Tales from the Front Lines: Attackers on Lockdown Focus on APIs

May 15, 2020 | by Jason Kent

While the world is battling a Pandemic, our customers are battling an increase in bot activity, as evidenced by traffic and attack patterns over the last four weeks. To an attacker, being in lockdown means they may have more time to focus on their malicious actions.

API endpoints seem to be taking more of the brunt of the attacks than normal; in one case, 24 million events occurred in total against web and API, representing 4.5 million events in legitimate traffic with 19.5 million events being attack traffic. The lion’s share of the attack traffic, 15 million events, was aimed at one login API endpoint for the android application. This attack has been ongoing since lockdown orders began going into place and has changed very little.

A timeline of attack increases we saw at one customer:

  • Week of April 17thsaw malicious traffic increase by 40% to 28M generated by several campaigns. One of the more significant campaigns targeted the Android Login API with traffic routed through Azure, as well as a Spectrum, Comcast, AT&T, and Turk Telekom.
  • Week of April 23rdsaw a massive spike of 279% to 78M with one attack campaign peaking at 100,000 requests per minute. The largest campaign targeted the Android login API with 21.5M requests over 13 hours. The attack rotated user agents with high frequency, delivering over 1M US variations. Additional attack characteristics include requests exhibited suspicious product parameters and z-device IDs. The activity was seen mainly coming from Indonesian and Chinese infrastructure, such as PT Telkom Indonesia and China Telecom.
  • As time moved on in April, the login API was heavily targeted as the attackers searched for ways to ensure more authentication attempts were successful. One such method was to vary the attacker fingerprint by changing IP addresses and User Agent (browser types). The latest campaign shows almost 1.5 million IP addresses using over 4 million different user agents attacking a single API endpoint.
  • Week of May 1st showed yet another increase in malicious traffic to 139M requests or an 85% week over week increase. This week, both the web login and the Android login API were hit hard. The web login attack was easily detected – a single UA, a small set of IP addresses – as 100% malicious and blocked with ease. The attack against the Android API was far more sophisticated. This campaign emanated from outside the in-place geofence rules. It exhibited the following characteristics: invalid device token, a missing time tracking token in the query params, or performing UA rotation for a given source IP.

From an operational perspective, organizations have to either take on the greater load from the attackers or their applications are going to start to perform poorly.  In several cases, the operations teams within our customer base are tuning for 90%+ of their traffic to be bot attacks, with only 10% being legitimate transactions. Expensive operational build-out for traffic that never generates revenue is hard to justify, and cutting the attack traffic out of the picture results in high-speed and highly responsive applications that users enjoy.

How does the attacker find all these places to attack?  API endpoints often aren’t published by an organization that has a mobile app but, rather, are used internally and known internally for application communication. One-way attackers can find out what API endpoints are available is to load an intercept proxy on a laptop or desktop and make a mobile device use the intercept proxy as the proxy for the mobile device. Another way is to take the mobile application apart and look for the API endpoints. Most android applications’ current and past versions appear on apkpure.com. Finding API endpoints and no longer used API endpoints is quickly done via enumeration that the victim organization has no idea is happening. In the case mentioned above, the attackers looked at old APK files for old Android Apps and figured out the API endpoints that used to be part of the app. They can then attack the API endpoints as the associated security is typically not as sophisticated as it is for web or other endpoints.

As the level of attacker sophistication increases, organizations must respond in kind. APIs are a readily available target and while the world is on lockdown, API attacks continue to increase. As a security community, we just need to ensure that the increased focus on APIs from attackers is at very least equally matched by our security teams’ attention and action.

Jason Kent


Jason Kent

Hacker in Residence

Additional Resources