According to a new study by Thales, the rapid adoption of APIs and AI-powered bot attacks cost global companies up to $186 billion annually. Losses caused by insecure APIs have increased from $12 billion in 2021 to $35–87 billion today, while losses from bot attacks may reach up to $116 billion.

The rapid expansion of APIs, lack of expertise, and weak coordination between security and development teams create additional risks. Large companies with annual revenue of more than $100 billion are especially vulnerable to these threats.

This report on the economic impact of API and bot attacks is based on an analysis of 161,000 cybersecurity incidents conducted by Thales Imperva and the Cyber Risk Intelligence Center at Marsh McLennan.

The report notes that APIs are becoming a popular target because they can provide access to sensitive corporate and customer data. Attackers often use automated bots to detect vulnerable or misconfigured APIs.

Generative AI enables even inexperienced cybercriminals to launch sophisticated bot attacks by improving methods for bypassing security systems.

Companies with high revenue are most often targeted by attacks involving insecure APIs and bots. These threats account for 26% of all security incidents in such organizations, compared with the average rate of 12%.

The reason is that large companies usually manage complex API ecosystems that may contain vulnerable interfaces. On average, such enterprises use 613 API endpoints.

Dependence on APIs will continue to grow, especially with the development of generative AI and large language models. At the same time, cybercriminals will accelerate the creation of sophisticated bots.

As the number of APIs increases and bots become more advanced, the economic damage to companies will continue to grow unless preventive measures are taken.

The complexity and interconnection of these threats require companies to integrate security strategies against both bot attacks and API attacks.

Top Vulnerabilities of the Week: Critical Flaws in Rockwell Automation, Siemens and Viessmann

CRIL Research Lab reported several vulnerabilities identified between September 10 and 16. CISA released 29 security advisories, including serious vulnerabilities found in products from Rockwell Automation, Siemens and Viessmann.

1. CVE-2024-45824: Command Injection — Rockwell Automation

This is a critical vulnerability in Rockwell Automation FactoryTalk View Site Edition prior to version 14.0, with a CVSS score of 9.8. Exploitation requires network access, but does not require privileges or user interaction.

Mitigation: Updating the software resolves the issue. Use ODIN capabilities to assess and protect devices.

2. CVE-2024-35783: Execution with Excessive Privileges — Siemens

A critical vulnerability with a CVSS score of 9.1 was discovered in Siemens products, including SIMATIC. Exploitation requires high privileges in network conditions.

Mitigation: Updating the software resolves the vulnerability.

3. CVE-2023-44373: Improper Neutralization of Special Characters — Siemens

This vulnerability was discovered in Siemens devices where input fields are not properly sanitized. As a result, a remote attacker with administrative privileges may inject commands, execute code, or gain root-level access through a command injection attack.

Affected devices include Siemens RUGGEDCOM and SCALANCE product families.

Mitigation: Update the firmware to version 3.0.2 or later.

4. CVE-2024-45032: Authorization Bypass — Siemens Industrial Edge Management

A critical vulnerability in the Device Token Handler component allows authorization to be bypassed.

Mitigation: Update Siemens Industrial Edge Management to versions 1.9.5 or 2.3.1-1 and later.

5. CVE-2023-46850: Use After Free — Siemens

This vulnerability affects OpenVPN versions 2.6.0–2.6.6 and may lead to memory leakage or remote code execution during the processing of network buffers.

The CVSS score is 9.8. Exploitation requires network access, but does not require privileges or user interaction.

Mitigation: Install the latest updates provided by Siemens to address the vulnerability.

6. CVE-2024-33698: Buffer Overflow — Siemens

A vulnerability in Siemens user management components may lead to a buffer overflow. The CVSS score is 9.8. Exploitation is possible over the network without special privileges.

Mitigation: Use port filtering and update the software.

7. CVE-2023-45852: Command Injection — Viessmann Climate Solutions SE

This vulnerability in the Viessmann Vitogate 300 firmware allows an unauthenticated attacker to inject commands through the `ipaddr` parameter, bypassing authentication.

