Ory Segal
Senior Director, Threat Research
Akamai
VICES AND DEVICES
How IoT & Insecure APIs Became the New Cyber Battlefront
AGENDA:
• APIs Overview & History
• AKAMAI Security visibility & scale
• API statistics from the Akamai platform
• Credential abuse attack overview
• APIs credential abuse campaigns
• SSHowDowN IoT device attacks
APPLICATION
PROGRAMMING
INTERFACE
A software design approach that enables developers to integrate with other systems through a defined set of communication methods.
APIs serve as software building blocks and allow software reuse, enabling fast development of new systems based on existing capabilities.
BRIEF HISTORY OF API TECHNOLOGIES
[Chart: interest over time (scale 0-100), 2004 to 2016, for the technologies below]
• CORBA
• SOAP SERVICES
• UDDI
• WSDL
• RESTful SERVICES
• JSON APIs
• MICROSERVICES
OPEN
&
SIMPLE
The same openness & simplicity that make APIs
attractive to developers also make APIs an
attractive target for attackers
©2017 AKAMAI | FASTER FORWARD™
The Intelligent Platform
• 220,000+ Edge Servers
• 3,315+ Locations
• 1200+ Cities
• 129 Countries
• 1,227+ Networks
The Data
• 3 trillion hits per day
• 1 Billion unique IPs seen quarterly
• 13+ trillion log lines per day
• 260+ terabytes of compressed daily logs
15 - 30% of all web traffic
http://wwwnui.akamai.com/gnet/globe/
http://tech.akamai.com/attack-globe/
AKAMAI’S SECURITY VISIBILITY
Akamai Intelligent Platform
Cloud Security Intelligence
Visibility │ 15-30% of global web traffic │ 3 Trillion Hits/Day │ 550M Daily logins monitored
Data │ 40B daily security events │ 700,000 log lines a second │ 20 TB new attack data daily
Analysis │ Dedicated threat research team │ 100 automated heuristics │ 6M botnets monitored daily
• 144.7B HTTP requests
• 36.6B API Calls
25% of all traffic - API calls!
• 65% Mobile APIs
• 35% AJAX, Web, Other
API Usage (By Industry)
• High Technology: 28%
• Online Retail: 23%
• Media: 23%
• Gaming: 10%
• Hotel & Travel: 8%
• Financial Services: 5%
• Other: 3%
Request Content-Type (APIs vs. Standard Web)
Content-Type │ API Calls │ Standard Web
JSON │ 51% │ 25%
Form-Data │ 36% │ 56%
XML │ 11% │ 10%
Plain Text │ 0% │ 4%
Binary │ 0% │ 2%
Other │ 2% │ 3%
51% OF API CALLS
USE JSON!
Not all security protections are suitable for deep
inspection of attacks within complex JSON
messages
TOP ATTACK
VECTORS AFFECTING
API ENDPOINTS
Application Layer Attacks
Attacks targeting application logic – SQL
Injection, Cross-Site Request Forgery, XSS,
etc.
Denial of Service
Mass-scale attempts to exhaust system
resources and deny service from others
Content Scraping
Illegitimate data mining and content
harvesting
Credential Abuse (“Credential Stuffing”)
Mass-scale account abuse, either by brute-
force guessing, or by using leaked
credentials
• SQL Injection: 76%
• Local File Include: 13%
• Code Injection: 6%
• Command Injection: 3%
• XSS: 2%
• Remote File Include: 0.01%
• 413.4M Login requests
• 27.9M Unique IP Addresses
• 48.7K Internet Hosts
• 42% Only API Calls (JSON, XML, SOAP)
• 55% Only Forms Login
• 3% Use Both
• 78% Mobile Logins
• 22% Browsers, IoT
CREDENTIAL ABUSE
Overview
The average user uses over 50 different services requiring a password
People have limited memory (and they are often lazy)
PEOPLE USE THE SAME PASSWORD EVERYWHERE
It only takes one site to leak...
EVEN THE MOST TRUSTED
SERVICES HAVE BEEN BREACHED
ANATOMY OF AN
ATTACK
CAMPAIGN
TOOLS OF THE TRADE
• 413.4M Login requests
• 27.9M Unique IP Addresses
• 48.7K Internet Hosts
• 30% of all login requests are malicious
CAMPAIGN ANALYSIS
Average Campaign Size (By Number of Accounts)
• Standard Web: 1,000,000
• APIs: 4,000,000
ATTACKERS ATTEMPT x4 MORE STOLEN ACCOUNTS THROUGH API
88% OF ATTACKERS PERFORMED API-BASED ATTACKS!
x4.75 MORE IPs (Avg.) PER CAMPAIGN IN APIs
API LOGINS: THE PERFECT TARGET
Complexity of deep API message
inspection:
The non-standard message formats of API calls make it hard for security solutions to detect attacks, so attacks remain unseen.
Drawbacks of web “Anti-
Automation” solutions:
Most anti-automation solutions apply protections
that are irrelevant in the API ecosystem:
• HTTP anomalies
• CAPTCHA
• JS challenges & fingerprinting
• Rate limits
Limited visibility:
Security products that are not API-centric do not provide proper logging and visibility into API attacks
Lack of proper API management:
Many orgs. deploy hundreds of APIs, each
exposing a multitude of endpoints. Managing
these APIs is a daunting task. Hackers are
constantly on the lookout for “rogue APIs”
Operational simplicity:
APIs provide granular interfaces to backend
software functions. Their consumption in a
programmatic way is extremely simple.
Adversaries recently started using undocumented
APIs intended to be used by mobile applications.
SSHowDowN
On IoT Devices & Credential Abuse Attack Campaigns
REAL WORLD: FINSERV CAMPAIGN
• 1M-bot campaign demonstrated ~25% of IPs as “single use” (no repeat activity)
• Over 1 month, ~70% of the IPs only attacked 1 day
OPEN QUESTIONS?
• How come we see such a high % of “single use” attack machines?
• How come the work load (checked accounts) is balanced so well among so many bot nodes? (no repeated account attempts)
• How come we see large networks of attacking machines that are routers, hotspots, CCTV systems and other IoT devices?
SPECULATION:
A single attacker is routing login traffic using round robin over a long list of machines serving as proxies
• A single source is generating the traffic – explains why it is identical
• A single source runs over the list of accounts – explains why work is not repeated
• Large proxy lists are easy & cheap to maintain – much more than a botnet
Missing piece – What’s the deal with IoT devices?
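A detection sketch for the traffic shape described on these slides, added here as an example and not taken from the talk: it normalises form and JSON login bodies to a username (the deep-inspection problem noted for JSON messages earlier in the deck), then checks for many source IPs, evenly balanced load and no account tried twice. The field names, thresholds and traffic are assumptions constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import parse_qs

USER_KEYS = ("username", "user", "login", "email")  # assumed field names


def find_username(node):
    """Depth-first search of a decoded JSON body for a username field."""
    if isinstance(node, dict):
        for key in USER_KEYS:
            if isinstance(node.get(key), str):
                return node[key]
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_username(child)
        if found:
            return found
    return None


def extract_username(content_type, body):
    """Normalise form and JSON logins to one username, or None."""
    if "json" in content_type:
        try:
            return find_username(json.loads(body))
        except ValueError:  # malformed JSON
            return None
    fields = parse_qs(body)
    for key in USER_KEYS:
        if key in fields:
            return fields[key][0]
    return None


def campaign_profile(records):
    """records: iterable of (source_ip, content_type, body) login attempts."""
    per_ip, per_account = Counter(), Counter()
    for ip, ctype, body in records:
        user = extract_username(ctype, body)
        if user is not None:
            per_ip[ip] += 1
            per_account[user.lower()] += 1
    spread = max(per_ip.values()) - min(per_ip.values()) if per_ip else 0
    return {"ips": len(per_ip), "accounts": len(per_account),
            "repeated_accounts": sum(n > 1 for n in per_account.values()),
            "load_spread": spread}


def looks_like_proxied_list_run(profile, min_ips=5, min_accounts=15):
    """Heuristic (thresholds are assumptions): many IPs, many accounts,
    no account tried twice, near-equal number of attempts per IP."""
    return (profile["ips"] >= min_ips and profile["accounts"] >= min_accounts
            and profile["repeated_accounts"] == 0
            and profile["load_spread"] <= 1)


def constructed_campaign(n_accounts=18, n_proxies=6):
    """Constructed traffic: one account list spread round-robin over proxies."""
    records = []
    for i in range(n_accounts):
        ip = f"203.0.113.{i % n_proxies + 1}"
        if i % 2:  # API login with credentials nested inside the JSON message
            body = json.dumps({"auth": {"user": f"acct{i}@example.com",
                                        "password": "x"}})
            records.append((ip, "application/json", body))
        else:      # classic form login
            records.append((ip, "application/x-www-form-urlencoded",
                            f"username=acct{i}%40example.com&password=x"))
    return records
```

A per-IP rate limit sees only three attempts from each address in this constructed run; the signal appears only when attempts are aggregated across sources.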
MANY SOURCE IPs EXPOSED A WEB INTERFACE
• CCTVs
• Routers
• Servers
• Satellite Antennas(?!)
• ADSL/Cable Modems
• Hotspots
Search for ESTABLISHED TCP Connections
Seems like the SSH daemon is responsible for many active HTTP/HTTPS
connections – some of which are to Akamai Ghost machines
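The check described on this slide, as an added example that is not code from the talk: it parses `netstat -tnp` style output and reports ESTABLISHED connections owned by sshd whose remote port is 80 or 443 and whose local port is not the SSH port, which is what relayed (forwarded) traffic looks like on the device. The sample output is constructed and uses documentation-range addresses.

```python
# Constructed `netstat -tnp` output from a hypothetical device
# (documentation-range addresses; not data from the talk).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp   0      0      0.0.0.0:22        0.0.0.0:*           LISTEN      700/sshd
tcp   0      0      192.0.2.10:22     198.51.100.7:51514  ESTABLISHED 1423/sshd: admin
tcp   0      0      192.0.2.10:40112  203.0.113.80:443    ESTABLISHED 1423/sshd: admin
tcp   0      0      192.0.2.10:40113  203.0.113.81:80     ESTABLISHED 1423/sshd: admin
tcp   0      0      192.0.2.10:8080   198.51.100.9:40000  ESTABLISHED 812/httpd
tcp6  0      0      2001:db8::10:22   2001:db8::99:50222  ESTABLISHED 1500/sshd: root@pts/0
"""

WEB_PORTS = {80, 443}


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 addresses survive."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def sshd_web_connections(netstat_text, ssh_port=22):
    """Return ESTABLISHED connections that sshd itself opened to web ports.

    An ordinary SSH session has the SSH port on the local side. A socket
    owned by sshd with an ephemeral local port and remote port 80/443 means
    sshd is relaying traffic on behalf of a client (TCP forwarding).
    """
    findings = []
    for line in netstat_text.splitlines():
        # The program column may contain spaces ("1423/sshd: admin"),
        # so split into at most seven fields.
        fields = line.split(None, 6)
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        local, remote, state, owner = fields[3:7]
        if state != "ESTABLISHED":
            continue
        pid, _, program = owner.partition("/")
        if program.split(":")[0].strip() != "sshd":
            continue
        _, local_port = split_endpoint(local)
        _, remote_port = split_endpoint(remote)
        if local_port != ssh_port and remote_port in WEB_PORTS:
            findings.append({"pid": pid, "local": local, "remote": remote})
    return findings


def relay_summary(findings):
    """Count relayed web connections per sshd process id."""
    counts = {}
    for finding in findings:
        counts[finding["pid"]] = counts.get(finding["pid"], 0) + 1
    return counts
```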
DEFAULT ACCOUNT CANNOT “SSH” INTO
MACHINE
No active shell sessions seen – not under “root” or “admin” users
The “admin” user (which has the default admin:admin credentials) has
/sbin/nologin configured – so an attacker can’t SSH into the machine and
run commands
Was SSHD tampered with and contains a backdoor? We checked - No...
HOW IS SSH USED FOR THESE ATTACKS?
USING SSH AS SOCKS PROXY WHEN USER HAS NO SHELL PERMISSIONS
All traffic passes through the SSH server, as if you set up a VPN through SSH but without shell permissions on the server
<AllowTcpForwarding yes> (default)
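A configuration audit for the condition on this slide, added as an example and not taken from the talk: it lists accounts whose login shell is nologin or false but for which sshd would still permit TCP forwarding. The passwd and sshd_config contents are constructed, and `Match` handling is simplified as noted in the code.

```python
from fnmatch import fnmatch

# Constructed inputs for a hypothetical device (not data from the talk).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:Web admin:/home/admin:/sbin/nologin
backup:x:1001:1001::/home/backup:/bin/false
"""
SAMPLE_SSHD_CONFIG = """\
# AllowTcpForwarding is not set globally, so the default (yes) applies.
PermitRootLogin no
Match User backup
    AllowTcpForwarding no
"""

NO_SHELL = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# ssh -D and -L are "local" forwarding; the value "remote" only permits -R.
PERMITS_PROXYING = {"yes", "all", "local"}


def parse_forwarding_rules(config_text):
    """Return (global_value, [(user_patterns, value), ...]).

    Simplification: only "Match User" blocks are evaluated (no negated
    patterns); "Match All" is treated as global scope and any other Match
    criteria are treated as matching nobody.
    """
    global_value, rules, scope = None, [], None
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "match":
            if parts[1].lower() == "user" and len(parts) >= 3:
                scope = parts[2].split(",")
            else:
                scope = None if parts[1].lower() == "all" else []
        elif key == "allowtcpforwarding":
            value = parts[1].lower()
            if scope is None:
                global_value = global_value or value  # first value wins
            else:
                rules.append((scope, value))
    return global_value, rules


def effective_forwarding(user, global_value, rules):
    """AllowTcpForwarding value that applies to one user."""
    for patterns, value in rules:
        if any(fnmatch(user, pattern) for pattern in patterns):
            return value
    return global_value or "yes"  # OpenSSH default when unset


def shell_less_accounts_that_can_proxy(passwd_text, config_text):
    """Accounts with no login shell that sshd would still let forward TCP.

    Does not check whether the account can authenticate (locked password,
    AllowUsers and similar), so review each finding with that in mind.
    """
    global_value, rules = parse_forwarding_rules(config_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, shell = fields[0], fields[6]
        allowed = effective_forwarding(user, global_value, rules)
        if shell in NO_SHELL and allowed in PERMITS_PROXYING:
            findings.append(user)
    return findings
```

Setting `AllowTcpForwarding no` globally, or in a `Match User` block for such accounts, clears the finding.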
SSHowDowN INSTRUCTIONS MANUAL:
[Diagram: Attacker → SSH TUNNEL (SOCKS PROXY) → Vulnerable IoT Device → Malicious HTTP → Target Web Server]
/> ssh -D 8080 -N cctv_admin@iot.vuln (requires “default” account credentials)
/> curl --proxy socks5h://localhost:8080 http://target.site/
FROM PROXY TO CLOUD/BOTNET:
[Diagram: Attacker → SSH TUNNEL 1, SSH TUNNEL 2, .... SSH TUNNEL n, each through a Vulnerable IoT Device → Target Web Server]
VULNERABLE DEVICES SPOTTED “IN THE WILD”
And the Cherry on the Cake....
ACCESSING INTERNAL NETWORK MACHINES
1. Create an SSH Proxy Tunnel:
2. Access an internal machine (in this example – over HTTP)
[Screenshot callout: IP of an internal machine]
SUMMARY
1. Huge growth in API usage (>25% of all traffic)
• Mobile apps are the #1 driver
• Device & app integration. IoT ecosphere is a perfect
example
2. Simple & accessible APIs, developed with modern lightweight
frameworks are a convenient, easy target
3. 4 main attack vectors are relevant: Credential Stuffing, App
layer attacks, DDoS, Data Scraping
4. Existing security solutions have drawbacks:
• Deep inspection of modern API message formats
• Technical difficulties implementing “Anti-Automation”
• Lack of granular visibility
• Weak API management
Q & A

Editor's Notes

  • #16: Bit.ly/bigdatabreaches