Cyber-attacks against API endpoints have increased since lockdown measures were introduced to slow the spread of COVID-19.
Describing the attacks leveled at just one of its customers, Cequence researchers saw malicious traffic increase by 40% to 28 million events in the week commencing April 17, and the volume kept rising in the weeks that followed.
“Week of April 23rd saw a massive spike of 279% to 78M with one attack campaign peaking at 100,000 requests per minute,” noted researchers. “Week of May 1st showed yet another increase in malicious traffic to 139M requests or an 85% week over week increase.”
Attackers were found to be directing the lion’s share of that traffic at a single login API endpoint used by the customer’s Android application.
Asked why this particular API received a battering, CQ Threat Research team member and hacker in residence Jason Kent told Infosecurity Magazine: “Usually this is because an attack worked once against that endpoint. Often the focus API endpoint is old, learned either several months ago, or the attacker assumes the older endpoints are forgotten (often the case) and not monitored.
“Additionally, it is much easier to decompose the API calls an application makes from Android because there are several tools to help with this, versus iOS, which is a bit more difficult.”
According to Kent, the biggest trend observed in attacks launched since “stay safe” became a standard email sign-off has been a growth in overall volume. He added that the use of tactics around volume, source IPs and User-Agents (device type) has also increased significantly.
“Attackers are obviously focused on account takeover and are clearly trying to get past mitigation efforts: traffic is being distributed across approximately 1 million residential IP addresses from 15,000 different organizations owned by Bulletproof Proxy vendors, and they are rotating 3 million user agents,” said Kent.
“The heavy use of residential IP addresses, combined with Covid-19 driven stay-at-home orders, makes separating out malicious traffic from legitimate traffic even more important. The attackers know if they can use residential IP addresses from Bulletproof Proxy Networks, they’ll be that much harder to catch and defend against.”
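The distributed pattern Kent describes, as an added example that is not part of the original article or of Cequence’s tooling: a Python script that aggregates a login endpoint’s access log per minute and flags minutes where a volume spike is spread thinly across many source IPs, User-Agents and usernames with a high failure rate. The log format, the thresholds and the sample log lines are all assumptions constructed for this example.

```python
"""Spot distributed account-takeover traffic against a login endpoint.

Added example, not code from the article or from Cequence. It assumes a
hypothetical access-log format for a login API:

    <ISO-8601 timestamp> <src_ip> "<user-agent>" <username> <http_status>

The signal it looks for is the pattern quoted in the article: a spike in
requests where almost every request comes from a different IP, a different
User-Agent and a different username, with a very high failure rate, so that
per-IP rate limits never trigger even though the endpoint is being stuffed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\d{3})$')


@dataclass(frozen=True)
class LoginEvent:
    minute: str   # timestamp truncated to the minute, e.g. 2020-05-01T10:00
    ip: str
    ua: str
    user: str
    status: int


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, ua, user, status = m.groups()
    return LoginEvent(ts[:16], ip, ua, user, int(status))


def minute_stats(events):
    """Aggregate per minute: volume, failure rate and IP/UA/username spread."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e.minute].append(e)
    stats = {}
    for minute, evs in sorted(buckets.items()):
        n = len(evs)
        per_ip = defaultdict(int)
        for e in evs:
            per_ip[e.ip] += 1
        stats[minute] = {
            "requests": n,
            "failure_rate": sum(e.status == 401 for e in evs) / n,
            "ip_ratio": len(per_ip) / n,          # 1.0 => every request from a new IP
            "ua_ratio": len({e.ua for e in evs}) / n,
            "user_ratio": len({e.user for e in evs}) / n,
            "max_per_ip": max(per_ip.values()),   # what a per-IP limiter would see
        }
    return stats


def classify_minute(s, baseline_rpm, spike=5.0, fail=0.8, spread=0.8):
    """'stuffing' when volume spikes and is spread thinly over many IPs and
    usernames with mostly failed logins; otherwise 'normal'. Thresholds are
    assumed starting points, not values from the article."""
    if (s["requests"] >= spike * baseline_rpm
            and s["failure_rate"] >= fail
            and s["ip_ratio"] >= spread
            and s["user_ratio"] >= spread):
        return "stuffing"
    return "normal"


def detect(lines, baseline_rpm):
    """Map each minute to its verdict plus the stats behind it."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {m: (classify_minute(s, baseline_rpm), s)
            for m, s in minute_stats(events).items()}


# Constructed sample log, not real traffic. Minute 10:00 is ordinary use:
# six logins from four home IPs, mostly successful.
SAMPLE_LOG = [
    '2020-05-01T10:00:03Z 203.0.113.10 "okhttp/3.12.1" alice 200',
    '2020-05-01T10:00:17Z 203.0.113.10 "okhttp/3.12.1" alice 200',
    '2020-05-01T10:00:25Z 203.0.113.22 "okhttp/4.2.0" bob 401',
    '2020-05-01T10:00:31Z 203.0.113.22 "okhttp/4.2.0" bob 200',
    '2020-05-01T10:00:44Z 198.51.100.7 "Dalvik/2.1.0" carol 200',
    '2020-05-01T10:00:58Z 198.51.100.9 "okhttp/3.12.1" dave 200',
]
# Minute 10:01 is the distributed attack: 40 requests, each from a different
# (residential-looking) IP with a rotated User-Agent and a different username.
for i in range(40):
    SAMPLE_LOG.append(
        f'2020-05-01T10:01:{i:02d}Z 192.0.2.{i + 1} "bot-ua-{i % 37}" user{i:03d} '
        + ('200' if i == 13 else '401'))   # one credential from the list works


if __name__ == "__main__":
    for minute, (verdict, s) in detect(SAMPLE_LOG, baseline_rpm=6).items():
        print(minute, verdict, s)
```

In the attack minute `max_per_ip` is 1, which is the point of the residential-proxy rotation Kent describes: a per-IP throttle sees nothing unusual, and only the aggregate view (volume against a learned baseline, spread of IPs and usernames, failure rate) separates the campaign from the legitimate stay-at-home traffic. In production the baseline would come from historical per-minute counts rather than a constant, and a verdict of `stuffing` should drive step-up authentication or endpoint-level throttling rather than blocking individual residential IPs.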