Do you know what goes on in the darknet? Well, your API security could be at stake. DarkOwl, a leading provider of darknet data, has observed conversations on the darknet on topics including hacking APIs, stolen API secrets that are then traded in underground digital marketplaces, and shared API exploitation codes.
Ultimately, data from conversations on the darknet can inform security professionals about malicious threat actors' tactics, techniques, and methods, helping them construct better, actionable defenses to combat those threats. Corsha CEO and Co-Founder Anusha Iyer and DarkOwl CEO and Co-Founder Mark Turnage got together to discuss how API security professionals can benefit by studying the conversations happening within the darknet.
Read on to learn:
Targeting APIs is not a new phenomenon, but it is a tactic that threat actors are leveraging more frequently. As organizations work to digitally transform app ecosystems into microservices, APIs end up forming the backbone of communication. In addition, while more enterprises move toward the cloud, their API ecosystems only grow more complex, with greater surface area for bad actors to exploit. Unfortunately, APIs are often an underserved component of cybersecurity in most enterprises.
In October 2022, the Toyota Motor Corporation warned customers that their personal information may have been exposed because an API key was publicly available on GitHub for almost five years. In December 2017, a subcontractor uploaded some source code from Toyota T-Connect, the official Toyota connectivity app, to a publicly accessible GitHub repository. From this incident alone, 296,019 customer records were exposed.
Recently, FTX and 3Commas revealed that an API exploit was used to make illegal FTX transactions using API keys that were obtained from phishing attacks. 3Commas alerted users that the API keys were obtained from outside of the platform, but still pose the risk of being used to make financial transactions. As a result, FTX will dole out $6 million to compensate the victims of this incident.
So, how can the darknet help shed light on incidents like these? And what exactly is the darknet?
We call the darknet “dark” because you can’t get there with an ordinary browser or a Google search. It’s a network of sites that often require a specialized browser or specialized access that obfuscates user identity. The traffic itself is usually encrypted, making it a ripe environment for criminal communication and engagement.
For example, two threat actors could anonymously conduct a transaction, have a conversation, buy or sell illegal goods, and so on. Even if a law enforcement agency had a full view of the discussion and transaction, they wouldn’t know the identities of the people having the conversation.
Darknet use in the U.S. has increased by 80% over the past three years, and 37% of all organizations were attacked with ransomware from or had sensitive information leaked on the darknet in 2021. Not only that, but 67% of darknet offers for access to corporate networks cost $5,000 USD or less in 2021. That’s a small price to pay for such a useful asset.
DarkOwl extracts data at scale from tens of thousands of darknet sites on a daily basis. The company then indexes that data, stores it, and makes it available and searchable for clients. Through its data collection, DarkOwl has seen an increasing number of threat actors discussing stolen API secrets, keys, and session tokens.
Here’s an example of what some of the API-related conversations that DarkOwl has observed sound like: Imagine two threat actors entering a forum to talk about how one of them mounted a successful API attack using one of the JSON Web Token authentication bypass methods.
The first threat actor might say: “Can I buy or borrow that method from you? I’d like to test it on a potential target.” The second threat actor would then pass on said method for the first actor to use however they would like.
By observing and analyzing these conversations, security providers can gain more insight and details on the specific methods that threat actors are using to execute API attacks. For example, security providers could see if threat actors are plotting an attack against a specific organization, and what kind of attack methods they plan on leveraging. The more insight organizations have, the better they can guard against those attacks.
In the name of convenience, many enterprises that rely on API secrets have probably leaked API keys across their systems without realizing it. Secrets are largely static, often shared, and rarely rotated, meaning they are likely to be continuously leaked, sprayed, and sprawled across numerous environments. And because the current model of API authentication is largely static, those secrets are the perfect targets for threat actors.
To fully protect APIs against the threat actors conspiring on the darknet, enterprises need dynamic machine identity for APIs and fully automated MFA for machines. This provides a lot of the benefits we see on the human side of MFA, like pinning access to only trusted machines. Even if a key inadvertently gets checked into a public GitHub repository (like the Toyota incident), if MFA is enforced as a secondary factor, your APIs are still safe.
Think of this as a second, dynamic layer of protection for your APIs, where you can ensure that API calls are being made with single-use MFA credentials – and not static credentials that have potentially fallen into the wrong hands.
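The following is an added illustration of the two-layer idea described above, not code from Corsha or DarkOwl: a server that checks the static API key (the factor that leaks into repositories) and then also demands a single-use proof that the caller possesses a secret registered to a trusted machine. The machine registry, the request layout, the HMAC-based proof, the 60-second freshness window and the sample key are all constructed assumptions for the example; the point it shows is that a leaked static key alone is refused, and that a captured proof cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed sample values: the static first factor that could leak in a repo,
# and a registry of per-machine secrets that never leave the trusted machines.
STATIC_API_KEY = "sk_live_constructed_sample_key"
TRUSTED_MACHINES = {
    "build-agent-01": bytes.fromhex("11" * 32),
    "inventory-svc": bytes.fromhex("22" * 32),
}


def make_proof(secret: bytes, machine_id: str, nonce: str, ts: int, body: bytes) -> str:
    """HMAC-SHA256 over the machine id, a fresh nonce, a timestamp and the request body.

    The nonce is fresh per call and the server remembers accepted nonces, so a
    captured proof cannot be presented a second time.
    """
    msg = f"{machine_id}|{nonce}|{ts}|".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_request(machine_id: str, secret: bytes, body: bytes, now: Optional[float] = None) -> dict:
    """What a caller sends: the static key plus a single-use, machine-bound proof."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {
        "api_key": STATIC_API_KEY,
        "machine_id": machine_id,
        "nonce": nonce,
        "ts": ts,
        "body": body,
        "proof": make_proof(secret, machine_id, nonce, ts, body),
    }


class Verifier:
    """Server side: requires the static key AND a valid single-use machine proof."""

    def __init__(self, machines: dict, window_seconds: int = 60):
        self.machines = machines
        self.window = window_seconds
        self.seen = set()  # (machine_id, nonce) pairs already accepted

    def authorize(self, req: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        # Factor 1: the static key. On its own, this is exactly the thing that leaks.
        if not hmac.compare_digest(req.get("api_key", ""), STATIC_API_KEY):
            return False, "bad api key"
        # Factor 2: proof of possession of a secret registered to a trusted machine.
        secret = self.machines.get(req["machine_id"])
        if secret is None:
            return False, "unknown machine"
        if abs(now - req["ts"]) > self.window:
            return False, "stale"
        if (req["machine_id"], req["nonce"]) in self.seen:
            return False, "replay"
        expected = make_proof(secret, req["machine_id"], req["nonce"], req["ts"], req["body"])
        if not hmac.compare_digest(expected, req["proof"]):
            return False, "bad proof"
        self.seen.add((req["machine_id"], req["nonce"]))
        return True, "ok"


def demo() -> dict:
    """Run the scenarios the text describes and return each verdict."""
    now = 1_700_000_000  # constructed fixed clock so the run is deterministic
    v = Verifier(TRUSTED_MACHINES)
    results = {}

    good = client_request("build-agent-01", TRUSTED_MACHINES["build-agent-01"], b"GET /orders", now)
    results["trusted_machine"] = v.authorize(good, now)
    # The same request, captured and presented again a few seconds later.
    results["replayed_request"] = v.authorize(good, now + 5)

    # Holder of the leaked static key, calling from an unregistered box.
    leaked = client_request("attacker-box", b"guess", b"GET /orders", now)
    results["leaked_key_unknown_machine"] = v.authorize(leaked, now)

    # Holder of the leaked key using a trusted machine's id without its secret.
    spoof = client_request("build-agent-01", b"guess", b"GET /orders", now)
    results["leaked_key_spoofed_id"] = v.authorize(spoof, now)

    # An otherwise valid proof presented an hour after it was produced.
    old = client_request("inventory-svc", TRUSTED_MACHINES["inventory-svc"], b"GET /stock", now - 3600)
    results["stale_proof"] = v.authorize(old, now)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The design choice worth noting is that the per-machine secret is only ever used to produce a proof, never transmitted, so a repository or log that exposes `STATIC_API_KEY` exposes nothing the verifier would accept on its own. In a production deployment the `seen` set would live in shared storage with entries expiring after the freshness window, and the per-machine secret would be held in hardware or an OS keystore rather than a Python dictionary.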
To learn more about how Corsha can secure your APIs against ever-evolving threat actors, check out our product page and explore how our solution could protect all your apps, services, and data with a zero trust architecture.