Developers deploying APIs face the danger of automated attacks and exploits just seconds after deployment.
Researchers from security vendor Wallarm performed a first-of-its-kind “honeypot” study in which a group of servers were equipped with a Golang API and left open to all ports in 14 locations.
What they found was an environment of attackers waiting to pounce on the servers and their underlying APIs with probes and exploit attempts. API exploit code was almost as common as web-based attacks, comprising 48% of exploit attempts.
“Newly deployed APIs are often less protected, unmanaged, and less secure,” wrote the Wallarm team.
“Our findings indicate that the average time for a newly deployed API to be discovered is just under 29 seconds.”
According to the report, attackers would for the most part look to access the common ports for malware networks. Ports 80, 26657, 443, and 8080 were all amongst the most common targets for attackers.
One avenue of intrusion that did stand out, however, was port 7547, most commonly associated with routers that use the CWMP-REST command.
“This port was used by Mirai botnet back in 2016, and is still impactful for older router models,” the researchers explained.
What the team found was that, in many cases, developers are not considering their servers that listen for API traffic as a weak point, though attackers are increasingly looking to target those commonly used protocols for exploits.
The most commonly targeted endpoints included Docker, UniFi, and Apache Hadoop. Should attackers exploit those protocols, they can take over the server.
In turn, this can lead to organizations being inadvertently exposed to network intrusions via internal servers that were never even intended to be facing the web over common protocols, let alone given security hardening.
“This report sheds light on a rapidly evolving attack surface and represents a groundbreaking effort in API security research,” said Ivan Novikov, CEO and founder at Wallarm.
“APIs are the foundation of modern applications, but their widespread deployment and inadequate protection make them an attractive target for attackers.”