Security researchers set up an API honeypot to dupe hackers – and the results were startling
Attackers are quick off the mark in targeting and accessing APIs to enter company networks and steal data, according to the results of an API ‘honeypot’.
API security firm Wallarm set up their trap last month, and has now reported on its first 20 days of activity.
“We expected that it might take longer to have compelling data to report, but the speed at which our fake APIs were discovered and accessed surprised us. Instead of waiting for months of data, we decided to collect and report our immediate findings quickly,” said the firm.
The honeypot consisted of a mock API written in Go with a self-signed TLS certificate. It logged every incoming request, including the full request body, on all 65535 possible ports, and returned valid responses matched to the type of request – REST, GraphQL, and so on.
No domain names were assigned, and all the honeypot instances were published on IP addresses distributed across 14 different locations around the globe.
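A minimal version of such a honeypot, written here as an added example rather than Wallarm's own code: it logs every request, full body included, as one JSON line, classifies the probe as GraphQL, REST or plain web from its path and headers, and returns a plausible answer for each kind so the scanner keeps going. The port, the 1 MiB body cap and the classification heuristics are assumptions; the report's honeypot listened on every port behind a self-signed certificate, which this stand-in only notes in a comment.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"log"
	"net/http"
	"os"
	"strings"
	"time"
)

// RequestRecord is one logged probe, full body included, so it can be replayed later.
type RequestRecord struct {
	Time    time.Time   `json:"time"`
	Remote  string      `json:"remote"`
	Method  string      `json:"method"`
	Path    string      `json:"path"`
	Query   string      `json:"query"`
	Headers http.Header `json:"headers"`
	Body    string      `json:"body"`
	Kind    string      `json:"kind"` // "graphql", "rest" or "web"
}

// Classify guesses what the scanner thinks it is talking to (heuristic, an assumption of this example).
func Classify(path, contentType, accept string, body []byte) string {
	if strings.HasPrefix(path, "/graphql") {
		return "graphql"
	}
	if strings.Contains(contentType, "application/json") {
		var probe struct{ Query string `json:"query"` } // GraphQL over POST carries a "query" field
		if json.Unmarshal(body, &probe) == nil && probe.Query != "" {
			return "graphql"
		}
		return "rest"
	}
	if strings.Contains(accept, "application/json") {
		return "rest"
	}
	return "web"
}

// Record reads the whole body (capped at maxBody bytes) and puts it back on the request.
func Record(r *http.Request, maxBody int64) (RequestRecord, error) {
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBody))
	if err != nil {
		return RequestRecord{}, err
	}
	r.Body = io.NopCloser(bytes.NewReader(body))
	return RequestRecord{
		Time:    time.Now().UTC(),
		Remote:  r.RemoteAddr,
		Method:  r.Method,
		Path:    r.URL.Path,
		Query:   r.URL.RawQuery,
		Headers: r.Header.Clone(),
		Body:    string(body),
		Kind:    Classify(r.URL.Path, r.Header.Get("Content-Type"), r.Header.Get("Accept"), body),
	}, nil
}

// Respond sends a plausible answer per kind of probe, so the scanner treats the
// host as live and keeps revealing its wordlist and payloads.
func Respond(w http.ResponseWriter, rec RequestRecord) {
	switch rec.Kind {
	case "graphql":
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]map[string]string{"data": {"__typename": "Query"}})
	case "rest":
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{"status": "ok", "path": rec.Path})
	default:
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		io.WriteString(w, "<html><body>It works!</body></html>")
	}
}

// Handler logs every request as one JSON line and answers it.
func Handler(logger *log.Logger) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec, err := Record(r, 1<<20)
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		line, _ := json.Marshal(rec) // strings, headers and a time never fail to marshal
		logger.Println(string(line))
		Respond(w, rec)
	})
}

func main() {
	// The report's honeypot listened on every port behind a self-signed certificate;
	// this stand-in serves plain HTTP on one port (swap in srv.ListenAndServeTLS(cert, key)).
	srv := &http.Server{Addr: ":8080", Handler: Handler(log.New(os.Stdout, "", 0)), ReadHeaderTimeout: 5 * time.Second}
	log.Fatal(srv.ListenAndServe())
}
```

Each log line carries the remote address, method, path, query, headers and body, which is what you need afterwards to fingerprint scanners by their wordlists and to replay payloads against a real target in a lab. Capping the body read is deliberate: a honeypot that buffers unbounded uploads is itself a cheap denial-of-service target.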
And the results were startling: the average time for a newly deployed honeypot instance to be discovered was just 29 seconds, and the longest time to discovery was still only 34 seconds.
The most frequently targeted port was port 80, which accounted for 19% of requests; next was 26657 (the default Tendermint/Cosmos RPC port), followed by 443, 8080 and 8443.
In terms of endpoints, common names such as /status, /info, /health and /metrics were the ones attackers probed first, and therefore the ones most at risk.
“Endpoints like these will be discovered in well under two minutes,” the firm warned. “If your service absolutely requires public, unauthenticated endpoints, it would be better to use less common names, or even better, use a random UUID or SHA256 hash, similar to the approach for webhooks.”
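One way to apply that advice, as an added example that is not from the report: build the path from 32 bytes of crypto/rand, serve the unauthenticated endpoint only there, and answer every other path with the same 404 a missing route would get. The "health" prefix and the port are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"io"
	"log"
	"net/http"
	"strings"
)

// NewSecretPath returns "/<prefix>-<64 hex chars>" carrying 256 bits of entropy,
// so no wordlist scan will stumble on it.
func NewSecretPath(prefix string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return "/" + strings.Trim(prefix, "/") + "-" + hex.EncodeToString(b), nil
}

// Guarded serves next only on secretPath. Every other path gets the stock 404,
// and the comparison is constant-time, as for any secret-bearing value.
func Guarded(secretPath string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(r.URL.Path), []byte(secretPath)) != 1 {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// health is the unauthenticated endpoint we still want to expose.
func health(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	io.WriteString(w, `{"status":"ok"}`)
}

func main() {
	path, err := NewSecretPath("health") // prefix is an assumption of this example
	if err != nil {
		log.Fatal(err)
	}
	// Hand the path to the monitoring system out of band; keep it out of
	// OpenAPI specs, robots.txt and any page that links to it.
	log.Printf("health endpoint mounted at %s", path)
	log.Fatal(http.ListenAndServe(":8080", Guarded(path, http.HandlerFunc(health))))
}
```

Two caveats before relying on this: the secret travels in the URL, so it lands in access logs, proxy logs and browser history, and should be treated as a credential and rotated like one; and an unguessable path only removes the endpoint from wordlist scans, it does not make it authenticated, so anything behind it should still disclose nothing sensitive.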
Meanwhile, 54.4% of all requests targeted APIs rather than web applications, indicating that APIs have become the slightly more attractive attack surface. In terms of the diversity of unique exploits, however, web exploits still made up 52% of the total.
“This is particularly interesting because APIs only emerged as significant attack targets in recent years, whereas web applications have been a focal point for attackers for decades,” said the researchers.
“This shift underscores how quickly APIs have risen in prominence within the threat landscape, demanding more attention from security teams, despite their relatively recent entry into the spotlight.”
Attacks came from a broad geographical range, the company noted. Pfcloud UG, a hosting provider operating in Germany and the Netherlands, stood out as the source with the highest diversity of unique exploits, at 748.
DigitalOcean, active across multiple countries, was a close second.
“There is no dispute that the API attack surface is growing. API adoption is fueling business growth, and attackers follow the money,” the researchers said.
“The conclusions should drive organizations to adapt existing security practices and adopt new security tools. Discovery of your API attack surface is a must, and protection from API attacks in real time is a hard requirement.”