that situation, no one has visibility into all of the APIs being developed and used across the company.

That’s why any security strategy for protecting APIs must begin with a complete understanding of all the APIs developed by the company. Make sure you understand:

• How many APIs are deployed?
• Who manages/owns the APIs?
• Who is using the APIs?
• Which APIs are exposed to partners?
• Which ones are exposed publicly?
• Which APIs are driving traffic?
• How is that traffic being monitored?

Once you have an inventory of APIs, you can begin evaluating your risk by looking for common API security weaknesses, such as authorization flaws, excessive data exposure, lack of rate-limiting, security misconfigurations, insufficient logging, and others.  A great place to start is the OWASP API Security Project and its API Security Top Ten report.

Best Practices to Protect APIs

Once you have an understanding of the APIs in your company, common API weaknesses, and the types of threats that can be used against them, make sure you are using recommended best practices to help protect your APIs. Start with the APIs that represent the greatest risk for your business.

Lock Down Access to the API

The ability to control API access is a cornerstone of effective API security. Make sure you’re authenticating both end-users and applications, and make sure that access policies and authentication mechanisms are set up correctly.

The authentication mechanism is a popular target for attack and as such, should be a top priority for extra layers of protection.  OWASP’s Top Ten report says that authentication mechanisms “are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities temporarily or permanently.” It’s critical to understand the authentication mechanisms your organization has in place and then apply authentication best practices to these endpoints.

Monitor and Log Everything

You can’t protect your APIs if you don’t have visibility into what is happening, and you can’t mitigate damage from an attack if you don’t know what was impacted. Continuous logging and monitoring give you that visibility so that you can track and respond to suspicious activity in a timely way.

Logging and monitoring are especially relevant to authentications and preventing an API endpoint from being a gateway to other endpoints. Log all authentication attempts, denied access, validation errors, and response codes so you can track ratios to detect when something suspicious, such as a credential stuffing attack is occurring.

Implement Rate Limiting

Rate limiting or throttling helps protect against brute-force attacks, but often the API doesn’t impose or enforce any restrictions on the size or number of resources that can be requested by the user. For example, a bad actor might use automated software to generate a large number of consecutive login attempts by systematically guessing passwords.

If the API is not protected by rate limits, it may allow this attack to continue indefinitely or until it succeeds—even if that means accessing the API a million times per second, which could make the API unresponsive or lead to denial of service (DoS), both of which impact legitimate users.  This is why it’s important to impose rate limits such as the number of requests per user and number of requests per user within a defined timeframe, number of records per page return, request payload size, memory, and CPU usage.

Layers of Protection Against Automated Attack 

Best practices around authentication, logging, and rate-limiting are worthwhile and effective as the first layer of protection. However, they aren’t enough to secure your APIs and protect them from more sophisticated forms of automated attacks. For greater protection, you need additional layers of security that can identify suspicious activity and block it.

For your most sensitive API endpoints that are at greatest risk from automated attacks, you need to fight bad automation with good automation to detect and stop attacks in real time. It’s important to be able to:

• Visualize all your traffic including good bots, bad bots, and humans
• Detect bad bots attempting to attack your APIs
• Make it economically infeasible for bots to be successful

Whether it’s fraud, DDoS, or some other form of attack, under-protected APIs are a favorite target of cybercriminals. You can stop these attacks from being successful by:

• Making API security a top priority for your company and your IT and security teams
• Applying the best practices described here and in the OWASP Top Ten for API Security
• By layering an automated solution able to detect malicious automation on top of these best practices to protect your most sensitive and valuable APIs.

About the Author

Brad LaPorte is Chief Evangelist at Kasada and Gartner Veteran. He has more than 15 years of combined cyber security, product management, and business experience. Brad has been on the frontlines fighting cybercriminals and advising top CISOs, CIOs, CxOs, and other thought leaders on how to be as efficient and effective as possible. He has served in various advisory roles at the highest levels of top intelligence agencies, as a senior product leader at both Dell and IBM, at a late-stage startup, and as a Gartner analyst where he conducted over 1,000 conversations with leading corporations about the rapidly expanding threat landscape.

