Newly deployed and potentially unprotected APIs are being discovered in under half a minute, at extremely low cost to threat actors, according to new research from Wallarm.
The security firm designed what it claims to be the first ever API honeypot, in order to compile its new report, Gone in 29 Seconds: The World’s First API Honeypot. Its findings are taken from the first 20 days of activity, which took place in November 2024.
Wallarm warned that newly deployed APIs in particular represent a security risk, as many are unmanaged and may be less-well protected than they should be.
A plurality of the requests reached the honeypot via port 80 (19%), followed by port 26657, port 443, port 8080 and finally port 8443.
The most common attack types were CVE exploitation (40%), discovery (34%) and authentication checks (26%). The most frequently probed API endpoint was named “/status,” according to the report.
“It’s clear that you should not name your public and non-authenticated API endpoints with common names like /status, /info, /health or /metrics,” warned the report. “If your service absolutely requires public, unauthenticated endpoints, it would be better to use less common names, or even better, use a random UUID or SHA256 hash, similar to the approach for webhooks.”
The report also revealed that APIs are now a more attractive target than web applications, accounting for over 54% of total requests versus a little over 45% for web apps. However, in terms of diversity of unique exploits, those targeting web infrastructure accounted for 52%.
More concerning, Wallarm calculated that threat actors can launch attacks at 50 requests per second, distributed across 50 IP addresses, using minimal cloud infrastructure ($50-$150 per month per IP).
By employing batching or single-request techniques, an attacker could steal 10 million records this way in around a minute or less, at relatively low cost and, because the bandwidth involved is minimal, in a manner that is hard to detect.
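As an added illustration that is not part of Wallarm's report, the following Python script turns both observations into detection logic run over constructed access-log lines: it flags requests to the commonly named unauthenticated endpoints the report warns about, and it reports any one-second bucket where a high aggregate request count is spread over many source IPs, the low-per-IP, high-aggregate pattern described above. The log line format, the thresholds and every IP address are assumed or constructed for the example.

```python
import re
from collections import defaultdict

# Endpoint names the report singles out as the most frequently probed.
COMMON_ENDPOINTS = {"/status", "/info", "/health", "/metrics"}

# Constructed log format (assumed, not a real server's format):
# "<client_ip> <epoch_seconds> <method> <path> <http_status>"
LOG_RE = re.compile(r"^(\S+) (\d+(?:\.\d+)?) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    # Drop the query string so /health?verbose=1 still matches /health.
    return {"ip": ip, "ts": float(ts), "method": method,
            "path": path.split("?", 1)[0].lower(), "status": int(status)}

def flag_common_endpoint_probes(lines):
    """Map each commonly named endpoint that was hit to the set of source IPs."""
    hits = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] in COMMON_ENDPOINTS:
            hits[rec["path"]].add(rec["ip"])
    return dict(hits)

def distributed_bursts(lines, rate_threshold=50, min_ips=10):
    """Return {second: (requests, distinct_ips)} for each one-second bucket whose
    request count reaches rate_threshold AND is spread over at least min_ips
    distinct IPs, so a single busy client does not trigger the alert."""
    per_sec = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_sec[int(rec["ts"])].append(rec["ip"])
    return {sec: (len(ips), len(set(ips))) for sec, ips in per_sec.items()
            if len(ips) >= rate_threshold and len(set(ips)) >= min_ips}

# Constructed sample: two scanners probing common names, then 60 requests in
# one second from 20 IPs (3 each), then a single benign request.
SAMPLE_LOG = [
    "203.0.113.5 999 GET /status 200",
    "203.0.113.5 999 GET /health?verbose=1 200",
    "198.51.100.9 999 GET /metrics 401",
    "198.51.100.9 999 GET /api/v1/users 401",
] + [f"192.0.2.{i % 20 + 1} 1000.{i:02d} GET /api/v1/users?page={i} 200"
     for i in range(60)] + ["203.0.113.77 1001 GET /api/v1/users 200"]
```

On the sample, `flag_common_endpoint_probes` reports the /status, /health and /metrics hits with their source IPs, and `distributed_bursts` flags second 1000 with 60 requests from 20 distinct IPs while the lone benign request at second 1001 is ignored.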
“There is no dispute that the API attack surface is growing. API adoption is fuelling business growth and attackers follow the money,” the report concluded. “The conclusions [of this report] should drive organizations to adapt existing security practices and adopt new security tools.”