Application programming interfaces (APIs) are increasingly being targeted in hostile takeover attempts, according to Akamai Technologies.
“We have a really consistent amount of credential abuse going on,” Steve Ragan, Akamai editor-security research and publications, said Feb. 20 during a webinar on the “State of the Internet/Security: Financial Services – Hostile Takeover Attempts.”
Although the focus of the webinar, like the firm’s latest “State of the Internet” security report, released one day earlier, was on the financial services sector, it’s clear that the media and entertainment industry ought to be aware of the threat also, based on comments by Ragan and other Akamai representatives on the webinar and data in the report.
Akamai’s research findings showed that from May 2019 and continuing on until the end of the year, there was a dramatic shift by criminals who started targeting APIs in an effort to bypass security controls.
And, according to Akamai’s data, up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly.
From December 2017 through November 2019, Akamai observed 85.4 billion credential abuse attacks, Ragan pointed out on the webinar. Almost 20% (more than 16.5 billion) of them, were against hostnames that were clearly identified as API endpoints, he said.
However, 20% was a conservative estimate, Martin McKeay, editorial director and security researcher, stressed on the webinar, adding that the actual number could actually be as high as 80%. After all, the 20% were just those that could obviously be identified as API endpoints.
Of the attacks, 473.5 million targeted organizations in the financial services industry, according to Akamai.
There were “tens of millions” and even “up to hundreds of millions of API attacks a day,” Ragan said, adding it was “consistent all throughout the reporting period.”
“It started to spike” around May 2019, he pointed out. The peak period happened in August, shortly after Akamai published its previous financial services report, he noted. That was the largest spike in targeted credential abuse since the firm started tracking these types of attacks, he said.
Part of the reason was a “flood of credential lists that hit the criminal market,” he said. There were many markets that were “shut down due to law enforcement activity” last summer, he pointed out. That led to “fire sales” by the criminals who didn’t get arrested, who, he added, were “dumping their lists and selling them really cheap” and “lower-tier criminals were scooping them up and just running them everywhere.”
Another explanation: “Criminals are very hyper-focused on their target, so if something’s not working, they’re going to try something else,” he said, adding: “Traditional means of credential stuffing just wasn’t cutting it for them, so now they started targeting APIs in an effort to bypass mitigations that were up on the front end.” Cybercriminals, after all, tend to be good at shifting their tactics “on the fly,” he noted.
“When it comes to all vertical” enterprise sectors, structured query language injection (SQLi) is the “dominant type of attack that we see,” but in financial services they make up a much lower percentage, he noted. The top type of web attack in financial services, he said, are ones that instead involve Local File Includes (LFI), a local file inclusion vulnerability that enables an attacker to include files that exist on the target web server.
“Gaming is the largest” distributed denial of service (DDoS) “vertical when it comes to attack events,” he pointed out. However, when looking at unique targets by verticals, financial services “jumps to first place,” he said.
Moving on to discuss the Zero Trust framework that was designed to address these attacks, Patrick Sullivan, senior director of global security strategy at Akamai, said that one major benefit is that, with this system, where you are is “irrelevant” in terms of the access that is granted to you.
Or, as Ragan said, “Zero Trust is trust no one ever” – not even if they’re on your network.
High tech is the sector adopting Enterprise Application Access (EAA) to enable access and identity controls the fastest, according to Akamai, which pointed out in its report that high tech firms make up 27.7% of EAA customers. Video media trails far behind, at 7.1%, with other digital media at just 2.9%. Therefore, media organizations clearly have a long way to go to catch up.
What is “key” to combat API attacks are using multifactor authentication and rate limiting on APIs because these initiatives “make the criminals look elsewhere,” Ragan said during the webinar’s Q&A. That is because when an attempt fails, they tend to move on, he said.
However, those initiatives still are “not a silver bullet – you have to constantly keep up with your security program,” he told listeners.
One more suggestion by the company at the end of the webinar: Stop recycling and sharing passwords.