By David Balaban

Every electronic system has a finite data processing capacity. This threshold is never exceeded under normal conditions, but things may change when anomalous activity kicks in. A distributed denial-of-service (DDoS) attack fits the mold of a stratagem that can drain a web server’s resources and disrupt the associated online service.

DDoS attacks appeared in the mid-1990 as ideological weaponry favored by the Anonymous and like-minded hacktivists. As time went by, it embraced extra motivations ranging from script kiddies’ whim to satisfy their ego and get an adrenaline rush – to unscrupulous entrepreneurs’ plots aimed at sucker-punching business rivals.

Extortion through what is called “ransom DDoS” is the latest evil quirk of threat actors. To set it in motion, an adversary threatens to knock an organization’s website offline unless the would-be victim pays a specified amount of Bitcoin.

Since mid-August 2020, several high-profile hacker gangs, including the infamous Lazarus Group and Fancy Bear, have been sending such ransom notes to thousands of companies around the world, primarily ones from the finance and retail sectors. The felons demand a minimum of 10 BTC (currently worth about $106,000) for not mounting the attack. On August 28, the FBI alerted U.S. companies to the menace by issuing an ad hoc flash warning.

All in all, DDoS has grown into a multipurpose cybercrime heavyweight over time, and it is getting worse. With that said, it is high time organizations stepped up their preparedness to tackle this challenge. This article provides a roundup of known attack methods and shines the light on effective countermeasures.

Demystifying the DDoS Ecosystem

Whereas the fundamental principle of DDoS boils down to swamping a network with a plethora of rogue data packets, security professionals single out a trio of categories that differ in the logic of precipitating a denial-of-service condition. Any DDoS raid falls under one of the following classes:

• Volumetric Attacks. To execute these onslaughts, adversaries hinge on numerous previously compromised devices and spoofed Internet connections to inundate victim networks with more data packets than they can withstand. Effectively, they exhaust a network’s bandwidth with an enormous volume of dodgy traffic.
• Protocol Attacks. Rather than cause a bandwidth shortage quandary, these incursions sap the processing power of a web server via malicious protocol requests. They typically home in on firewalls or network infrastructure equipment such as switches, load balancers, or routers.
• Application Layer Attacks. This attack vector stands out from the rest by depleting the resources allocated to a specific web application. To set it on motion, felons often parasitize zero-day flaws in web applications, which makes such an offensive incredibly hard to pinpoint and thwart.

This broad classification relates to theory, for the most part, and does not give enough insights into the inner workings of a particular cybercrime campaign. To better understand the network disruption repertoire of the present-day crooks, go over a hands-on summary of 33 different DDoS types.

1. DNS Flood. To execute this incursion, malefactors deluge a DNS server with a huge number of malformed requests coming from numerous different IP addresses. This is one of the toughest attacks to detect and recover from.

2. UDP Flood. An adversary fires out a slew of rogue User Datagram Protocol (UDP) packets at a victim server to make it run out of processing capacity. A serious pitfall in terms of identifying this attack is that UDP connections provide scarce methods to verify source IP addresses.

3. SYN Flood. This foul play abuses the TCP three-way handshake, a fundamental mechanism used to set up a connection between a client, a host, and a server in the TCP protocol framework. Criminals flood a target server with multiple SYN (synchronize) packets coming from a rogue IP. For the record, the role of SYN packets in a benign scenario is to request a connection with a server.

4. Tsunami SYN Flood. This method harnesses scores of TCP SYN packets that are larger than 1,000 bytes each. This quirk makes it different from a “classic” SYN Flood attack in which the data footprint of malicious requests is much lower.

5. SYN-ACK Flood. Unlike the previous type, this one exploits a TCP connection phase at which a web server replies to a client to acknowledge a request it has received. Because these packets are submitted in a disorderly manner that is at odds with the three-way handshake principle, the server reaches its processing threshold trying to sort them out.

6. ACK & PUSH ACK Flood. To get this raid going, a crook perplexes a server with a bevy of ACK (acknowledge) and PUSH ACK requests that do not fit the context of the regular TCP mechanism.

