Shadow APIs a key target for malicious attacks, reveals new report

Malicious API requests targeting unprotected application programming interfaces (APIs) are the top threat in the industry, a new research report by Cequence Security revealed.

To produce the report, the Cequence research team analyzed 20 billion API transactions in the first half of 2022. Of the 16.7 billion malicious requests made, around 5 billion, or 31 per cent, targeted unknown, unmanaged, and unprotected APIs, also known as shadow APIs.

These requests came from a variety of bots, ranging from sneaker bots to credential stuffing campaigns to bots testing whether stolen credit cards are still usable. Cequence Security noted that these attacks have continued to increase throughout the year.

But even well-coded APIs are not immune to threats. The report also warned that attackers are increasingly abusing the top 10 API threats catalogued by the Open Web Application Security Project (OWASP), a non-profit organization that maintains the list. The vulnerabilities in the list could lurk in any API, not just shadow APIs. Published in 2019, the list consists of the following:

1. API1: Broken object-level authentication
2. API2: Broken authentication
3. API3: Excessive data exposure
4. API4: Lack of resources and rate limiting
5. API5: Broken function-level authentication
6. API6: Mass assignment
7. API7: Security misconfiguration
8. API8: Injection
9. API9: Improper asset management
10. API10: Insufficient logging and monitoring

The second largest API security threat was API abuse, where attackers target improperly coded and inventoried APIs. There were 3.6 billion such attacks detected and blocked in 2022. The most frequently blocked were a staggering 3 billion shopping-bot requests targeting sneakers and luxury goods, followed by 290 million gift card checking attacks and 237 million fake account creations on dating and shopping applications.

The third most pervasive threat to API security was the combination of API2, API3 and API9 (broken authentication, excessive data exposure and improper asset management). According to the report, the combination of these attack vectors indicates that attackers are analyzing how the target APIs work and how they communicate.


Cequence also pointed out that partner ecosystem APIs pose a threat, describing them as a “target-rich environment.” While they enable useful functions for consumers, their interconnectivity and one-to-many connections also make them a prime target for attackers. In one case, attackers targeted a financial services partner ecosystem API to execute a series of coordinated credential stuffing attacks against multiple financial institutions simultaneously. In one of the weeks observed, Cequence blocked over 50 million malicious requests abusing these APIs.

These attacks often trace back to countries where genuine user interaction is non-existent, or to known malicious infrastructure. Hallmarks of malicious requests include high session rotation and a high login failure rate. They are also characterized by high proxy IP address rotation and requests made at regular time intervals.
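As an added illustration (not code from the report or from Cequence), the following Python check scores login events per client fingerprint for the four hallmarks just listed: login failure rate, session rotation, IP rotation, and regularity of request timing. The log format, the fingerprint field, and the thresholds are assumptions chosen for the example.

```python
"""Score login traffic per client fingerprint for credential-stuffing hallmarks."""
from collections import defaultdict
from statistics import pstdev

# Constructed sample log (not real data): seconds,fingerprint,ip,session,result.
# "fp-bot" rotates IP and session on every request, fails most logins, and
# fires every 5 seconds; "fp-user" behaves like a person who mistyped once.
SAMPLE_LOG = """\
0,fp-bot,203.0.113.10,s1,fail
5,fp-bot,203.0.113.11,s2,fail
10,fp-bot,203.0.113.12,s3,fail
15,fp-bot,203.0.113.13,s4,fail
20,fp-bot,203.0.113.14,s5,success
25,fp-bot,203.0.113.15,s6,fail
0,fp-user,198.51.100.7,s7,fail
47,fp-user,198.51.100.7,s7,success
312,fp-user,198.51.100.7,s7,success
"""

def parse_log(log):
    """Group (ts, ip, session, result) rows by client fingerprint (assumed field)."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, fp, ip, session, result = line.strip().split(",")
        events[fp].append((int(ts), ip, session, result))
    return events

def score_source(rows, min_requests=5, max_fail_rate=0.5,
                 rotation_ratio=0.8, max_jitter=2.0):
    """Return the list of hallmarks a single source exhibits (assumed thresholds)."""
    rows = sorted(rows)
    n = len(rows)
    if n < min_requests:            # too little traffic to judge
        return []
    fail_rate = sum(r[3] == "fail" for r in rows) / n
    ip_rotation = len({r[1] for r in rows}) / n        # distinct IPs per request
    session_rotation = len({r[2] for r in rows}) / n   # distinct sessions per request
    gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
    jitter = pstdev(gaps) if len(gaps) >= 2 else float("inf")
    hallmarks = []
    if fail_rate > max_fail_rate:         hallmarks.append("high_login_failure_rate")
    if session_rotation > rotation_ratio: hallmarks.append("high_session_rotation")
    if ip_rotation > rotation_ratio:      hallmarks.append("high_ip_rotation")
    if jitter <= max_jitter:              hallmarks.append("regular_request_interval")
    return hallmarks

def flag_sources(log, min_hallmarks=2):
    """Map fingerprint -> hallmarks for sources showing at least min_hallmarks."""
    scored = {fp: score_source(rows) for fp, rows in parse_log(log).items()}
    return {fp: h for fp, h in scored.items() if len(h) >= min_hallmarks}
```

Requiring two or more hallmarks before flagging keeps a single forgetful user with one failed login out of the result.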

“Our findings underscore the importance of IT and security leaders having a complete understanding of how correctly coded APIs, as well as those with errors, can be attacked,” said William Glazier, director of threat research at Cequence Security, in the press release. “The sample size of 20 billion alone means there is a high likelihood that enterprises across industries are impacted by these types of threats.”

In conclusion, the report urged organizations to check their APIs against the OWASP list, but also API10+, a category that describes even more ways well-coded APIs can be attacked.

Tom Li
Telecommunication and consumer hardware are Tom's main beats at IT World Canada. He loves to talk about Canada's network infrastructure, semiconductor products, and of course, anything hot and new in the consumer technology space. You'll also occasionally see his name appended to articles on cloud, security, and SaaS-related news. If you're ever up for a lengthy discussion about the nuances of each of the above sectors or have an upcoming product that people will love, feel free to drop him a line at [email protected]