Leaks of API keys and other secrets. The industry has been abuzz with news about attacks – and the ongoing ripple effect – involving leaked API keys, credentials and other secrets. This adds another dimension to your API attack surface, which in turn complicates your defenses and adds to your workload. So, this month the focus of The APIary is on leaked API keys and other secrets – read on for this month’s bit o’ honey.
Software Supply Chain Risks for Low- and No-Code Application Development
Supply chain attacks occur when a third-party vendor or partner with less robust security measures is breached, allowing attackers to indirectly gain access to an organization. This can happen through backdoors planted in software updates, as seen in incidents like SolarWinds and Kaseya. New architectures such as multi-cloud and microservices have made consistent security controls […]
Introducing the Anomali User Research Group
co-authored with Michael Elliott, Lead Researcher, Anomali Research Team
Political ads face tougher targeting restrictions in EU if MEPs get their way
Europe has moved a step closer to having dedicated rules on online political ad targeting and transparency after the European Parliament fixed its negotiating position — paving the way for talks to start between MEPs and Member States to agree a final compromise text that can be passed into pan-EU law.
Zeek 5.0.6
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek’s user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.
New “Crypto Drainer” Phishing Pages Siphon Cryptocurrency in Seconds
Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.
Dashlane publishes its source code to GitHub in transparency push
Password management company Dashlane has made its mobile app code available on GitHub for public perusal, a first step it says in a broader push to make its platform more transparent.
CISO Makes a Pitch for Security Project Budget with Cost Benefit Analysis
We recently helped a CISO quickly turn around a cost benefit analysis using cyber risk quantification to make the case to save an important security project from death by budget cut. Here’s the story:
Need an Insurance Policy Against Ransomware Attacks? Get Silverfort’s Free Identity Security Assessment
Many organizations are struggling today with aligning their security controls with what underwriters now require in order to get insurance coverage against ransomware attacks. From the identity protection perspective, even the initial discovery of MFA and administrative access gaps to address can be a severe challenge, due to a lack of tools that can reveal the security posture of all admin users and service accounts. This is why Silverfort is launching a free identity security assessment offering — to assist organizations in this task and enable them to easily meet insurers’ requirements.
Clarity and Transparency: How to Build Trust for Zero Trust
Be impeccable with your words. It’s the first of the Four Agreements – a set of universal life principles outlined in the bestselling book by Don Miguel Ruiz. ‘Being impeccable with your words’ is my favorite, and it’s no surprise. As a product marketer, I spend most of my daily existence casting about for the perfect word to use in web copy, a webinar, or video script.
Building a secure and scalable multi-cloud environment with Cisco Secure Firewall Threat Defense on Alkira Cloud
In today’s security climate, NetOps and SecOps teams are witnessing increased attack surface area as applications and workloads move far beyond the boundaries of their data center. These applications/workloads move to, and reside in multi-cloud architecture, adding complexity to connectivity, visibility, and control. In the multi-cloud world, the SecOps teams use a distributed security model that is expensive, difficult to deploy, and complex to manage.
Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware
EXECUTIVE SUMMARY
- Since at least 2019, the Mustang Panda threat actor group has targeted government and public sector organizations across Asia and Europe [3] with long-term cyberespionage campaigns in line with strategic interests of the Chinese government.
- In November 2022, Mustang Panda shifted from using archive files to using malicious optical disc image (ISO) files containing a shortcut (LNK) file to deliver the modified version of PlugX malware. This switch increases the evasion against anti-malware solutions [2].
- The Mustang Panda APT group loads the PlugX malware into the memory of legitimate software by employing a four-stage infection chain that leverages malicious shortcut (LNK) files, triggering execution via dynamic-link library (DLL) search-order hijacking.
PLUGX MALWARE EXECUTION FLOW
Figure 1 – Execution flow of PlugX malware.
First Stage: PlugX Malware Delivered by ISO Image
In the first stage of the infection chain, EclecticIQ researchers assess that the malware was almost certainly delivered by a malicious email with an ISO image attachment. The ISO image contains a shortcut (LNK) file disguised as a DOC file called “draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.doc”.
AIs as Computer Hackers
Hacker “Capture the Flag” has been a mainstay at hacker gatherings since the mid-1990s. It’s like the outdoor game, but played on computer networks. Teams of hackers defend their own computers while attacking other teams’. It’s a controlled setting for what computer hackers do in real life: finding and fixing vulnerabilities in their own systems and exploiting them in others’. It’s the software vulnerability lifecycle.
New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers
The Critical API Security Gaps in WAAPs
Confused about the difference between a web application firewall (WAF) and a web application and API protection platform (WAAP)? Curious how intelligent a next-gen “intelligent WAF” really is? Wondering whether you need dedicated API security if you have a WAAP? Can you really trust a WAAP to secure your critical data and services?
How a Tiny Radioactive Capsule Was Found In Western Australia
On January 27, an urgent health warning was issued to notify the public about the risk posed by the radioactive capsule. Health authorities had a simple message to anyone who may come across it: Stay away. “It emits both beta rays and gamma rays so if you have it close to you, you could either end up with skin damage including skin burns,” the state’s Chief Health Officer Andy Robertson warned. By January 27, search parties were in full force looking for the tiny capsule. But they were not scouting for it using their eyes – they were using portable radiation survey meters. The survey meters are designed to detect radioactivity within a 20m radius. Police focused their efforts on the GPS route the truck had taken, and on sites close to Perth’s metropolitan and high-density areas. One site along the Great Northern Highway was prioritized by police on 28 January after unusual activity on a Geiger counter – a device used for measuring radioactivity – was reported by a member of public. But that search did not uncover the capsule.
USENIX Security ’22 – Yunang Chen, Yue Gao, Nick Ceccio, Rahul Chatterjee, Kassem Fawaz, Earlence Fernandes – ‘Experimental Security Analysis of the App Model in Business Collaboration Platforms’
Our thanks to USENIX for publishing their Presenters’ outstanding USENIX Security ’22 Conference content on the organization’s YouTube channel.
API Security Meets Government Regulators
The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security, and recent data breaches, with the potential theft of private data, have put a spotlight on API security.
Threat Hunting: The Best Defense is a Good (Proactive) Offense
As a senior executive, you know that the security of your organization’s networks and systems is of the utmost importance. Cyber threats are a constant concern, and a breach or attack could have serious consequences in terms of financial loss, reputational damage, and regulatory penalties.
Creating a Honey Token – A complete tutorial
Today we are going to run step by step through how to create your own Honey Tokens using entirely open-source tools. With this method, you can create 1 – 2,000 tokens that you manage using entirely your own infrastructure. To complete this tutorial you will need an AWS account and a Terraform backend, but don’t worry: even if you have no experience with these tools, this tutorial walks through each step.
What are Honey Tokens or Canary Tokens? Both are different names for essentially the same thing. You can find a much more detailed description in this blog post, but as a refresher, Honey Tokens are secrets (like AWS API keys or other credentials) that are left in your infrastructure to tempt attackers into trying to exploit them. Once an attacker uses a Honey Token, it sends an alert, which lets you know you have an intruder in your systems.
Enough about that, let’s get started. To make this tutorial accessible to everyone, I am going to explain each step, including creating an AWS user with the correct permissions and setting up a Slack webhook for notifications. Advanced users may wish to skim over these steps if they are experienced with these tools.
When creating Honey Tokens I always recommend creating a fresh new user to handle them. This way you can restrict scope easily and keep it separate from your everyday work. If you have never used AWS, here are the steps to create one.
If you are familiar with these steps you can skip down to the permissions JSON file.
1.1 Log in to your AWS account or create a new one
If you are brand new to AWS you can create an account here. You can use other cloud providers for this, but that will require a lot of modifications, so today we will stick with AWS.
1.2 Create a new user
Visit the IAM dashboard, click on the Users tab, and follow the prompts.
1.3 Set permissions
Next, we need to set the permissions of the user. It is always best practice to grant the minimal possible permissions.
Permissions can be added to a group, which may be a good idea if you plan on creating multiple Honey Token users, or you can assign permissions directly to a user. For this tutorial, we will select “Assign policies directly” and click “Create policy”.
Select the JSON editor and copy in the policy code below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:*",
        "dynamodb:*",
        "iam:*",
        "lambda:*",
        "logs:*",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
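As an added example of the alerting side of a Honey Token setup (not code from this tutorial), the following Lambda-style handler checks CloudTrail records for use of a planted access key and builds the Slack webhook alert. It assumes the function receives records in the `{"Records": [...]}` shape of a CloudTrail log file, that the planted key IDs are available as a set (standing in for the tutorial's DynamoDB table), and uses a constructed sample record, constructed key IDs and a placeholder webhook URL.

```python
"""Added example: detect use of a Honey Token in CloudTrail records and alert via Slack."""
import json
import urllib.request

# Constructed sample: access key IDs of the Honey Tokens you planted.
# The tutorial keeps these in DynamoDB; a set stands in for that table here.
HONEY_TOKEN_KEY_IDS = {"AKIAEXAMPLEHONEY0001", "AKIAEXAMPLEHONEY0002"}

# Constructed CloudTrail record of the kind produced when a planted key is used.
SAMPLE_RECORD = {
    "eventTime": "2023-02-01T10:15:30Z",
    "eventName": "ListBuckets",
    "eventSource": "s3.amazonaws.com",
    "sourceIPAddress": "203.0.113.45",
    "userAgent": "aws-cli/2.9.0",
    "userIdentity": {"type": "IAMUser", "userName": "honeytoken-user-1",
                     "accessKeyId": "AKIAEXAMPLEHONEY0001"},
}

def honey_token_hit(record, honey_key_ids=HONEY_TOKEN_KEY_IDS):
    """Return the alert fields if this record was made with a Honey Token, else None."""
    key_id = record.get("userIdentity", {}).get("accessKeyId")
    if key_id not in honey_key_ids:
        return None
    return {
        "key_id": key_id,
        "user": record["userIdentity"].get("userName", "?"),
        "action": f'{record.get("eventSource")}:{record.get("eventName")}',
        "source_ip": record.get("sourceIPAddress"),
        "user_agent": record.get("userAgent"),
        "time": record.get("eventTime"),
    }

def slack_payload(hit):
    """Build the JSON body for a Slack incoming webhook (plain text message)."""
    text = (":rotating_light: Honey Token used!\n"
            f"key {hit['key_id']} ({hit['user']}) called {hit['action']} "
            f"from {hit['source_ip']} [{hit['user_agent']}] at {hit['time']}")
    return {"text": text}

def lambda_handler(event, context=None, post=False,
                   webhook_url="https://hooks.slack.com/services/PLACEHOLDER"):
    """Lambda entry point: scan every record, alert on each Honey Token use; returns hit count."""
    hits = [h for r in event.get("Records", []) if (h := honey_token_hit(r)) is not None]
    for hit in hits:
        body = json.dumps(slack_payload(hit)).encode()
        if post:  # posting is off by default so the example runs offline
            req = urllib.request.Request(webhook_url, data=body,
                                         headers={"Content-Type": "application/json"})
            urllib.request.urlopen(req, timeout=5)
    return len(hits)
```

Any call made with a planted key, even a harmless `ListBuckets`, is a hit: the key has no legitimate user, so its first use is the signal.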