7. Fragmented ACK Flood. An attacker shells a network with patchy ACK packets. When attempting to organize these requests, routers encounter a denial-of-service condition. This raid is one of the crooks’ favorites because it can disrupt a network with a comparatively small number of partial packets.

8. Spoofed Session Flood. The recipe for this attack includes a spoofed SYN packet, several ACK packets, and at least one RST (reset) or FIN (end of the connection) packet. Some network defenses do not examine return traffic, and therefore this offensive might go unnoticed.

9. NTP Flood. The purpose of the Network Time Protocol (NTP) is to synchronize the clock parameter between networks. Since many NTP servers are scarcely protected against exploitation, perpetrators can piggyback on them to generate a ton of anomalous UDP traffic and direct it toward a victim computer network.

10. SSDP Flood. The Simple Service Discovery Protocol (SSDP) is part of the Universal Plug and Play (UPnP) cluster of networking protocols that provide seamless interoperability between connected devices. To cybercriminals, though, it primarily denotes an instrument for orchestrating one of the common forms of DDoS. A bad actor sends tiny UDP requests carrying the spoofed IP address of a target server to a plethora of networked devices that run UPnP. These devices reply to that IP, only to drain the server’s processing power.

11. SNMP Flood. This one capitalizes on the Simple Network Management Protocol (SNMP) that amasses and arranges information relating to Internet-enabled devices. An attacker submits a series of requests containing a victim server’s mimicked IP address to network gear (e.g., a router or a switch) that leverages SNMP. This equipment, in turn, generates reply packets to the specified IP, thereby taking the server down.

12. CHARGEN Flood. Having been around for more than three decades, the Character Generator Protocol (CHARGEN) is one of the oldest of its kind. Despite its age, it is still being used by some networked printers and photocopiers. A malefactor can query many such devices with small packets carrying a target server’s IP. This leads to numerous replies rushing to the server.

13. Ping Flood. This DDoS attack revolves around fraudulent Internet Control Message Protocol (ICMP) echo requests. The victim server allocates all its resources to spawn packets in response to these numerous pings and denies service to legitimate clients.

14. VoIP Flood. To pull off this onslaught, crooks bombard a network with countless Voice over Internet Protocol (VoIP) packets that mimic regular traffic coming from a slew of different IP addresses.

15. Media Data Flood. When a server is being targeted this way, it receives multiple spammy audio and video files that drain its capacity. Since these files are sent from different genuine-looking IPs, the attack is likely to fly undetected.

16. HTTP Flood. To initiate this incursion, a threat actor shells a web application with malformed GET or POST requests. To imitate natural traffic, this technique may engage a botnet of previously infected devices.

17. Recursive HTTP GET Flood. To carry out this attack, a perpetrator requests a series of web pages from a server and examines the replies. Then, each web page element is recurrently queried to overburden the server.

18. Random Recursive GET Flood. The usual targets of this DDoS attack are websites that contain recursive pages. Forums and blogs are common examples. An adversary sends numerous GET requests to knock the resource offline. To feign real traffic, the attacker picks page numbers randomly from a valid set.

19. Single Session HTTP Flood. A malicious actor establishes a single HTTP session that spawns multiple requests lurking within the same HTTP packet. In addition to magnifying the disruptive effect, this technique can bypass some network protections that do not flag such traffic as abnormal.

20. LDAP Amplification. This attack misuses the Lightweight Directory Access Protocol (LDAP) that facilitates username and password verification to access web applications in the enterprise environment. A criminal submits tiny requests conveying a target’s IP address to an unsecured LDAP server, which replies to that IP recurrently. In the aftermath of this flood, the victim network runs out of resources.

21. Smurf Attack. By harnessing a strain of malware called Smurf, a criminal torpedoes a large number of Internet-enabled devices with phony ICMP echo requests. Since these packets contain the victim server’s IP address, the devices reply back to that IP and thereby overwhelm the server with traffic it cannot handle.

22. Ping of Death Attack. A malefactor deluges a network with ping packets that “weigh” more than 64 bytes, which is the maximum permitted size. The receiving server tries to reassemble these offbeat packets to no avail and eventually crashes.

