Akamai Technologies has released a new State of the Internet (SOTI) report, which highlights that businesses, especially manufacturers in Asia-Pacific and Japan (APJ), are at great risk as cybercriminals continue to exploit APIs to conduct attacks.
Lurking in the Shadows: Attack Trends Shine Light on API Threats highlights the array of attacks that are targeting APIs and finds that 15 percent of overall web attacks in APJ targeted APIs from January through December 2023. The manufacturing sector in APJ is most at risk: it had the highest share of API-targeted attacks of any industry, with nearly one out of three (31.2 percent) of its web attacks targeting APIs. Akamai expects attacks to spike as the demand for API use increases, and strongly urges organizations to prioritize properly accounting for and securing their APIs – or risk suffering breaches.
APIs enable software, systems, and devices to communicate with one another, and are vital to most organizations because they have improved both employee and customer experiences. APIs are highly valuable to manufacturers as they enable the use of Industrial Internet of Things devices to increase efficiency, accelerate production, and enable real-time management of factories and inventories. Unfortunately, this digital innovation and the rapid expansion of the API economy have presented cybercriminals with new opportunities for exploitation. Successful attacks against APJ manufacturers can cause serious repercussions worldwide, given Asia’s crucial role as a global manufacturing hub.
“APIs are increasingly critical to organizations, but they are also challenged with protecting APIs effectively, as security is often not properly baked into the rapid development and deployment processes of newer technologies like APIs,” explained Reuben Koh, Security Technology and Strategy Director (APJ), Akamai. “As manufacturers use more APIs to enable real-time production monitoring, predictive maintenance, and cost optimization, they need to be more aware of the risks they are exposed to.”
Lurking in the Shadows analyzes some of the most common problem areas regarding posture and runtime challenges. Other key findings of the report include:
- The top sectors suffering the highest percentage of web attacks that targeted APIs were manufacturing at 31.2%, followed by gaming at 25.2%, high tech at 24.4%, video media at 24.0%, and commerce at 22.3%.
- The top five regions with the highest percentage of web attacks targeting APIs were South Korea at 47.9%, Indonesia at 39.6%, Hong Kong SAR at 38.7%, Malaysia at 26.4%, and Japan at 23.4%. These were followed by India (19.0%), Australia (15.6%), Singapore (5.8%), the Philippines (5.5%), and New Zealand (4.8%).
- In APJ, top attack methods include Local File Inclusion (LFI) at 16.8%, Server-Side Request Forgery (SSRF) at 11.8%, and Web Attack Tool (WAT) at 10.4%. Attackers are also favoring the use of newly surfaced vectors, like Command Injection (CMDi) at 9.1%, which underscores that adversaries are continuously finding new methods and avenues to exploit targets.
- Business logic abuse is a critical concern as it is challenging to detect abnormal API activity without establishing a baseline for API behavior. Organizations in APJ without solutions to monitor anomalies in their API activity are at risk of runtime attacks like data scraping — a new data breach vector that uses authenticated APIs to slowly scrape data from within.
- Bot requests are also concerning in APJ – nearly half of the more than two trillion suspicious bot requests were aimed at APIs.
- APIs are at the heart of most digital transformations today, so it is paramount for APJ businesses to understand their industry’s trends and relevant threats, like loyalty fraud, abuse, authorization, and carding attacks.
- Organizations in APJ need to think about compliance requirements and emerging legislation early in their security strategy process to avoid the need to re-architect. Examples include section 6 of the upcoming Payment Card Industry Data Security Standard (PCI DSS) v4.0 on new API standards.
“Companies in APJ must ensure that the APIs they use are properly discovered and documented – and have complete visibility into their purpose and the risks they bring,” said Koh. “Businesses also need to keep themselves updated on API threats – especially on emerging ones like API business logic abuse – and follow industry guidelines to protect against misconfiguration and vulnerabilities. Our new report provides key insights to help organizations leverage best practices to enhance security, as the use of APIs becomes more prevalent across all industries.”