The Escalation of Web API Cyber Attacks in 2024 – Check Point Blog

Web APIs faced a sharp rise in attacks in early 2024, with about 1 in 4.6 organizations targeted weekly and cloud-based networks increasingly in the crosshairs. The report highlights critical API vulnerabilities (Fortinet, Joomla!, ownCloud, Ivanti) and crypto-miner activity linked to exposed API endpoints, underscoring the urgent need for stronger API security. #Ivanti #Fortinet #Joomla #ownCloud #IvantiConnectSecure #IvantiPolicySecure #C3pool #Skypool #CryptoMining

Keypoints

  • In January 2024, attacks on Web APIs affected about 1 in 4.6 organizations weekly, a 20% rise from January 2023.
  • Education is the most impacted industry, while cloud-based networks saw a 34% increase in attacks vs. the prior year, overtaking on-premises.
  • Notable vulnerabilities include Fortinet CVE-2022-40684, Joomla! CVE-2023-23752, ownCloud CVE-2023-49103, and the Ivanti zero-days (CVE-2023-35078, CVE-2023-46805, and CVE-2024-21887).
  • Attacks commonly involved attacker-controlled dropper scripts (ivanti.js, script.sh) used to download crypto-miner malware and establish outbound wallet connections in clear text.
  • The January 2024 timeframe included a CISA directive to disconnect Ivanti Connect Secure and Ivanti Policy Secure solutions for U.S. federal agencies due to zero-days.
  • IoCs include specific IPs (e.g., 192.252.183.116; 45.130.22.219), mining pool domains (C3pool.org, Skypool.xyz), and several file hashes associated with the malware families.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used publicly exposed web APIs and vulnerabilities (Fortinet, Ivanti, Joomla!, ownCloud) to access endpoints and perform actions such as data exfiltration and command execution. ‘A publicly exposed vulnerability in a web API can allow attackers to perform many actions on the affected systems. An attacker may use a vulnerable API to exfiltrate data, download malicious files, and run arbitrary commands with potential consequences such as unauthorized access to personally identifiable information (PII).’
  • [T1059] Command and Scripting Interpreter – Attacker-controlled hosts contained dropper scripts (ivanti.js and script.sh) used to download crypto-miner malware. ‘…malicious files (ivanti.js and script.sh)…’
  • [T1105] Ingress Tool Transfer – Scripts were used to download crypto-miner malware from remote sources. ‘used to download crypto-miner malware.’
  • [T1071] Application Layer Protocol – Outbound connections to wallets/mining pools in clear text, indicating C2/crypto-mining traffic over standard protocols. ‘Outbound connection with the wallet in clear text.’
  • [T1041] Exfiltration Over C2 Channel – Publicly exposed API vulnerabilities could allow data exfiltration from affected systems. ‘to exfiltrate data…’

Indicators of Compromise

  • [IP Address] – 192.252.183.116, 45.130.22.219
  • [Mining Pool Domain] – C3pool.org, Skypool.xyz
  • [Hash] – 4cba272d83f6ff353eb05e117a1057699200a996d483ca56fa189e9eaa6bb56c, 39ead6055306739ab969a3531bde2050f556b05e500894b3cda120178f2773be, and 2 more hashes
  • [Filename] – script.sh, Ivanti.js
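The indicators above are only useful once they are actually matched against telemetry. The following is an added example, not code from the Check Point report or this summary: it sweeps a handful of constructed log lines (a simple key=value layout assumed here for proxy, DNS and EDR events) for the IPs, mining-pool domains, file hashes and dropper filenames listed on the page. Only the two hashes the page prints are included; the "2 more" are not on the page and are not guessed. Domains are matched by suffix, so a subdomain of a listed pool domain is still caught, and all comparisons are case-insensitive so that Ivanti.js and ivanti.js are treated the same.

```python
"""Sweep log lines for the IoCs listed in the summary above.

Added example, not from the Check Point report. The indicator values are the
ones the page lists; the log lines and their key=value layout are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# IoCs as given on the page (lower-cased for case-insensitive comparison).
IOCS: Dict[str, Set[str]] = {
    "ip": {"192.252.183.116", "45.130.22.219"},
    "domain": {"c3pool.org", "skypool.xyz"},
    "sha256": {
        "4cba272d83f6ff353eb05e117a1057699200a996d483ca56fa189e9eaa6bb56c",
        "39ead6055306739ab969a3531bde2050f556b05e500894b3cda120178f2773be",
    },
    "filename": {"script.sh", "ivanti.js"},
}

# Candidate extractors; they pull anything that looks like an indicator,
# and the IoC sets decide what is actually reported.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
FNAME = re.compile(r"\b[\w.-]+\.(?:sh|js)\b", re.IGNORECASE)

# Constructed sample telemetry (not real captures): one proxy fetch of the
# dropper, one DNS lookup of a pool subdomain, one EDR process event with a
# listed hash, and one benign line that must not match.
SAMPLE_LOGS = [
    "2024-01-15T10:02:11Z proxy src=10.0.0.5 dst=192.252.183.116 url=http://192.252.183.116/ivanti.js status=200",
    "2024-01-15T10:02:14Z dns client=10.0.0.5 query=pool.c3pool.org type=A",
    "2024-01-15T10:02:30Z edr host=web01 event=process_create image=/tmp/script.sh sha256=4cba272d83f6ff353eb05e117a1057699200a996d483ca56fa189e9eaa6bb56c",
    "2024-01-15T10:05:00Z proxy src=10.0.0.7 dst=203.0.113.10 url=https://example.com/ status=200",
]


def extract(line: str) -> Dict[str, Set[str]]:
    """Pull candidate indicators out of one log line, normalised to lower case."""
    return {
        "ip": set(IPV4.findall(line)),
        "domain": {h.lower() for h in HOST.findall(line)},
        "sha256": {h.lower() for h in SHA256.findall(line)},
        "filename": {f.lower() for f in FNAME.findall(line)},
    }


def match_domains(hosts: Set[str]) -> Set[str]:
    """Return the listed pool domains that a host equals or is a subdomain of."""
    hits = set()
    for host in hosts:
        for ioc in IOCS["domain"]:
            if host == ioc or host.endswith("." + ioc):
                hits.add(ioc)
    return hits


def scan(lines) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, ioc_value) for every indicator hit."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, 1):
        found = extract(line)
        for kind, values in found.items():
            matched = match_domains(values) if kind == "domain" else values & IOCS[kind]
            for value in sorted(matched):
                hits.append((number, kind, value))
    return hits


if __name__ == "__main__":
    for number, kind, value in scan(SAMPLE_LOGS):
        print(f"line {number}: {kind} matched {value}")
```

Because the report notes that the wallet/pool connections are made in clear text, the pool domain and the dropper filename show up verbatim in DNS and proxy logs, which is what makes this kind of plain string matching effective; the same sweep can be pointed at exported SIEM events by replacing `SAMPLE_LOGS` with a file iterator.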

Read more: https://blog.checkpoint.com/research/a-shadowed-menace-the-escalation-of-web-api-cyber-attacks-in-2024/