Cequence Protects 6 Major Telecoms from BOLA API Attacks
2024-9-5 21:0:58 Author: securityboulevard.com

Cequence recently protected multiple major telecommunications companies, each a global leader with over 100 million customers, from a series of six high-profile Broken Object Level Authorization (BOLA) API attacks. Most of these companies use Google’s Apigee API Gateway and rely on Cequence for advanced threat detection and prevention. Cequence successfully blocked over 22 million malicious requests at one of these telecom companies, preventing significant financial loss and safeguarding sensitive customer data. This blog delves deeper into the details of this BOLA attack.

The Anatomy of the Attack

One of the world’s largest telecoms faced an unprecedented attack, with over 22 million requests bombarding six different APIs. The attackers aimed to blend their malicious traffic with legitimate API requests, making detection difficult. This attack was meticulously designed to exploit API endpoints, particularly those involved in device trade-ins (e.g., phones, tablets), by manipulating International Mobile Equipment Identity (IMEI) numbers to submit fraudulent trade-in orders.

Clean Proxies: The Attackers’ Cloak of Invisibility

A key tactic employed by the attackers was the use of clean proxies with residential IP addresses of the targets’ primary business country, previously unassociated with malicious activities. This approach allowed the malicious traffic to seamlessly blend with legitimate user requests, bypassing traditional IP-based defenses. The use of these proxies exemplified the sophistication of the attack, highlighting the inadequacy of conventional security measures that rely solely on IP reputation databases.


IMEI Number Manipulation: The Core of the Attack

The attackers systematically generated and validated IMEI numbers, exploiting vulnerabilities in the device trade-in systems. By identifying valid IMEI numbers, they could fraudulently manipulate orders to claim higher trade-in values for less valuable devices. This posed significant financial risks and threatened the integrity of the telecom’s trade-in program. Detecting and mitigating such an attack required advanced tools capable of deep packet inspection (DPI) and behavioral analysis, which Cequence provided.
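The object-level authorization gap that makes this kind of trade-in fraud possible, shown as an added Python example that is not Cequence's or any telecom's code: a minimal order handler that trusts client-supplied order ids and IMEIs, beside a hardened version that binds both identifiers to the authenticated caller and recomputes the quoted value server-side. The accounts, IMEIs, valuations and function names are constructed assumptions.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class TradeInOrder:
    order_id: str
    owner: str          # subscriber account that opened the order
    imei: str           # device being traded in
    quoted_value: int   # credit the telecom will issue, in currency units


# Constructed sample data (hypothetical accounts, IMEIs and valuations).
IMEI_OWNER = {
    "490154203237518": "alice",   # alice's low-end handset
    "356938035643809": "bob",     # bob's flagship handset
}
DEVICE_VALUE = {
    "490154203237518": 120,
    "356938035643809": 650,
}


def sample_orders() -> dict:
    """Fresh copy of the order store so each scenario starts clean."""
    return {"ord-1": TradeInOrder("ord-1", "alice", "490154203237518", 120)}


def update_order_vulnerable(orders: dict, order_id: str, new_imei: str) -> TradeInOrder:
    """BOLA: the handler trusts client-supplied object identifiers.

    Nothing ties the order to the caller and nothing checks that the IMEI
    is registered to the caller, so any account can attach any device to
    any order and collect that device's trade-in value.
    """
    order = orders[order_id]
    order.imei = new_imei
    order.quoted_value = DEVICE_VALUE[new_imei]
    return order


def update_order(orders: dict, caller: str, order_id: str, new_imei: str) -> TradeInOrder:
    """Hardened handler: object-level authorization on both identifiers.

    - the order must belong to the authenticated caller;
    - the IMEI must be registered to the caller's account;
    - the quoted value is recomputed from server-side data, never taken
      from the request.
    A missing order and a foreign order raise the same error, so the
    endpoint does not confirm which order ids exist.
    """
    order = orders.get(order_id)
    if order is None or order.owner != caller:
        raise AuthorizationError("order not found for caller")
    if IMEI_OWNER.get(new_imei) != caller:
        raise AuthorizationError("IMEI not registered to caller")
    order.imei = new_imei
    order.quoted_value = DEVICE_VALUE[new_imei]
    return order
```

The `caller` argument stands for the identity the gateway has already authenticated from the bearer token; the point of the check is that the identity comes from the credential, not from anything in the request body or path.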

Temporal Patterns: Mimicking Legitimate User Behavior

The bot activity was concentrated on weekdays between 9:00 a.m. and 5:00 p.m., mimicking legitimate user behavior. This tactic further complicated detection efforts, as traditional anomaly detection systems, which rely on identifying unusual traffic spikes, were less likely to flag this activity. The attackers’ ability to disguise their actions within normal business hours emphasized the need for more sophisticated detection mechanisms.

Cequence’s Response: A Multi-Layered Defense Strategy

Initial Detection: Leveraging Advanced Analytics

Cequence’s state-of-the-art bot management solution played a crucial role in identifying the BOLA attack. Advanced analytics capabilities allowed it to detect abnormal traffic patterns associated with the 22 million malicious requests. Unlike traditional systems that might only flag large volumes of requests, Cequence delved deeper, identifying systematic IMEI testing and the use of clean proxies. By performing deep packet inspection and analyzing traffic at a granular level, Cequence flagged the suspicious activity early, enabling a swift response.

Session Identifiers and Bearer Tokens: Tracing the Attack’s Footprint

To trace the attack back to its source, the Cequence team analyzed session identifiers and bearer tokens. These tools allowed the team to track the bots’ movement across various APIs, detecting when the same tokens were reused in multiple requests – a clear indicator of automated activity. This analysis was pivotal in identifying and isolating the malicious traffic.

Behavioral Analysis: Identifying and Isolating Malicious Patterns

Behavioral analysis was instrumental in the successful response. By examining the timing, frequency, and nature of the requests, the security team differentiated between legitimate user behavior and bot activities. Specific patterns, such as systematic IMEI testing and temporal alignment with business hours, were identified as key indicators of the attack. These insights enabled the development of targeted countermeasures.
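The token tracing described under "Session Identifiers and Bearer Tokens" and the behavioral indicators above (systematic IMEI testing, proxy-spread traffic, alignment with business hours), as an added Python example that is not Cequence's code: it parses a few constructed access-log lines, builds a per-token profile, and flags tokens that submit many distinct IMEIs, appear from many client IPs, or span multiple APIs, while recording how much of each token's activity fell in weekday business hours. The log format, thresholds, token names and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access-log lines in a hypothetical one-request-per-line
# format: timestamp, opaque id of the bearer token, API path, submitted
# IMEI and client IP. Not real traffic; 2024-09-04 is a Wednesday.
SAMPLE_LOG = """
2024-09-04T09:12:01Z token=t-alice path=/v1/tradein/validate imei=490154203237518 ip=203.0.113.10
2024-09-04T19:40:12Z token=t-alice path=/v1/tradein/orders imei=490154203237518 ip=203.0.113.10
2024-09-04T10:00:03Z token=t-bot path=/v1/tradein/validate imei=356938035643809 ip=198.51.100.21
2024-09-04T10:00:05Z token=t-bot path=/v1/tradein/validate imei=351756051523999 ip=198.51.100.22
2024-09-04T10:00:07Z token=t-bot path=/v1/tradein/validate imei=353260070216565 ip=198.51.100.23
2024-09-04T10:00:09Z token=t-bot path=/v1/tradein/validate imei=358888051111111 ip=198.51.100.24
2024-09-04T10:00:11Z token=t-bot path=/v1/tradein/orders imei=356938035643809 ip=198.51.100.25
2024-09-04T10:00:13Z token=t-bot path=/v1/tradein/orders imei=351756051523999 ip=198.51.100.26
not a log line
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) token=(?P<token>\S+) "
    r"path=(?P<path>\S+) imei=(?P<imei>\d{15}) ip=(?P<ip>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def in_business_hours(ts: datetime) -> bool:
    """Weekday, 09:00 to 17:00 (exclusive) in the log's timezone."""
    return ts.weekday() < 5 and 9 <= ts.hour < 17


def profile_tokens(lines):
    """Aggregate per-token behaviour across every API the token touched."""
    profiles = defaultdict(lambda: {
        "requests": 0, "imeis": set(), "paths": set(), "ips": set(), "business_hours": 0,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["token"]]
        p["requests"] += 1
        p["imeis"].add(rec["imei"])
        p["paths"].add(rec["path"])
        p["ips"].add(rec["ip"])
        if in_business_hours(rec["ts"]):
            p["business_hours"] += 1
    return dict(profiles)


def flag_tokens(profiles, max_imeis: int = 3, max_ips: int = 2):
    """Apply simple per-token thresholds (assumed values, tune per API).

    A real subscriber trades in a handful of devices from one or two
    networks; a token that tests many IMEIs from many residential IPs and
    then moves on to the order API is the pattern the text describes.
    The business-hours share is reported so analysts can see that the
    timing looked normal even though the behaviour did not.
    """
    findings = {}
    for token, p in profiles.items():
        reasons = []
        if len(p["imeis"]) > max_imeis:
            reasons.append("imei_enumeration")
        if len(p["ips"]) > max_ips:
            reasons.append("token_reused_across_ips")
        if reasons and len(p["paths"]) > 1:
            reasons.append("token_reused_across_apis")
        if reasons:
            share = p["business_hours"] / p["requests"]
            findings[token] = {"reasons": reasons, "business_hours_share": round(share, 2)}
    return findings


if __name__ == "__main__":
    for token, finding in flag_tokens(profile_tokens(SAMPLE_LOG.splitlines())).items():
        print(token, finding)
```

The thresholds are deliberately low for the sample; in production they would be set per endpoint from a baseline of real subscriber behaviour, and the IP and token fields would be hashed before they reach the analytics store.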

Real-time Defense: Blocking the Attack Without Disrupting Service

Armed with a comprehensive understanding of the attack, Cequence implemented precise countermeasures in the form of rules and policies to protect the company’s network without disrupting legitimate users. Cequence utilized header injection to monitor API traffic in real time, adding custom headers to HTTP requests and responses. This allowed for detailed tracking of suspicious activities without altering the end-user experience. Stricter blocking policies were also enforced, focusing on specific malicious behaviors, such as the use of clean proxies and IMEI manipulation. These targeted measures effectively neutralized the BOLA attack while ensuring uninterrupted service for legitimate users.
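The enforcement step described above (header injection for tracing, then targeted blocking of specific behaviours without touching legitimate users), as an added Python example that is not Cequence's product code: a wrapper around an API handler that runs in a monitor mode, which only tags requests, or an enforce mode, which also answers flagged behaviours with 403. The verdict table, the `X-Bot-*` header names, the block list and the token values are assumptions.

```python
import uuid
from typing import Callable, Dict, Tuple

Request = Dict[str, object]
Response = Tuple[int, Dict[str, str], bytes]

# Constructed per-token verdicts of the kind a detection stage hands to
# the enforcement point (hypothetical tokens, scores and reason labels).
VERDICTS = {
    "t-bot": {"score": 95, "reasons": ["imei_enumeration", "token_reused_across_ips"]},
    "t-alice": {"score": 5, "reasons": []},
}

# Behaviours that are blocked in enforce mode; anything else is only tagged.
BLOCK_REASONS = {"imei_enumeration", "token_reused_across_ips"}


def upstream_api(request: Request) -> Response:
    """Stand-in for the protected trade-in API behind the gateway."""
    return 200, {"Content-Type": "application/json"}, b'{"status":"ok"}'


def bearer_token(request: Request) -> str:
    auth = request.get("headers", {}).get("Authorization", "")
    return auth[7:].strip() if auth.startswith("Bearer ") else ""


def bot_policy(handler: Callable[[Request], Response], mode: str = "monitor"):
    """Wrap an API handler with header injection and targeted blocking.

    monitor: every request is forwarded; score and reasons are injected
             into the request headers so the upstream service and its
             logs can trace the verdict, and a trace id goes back on the
             response. Nothing changes for the end user.
    enforce: same tagging, but a request whose verdict carries a blocked
             behaviour is answered with 403 before it reaches the API.
    Only the trace id is returned to the client; the reasons stay on the
    request side so the response does not explain what was detected.
    """
    def wrapped(request: Request) -> Response:
        trace_id = str(uuid.uuid4())
        verdict = VERDICTS.get(bearer_token(request), {"score": 0, "reasons": []})
        request.setdefault("headers", {}).update({
            "X-Bot-Trace-Id": trace_id,
            "X-Bot-Score": str(verdict["score"]),
            "X-Bot-Reasons": ",".join(verdict["reasons"]),
        })
        matched = BLOCK_REASONS.intersection(verdict["reasons"])
        if mode == "enforce" and matched:
            return 403, {"X-Bot-Trace-Id": trace_id, "X-Bot-Action": "block"}, b'{"error":"forbidden"}'
        status, headers, body = handler(request)
        headers = {**headers, "X-Bot-Trace-Id": trace_id, "X-Bot-Action": "allow"}
        return status, headers, body
    return wrapped


if __name__ == "__main__":
    guarded = bot_policy(upstream_api, mode="enforce")
    print(guarded({"headers": {"Authorization": "Bearer t-bot"}})[0])    # 403
    print(guarded({"headers": {"Authorization": "Bearer t-alice"}})[0])  # 200
```

Running in monitor mode first and reviewing the injected headers in upstream logs is what lets a team confirm the verdicts match real bot traffic before flipping the same policy to enforce.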

How Cequence Can Protect Your APIs

As application and API attacks continue to evolve, so too must the security measures designed to protect them. Cequence’s multi-layered defense strategy – leveraging comprehensive collection, advanced analytics, and behavioral analysis using a combination of product and managed services – proved crucial in mitigating this sophisticated attack on some of the world’s largest telecom organizations.

Comprehensive API Protection for Telecoms: Cequence provides a holistic approach to safeguarding telecommunications APIs, addressing both known and emerging threats. With our deep understanding of the telecom domain, including critical identifiers like IMEI (International Mobile Equipment Identity), MSISDN (Mobile Station International Subscriber Directory Number), and CPNI (Customer Proprietary Network Information), our solutions are precisely tailored to protect these sensitive assets from sophisticated attack vectors.

Real-Time Threat Detection and Mitigation in Telecom Networks: Our advanced tools are designed for real-time monitoring and analysis of telecom-specific API traffic, ensuring immediate detection and response to suspicious activities. By preventing unauthorized access to IMEI databases, MSISDN manipulation, and safeguarding CPNI, Cequence minimizes the risk of data breaches, financial losses, and regulatory non-compliance.

Tailored Security Solutions for Telecommunication Infrastructure: Cequence delivers customizable security policies that seamlessly integrate with existing telecom infrastructure, including APIs associated with device trade-ins, customer service portals, and billing systems. Our solutions are built to handle the unique challenges of large-scale, complex telecom environments, ensuring continuous and secure operations.

Expertise in Tackling Complex Telecom-Specific Attack Scenarios: With extensive experience in managing large-scale attacks across the telecommunications sector, our team is equipped to deploy multi-layered defenses against threats targeting critical telecom assets. We understand the complexities involved in protecting APIs linked to IMEI and MSISDN validation, billing systems, and customer data, and we apply our expertise to defend against even the most sophisticated BOLA attacks.

While our recent successes in protecting some of the world’s largest telecommunications companies showcase our deep domain expertise, the Cequence solution is industry agnostic. We bring the same level of precision and effectiveness to application and API security across various sectors, including retail, financial institutions, travel and hospitality, government organizations, and more. Our comprehensive approach ensures that your APIs are safeguarded from advanced threats, no matter your industry.

To see how Cequence can fortify your API landscape, sign up for a free, no-commitment API security assessment.

The post Cequence Protects 6 Major Telecoms from BOLA API Attacks appeared first on Cequence Security.

*** This is a Security Bloggers Network syndicated blog from Cequence Security authored by Will Glazier. Read the original post at: https://www.cequence.ai/blog/bot-management/bola-attack-protection-telecom/


Source: https://securityboulevard.com/2024/09/cequence-protects-6-major-telecoms-from-bola-api-attacks/