23. IP Null Attack. To launch this incursion, an evildoer targets a server with IPv4 packets in which the header value is set to null. These irregular messages confuse the server to the extent that it can no longer operate properly.

24. Fraggle Attack. This foul play involves rogue UDP packets carrying a knockoff IP address of the target’s router. As a result, the network device replies to itself non-stop until it becomes incapable of reacting to legitimate requests.

25. LAND Attack. LAND – short for Local Area Network Denial – is a raid relying on dodgy SYN packets in which the source IP and the destination IP are an exact match. The victim server is thereby pulled into a loop of iterative responses to itself, which causes a denial-of-service predicament.

26. Slowloris. An attacker initiates a bevy of simultaneous connections to a web server and keeps them active by periodically adding split packets and HTTP headers. These connections stay uncompleted for a long time and waste the server’s processing capacity. On a side note, a single computer can be enough to execute the Slowloris onslaught.

27. ReDoS. To mount a ReDoS (Regular Expression Denial-of-Service) attack, a criminal floods a web application with string searches whose algorithmic complexity diminishes the productivity of the associated server.

28. Misused Application Attack. At the first stage of this offensive, a hacker gains a foothold in multiple machines running resource-heavy utilities (e.g., peer-to-peer solutions). Next, the villain reflects hefty volumes of web traffic from these devices to an intended victim’s server.
29. Low Orbit Ion Cannon (LOIC). Ideally, LOIC is used as a tool that allows security experts to identify the pain points of a network by stress-testing it. However, sometimes criminals turn the original purpose upside down by mishandling it to deplete a server’s resources with fake HTTP, UDP, and TCP packets.

30. High Orbit Ion Cannon (HOIC). This is a LOIC spin-off with a much higher stress-testing potential under its hood. DDoS actors often hinge on it to generate myriads of HTTP POST and GET requests and knock a target server offline in a snap. Incidentally, HOIC can concurrently home in on more than 250 domains.

31. Zero-Day DoS. This form or a cyber-assault relies on previously unknown flaws in a server, a web application, or the implementation of a network protocol. It comes as no surprise that companies are hardly ever prepared to dodge this attack vector.

32. APDoS. The acronym stands for “Advanced Persistent Denial-of-Service.” This mechanism kicks in when attackers blend a series of different techniques to deteriorate the performance of a network or a server. Another hallmark of this attack is that it usually lasts for weeks and survives traditional incident response methods.

33. IoT Botnet Attack. This is one of the most destructive types of DDoS as it can generate immense data transfer rates that reach several terabits per second. These attacks parasitize a network of compromised Internet of Things (IoT) devices to generate fraudulent traffic and route it toward a computer network.

DDoS Mitigation Best Practices

DDoS is one of the oldest and the fastest evolving areas of cybercrime, and it is front and center in some of today’s most destructive attacks targeting the enterprise. This type of cybercrime is quickly evolving relying on botnets, open-source network stress testing frameworks, scams, and other means. Therefore, organizations should have effective defenses in place to emerge unscathed if the disaster strikes. A growingly popular and reliable method is to outsource DDoS mitigation to a trusted cloud-based service such as Cloudflare, Sucuri, or Akamai.

It is also a good idea to leverage an intrusion prevention system (IPS) along with a web application firewall (WAF). The former protects a network against malicious code and hacker attacks, while the latter thwarts web application abuse via cross-site scripting (XSS), cross-site request forgery (CSRF), or SQL injection.

In case of limited budgets, timely software updates are a hugely important element of DDoS protection, too. Vulnerability patches raise the bar for malefactors and prevent the network infrastructure from becoming easy prey.

About the Author – David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures. https://www.linkedin.com/in/david-balaban/

Scammers take advantage of Clorox buying frenzy

While the world adjusts to COVID-19 and its deadly spread, malicious actors are mobilizing, attempting to capitalize on the collective attention that is currently focused on the virus. We recently analyzed traffic going to websites related to the Coronavirus, such as the online resources operated by the CDC and WHO as well as traffic to malicious websites that are masquerading as legitimate sources of information. Our analysis found that traffic to malicious sites skyrocketed — exceeding access to even the most trusted sources for COVID-19 information — as the pandemic sent the world into lockdown.

