Don’t Let API Leaks Sink Your Ship | API Security Newsletter

Leaks of API keys and other secrets. The industry has been abuzz with news about attacks – and the ongoing ripple effect – involving leaked API keys, credentials and other secrets. This adds another dimension to your API attack surface, which in turn complicates your defenses and adds to your workload. So, this month the focus of The APIary is on leaked API keys and other secrets – read on for this month’s bit o’ honey.

Software Supply Chain Risks for Low- and No-Code Application Development

Supply chain attacks occur when a third-party vendor or partner with less robust security measures is breached, allowing attackers to indirectly gain access to an organization. This can happen through backdoors planted in software updates, as seen in incidents like SolarWinds and Kaseya. New architectures such as multi-cloud and microservices have made consistent security controls […]

Zeek 5.0.6

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek’s user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.

Need an Insurance Policy Against Ransomware Attacks? Get Silverfort’s Free Identity Security Assessment

Many organizations are struggling today with aligning their security controls with what underwriters now require in order to get insurance coverage against ransomware attacks. From the identity protection perspective, even the initial discovery of MFA and administrative access gaps to address can be a severe challenge, due to a lack of tools that can reveal the security posture of all admin users and service accounts. This is why Silverfort is launching a free identity security assessment offering — to assist organizations in this task and enable them to easily meet insurers’ requirements.

Clarity and Transparency: How to Build Trust for Zero Trust

Be impeccable with your words. It’s the first of the Four Agreements – a set of universal life principles outlined in the bestselling book by Don Miguel Ruiz. ‘Being impeccable with your words’ is my favorite, and it’s no surprise. As a product marketer, I spend most of my daily existence casting about for the perfect word to use in web copy, a webinar, or video script.

Building a secure and scalable multi-cloud environment with Cisco Secure Firewall Threat Defense on Alkira Cloud

In today’s security climate, NetOps and SecOps teams are witnessing increased attack surface area as applications and workloads move far beyond the boundaries of their data center. These applications/workloads move to, and reside in multi-cloud architecture, adding complexity to connectivity, visibility, and control. In the multi-cloud world, the SecOps teams use a distributed security model that is expensive, difficult to deploy, and complex to manage.

Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware


  • Since at least 2019, the Mustang Panda threat actor group has targeted government and public sector organizations across Asia and Europe [3] with long-term cyberespionage campaigns in line with strategic interests of the Chinese government.
  • In November 2022, Mustang Panda shifted from using archive files to using malicious optical disc image (ISO) files containing a shortcut (LNK) file to deliver the modified version of PlugX malware. This switch increases the evasion against anti-malware solutions [2].
  • The Mustang Panda APT group loads the PlugX malware in the memory of legitimate software by employing a four-stage infection chain which leverages malicious shortcut (LNK) files, triggering execution via dynamic-link library (DLL) search-order-hijacking.


Figure 1 – Execution flow of PlugX malware.

First Stage: PlugX Malware Delivered by ISO Image

In the first stage of the infection chain, EclecticIQ researchers assess that the malware was almost certainly delivered by a malicious email with an ISO image attachment. The ISO image contains a shortcut (LNK) file, but it decoyed as a DOC file called “draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.doc”.  

AIs as Computer Hackers

AIs as Computer Hackers

Hacker “Capture the Flag” has been a mainstay at hacker gatherings since the mid-1990s. It’s like the outdoor game, but played on computer networks. Teams of hackers defend their own computers while attacking other teams’. It’s a controlled setting for what computer hackers do in real life: finding and fixing vulnerabilities in their own systems and exploiting them in others’. It’s the software vulnerability lifecycle.

The Critical API Security Gaps in WAAPs

Confused about the difference between a web application firewall (WAF) and a web application and API protection platform (WAAP)? Curious how intelligent a next-gen “intelligent WAF” really is? Wondering whether you need dedicated API security if you have a WAAP? Can you really trust a WAAP to secure your critical data and services?

How a Tiny Radioactive Capsule Was Found In Western Australia

A radioactive capsule that was reported lost in Western Australia on January 25 has been found. The BBC reports: On 25 January, when mining company Rio Tinto reported that one of their Caesium-137 radioactive capsules had gone missing, Western Australian authorities faced a seemingly impossible task. They had to locate a pea-sized capsule anywhere along a 1,400km (870 mile) route stretching from the Gudai-Darri mine in the north of the state to a depot just north of Perth’s city centre. Authorities sprung into action, mobilizing specialist search crews to look for the capsule, with firefighters among those asked to foray from their usual summer tasks. […] Before notifying the public to the threat, on 26 January, authorities began searching in Perth and around the mine site in Newman.

On January 27, an urgent health warning was issued to notify the public about the risk posed by the radioactive capsule. Health authorities had a simple message to anyone who may come across it: Stay away. “It emits both beta rays and gamma rays so if you have it close to you, you could either end up with skin damage including skin burns,” the state’s Chief Health Officer Andy Robertson warned. By January 27, search parties were in full force looking for the tiny capsule. But they were not scouting for it using their eyes – they were using portable radiation survey meters. The survey meters are designed to detect radioactivity within a 20m radius. Police focused their efforts on the GPS route the truck had taken, and on sites close to Perth’s metropolitan and high-density areas. One site along the Great Northern Highway was prioritized by police on 28 January after unusual activity on a Geiger counter – a device used for measuring radioactivity – was reported by a member of public. But that search did not uncover the capsule.

Creating a Honey Token – A complete tutorial

Today we are going to run through step by step how to create your own Honey Tokens using entirely open-source tools. With this method, you can create 1 – 2,000 tokens that you can manage using entirely your own infrastructure. To complete this tutorial you will need an AWS account and create a terraform backend, but don’t worry, even if you have no experience with these tools this tutorial will walk through each step.

What are Honey Tokens or Canary Tokens? Both are different names for essentially the same thing. You can find a much more detailed description in this blog post, but as a refresher, Honey Tokens are secrets (like AWS API keys, or other credentials) that are left in your infrastructure to temp attackers to try and exploit them. Once an attacker uses a HoneyToken, it sends an alert and this lets you know you have an intruder in your systems.

Enough about that, let’s get started. To make this tutorial accessible to everyone, I am going to explain each step including creating an AWS user with the correct permissions and setting up a slack web hook for notifications. Advanced users may wish to skim over these steps if they are experienced in using these tools.

When creating HoneyTokens I always recommend creating a fresh new user to handle these. This way you can restrict scope easily and keep it separate from your everyday workings. If you have never used AWS here are some steps to create them.
If you are familiar with these steps you can skip down to the permissions JSON file.

1. 1 log in to your AWS account or create a new one

If you are brand new to AWS you can create an account here, you can use other cloud providers for this but will require a lot of modifications so today we will stick with AWS.

1.2 Create a new user

Visit your IAM Dashboard and visit the IAM dashboard and click on the user’s tab and follow the prompts.

1.3 Set permissions

Next, we need to set the permissions of the user, it is always a best practice to specify the minimal possible permissions.
Permissions can be added to a group, this may be a good idea if you plan on creating multiple HoneyToken users, or you can assign permissions directly to a user.  For this tutorial, we will select “Assign policies directly” and click “Create policy”.

Select the JSON editor and copy in the policy code below.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "cloudtrail:*", "dynamodb:*", "iam:*", "lambda:*", "logs:*", "s3:*" ], "Resource": "*" } ] }