Upgrade to Pro — share decks privately, control downloads, hide ads and more …

INTERFACE by apidays 2023 - APIs & APTs: Manipu...

apidays
PRO
July 11, 2023
Programming
0
11

INTERFACE by apidays 2023 - APIs & APTs: Manipulating Access in Current Events, John Hammond, Huntress

INTERFACE by apidays 2023
APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization
June 28 & 29, 2023

APIs & APTs: Manipulating Access in Current Events
John Hammond, Senior Security Researcher at Huntress

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

July 11, 2023
Tweet

More Decks by apidays

See All by apidays
Apidays London 2024 - Securing APIs, Beyond the Basics with Advanced Security Practices, Karanvir Attwal
apidays
PRO
0
21
Apidays London 2024 - From Fragmentation to Federation by Peter Mörsch, Boomi
apidays
PRO
0
15
Apidays London 2024 - Open Standards for Getting your APIs into the Geospatial Ecosystem by Gobe Hobona
apidays
PRO
0
8
Apidays London 2024 - Harmonizing Asynchronous Systems by Artur Ciocanu, Adobe
apidays
PRO
0
8
Apidays London 2024 - Renovate to Innovate 5 by Rashmi Venugopal, Netflix
apidays
PRO
0
7
Apidays London 2024 - Open Standards, AI and Data for Better Decisions by Ravinder Singh
apidays
PRO
0
17
Apidays London 2024 - The Hidden Power Brokers in the EU Data Act Enforcement by David Vazquez Cortizo, apinity
apidays
PRO
0
10
Apidays London 2024 - The Web Sustainability Guidelines by Alexander Dawson, W3C
apidays
PRO
0
11
Apidays London 2024 - Battle-tested APIs_Tech and Business working together by Jean Burellier, Sanofi
apidays
PRO
0
10

Other Decks in Programming

See All in Programming
What’s New in Compose Multiplatform - A Live Tour (droidcon London 2024)
zsmb
1
470
EventSourcingの理想と現実
wenas
6
2.3k
JavaでLチカしたい! / JJUG CCC 2024 Fall LT
nhayato
0
140
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
1.9k
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
1k
subpath importsで始めるモック生活
10tera
0
270
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
ヤプリ新卒SREの オンボーディング
masaki12
0
120
エンジニアとして関わる要件と仕様(公開用)
murabayashi
0
220
Dev ContainersとGitHub Codespacesの素敵な関係
ymd65536
1
150
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
1
280

Featured

See All Featured
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Code Review Best Practice
trishagee
64
17k
Why Our Code Smells
bkeepers
PRO
334
57k
It's Worth the Effort
3n
183
27k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Designing for Performance
lara
604
68k
Automating Front-end Workflow
addyosmani
1366
200k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
The Invisible Side of Design
smashingmag
298
50k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Faster Mobile Websites
deanohume
305
30k

Transcript

  1. APIs & APTs Manipulating Access in Current Events John Hammond

  2. None

  3. Before we dive in: Thanks 🙂

  4. None

  5. In the recent weeks following the 2023 Memorial Day weekend,

    the cybersecurity community sprung into action to chase threats following the exploitation of the MOVEit Transfer application. Security researchers worked to analyze the attack chain, organizations worked to patch, and soon enough, the cl0p ransomware gang began to extort and blackmail victims with the threat of publishing stolen information online. One unique part of the attack chain relied on tampering with the MOVEit Transfer API -- to upload, download, and stage different files -- all through one undocumented feature. In this presentation we will dive into the technical details as to how threat actors gained access to the API, and what security implications came from it... documented or not!

  6. News articles on MOVEit exploit • https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ • https://thehackernews.com/2023/06/microsoft-lace-tempest-hackers-behind.html •

    • • https://digital.nhs.uk/cyber-alerts/2023/cc-4326
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None

  18. “Undocumented” authentication method!

  19. https://twitter.com/_JohnHammond /status/1665898849314164736

  20. None
  21. None

  22. Cybersecurity is teamwork.

  23. Call to action: rallying cry. It’s up to us to

    find vulnerabilities & help fix. Even amidst APIs! 😊

  24. Thank you :)

  25. “Don’t Scan QR codes” Don’t be a stranger If you

    want to chat: j-h.io/links