The drive for digital transformation has made APIs every organization’s MVP. They’re the glue that holds machine-to-machine communications together, facilitating the transfer of much-needed information from one machine to the next.
However, as the gateways to treasure troves of data, APIs are also a rising prime target for malicious actors.
In 2021, Gartner predicted that API attacks would be the most common attack vector by the end of 2022. Ultimately, that prediction turned out to be true. 2022 saw some of the most devastating API attacks yet on organizations of all shapes, verticals, and sizes.
But don’t worry, there’s good news. API attacks can affect any company, which means there’s a lot to learn from other people’s (understandable) mistakes. Here are the biggest lessons from 2022’s highest-profile API attacks.
Threat Actors’ Greatest Hits: The Top 2022 API Attacks and Incidents to Learn From
A strong API security program plays a fundamental role in protecting your organization’s attack surface. Here are three incidents that hold lessons for defending against today’s malicious actors, data breaches, and attacks:
1. Twitter’s Zero-Day Vulnerability and the Importance of Validating Identities with Each API Call
An attacker exploited a zero-day vulnerability within Twitter APIs, allowing them to pull data on Twitter users by submitting email addresses and phone numbers to the API and scraping the corresponding usernames. Nearly 5.5 million users were affected by the leak.
While the stolen user data was initially offered for sale at $30,000 in July 2022, it was leaked freely in November 2022 on Breach Forums. The data haul from the API attack included private user information — such as email addresses and telephone numbers.
Corsha’s Big Takeaway
In the wake of the API attack, Twitter suggested that users implement two-factor authentication to safeguard access to their accounts. But why not extend that level of authentication to API access in the first place? With MFA in play, any calls to an API (even those by apparently authorized users) will require an additional level of verification.
While Twitter patched the vulnerability, it didn’t solve the base issue: The vulnerability had already opened up access to its APIs.
Threat actors work fast — that’s why API security needs to work even faster. Traditional vulnerability patching is necessary, but it can’t account for the problems with security that vulnerabilities open up before they’re detected.
What can account for those problems? Then MFA with every API call is the answer.
2. Dropbox’s Leak Reveals Gaps with Third Parties
In 2022, threat actors infiltrated 130 Dropbox source code repositories on GitHub. The tech giant was the target of a massive phishing campaign that resulted in free access to several of Dropbox’s API keys.
While this particular breach didn’t immediately threaten any highly valuable resources like source code, infrastructure, or core apps, the API key leak could still have potentially devastating future consequences. These leaked keys in particular were used by Dropbox developers, meaning threat actors could have quickly exploited the APIs responsible for transferring sensitive data in critical CI/CD pipelines or workflows.
Corsha’s Big Takeaway
MFA again has the potential to come to the rescue – in particular, MFA for machine identity. When API keys are lost in the digital ether, they can no longer reliably validate a user’s identity. That’s because each call made to an API would automatically assume — simply if the user held the right key — that they were an authorized user.
In this case, Dropbox APIs would assume that anyone with the correct key is a Dropbox developer. MFA provides an additional layer of security that doesn’t rely on static credentials to validate identities, meaning just having the right key is no longer enough for bad actors looking to breach systems.
Don’t just take our word for it. In 2022, CISA also issued strong guidance for organizations to implement MFA to build better resilience and defense against malicious attacks – specifically phishing. While MFA for human users is already popular, the rise of API breaches makes it clear that organizations must work to prevent “phishing,” or bad actors masquerading as machine identities as well.
3. The Uber Breach Reminds Us That Threats Can Come From The Inside
A malicious actor gained login access to Uber’s privileged access management (PAM) solution. In this case, the attacker was already a contractor for Uber, meaning that they had some legitimate network access and privileges. The contractor also happened to have access to a PowerShell script that contained hard-coded credentials – including SSH keys, API tokens, API keys, and even passwords.
How did this bad actor escalate privileges to reach Uber’s PAM? By stealing those hard-coded credentials.
Hard coding credentials is a common practice in the developer world. It helps streamline workflows so that developers can have quick and easy access to the secrets they need while working. However, that also makes secrets tough to rotate, manage, and secure. That’s because hard coding leaves them out in the open to anyone who has access to the code files.
What’s the result? Fast development, but at a cost.
Corsha’s Big Takeaway
Chances are, your enterprise is already working with contractors and other third parties to help get the job done. Although they might have some legitimate and authorized privileges, hard-coded credentials can quickly give third parties access that they simply shouldn’t have.
Fortifying your API security program with machine identity MFA levels up your defense against these potential internal compromises. It makes sure that users keep to the assets they’re authorized to access — and only those assets. When it comes to preventing third parties from using stolen or leaked API keys, there’s only one answer: Machine identity MFA.
Machine identity MFA is relatively hands-off, meaning organizations don’t have to allocate additional budget or resources to other more intensive API security measures, like secrets management. MFA can also be particularly useful in defending against insider threat attacks, like the 2022 Uber incident.
The additional safety net of machine identity MFA uplifts a key pillar of best cybersecurity practices: Continuous verification. That is — verifying access for any and all resources, at any and all times.
Don’t Let Breaches Become A Broken Record
API attacks and breaches are a new standard story in the news cycle. With app-to-app communication facilitating modern business more than ever, API security is an even greater priority for organizations determined to defend against financial and reputational loss.
That means they need an immediately effective security solution. But investment in the bearer model and secrets management cannot produce immediate results.
What can? Machine identity MFA. With the protective layer of multi-factor authentication, organizations can avoid the headlines and become leading industry players.
Taking your API security program to the next level can seem daunting. Find out how to get started with our API scorecard.