
Weekly News Digest 16 – 22 December

New report highlights API attack trends

Security firm Wallarm has released a report based on data collected from its globally distributed API honeypot network, revealing insights into the threat landscape for APIs.

Key findings from the report include:

  • APIs are the prime target: APIs now attract more attacks than traditional web applications.

  • Rapid discovery: Newly deployed APIs are discovered by attackers in as little as 29 seconds.

  • Immediate exploitation: Unprotected APIs are exploited within one minute of discovery.

  • High-velocity data theft: Attackers using batched API requests can exfiltrate millions of user records in seconds.

  • Targeting well-known products: Recognizable and widely used API products face heightened targeting by attackers.

Wallarm’s honeypot, which spans 14 locations, provides targeted responses to API requests across multiple protocols, including REST, XML-RPC, GraphQL, and others. Over half (54%) of observed request types were API-specific, highlighting that APIs are the          . Among these, 40% of requests targeted known vulnerabilities (CVEs). While port 80 emerged as the most commonly discovered entry point, interactions were distributed across many ports, demonstrating that protecting only common ports is not enough.

“APIs are the foundation of modern applications, but their widespread deployment and inadequate protection make them an attractive target for attackers,” said Ivan Novikov, CEO and founder at Wallarm. “We hope this research helps organizations invest in strong protection for their APIs.”

Over $2.2 billion stolen from crypto platforms in 2024

More than $2.2 billion worth of cryptocurrency has been stolen from crypto platforms in 2024 so far, according to a report from blockchain research firm Chainalysis.

For the fifth consecutive year, thefts from crypto platforms have surpassed $1 billion, growing more than 21% in 2024 to $2.2 billion. The number of incidents increased from 282 in 2023 to 303 in 2024. Platforms reached $1.5 billion in losses between January and July alone — setting the industry on pace for $3 billion worth of thefts by year-end.

The report also found that North Korea-affiliated hacking groups were responsible for more than half of the amount stolen, stealing $1.34 billion across 47 incidents in 2024.

North Korean hackers have become “notorious” for their crypto heists, according to Chainalysis. North Korea uses the stolen funds to circumvent international sanctions and fund its ballistic missile programs.

The report notes that there was a steep decline in attacks by North Korean groups after July, which the researchers attributed to a June summit held between Russian President Vladimir Putin and North Korean leader Kim Jong Un. Following the summit, Russia has provided North Korea with money and weapons while Pyongyang has sent soldiers to fight in the invasion of Ukraine. The researchers said the amounts stolen by the DPRK dropped by approximately 53.73% after the summit, whereas non-DPRK amounts stolen rose by approximately 5%.

Microsoft accounts with MFA can be cracked in an hour with AuthQuake

Researchers have found a way to get past Microsoft’s implementation of multi-factor authentication (MFA), which is used to access various Microsoft services such as OneDrive, Teams, Office 365, etc.

According to the researchers, the attack method, which has been named AuthQuake, is based on brute forcing the six-digit time-based one-time password (TOTP) authentication code. The attack takes up to an hour and does not raise any alarms because of a flawed implementation that neither informs users whose account is being brute forced that an attack is taking place, nor locks out the account after a certain number of failed attempts.

To speed up the attack, the researchers were able to initiate multiple login sessions simultaneously due to a lack of rate limiting, and with each session, they had up to 10 tries to guess the TOTP code.

In general, TOTP codes should have a 30-second expiry to provide a “balance between security and usability” but the researchers found that Microsoft’s implementation allowed up to 180 seconds, which widened the window significantly for potential abuse.
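To show why the validity window and the failed-attempt handling described above matter, here is an added example (not code from the researchers or from Microsoft) of a server-side TOTP verifier: it implements RFC 6238 code generation (HMAC-SHA1, six digits) and a verifier whose accepted window can be set to 30 or 180 seconds, with a per-account failure counter that is shared across all login sessions, locks the account after a configurable number of failures and records an alert for the account owner. The account names, thresholds and lockout duration are illustrative assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP for one time-step counter (HMAC-SHA1, six digits)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


class TotpVerifier:
    """Server-side check with a configurable validity window and lockout (illustrative)."""

    def __init__(self, secret, valid_seconds=30, max_failures=5, lockout_seconds=600):
        self.secret = secret
        # How many consecutive time steps are still accepted: 30 s -> 1 code, 180 s -> 6 codes.
        self.steps = max(1, valid_seconds // STEP_SECONDS)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}   # account -> (failed attempts, locked_until timestamp); shared by all sessions
        self.alerts = []     # accounts whose owner should be notified of a lockout

    def accepted_codes(self, now: int) -> list:
        """Every code the server would accept right now (current step plus older ones in the window)."""
        counter = int(now) // STEP_SECONDS
        return [totp(self.secret, counter - i) for i in range(self.steps)]

    def verify(self, account: str, code: str, now: int) -> str:
        count, locked_until = self.failures.get(account, (0, 0))
        if now < locked_until:
            return "locked"                       # refuse even a correct code while locked
        if any(hmac.compare_digest(code, c) for c in self.accepted_codes(now)):
            self.failures.pop(account, None)      # a success resets the failure counter
            return "ok"
        count += 1
        if count >= self.max_failures:
            self.failures[account] = (count, now + self.lockout_seconds)
            self.alerts.append(account)           # tell the user, unlike the reported flaw
            return "locked"
        self.failures[account] = (count, 0)
        return "denied"
```

With the 180-second setting six distinct codes are accepted at any moment, six times the guessing surface of the 30-second setting, and without the shared counter each parallel session would get its own attempt budget.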

The issues found by the researchers have been shared with Microsoft and fixes have been implemented.

Attackers can leverage assistive technology in Windows to carry out stealthy attacks

Researchers have found a way to leverage the Windows UI Automation (UIA) framework to perform malicious activities to help evade detection by security software.

UIA is a long-standing feature of the .NET framework that has been part of Windows since XP. It gives applications privileged access to inspect and manipulate the user interface elements of other applications. UIA was created as an assistive technology so that developers can support users who may have difficulty using computers, such as individuals with poor eyesight or limited mobility.

However, researchers have found that an attacker could also abuse this privileged access and control of the UI to carry out malicious activities, such as interacting with on- and off-screen UI elements like buttons or links, inputting data, or reading data entered into forms and potentially exfiltrating it.

To carry out a successful attack, an attacker must first trick the user into running the malware with administrator privileges, which could likely be achieved by social engineering. The researchers have demonstrated particular attack scenarios where an attacker could send messages on Slack without users interacting, or steal credit card information entered into a browser by monitoring for changes in the UI.

The researchers believe that this may become a useful technique for attackers to hide their post-breach activities from security software since it is leveraging a legitimate feature of the operating system to perform the malicious activity.

Pumakit: New Linux rootkit uses advanced stealth techniques to evade detection

A newly discovered Linux rootkit called Pumakit uses stealth and advanced privilege escalation techniques to hide its presence on systems.

The malware was found by Elastic Security Lab researchers who described it as “a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers.”

The multi-component malware includes a dropper component named cron, two memory-resident executables (/memfd:tgt and /memfd:wpn), an LKM rootkit (puma.ko), and a shared object (SO) userland rootkit called Kitsune (lib64/libs.so).

Pumakit uses the internal Linux function tracer (ftrace) to hook into system calls and various kernel functions to alter core system behaviors and accomplish its goals. The LKM rootkit ensures it only activates when specific conditions, such as secure boot checks or kernel symbol availability, are met.

Pumakit has not been attributed to any known threat actor.

Hundreds of thousands of Prometheus installations at risk of attack and data exposure

Prometheus is an open-source monitoring and alerting system used by many organizations worldwide to monitor a wide range of IT assets. It uses a system of servers and exporters to gather data from monitored assets and aggregates that data for analysis. Researchers have found more than 40,000 Prometheus servers and around 296,000 exporter instances exposed to the internet, leaving them open to potential compromise by attackers.

Crucially, while Prometheus does support user authentication, many organizations fail to make use of it and also leave the installation exposed to the internet. The result is that an attacker could easily connect to it and query the system with various tools to steal information. In their trawl, the researchers found highly sensitive data such as credentials, authentication tokens, API keys, and much more. Given the nature of the data collected by Prometheus users, it could represent a gold mine of information about an organization’s infrastructure, enabling an attacker to gain insights into the layout of the systems within it.

Besides the potential data exposure, the researchers also found that misconfigured servers exposed a debug HTTP endpoint (/debug/pprof) that could be used by an attacker to carry out denial-of-service (DoS) attacks.

To add to the woes, the researchers also found that several exporters are vulnerable to an attack technique called RepoJacking. This type of attack can happen if the original owners of a repository do not retire its namespace when deleting old repositories. This leaves the namespace available to be claimed by anybody else, including an attacker. Any downstream projects that depend on the hijacked repository could then be exposed to malicious updates published by the attacker.

Prometheus users are urged to enable authentication to prevent unauthorized access to their servers and exporters. In addition, they should limit the exposure of system components to the internet, tighten access to the debug endpoints, and audit their dependencies for potential RepoJacking risk.

Iranian threat actors use new IOCONTROL malware to target IoT devices

Iranian threat actors are said to be behind a malware campaign that uses newly discovered malware called IOCONTROL.

The new malware is said to be designed to target Internet of Things (IoT) devices like routers, firewalls, and cameras, as well as operational technology (OT) and SCADA systems such as programmable logic controllers, human-machine interfaces, and fuel management systems. The modular malware is said to be capable of compromising devices from a wide range of manufacturers including D-Link (networking devices), Hikvision (cameras), Orpak (fleet automation), Gasboy (fuel management), and many others.

According to the researchers, the malware is being used to target organizations in Israel and the U.S. and has been seen in a number of settings, including an infection at around 200 gas stations in Israel and the U.S. In these attacks it is unclear how the malware was originally installed, but the infection gave the attackers remote access to the machines, enabling them to execute further commands that could steal information or disrupt services.

When installed, the malware drops a script named “S93InitSystemd.sh”, which is executed on restart to enable the malware to remain persistent. It also communicates with the command-and-control (C&C) server via the MQTT protocol through TCP port 8883.

Organizations warned of malware potentially targeted at OT/ICS workstations

Organizations making use of operational technology (OT) or industrial control systems (ICS) are warned to harden these systems against attack. Organizations use these technologies to control various industrial and manufacturing processes, so disruption or sabotage of these systems could have catastrophic consequences.

Organizations using OT/ICS systems often also use internet-connected engineering workstations to help engineers manage and control these systems. These workstations make prime targets for a would-be adversary who may be seeking to cause damage or disruption to critical systems.

Researchers recently published a blog post suggesting that organizations are not paying enough attention to securing these workstations against attack. In some instances, they discovered engineering workstations infected with copies of the Ramnit malware. This is an older malware family that spreads by infecting files and via removable drives. It can provide backdoor access to the infected computer as well as steal information and install other malware. While not specifically designed to target OT/ICS systems, the presence of Ramnit infections on these systems points to a weakness in security.

In other instances, the researchers found malware of potentially Dutch or Belgian origin called Chaya_003, which has the functionality to terminate the Siemens TIA Portal as well as other applications running on the computer. Process termination attempts are reported to the attacker via a Discord webhook.

While these incidents may not have caused direct damage to the organizations, they highlight the risks faced if organizations fail to adequately protect engineering workstations from attack. Infections on these systems could ultimately be used by attackers to carry out far more devastating attacks and pivot to other systems within the organization. The researchers recommend reviewing and hardening the security of these systems to avoid potential attacks.

Cyberattack disrupts auto parts giant LKQ’s Canadian business unit

Automobile parts giant LKQ Corporation recently revealed that its business unit in Canada was compromised, allowing malicious actors to steal data from the company.

LKQ is a U.S. company that specializes in automotive replacement parts, components, and services to repair and maintain vehicles. The company has 45,000 employees in 25 countries and operates several brands, including Keystone, Tri Star, and ADL.

The company said one of its business units in Canada was breached on November 13, disrupting business operations for “a few weeks.”

“We are analyzing data impacted by the incident and will be notifying affected parties as appropriate,” LKQ said in a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC).

No ransomware gangs or other threat actors have claimed responsibility for the attack.

Windows kernel vulnerability now being actively exploited

A recently patched vulnerability in Microsoft Windows could permit attackers to obtain system privileges on vulnerable systems using a “low complexity” exploit that requires no user interaction.

The vulnerability (CVE-2024-35250) was patched by Microsoft in June and affects the Microsoft Kernel Streaming Service (mskssrv.sys). The bug was uncovered by researchers at Devcore, who demonstrated the exploit at this year’s Pwn2Own Vancouver 2024 hacking competition.

The vulnerability now appears to be actively exploited in the wild: CISA has just added it to its Known Exploited Vulnerabilities catalog, noting evidence of active exploitation.

Texas Tech University Health Sciences Center notifies individuals of cyberattack

The Texas Tech University Health Sciences Center (HSC) and its El Paso counterpart have published a notification on their website that leads to a separate domain (ttuhscinfo.com) providing information about a breach of their network that occurred between September 17 and September 29, 2024. Detection of the breach resulted in some disruption to services at the time, as computers and systems were shut down or isolated to prevent the spread of the attack and to begin an investigation.

The investigation discovered that information was stolen during the attack and that the personal information of 1.4 million individuals, including names, dates of birth, Social Security numbers, driver license numbers, medical records, and billing and treatment information, was compromised as a result.

The Interlock ransomware gang took credit for the breach back in October on its extortion site, claiming that up to 2.1 million files, amounting to 2.6 TB of data, were stolen in the attack. The gang eventually made the data available for download after the ransom was not paid.

In the meantime, the HSC is sending out notifications to individuals impacted by the breach and is offering credit monitoring services. Victims are advised to watch for an increase in phishing attempts following the data breach.