In the first month of 2024, the frequency of API attacks has escalated, affecting on average 1 in 4.6 organisations every week — a 20% increase from January 2023. This upward trend, observed by Check Point Research in the Check Point ThreatCloud AI data, underscores the critical need for robust API security strategies.
The report states that the landscape of cyber security is continuously evolving, with Web Application Programming Interfaces (APIs) becoming a focal point for cyber attackers. APIs, which facilitate communication between different software applications, present a broader attack surface than traditional web applications.
The impact of these attacks is widespread across various industries, with education being the most targeted. The telecommunications sector saw the most significant increase in attacks (+46%), although most sectors also experienced a double-digit increase from last January, emphasising the urgent need for enhanced security measures across all sectors. Interestingly, a significant drop of 18% was seen in the Information Technology sector, who might have exercised more precautions as major providers and users of API services.
Moreover, as the cloud threat landscape evolves, cloud-based organisations face a growing threat of cyber attacks over web APIs. This January showed a 34% increase in attacks on cloud-based organisational networks compared to the previous year, almost double the increase seen in on-premises networks.
The impact of these attacks on cloud-based networks is now also higher overall than in on-prem environments, fueled by organisations shifting their operations to the cloud along with web application APIs, making it an attractive attack vector.
This exposure is due to the inherent vulnerabilities within Web APIs that can lead to authentication bypasses, unauthorised data access, and a range of malicious activities. Despite the implementation of security measures by organisations, the existence of “shadow” APIs—those not officially created or secured by the organisation—poses additional risks, as does the adoption of third-party APIs, which may later reveal vulnerabilities that jeopardise all using entities.
Cloud vs. On-Premises:
| Network Type | Weekly Impacted Organisations | Change from Jan. 2023 |
| Cloud | 1 in 4.2 | +34% |
| On-Prem | 1 in 4.6 | +20% |
API Attacks Impact by Industry:
| Industry | Weekly Impacted Organisations | Change from Jan. 2023 |
| Education | 1 in 4 | -7% |
| Telecommunications | 1 in 4.2 | +46% |
| Software | 1 in 4.2 | +32% |
| Government | 1 in 4.3 | +6% |
| Business Services | 1 in 4.4 | +41% |
| Financial Services | 1 in 4.6 | +21% |
| Healthcare & Medical | 1 in 4.6 | +23% |
| Hardware & Semiconductors | 1 in 4.7 | +14% |
| Hospitality, Travel, & Recreation | 1 in 4.7 | +40% |
| Wholesale & Distribution | 1 in 4.9 | +29% |
| Energy & Utilities | 1 in 5.2 | +23% |
| Industrial Manufacturing | 1 in 5.5 | +8% |
| Information Technology | 1 in 5.6 | -18% |
| Transportation & Logistics | 1 in 6.7 | +3% |
API attacks Impact by Region:
North America is the most impacted region with 1 in 4.3 organisations suffering such attacks on average per week. Africa had the largest rise in attacks compared to January last year, with an 85% increase equating to 1 in 4.9 organisations impacted weekly.
| Region | Weekly Impacted Organisations | Change from Jan. 2023 |
| North America | 1 in 4.3 | +39% |
| Latin America | 1 in 4.4 | +39% |
| Europe | 1 in 4.5 | +1% |
| APAC | 1 in 4.7 | +71% |
| Africa | 1 in 4.9 | +85% |
Known Vulnerabilities related to API attacks:
Key vulnerabilities identified include serious security flaws in products from Fortinet, Joomla!, and ownCloud, which have facilitated unauthorised access and information disclosure. Furthermore, Ivanti’s recent encounter with zero-day vulnerabilities has resulted in significant breaches, including unauthorised access and crypto-mining malware deployment, demonstrating the sophisticated nature of modern cyber threats.
- Fortinet Multiple Products Authentication Bypass (CVE-2022-40684) – 9.8 CVSS. Disclosed in October 2022, this is a security vulnerability that allows unauthorised users to bypass authentication measures in various Fortinet products. During 2023 this vulnerability impacted on average 1 in every 40 organisations worldwide per week.
- Joomla! Authentication Bypass (CVE-2023-23752) – 5.3 CVSS. Disclosed in February 2023, this is a security vulnerability that allows unauthorised access to Joomla! websites, potentially compromising user authentication measures. During 2023 (after it was disclosed) this vulnerability impacted on average 1 in every 42 organisations worldwide per week.
- ownCloud Graph API Information Disclosure (CVE-2023-49103) – 7.5 CVSS. Disclosed in November 2023, this is a security vulnerability that could potentially expose sensitive information in ownCloud instances. During 2023 (after it was disclosed) this vulnerability impacted on average 1 in every 86 organisations worldwide per week.
Ivanti’s API Cyber Attacks attempts – zero-day API attack use case:
A publicly exposed vulnerability in a web API can allow attackers to perform many actions on the affected systems. An attacker may use a vulnerable API to exfiltrate data, download malicious files, and run arbitrary commands with potential consequences such as unauthorised access to personally identifiable information (PII).
In July 2023, a significant cyber security incident involving Ivanti Endpoint Manager Mobile (EPMM) was reported. The attackers exploited a zero-day vulnerability, identified as CVE-2023-35078, which allowed unauthorised access to API endpoints. This affected all supported versions of the affected Ivanti products with the ability to manipulate EPMM servers. This vulnerability impacted on average 1 in every 31 organisations worldwide per week during 2023 (after it was disclosed).
The affected products included software used by the Norwegian government, potentially leading to unauthorised access, manipulation of data, and exposure of sensitive information.
In January 2024, Ivanti disclosed two zero-day vulnerabilities affecting web API components of “Ivanti Connect Secure (ICS)” and “Ivanti Policy Secure gateways.”
- CVE-2023-46805: An authentication bypass vulnerability exploited through directory traversal.
- CVE-2024-21887: A command injection vulnerability that also leverages directory traversal, enabling the execution of various payloads.
These vulnerabilities, observed to be actively exploited, led to cyber attacks, including the deployment of crypto-miner malwares and reverse shell scripts.
In addition, on January 31st CISA directed all the American federal agencies running Ivanti Connect Secure or Ivanti Policy Secure solutions to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.
Check Point Customers Remain Protected
Check Point’s Intrusion Prevention Systems blocks attempts to exploit weaknesses in vulnerable systems or applications, protecting users in the race to exploit the latest breaking threat. Check Point IPS protections in our Next Generation Firewall are updated automatically. Whether the vulnerability was released years ago, or a few minutes ago, your organisation is protected.
Conclusion
Organisations rely on hundreds of APIs to support their technologies, but with the proliferation of APIs they have become a massive attack surface for malicious actors. The number of API attacks has increased greatly over the past year.
Vulnerable Web APIs are susceptible to various threats and data breaches. API security must focus on protecting organisation’s data, rather than protecting individual applications.
Also Read: A Look into Kenya’s Cyber Security Landscape with Check Point
