Blame the bot – how cybercriminals are exploiting API vulnerabilities
Each year Australian businesses are losing up to US$2 billion due to vulnerabilities in application programming interfaces (APIs) and bot-driven cyberattacks.
Cybersecurity firm Imperva’s Economic Impact of API and Bot Attacks report attributed one in four cybersecurity incidents in Australia to the growing threat posed by greater use of APIs.
Globally, on average, it is estimated that businesses lose US$94-186 billion to bot attacks and API insecurities each year. The report found the APAC region accounted for 17.7% of all API and bot-related security breaches in 2023, resulting in more than US$16.6 billion in business losses. The region saw the highest rate of API-related attacks at 14%, and 24% of attacks were bot-related, the second highest globally after Africa.
API – an explanation
An API is a set of rules and protocols that allows different software applications to communicate with each other to exchange data, features and functionality. IBM notes that APIs simplify and accelerate application and software development by allowing developers to integrate data, services and capabilities from other applications, instead of developing them from scratch.
APIs act as bridges, facilitating the sharing of information and functionalities. “It’s useful to think about API communication in terms of a request and response between a client and server. The application submitting the request is the client, and the server provides the response. The API is the bridge establishing the connection between them,” notes IBM.
The modern digital economy makes it increasingly necessary for businesses to rely on APIs to directly access their most critical data and assets, and to create communications with partners and consumers.
IBM notes API examples include:
- Universal logins – the function that enables people to log in to websites by using their Facebook, X, or Google profile login details.
- Internet of Things (IoT) – these ‘smart devices’ offer added functionality, such as internet-enabled touchscreens and data collection, through APIs.
- Navigation apps – use core APIs that display static or interactive maps and may also use other APIs and features to provide users with directions, speed limits, points of interest, traffic warnings and more.
- Social media – social media companies use APIs to allow other entities to share and embed content featured on social media apps to their own sites.
- Software-as-a-Service (SaaS) applications – platforms like CRMs (customer relationship management tools) often include several built-in APIs that let businesses integrate with applications they already use, such as messaging, social media and email apps.
The proliferation of cloud computing, mobile apps, and IoT have all accelerated the adoption of APIs – which act as the building blocks of software applications and enable developers to integrate third-party services, enhance functionalities, and create innovative solutions quickly.
“The explosion of APIs across industries has been driven by their unparalleled ability to enhance connectivity, streamline operations, and enable innovation. Organisations are leveraging APIs to achieve interoperability, accelerate development cycles, and offer enhanced user experiences. From e-commerce platforms integrating payment gateways to healthcare systems sharing patient data securely, APIs enable organisations to harness the strengths of specialised services and technologies without having to reinvent the wheel,” reported The Hacker News.
The ability of APIs to enable rapid development, seamless integration, and enhanced user experiences across web and mobile applications is driving increased adoption. The Imperva Impact report noted that, in 2023, the average enterprise managed 613 API endpoints – and the number is set to increase as businesses further digitise operations.
Experts predict that, by 2025, 90% of all web-enabled applications will use APIs as their primary data exchange mechanism, up from 80% in 2024.
Imperva’s State of API Security in 2024 Report found 71% of internet traffic in 2023 was API calls. In addition, it was found that a typical enterprise site saw an average of 1.5 billion API calls in 2023.
APIs are being targeted by cybercriminals
Increasing use and functionality has made APIs attractive targets for cybercriminals. Many APIs have access to sensitive and critical data that they do not always adequately protect.
In fact, APIs are now a common attack vector for cybercriminals because they provide a direct pathway to access such data.
One of Australia’s biggest data breaches has been attributed to an API vulnerability. The Optus breach, which saw the personal information of 9.5 million customers exposed, has been blamed on a coding error that broke API access controls, and was left in place for years.
Cybercriminals use a variety of API attacks. According to Salt Security the most common types of API attacks include:
- Lack of visibility and governance exploitation – where attackers exploit unknown or unsecured APIs, including shadow or zombie APIs, to gain unauthorised access. In 2023, 45.8% of all account takeover attacks recorded by Imperva targeted API endpoints.
- Abuse and misuse of APIs – where attackers manipulate APIs according to their intended design to achieve malicious outcomes, such as data exfiltration. Imperva data for 2023 showed 8% of all DDoS attacks on APIs targeted sites in Australia.
- Business logic flaw exploitation – where attackers conduct reconnaissance to identify vulnerabilities in the unique business logic of each API enabling unauthorised access or data manipulation. In 2023, 27% of attacks targeting APIs were business logic attacks, according to Imperva.
- Stolen credentials and social engineering – where attackers use social engineering techniques to gain access to privileged API keys, allowing them to impersonate legitimate users.
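The access-control failure described in the Optus paragraph above, and the business logic flaw category in the list, come down to the same thing: an endpoint that trusts the identifier in the request and never checks who is asking. The following Python is an added example, not code from this article, Imperva, Salt Security or Optus. It shows that vulnerable pattern beside a hardened version of the same route, with a small "bot" that walks sequential IDs against each. The customer table, the session tokens and the route name are constructed for illustration.

```python
"""Broken object-level authorisation on a customer-lookup API: the vulnerable
pattern beside a hardened one. Added illustrative example; the data, tokens and
route are constructed and are not any real organisation's code."""
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, dict]
Handler = Callable[[str, dict], Response]

# Constructed sample customer table, keyed by a sequential numeric ID.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Citizen", "email": "a@example.com", "licence": "AC123456"},
    1002: {"name": "B. Resident", "email": "b@example.com", "licence": "BR654321"},
}

# Constructed session store: bearer token -> customer ID the token was issued to.
SESSIONS: Dict[str, int] = {"tok-for-1001": 1001}

ROUTE_PREFIX = "/api/customer/"


def _customer_id(path: str) -> Optional[int]:
    """Return the numeric ID from /api/customer/<id>, or None if the path is not that route."""
    if not path.startswith(ROUTE_PREFIX):
        return None
    try:
        return int(path[len(ROUTE_PREFIX):])
    except ValueError:
        return None


def vulnerable_get_customer(path: str, headers: dict) -> Response:
    """The pattern the article attributes to the Optus breach: the endpoint returns
    any record by ID and never asks who is calling. Anyone who can reach it can
    walk the ID space (1000, 1001, 1002, ...) and harvest the whole table."""
    record = CUSTOMERS.get(_customer_id(path))
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def hardened_get_customer(path: str, headers: dict) -> Response:
    """Same route with authentication first, then object-level authorisation."""
    # 1. Authenticate: the request must carry a bearer token we issued.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    subject = SESSIONS.get(auth[len("Bearer "):])
    if subject is None:
        return 401, {"error": "invalid token"}
    # 2. Authorise: least privilege means a customer may read only their own record.
    cid = _customer_id(path)
    if cid is None:
        return 400, {"error": "bad request"}
    if cid != subject:
        # 404 rather than 403, so the response does not confirm that another ID exists.
        return 404, {"error": "not found"}
    record = CUSTOMERS.get(cid)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def enumerate_ids(handler: Handler, headers: dict, first: int, last: int) -> int:
    """Simulate a bot walking sequential IDs; returns how many records it harvested."""
    harvested = 0
    for cid in range(first, last + 1):
        status, _ = handler(f"{ROUTE_PREFIX}{cid}", headers)
        if status == 200:
            harvested += 1
    return harvested


if __name__ == "__main__":
    own = {"Authorization": "Bearer tok-for-1001"}
    print("vulnerable, no credentials:", enumerate_ids(vulnerable_get_customer, {}, 1000, 1010))
    print("hardened, no credentials:  ", enumerate_ids(hardened_get_customer, {}, 1000, 1010))
    print("hardened, own token:       ", enumerate_ids(hardened_get_customer, own, 1000, 1010))
```

Against the vulnerable handler the loop harvests every record in the range with no credentials at all; against the hardened one it gets nothing without a token and only the caller's own record with one. Replacing the sequential numeric IDs with opaque, non-guessable identifiers would be a further defence in depth, but it is not a substitute for the authorisation check.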
According to cloud computing provider Akamai, the number of attacks on web applications and APIs is rising – having increased 49% between Q1 2023 and Q1 2024. A total of 108 billion API attacks were recorded from January 2023 through June 2024.
API abuse (where threat actors use APIs to obtain, steal or manipulate data) is a growing concern for businesses that rely on APIs to provide access to their data and services. The abuse can occur in various forms, including data breaches, unauthorised access, and distributed denial-of-service (DDoS) attacks.
Bot attacks are on the rise
A favoured way of exploiting APIs is the use of sophisticated bots, which automate many aspects of cyberattacks, enabling cybercriminals to exploit business logic vulnerabilities – often leading to significant financial and reputational damage.
CSO Online describes botnets as: “A collection of internet-connected computers – the ‘bots’ – that are under remote control from some outside party. Usually these computers have been compromised by some outside attacker who controls aspects of their functionality without the owners knowing. Because there are many bots, the controllers basically have access to a sort of hacked-together supercomputer that they can use for nefarious purposes and, because the bots are distributed over various parts of the internet, that supercomputer can be hard to stop.”
As APIs are built for automation, finding and exploiting insecure ones can be very profitable. Because APIs are specifically built to give fast, easy access to large amounts of structured data, the potential impact of a successful exploitation is considerable: a script that calls an endpoint in a loop can exfiltrate data far faster and more easily than one that has to scrape rendered pages from a web application.
In API abuse, bots can be used to exploit API endpoints to make mass requests, scrape data and launch damaging attacks.
Imperva notes: “Bot operators and attackers can conduct malicious activities such as web scraping, competitive data mining, personal and financial data harvesting, brute-force login attempts, scalping, digital ad fraud, denial-of-service attacks, spamming, and transaction fraud. These activities consume bandwidth, slow servers, and steal sensitive data, resulting in financial losses and reputational damage.”
The scale of API abuse is concerning. Traceable’s 2023 State of API Security Report found 74% of organisations experienced at least three API-related breaches in 2023, with 40% facing five or more. One study found that bots were responsible for 40% of global web traffic, most of it hitting vulnerable APIs to steal data, manipulate inventory, and take over accounts.
Imperva notes that 30% of global API security breaches in 2023 were caused by automated bot-driven attacks. Automated API abuse by bots costs organisations up to US$17.9 billion annually.
API and bot-related security incidents are becoming more frequent. In 2022, API-related security incidents rose by 40%, and bot-related security incidents spiked by 88%.
Mitigating the cyber threat
“Business leaders should take proactive measures to assess and interpret the potential risk to their bottom line and adopt a holistic solution that covers the entire application landscape without impacting the end-user experience”, notes Imperva.
To help mitigate the risk of API abuse and bot-driven cyberattack, businesses may consider:
- Ensuring accurate visibility – Conduct a full audit to discover, classify and inventory all APIs, their endpoints, parameters and payloads, and record what each API can access. Ensure complete visibility of each tool, how it integrates with the business' systems, and how it could be exploited in an attack.
- Auditing APIs – Use continuous discovery to keep the API inventory up to date and to disclose exposure of sensitive data. Remove any APIs that no longer serve a purpose (the shadow and zombie APIs noted above).
- Adopting an appropriate security approach – Identify and protect sensitive and high-risk APIs using measures that integrate a web application firewall (WAF), API protection, DDoS prevention and bot protection.
- Using strong authentication and authorisation – Implement multi-factor authentication (MFA) and robust authorisation checks on every request, including a check that the caller is entitled to the specific record requested. Follow the principle of least privilege to restrict access.
- Using encryption – Protect data in transit with TLS. Encrypt sensitive data stored within the API's backing systems.
- Performing risk assessments – Conduct thorough security testing, including vulnerability assessments and penetration testing, to identify potential weaknesses.
- Establishing a robust monitoring system – Monitor API endpoints to detect and analyse suspicious behaviours and access patterns, such as bursts of requests or sequential identifier lookups from a single client.
- Maintaining security – Conduct regular API security assessments to identify vulnerabilities. Regularly review API code to ensure adherence to security best practices.
- Preventing API threats – Use automated security validation to confirm that security controls are effective and that new vulnerabilities have not emerged. Keep all software components updated with the latest security patches.
- Vetting third-party API security – Thoroughly vet and assess the security practices of third-party providers.
- Fostering collaboration – Ensure developers and security personnel work together to deliver APIs.
- Providing security training and awareness – Educate developers, system administrators and other stakeholders about API security best practices.
- Creating an incident response plan – Develop a comprehensive incident response plan outlining the steps to take in a security breach.
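Monitoring API endpoints is where the bot signals described earlier in the article (mass requests, identifier scraping, brute-force logins) become actionable. As an added example that is not Imperva's, Akamai's or EBM's code, the following Python runs three simple detections over a handful of constructed API access log lines. The log format, the client IP addresses and every threshold are assumptions chosen for the illustration and would need tuning for a real API's traffic.

```python
"""Detecting API abuse and bot traffic from access logs. Added example; the log
lines are constructed and the thresholds are assumptions to be tuned per API."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: timestamp, client IP, method, path, status. Three clients:
# 203.0.113.5 walks sequential customer IDs at speed (scraper bot), 198.51.100.7
# hammers the login endpoint (credential stuffing), 192.0.2.20 behaves normally.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 GET /api/customer/1001 200
2024-05-01T10:00:00Z 203.0.113.5 GET /api/customer/1002 200
2024-05-01T10:00:01Z 203.0.113.5 GET /api/customer/1003 200
2024-05-01T10:00:01Z 203.0.113.5 GET /api/customer/1004 200
2024-05-01T10:00:02Z 203.0.113.5 GET /api/customer/1005 200
2024-05-01T10:00:02Z 203.0.113.5 GET /api/customer/1006 200
2024-05-01T10:00:03Z 203.0.113.5 GET /api/customer/1007 200
2024-05-01T10:00:03Z 203.0.113.5 GET /api/customer/1008 200
2024-05-01T10:00:04Z 203.0.113.5 GET /api/customer/1009 200
2024-05-01T10:00:04Z 203.0.113.5 GET /api/customer/1010 200
2024-05-01T10:00:05Z 198.51.100.7 POST /api/login 401
2024-05-01T10:00:06Z 198.51.100.7 POST /api/login 401
2024-05-01T10:00:07Z 198.51.100.7 POST /api/login 401
2024-05-01T10:00:08Z 198.51.100.7 POST /api/login 401
2024-05-01T10:00:09Z 198.51.100.7 POST /api/login 401
2024-05-01T10:00:10Z 198.51.100.7 POST /api/login 200
2024-05-01T10:00:12Z 192.0.2.20 POST /api/login 200
2024-05-01T10:00:15Z 192.0.2.20 GET /api/customer/2231 200
2024-05-01T10:03:00Z 192.0.2.20 GET /api/customer/2231/orders 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")
ID_RE = re.compile(r"^/api/customer/(\d+)$")


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m.group(2), "method": m.group(3),
            "path": m.group(4), "status": int(m.group(5)),
        })
    return events


def analyse(events: List[dict], window: timedelta = timedelta(seconds=10),
            burst_limit: int = 8, auth_fail_limit: int = 5,
            enum_min: int = 6) -> Dict[str, List[str]]:
    """Return {client_ip: [signals]} for clients showing bot-like API use.
    Signals: 'burst' (more than burst_limit requests inside one window),
    'auth_failures' (auth_fail_limit or more 401s on the login endpoint),
    'id_enumeration' (enum_min or more object lookups whose IDs step by one)."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings: Dict[str, List[str]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        signals = []
        # Sliding window over timestamps: flag the first window that exceeds the limit.
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > burst_limit:
                signals.append("burst")
                break
        # Brute-force / credential-stuffing signal: repeated 401s on login.
        fails = sum(1 for e in evs if e["path"] == "/api/login" and e["status"] == 401)
        if fails >= auth_fail_limit:
            signals.append("auth_failures")
        # Enumeration signal: object IDs that mostly advance by exactly one.
        ids = [int(m.group(1)) for e in evs if (m := ID_RE.match(e["path"]))]
        steps = [b - a for a, b in zip(ids, ids[1:])]
        if len(ids) >= enum_min and sum(s == 1 for s in steps) >= 0.8 * len(steps):
            signals.append("id_enumeration")
        if signals:
            findings[ip] = signals
    return findings


if __name__ == "__main__":
    for ip, signals in analyse(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", ", ".join(signals))
```

Keying on source IP is the simplest choice and the one bots defeat first by rotating through proxies; in practice the same signals are computed per API key, session or device fingerprint as well. The enumeration check deliberately tolerates a few gaps, since a scraper that skips deleted records still walks the ID space.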
The adoption and use of APIs will continue to grow as businesses embrace digital transformation. To reduce the risk of your business falling victim to API abuse, be sure to understand existing API sets and implement effective security processes for future deployments. You should also talk to your EBM Account Manager about protecting your business with appropriate cyber insurance.