A Look at a Few Real-World Multi-Vector API & Web Application Attacks

PUBLISHED ON January 13, 2023
LAST UPDATED Jan 13, 2023

We at ThreatX are observing an uptick in multi-vector API and web application attacks: orchestrated attacks that include several phases, leverage multiple techniques, and involve evasion tactics. Often, these multi-vector attacks serve a dual purpose: distracting the security team while simultaneously aiming precisely at an intended target.

Below we highlight the recent experiences of three ThreatX customers who faced these sophisticated, multi-vector API attacks. 

Get background on why APIs are now targets, how attackers are targeting them, and how to defend them in The Definitive Guide to API Attack Protection.

Large online retailer 

A large online retailer came to us after several months of very frustrating attempts to thwart a multi-vector attack. At first, they noticed increased attack patterns and identified a mid-grade DDoS attack. They immediately employed a stand-alone DDoS solution to try to defend their systems. At the same time, they started to notice a higher-than-usual level of login failures coming in through the web. They assumed this activity was a credential stuffing attack, and they pivoted to a bot solution to try to manage the bot-based attacks.

What they ultimately found, and what we were able to help them identify, was that the DDoS attacks were intended to distract the security team so that attackers could freely pursue the real target, the mobile APIs. The DDoS was being used to trigger BGP routing to bypass fraud protection for mobile APIs. 

Learn more about the types of DDoS attacks we are seeing in our recent Live Q&A: The Evolution to Record-Breaking DDoS.

This customer’s experience highlights the limitations of attempting to address individual attack vectors with multiple point solutions. If these solutions are not fully integrated (rather than stitched together with duct tape), and you don’t have visibility into the full context of the attack, it is very difficult to understand what the attackers are actually looking for.

Large credit union 

A large credit union was migrating to its new mobile and web application platform. As part of this process, they were asking their customer base, which was in the tens of thousands, to create new credentials. 

At the same time, we noticed what appeared to be a credential stuffing attack. Because the credit union wanted to minimize the impact on legitimate customers, they were very disinclined to start blocking until they had reached a significant number of actual failed login attempts.

Get details on the types of credential stuffing attacks we are seeing in new research from ThreatX Labs.

We then worked to identify the common characteristics of the suspicious IPs. Rather than immediately blocking, we used advanced techniques such as tarpitting and rate limiting at the IP level while we continued to collect additional information. As we began to identify the characteristics of the attackers, we had enough data between fingerprints and the attack behaviors to accurately block the attacker. At the same time, the attackers launched a DDoS-level brute force campaign as a diversionary tactic.
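The graduated response described above can be sketched as follows. This is an added example, not ThreatX's implementation; the window, thresholds, delay curve and the class and method names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW = 60        # seconds of failed-login history kept per IP (assumed)
SOFT_LIMIT = 5     # failures tolerated in the window before slowing down (assumed)
MAX_DELAY = 30.0   # upper bound on the tarpit delay in seconds (assumed)


class GraduatedResponse:
    """Slow suspicious IPs first; block only once a fingerprint is confirmed."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of failed logins
        self.confirmed = set()              # fingerprints attributed to the attacker

    def confirm_attacker(self, fingerprint):
        # Called once enough fingerprint and behaviour data has been collected.
        self.confirmed.add(fingerprint)

    def on_failed_login(self, ip, fingerprint, now):
        """Return (action, delay_seconds) for one failed login attempt."""
        history = self.failures[ip]
        history.append(now)
        # Drop failures that have aged out of the sliding window.
        while history and now - history[0] > WINDOW:
            history.popleft()

        if fingerprint in self.confirmed:
            return ("block", 0.0)

        excess = len(history) - SOFT_LIMIT
        if excess <= 0:
            # A legitimate user mistyping a new password stays under the limit.
            return ("allow", 0.0)

        # Tarpit: the response is held back longer with every extra failure,
        # which also rate-limits the IP while evidence is still being gathered.
        return ("tarpit", min(MAX_DELAY, 0.5 * 2 ** (excess - 1)))
```

Because blocking depends on the confirmed fingerprint rather than the failure count, a customer who repeatedly fails to log in during the migration is slowed down but never locked out by this policy.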

Now, in addition to legitimate users trying to log in, the credit union experienced a mid-grade credential stuffing attack, plus a much larger brute force campaign. The attacker's goal here was to use multiple techniques to overwhelm the security team and disguise enumeration and exploitation attempts.

The key to our success in thwarting this attack was identifying unique attacker characteristics, and identifying them in full context, not just from the perspective of a web application firewall or a DDoS solution or a bot solution. With that visibility, we were able to coordinate all of the information into a single platform and then correlate that data over time to identify the real attack vector and the real risk.

Gaming company 

We had a gaming company customer that was launching a new product. Using a botnet, an attacker first identified the new product in the staging area, and was able to do a fair amount of discovery undetected to identify vulnerable APIs. The attacker then disappeared, and the company continued to develop the product.  

Learn more about the role of bots in API attacks in our new whitepaper.

But months later, when the gaming company launched the new game, the attacker returned, deploying a large account takeover attack. While the security organization was dealing with what they thought was a brute force and account takeover attack, there were actually much lower and slower exploitation attempts that were triggered at the same time. The attackers were using the brute force attack as cover while they attempted to exploit the vulnerable APIs they had identified in the reconnaissance phase.  

This example again highlights the fact that attackers are rotating their attack profiles, trying to obscure the real attack, in this case identifying and exploiting authentication APIs. Even though the attackers were using anonymizers and rotating the IPs, user agent information, and other key characteristics, we were able to identify TLS signatures and IP fingerprints. We then correlated that information to recognize that, in addition to what they were doing as a diversionary tactic, there was a whole other set of behaviors targeting the vulnerable APIs. Ultimately, we were able to deploy blocking such that as they continued to rotate through more IPs, those IPs were blocked.
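The correlation described above, grouping requests by TLS fingerprint instead of by IP or user agent, can be illustrated with a small detection routine. This is an added example, not ThreatX's code; the log layout, fingerprint labels, API paths and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict


def build_sample():
    """Constructed log rows: (client_ip, tls_fingerprint, user_agent, path).

    IPs come from documentation ranges; fingerprints and paths are placeholders.
    """
    rows = []
    for i in range(40):  # loud brute-force traffic with rotating IPs and agents
        rows.append((f"198.51.100.{i % 8}", "fp-A", f"UA-{i % 5}", "/api/login"))
    rows += [  # low-and-slow requests from the same TLS client stack
        ("203.0.113.7", "fp-A", "UA-9", "/api/v1/session/refresh"),
        ("203.0.113.9", "fp-A", "UA-3", "/api/v1/password/reset"),
    ]
    rows += [  # ordinary users
        ("192.0.2.10", "fp-B", "Mobile/1.0", "/api/login"),
        ("192.0.2.10", "fp-B", "Mobile/1.0", "/api/login"),
        ("192.0.2.44", "fp-C", "Browser/2.0", "/api/v1/profile"),
    ]
    return rows


def correlate(rows, min_ips=3, quiet_max=3):
    """Find fingerprints that rotate IPs and list the quiet paths they also hit."""
    by_fp = defaultdict(lambda: {"ips": set(), "uas": set(), "paths": Counter()})
    for ip, fp, ua, path in rows:
        entry = by_fp[fp]
        entry["ips"].add(ip)
        entry["uas"].add(ua)
        entry["paths"][path] += 1

    findings = {}
    for fp, entry in by_fp.items():
        if len(entry["ips"]) < min_ips:
            continue  # few IPs behind this fingerprint: no sign of rotation
        loud = entry["paths"].most_common(1)[0][0]
        # Paths with only a handful of hits are what the noise is covering for.
        quiet = sorted(p for p, n in entry["paths"].items()
                       if p != loud and n <= quiet_max)
        findings[fp] = {"ips": len(entry["ips"]), "user_agents": len(entry["uas"]),
                        "loud_path": loud, "quiet_paths": quiet}
    return findings
```

A TLS fingerprint is shared by every client built on the same TLS library, so it works as a grouping key to combine with other signals rather than as a verdict on its own.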

Get more details on this new attack type in our whitepaper, Why an Attacker-Centric Approach Is Key to API Protection.



About the Author

Bret Settle

Bret has served in multiple executive roles for Corporate Express/Staples and BMC Software and has extensive knowledge of the software development and security products industries. Bret has been responsible for enterprise security in multiple roles and has been an innovator throughout his career. He has a proven track record of building and developing high-performing organizations and dynamic cybersecurity teams.