The vulnerability has a CVSS score of 9.8, indicating critical severity.

Mitigation: Updating the firmware to the latest version resolves the vulnerability.

8. CVE-2023-5222: Use of Hard-Coded Credentials — Viessmann

This critical vulnerability is related to the use of hard-coded passwords in the management interface, allowing remote exploitation of the system without privileges.

Mitigation: Public exploits are available, but the vendor has not yet responded.

The distribution of these vulnerabilities shows that most of the issues fall into critical and high-severity categories, especially in products from vendors such as Siemens and Rockwell Automation.

These vulnerabilities should be addressed as quickly as possible by applying patches and strengthening security measures. Organizations should pay particular attention to regular updates, security monitoring and risk management in order to protect their systems and critical infrastructure from potential threats.

Winners of the NCSIC 2024 Cyber Exercises

Our SOC team became the winner of the NCSIC 2024 cyber exercises by protecting the infrastructure of the Ministry of Education and successfully attacking an IT company. The exercises confirmed the high professionalism of DQ specialists.

Digital Qalqan LLP is proud to announce that the team of the Digital Qalqan Security Operations Center (SOC) took first place in the cyber exercises organized by the National Coordination Center for Information Security (NCSIC), which were held on August 19–20, 2024.

During the exercises, our Blue Team successfully protected the virtual infrastructure of the Ministry of Education, identifying and investigating 100% of the realized risks. This demonstrated the team’s exceptional skills and high readiness to respond to modern cyber threats.

At the same time, the DQ Red Team successfully carried out attacks against the virtual infrastructure of an IT company, realizing two risks.

These cyber exercises became a unique experience for us, providing an opportunity to work with new tools such as SIEM Splunk and NTA Arkime. Our team demonstrated flexibility and professionalism, effectively adapting to new conditions and challenges.

These results highlight the strong professional skills of our specialists and their ability to respond quickly to information security incidents.

We would like to thank all our partners for their cooperation, which allowed us to improve the quality of information security event monitoring and strengthen collaboration in incident response.

The results achieved confirm our readiness to continue protecting critical infrastructure and ensuring a high level of security.

Link to the Bluescreen news article: https://bluescreen.kz/kvoiki-iest-komu-zashchishchat-iest-nad-chiem-porabotat/

CrowdStrike Update Failure Affected Millions of Windows Computers Worldwide

At the end of this week, a major outage occurred on computers running Microsoft Windows that had CrowdStrike security software installed. The update of this software caused widespread failures, affecting around 8.5 million PCs worldwide. However, Microsoft stated that this represents less than 1% of all functioning Windows systems.

Microsoft published data on the scale of the incident in its blog. According to the company’s assessment, the outage caused by the failed CrowdStrike Falcon update affected computers in different countries, but the total number of impacted devices accounted for less than 1% of all Windows systems.

Despite this, David Weston, Vice President of Enterprise and OS Security at Microsoft, noted: “Although the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services.”

“This incident demonstrates the interconnected nature of our broad ecosystem — global cloud providers, software platforms, security vendors and other software providers. It also reminds us how important safe software deployment and disaster recovery are, using reliable mechanisms,” a Microsoft representative added.

According to Microsoft, CrowdStrike has already provided a scalable fix to help restore the operation of Amazon’s cloud infrastructure. Microsoft is also working with Amazon and Google to identify the best ways to address the consequences of the incident.

In addition, hundreds of Microsoft technical support specialists are helping eliminate the impact across customer infrastructures, while internal specialists at affected companies are receiving urgent recovery instructions.

Information security experts note that the wide publicity around the incident has attracted the attention of attackers attempting to gain access to the infrastructures of affected companies by posing as CrowdStrike or Microsoft technical consultants.

According to some estimates, because CrowdStrike update files may need to be removed manually from computers, full infrastructure recovery in some affected companies may take from several days to several weeks.