With so much change in the way the world operates – growth in remote work, more conference calls, increased online shopping – bad actors are getting crafty in order to continue attracting victims to their malicious sites. Wandera has identified a diverse set of sites posing as authentic during this time — from illegal products (e.g., prescription drugs posing as coronavirus antidotes) to phishing attacks (e.g., provide personal information for details on your tax credit) and downright scams (e.g., pay for a product and it never shows up).

Making dirty money off cleaning products

The latest scam site uncovered by our threat intelligence engine MI:RIAM is related to the sale of Clorox products. Clorox is a household brand known for cleaning and disinfecting products and reportedly saw demand surge by 500% in some of their product categories during Q1 2020, a direct link to consumer interest in cleaning as the coronavirus was starting its global outbreak. So it should come as no surprise that bad actors are trying to tap into this growth in consumer interest by launching a scam site.

MI:RIAM identified a site with the domain ‘adclorox[.]com’ while crawling the Internet. At the time of our investigation, an ad for this website was showing up in the second position of results when performing a Google search for ‘clorox’ (see below image taken on July 6, 2020).

The next red flag (after the questionable variation on the official Clorox brand domain name) was how strange it was for a fresh, nine-day-old website to be associated with such a storied brand like Clorox, which is owned by consumer goods giant Proctor & Gamble. Clorox has a legitimate domain clorox.com, and while it looks similar, it has many substantial differences to the scam adclorox[.]com domain.

Key indicators of a scam

First of all, Clorox currently does not sell directly to consumers. As you can see in the below screenshots the legitimate site directs users to retailers’ physical locations and websites to help them buy the product selected. Meanwhile, the adclorox[.]com website displays a ‘limited-time sale’ promotion and mechanism to purchase the selected product using PayPal. Additionally, we traced the Internet traffic to servers hosted in China. No legitimate retailers of Clorox products can be associated with the questionable domain at the time of publication.

Scam site

Legitimate site

Wandera’s threat research team performed an analysis of the infrastructure that is used to host the websites for both the official Clorox product as well as the suspicious domain. Both domains resolve to a set of totally different IPs, as indicated in the table below.

Additionally, the websites do not share any similarities via certificates, the components that enable both websites to encrypt page content and ensure the viewer’s browser displays a “lock icon” indicating a protected webpage. The certificate issuer for adclorox[.]com is Cloudflare, while the issuer for clorox.com is GlobalSign. Wandera research has indicated that attackers make regular use of encryption to trick users into believing the site is authentic.
 

Scam site

The most noteworthy indication of suspicion comes in the registration date. There is a huge difference in domain creation dates. The adclorox[.]com domain was registered nine days ago which is a really young domain for a company that has been around since 1913. The legitimate clorox.com domain was registered 26 years ago.

There is an entry for adclorox[.]com on this scam database website, which contains comments by users who have clued onto the scam, including this one: “I contacted Clorox. This is not one of their sites. I need to notify PayPal because I ordered some items thinking it was a legitimate site.”

Due to domain owner information being obfuscated, we are not able to say with certainty who owns and operates the scam adclorox[.]com domain. It is not standard practice with legitimate companies of this scale to obfuscate their domain registration details.

Legitimate site

Recommendations

We encourage users to take extra precautions during this time as scammers are taking advantage of the heightened reliance on online services. Here are our top tips:

• Always check the URL bar for suspicious domains
• Use a credible DNS server that includes the blocking of malicious domains such as QUAD9 (or Wandera’s Secure Access Layer if your employer has deployed it on your device)
• Don’t click on suspicious links that arrive via email and even messaging apps and social media
• Only use trusted websites
• Don’t download apps from unknown or third-party sources
• Businesses should protect employees by deploying security services to work devices that detect and block suspicious and malicious websites and apps

Update: At the time of writing on July 7, 2020, it appears that Google may have removed the site from its index since it is no longer showing up for the same search. However, the site is still live, but loading much slower than it was during the initial investigation.