API Attacks Increase During Lockdown


Cyber-attacks against API endpoints have increased since lockdown measures were introduced to slow the spread of COVID-19.

Threat research published today by California cybersecurity software company Cequence noted a huge spike in malicious traffic since April, with API endpoints being targeted far more than usual. 

For just one of its customers, Cequence researchers saw malicious traffic increase by 40% to 28 million events over the week commencing April 17, and the volume of attacks kept rising in the weeks that followed.

“Week of April 23rd saw a massive spike of 279% to 78M with one attack campaign peaking at 100,000 requests per minute,” noted researchers. “Week of May 1st showed yet another increase in malicious traffic to 139M requests or an 85% week over week increase.”

Attackers were found to be directing the lion’s share of traffic at one login API endpoint for the Android application. 

Asked why this particular API received a battering, CQ Threat Research team member and hacker in residence Jason Kent told Infosecurity Magazine: “Usually this is because an attack worked once against that endpoint. Often the focus API endpoint is old, learned either several months ago, or the attacker assumes the older endpoints are forgotten (often the case) and not monitored. 

“Additionally, it is much easier to decompose the API calls an application makes from Android because there are several tools to help with this, versus iOS, which is a bit more difficult.”

According to Kent, the biggest trend observed in attacks instigated since “stay safe” became a standard email sign-off has been a growth in overall volume. He added that the use of tactics built around volume, source IPs, and User-Agents (device type) has increased significantly.

“Attackers are obviously focused on account takeover and are clearly trying to get past mitigation efforts: traffic is being distributed across approximately 1 million residential IP addresses from 15,000 different organizations owned by Bulletproof Proxy vendors, and they are rotating 3 million user agents,” said Kent. 

“The heavy use of residential IP addresses, combined with Covid-19 driven stay-at-home orders, makes separating out malicious traffic from legitimate traffic even more important.  The attackers know if they can use residential IP addresses from Bulletproof Proxy Networks, they’ll be that much harder to catch and defend against.”
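The pattern Kent describes (one login endpoint, very high request rate, traffic spread across a proxy pool so that almost every request arrives from a different IP, and rotated User-Agent strings) is something a defender can look for in ordinary access logs. The script below is an added example written for this article, not Cequence's tooling or any product code; the JSON-per-line log format, the endpoint paths, the TEST-NET IP ranges, and the thresholds are all constructed assumptions. It buckets login requests by endpoint and minute, then flags buckets where several indicators line up at once: volume, failure rate, source-IP spread and User-Agent rotation.

```python
"""Flag distributed credential-stuffing patterns against a login API.

Added illustration for this article (not Cequence's code). Log format,
endpoint names, IP ranges and thresholds are assumptions.
"""
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are assumptions for illustration, not values from the article.
RPM_THRESHOLD = 50          # requests per minute to a single endpoint
FAIL_RATE_THRESHOLD = 0.8   # share of login attempts that failed
IP_SPREAD_THRESHOLD = 0.9   # distinct source IPs / requests in the bucket
UA_SPREAD_THRESHOLD = 0.9   # distinct User-Agent strings / requests


def build_sample_log():
    """Constructed access-log lines (one JSON object per line, assumed format)."""
    lines = []
    # Legitimate users: a handful of IPs and app versions, mostly successful logins.
    legit_ips = ["203.0.113.%d" % i for i in range(1, 6)]         # TEST-NET-3
    legit_uas = ["MyApp/4.2 (Android 10)", "MyApp/4.1 (Android 9)",
                 "MyApp/4.2 (iOS 13)"]
    for i in range(20):
        lines.append(json.dumps({
            "ts": "2020-05-01T12:34:%02dZ" % i,
            "path": "/api/v2/login",
            "ip": legit_ips[i % 5],
            "ua": legit_uas[i % 3],
            "status": 401 if i in (3, 11) else 200,
        }))
    # Credential stuffing against an older endpoint: every request from a
    # different (proxied) IP, a rotated User-Agent each time, nearly all failing.
    for i in range(60):
        lines.append(json.dumps({
            "ts": "2020-05-01T12:34:%02dZ" % (i % 60),
            "path": "/api/v1/android/login",
            "ip": "198.51.100.%d" % (i + 1),                       # TEST-NET-2
            "ua": "MyApp/3.%d (Android %d)" % (i, 5 + i % 4),
            "status": 200 if i in (7, 42) else 401,
        }))
    return lines


@dataclass
class WindowStats:
    requests: int = 0
    failures: int = 0
    ips: set = field(default_factory=set)
    uas: set = field(default_factory=set)


def aggregate(lines):
    """Bucket requests by (endpoint, minute) and collect per-bucket counters."""
    buckets = defaultdict(WindowStats)
    for line in lines:
        rec = json.loads(line)
        minute = rec["ts"][:16]            # "2020-05-01T12:34"
        s = buckets[(rec["path"], minute)]
        s.requests += 1
        if rec["status"] in (401, 403):
            s.failures += 1
        s.ips.add(rec["ip"])
        s.uas.add(rec["ua"])
    return buckets


def score_window(s):
    """Return the list of indicators one (endpoint, minute) bucket triggers."""
    reasons = []
    if s.requests >= RPM_THRESHOLD:
        reasons.append("volume")
    if s.failures / s.requests >= FAIL_RATE_THRESHOLD:
        reasons.append("failure_rate")
    # A residential proxy pool shows up as almost every request from a new IP...
    if len(s.ips) / s.requests >= IP_SPREAD_THRESHOLD:
        reasons.append("ip_spread")
    # ...and User-Agent rotation as almost every request carrying a new UA string.
    if len(s.uas) / s.requests >= UA_SPREAD_THRESHOLD:
        reasons.append("ua_rotation")
    return reasons


def detect(lines, min_indicators=2):
    """Map (endpoint, minute) -> indicators, for buckets with enough signals.

    Requiring more than one indicator keeps a single busy but legitimate
    client (volume only) from being flagged on its own.
    """
    findings = {}
    for key, s in aggregate(lines).items():
        reasons = score_window(s)
        if len(reasons) >= min_indicators:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (path, minute), reasons in sorted(detect(build_sample_log()).items()):
        print(minute, path, ", ".join(reasons))
```

Run stand-alone, the script reports only the `/api/v1/android/login` bucket, with all four indicators; the legitimate `/api/v2/login` traffic in the same minute triggers none of them. Per-IP rate limiting alone would miss the flagged bucket, since no single IP appears twice, which is exactly why the spread and rotation ratios are computed per endpoint rather than per client.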
