[BreachExchange] Credential stuffing is just the tip of the iceberg
Destry Winant
destry at riskbasedsecurity.com
Fri Sep 25 09:48:47 EDT 2020
https://www.helpnetsecurity.com/2020/09/24/credential-stuffing-is-just-the-tip-of-the-iceberg/
Credential stuffing attacks are taking up a lot of the oxygen in
cybersecurity rooms these days. A steady blitz of large-scale
cybersecurity breaches in recent years has flooded the dark web with
passwords and other credentials that are reused in subsequent attacks,
such as those on Reddit and State Farm, as well as in widespread efforts
to exploit the remote work and online get-togethers resulting from the
COVID-19 pandemic.
But while enterprises are rightly worried about weathering a hurricane
of credential-stuffing attacks, they also need to be concerned about
more subtle, but equally dangerous, threats to APIs that can slip in
under the radar.
Attacks that exploit APIs, beyond credential stuffing, can start small
with targeted probing of unique API logic, and lead to exploits such
as the theft of personal information, wholesale data exfiltration or
full account takeovers.
Unlike automated flood-the-zone, volume-based credential attacks,
other API attacks are conducted almost one-to-one and carried out in
elusive ways, targeting the distinct vulnerabilities of each API,
making them even harder to detect than attacks happening on a large
scale. Yet, they’re capable of causing as much, if not more, damage.
And they’re becoming more and more prevalent with APIs being the
foundation of modern applications.
Beyond credential stuffing
Credential stuffing attacks are a key concern for good reason. High
profile breaches—such as those of Equifax and LinkedIn, to name two of
many—have resulted in billions of compromised credentials floating
around on the dark web, feeding an underground industry of malicious
activity. For several years now, about 80% of breaches that have
resulted from hacking have involved stolen and/or weak passwords,
according to Verizon’s annual Data Breach Investigations Report.
Additionally, research by Akamai determined that three-quarters of
credential abuse attacks against the financial services industry in
2019 were aimed at APIs. Many of those attacks are conducted on a
large scale to overwhelm organizations with millions of automated
login attempts.
Credential stuffing is only one of the many threats to APIs defined in
the 2019 OWASP API Security Top 10, and the majority of API threats lie
beyond it. In many instances they are not automated, are much more
subtle and come from authenticated users.
APIs, which are essential to an increasing number of applications, are
specialized entities performing particular functions for specific
organizations. Someone exploiting a vulnerability in an API used by a
bank, retailer or other institution could, with a couple of subtle
calls, dump the database, drain an account, cause an outage or do all
kinds of other damage to impact revenue and brand reputation.
An attacker doesn’t even have to necessarily sneak in. For instance,
they could sign on to Disney+ as a legitimate user and then poke
around the API looking for opportunities to exploit. In one example of
a front-door approach, a researcher came across an API vulnerability
on the Steam developer site that would allow the theft of game license
keys. (Luckily for the company, he reported it—and was rewarded with
$20,000.)
Most API attacks are very difficult to detect and defend against since
they’re carried out in such a clandestine manner. Because APIs are
mostly unique, their vulnerabilities don’t conform to any pattern or
signature that would allow common security controls to be enforced at
scale. And the damage can be considerable, even coming from a single
source. For example, an attacker exploiting a weakness in an API could
launch a successful DoS attack with a single request.
API DoS
Rather than the more common DDoS attack, which floods a target with
requests from many sources via a botnet, an API DoS can happen when
the attacker manipulates the logic of the API, causing the application
to overwork itself. If an API is designed to return, say, 10 items per
request, an attacker could change that value to 10 million, using up
all of an application’s resources and crashing it—with a single
request.
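The pagination case above is easy to reproduce in a request handler. The following is an added example, not code from the article: a vulnerable handler that trusts a client-supplied `per_page` value beside a hardened one that validates it against a server-side ceiling and returns a 400 for anything out of range (the endpoint, parameter name and item store are constructed for illustration).

```python
"""Page-size handling for a list endpoint: unbounded 'before' beside a bounded 'after'.

Added example, not code from the article. The `per_page` parameter, the
item store and the (status, body) handler shape are constructed for
illustration.
"""
from itertools import islice

DEFAULT_PAGE_SIZE = 10
MAX_PAGE_SIZE = 100  # server-side ceiling, independent of what the client asks for


def fake_items():
    """Constructed stand-in for a database cursor: yields rows on demand."""
    n = 0
    while True:
        yield {"id": n, "name": f"item-{n}"}
        n += 1


def list_items_unbounded(query):
    """Vulnerable version: the client-supplied page size is used as-is.

    A single request with per_page=10000000 makes the server materialise
    ten million rows in memory, which is the API DoS described above.
    """
    per_page = int(query.get("per_page", DEFAULT_PAGE_SIZE))
    return 200, list(islice(fake_items(), per_page))


class BadRequest(ValueError):
    """Raised for parameters the server refuses rather than silently fixes."""


def parse_page_size(raw, default=DEFAULT_PAGE_SIZE, maximum=MAX_PAGE_SIZE):
    """Validate the page size: it must be an integer in [1, maximum].

    Out-of-range values are rejected rather than clamped so that the
    client learns the limit and so that probing shows up as 4xx responses
    in the access logs.
    """
    if raw is None:
        return default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise BadRequest(f"per_page must be an integer, got {raw!r}")
    if not 1 <= value <= maximum:
        raise BadRequest(f"per_page must be between 1 and {maximum}")
    return value


def list_items_bounded(query):
    """Hardened version: returns (status, body) like a minimal HTTP handler."""
    try:
        per_page = parse_page_size(query.get("per_page"))
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    return 200, list(islice(fake_items(), per_page))


if __name__ == "__main__":
    status, body = list_items_bounded({"per_page": "25"})
    print(status, len(body))
    status, body = list_items_bounded({"per_page": "10000000"})
    print(status, body)
```

The same validation belongs on every numeric parameter that scales server work (page number, date ranges, batch sizes, nesting depth in GraphQL queries); rejecting rather than clamping also gives the detection team a clean signal, since a burst of 400s on one parameter from one client is the probing the article describes.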
Credential stuffing attacks present security challenges of their own.
With easy access to evasion tools—and with their own sophistication
improving dramatically—it’s not difficult for attackers to disguise
their activity behind a mesh of thousands of IP addresses and devices.
But credential stuffing nevertheless is an established problem with
established solutions.
How enterprises can improve
Enterprises can scale infrastructure to mitigate credential stuffing
attacks or buy a solution capable of identifying and stopping the
attacks. The trick is to evaluate large volumes of activity and block
malicious login attempts without impacting legitimate users, and to do
it quickly, identifying successful malicious logins and alerting users
in time to protect them from fraud.
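The two detection goals named here, blocking the automated login flood without touching legitimate users and finding the successful logins inside it, can be illustrated on authentication logs. The following is an added example, not from the article: it scores each source IP by attempt volume, distinct usernames tried and failure ratio, and then lists the successful logins from flagged sources as accounts to alert. The log format, thresholds and sample lines are constructed for illustration.

```python
"""Credential-stuffing triage over authentication log lines.

Added example, not code from the article. The log format, the thresholds
and SAMPLE_LOG are all constructed for illustration; production systems
would add device fingerprints, ASN data and per-account velocity.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source trying many different accounts with mostly
# failures (the stuffing signature), and one ordinary user who mistypes a
# password twice before succeeding.
SAMPLE_LOG = """\
2020-09-24T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-09-24T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-09-24T10:00:02Z ip=203.0.113.5 user=carol result=OK
2020-09-24T10:00:03Z ip=203.0.113.5 user=dan result=FAIL
2020-09-24T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2020-09-24T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2020-09-24T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2020-09-24T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2020-09-24T10:01:10Z ip=198.51.100.7 user=dave result=FAIL
2020-09-24T10:01:25Z ip=198.51.100.7 user=dave result=FAIL
2020-09-24T10:01:40Z ip=198.51.100.7 user=dave result=OK
"""


def parse_log(text):
    """Yield (ip, user, ok) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def analyze(text, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.7):
    """Return flagged source IPs and the successful logins that came from them.

    A source is flagged only when all three thresholds are met, so a single
    user retrying their own password is never caught by this rule.
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    users = defaultdict(set)
    successes = []  # (ip, user) for every OK, checked against flags afterwards
    for ip, user, ok in parse_log(text):
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            successes.append((ip, user))
        else:
            failures[ip] += 1

    flagged = {
        ip
        for ip in attempts
        if attempts[ip] >= min_attempts
        and len(users[ip]) >= min_distinct_users
        and failures[ip] / attempts[ip] >= min_fail_ratio
    }
    # Accounts whose login succeeded from a flagged source: alert these users.
    compromised = sorted((user, ip) for ip, user in successes if ip in flagged)
    return {"flagged_ips": sorted(flagged), "compromised_logins": compromised}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The failure ratio matters as much as the volume: a stuffing run reuses leaked pairs, so most attempts fail, whereas a password-spraying run against a few accounts or a real user behind a shared NAT looks different on the distinct-user axis. Tuning these three thresholds against historical logs is how the "without impacting legitimate users" requirement is met in practice.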
Enterprises can improve API security first and foremost by identifying
all of their APIs, including what data each exposes and how it is used,
and even those they didn’t know existed. When APIs fly under security
operators’ radar, otherwise secure infrastructure has a hole in the
fence. Once full visibility is attained, enterprises can more tightly
control API access and use, and thus enable better security.
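One practical way to find the APIs an organisation "didn't know existed" is to build an inventory from what the gateway or web server actually served and diff it against the documented one. The following is an added example, not from the article: it parses constructed access-log lines, normalises paths into route templates (numeric and UUID segments become `{id}`), and reports observed routes that are missing from a known inventory, separating those that are live (2xx/3xx) from those that merely returned errors. The log format, the known-inventory set and the sample lines are all constructed for illustration.

```python
"""Shadow-API discovery: observed routes versus the documented inventory.

Added example, not code from the article. The access-log format, the
KNOWN_API inventory and SAMPLE_ACCESS_LOG are constructed for illustration.
"""
import re
from collections import Counter

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
# Path segments that are identifiers rather than route structure.
ID_SEGMENT_RE = re.compile(
    r"^(\d+|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$"
)

# Constructed documented inventory: (method, route template).
KNOWN_API = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/login"),
    ("GET", "/api/v1/orders"),
}

# Constructed sample traffic, including two routes nobody documented and one
# probe for a version that does not exist.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 "GET /api/v1/users/42 HTTP/1.1" 200
203.0.113.9 "GET /api/v1/users/42/export?format=csv HTTP/1.1" 200
198.51.100.3 "POST /api/v1/login HTTP/1.1" 200
198.51.100.3 "GET /api/v1/orders?page=2 HTTP/1.1" 200
203.0.113.9 "GET /internal/debug/dump HTTP/1.1" 200
203.0.113.9 "GET /api/v2/users/7 HTTP/1.1" 404
"""


def route_template(target):
    """Strip the query string and replace identifier segments with {id}."""
    path = target.split("?", 1)[0]
    parts = [
        "{id}" if ID_SEGMENT_RE.match(seg) else seg for seg in path.split("/")
    ]
    return "/".join(parts)


def discover(log_text, known=KNOWN_API):
    """Return observed route counts plus the routes absent from the inventory."""
    observed = Counter()
    live = set()  # routes that answered with a non-error status
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        route = (m["method"], route_template(m["target"]))
        observed[route] += 1
        if int(m["status"]) < 400:
            live.add(route)
    unknown = sorted(r for r in observed if r not in known)
    return {
        "observed": observed,
        "unknown": unknown,
        "unknown_live": [r for r in unknown if r in live],
    }


if __name__ == "__main__":
    report = discover(SAMPLE_ACCESS_LOG)
    for method, route in report["unknown_live"]:
        print(f"undocumented and live: {method} {route} ({report['observed'][(method, route)]} hits)")
```

Run this against a day of gateway logs and the `unknown_live` list is the starting point for the visibility the article calls for: each entry is an endpoint that serves traffic but has no owner, no documented data exposure and no access review. The template normalisation is what keeps the inventory small enough to read; without it every user or order id would look like a separate route.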