Full Report
Wallarm honeypot research finds potentially exposed APIs are being discovered within half a minute
Analysis Summary
This summary is based on the provided article describing research on rapid API discovery and exploitation conducted using an API honeypot by Wallarm.
# Tool/Technique: API Discovery and Exploitation Methodology (Wallarm Honeypot Research)
## Overview
This entry describes the threat actor methodology observed via a specialized API honeypot deployed by Wallarm, highlighting the extreme speed (under 30 seconds) at which newly deployed, potentially unprotected APIs are discovered and targeted by attackers. The findings detail common attack vectors, frequently probed endpoints, and the cost-effective means actors use to launch large-scale reconnaissance and data exfiltration.
## Technical Details
- Type: Technique / Methodology Observation (Research Framework: API Honeypot)
- Platform: Web APIs (Platform agnostic for the API itself, attack observations are server-side focused)
- Capabilities: Rapid discovery, low-cost high-volume probing, targeted exploitation.
- First Seen: November 2024 (Observation period)
## MITRE ATT&CK Mapping
Since this entry focuses on adversary behavior observed via a honeypot rather than a specific piece of malware or established tool, the mapping covers the observed adversarial techniques:
- **TA0001 - Initial Access**
  - **T1190 - Exploit Public-Facing Application**
    - *Note: CVE exploitation accounted for 40% of observed attack types.*
- **TA0005 - Defense Evasion**
  - **T1070.007 - Indicator Removal: Web Session Cookie** (implied by bulk request scanning/testing for endpoint validity)
- **TA0010 - Exfiltration**
  - **T1589.003 - Gather Victim Identity Information: Credentials** (relevant to authentication checks)
- **TA0009 - Collection**
  - **T1595.002 - Active Scanning: Vulnerability Scanning** (relevant to discovery attempts)
## Functionality
### Core Capabilities
- **Rapid Discovery:** Identifying new API endpoints within seconds (29 seconds average for initial reach).
- **Port Probing:** Scanning common ports for API services; port 80 was the most common ingress point (19% of observed probes), followed by 26657, 443, 8080, and 8443.
- **Endpoint Enumeration:** Identifying common, often insecure endpoint names like `/status`, `/info`, `/health`, or `/metrics`.
### Advanced Features
- **Cost-Effective Scalability:** Attackers can launch high-volume attacks (50 requests/second per IP) distributed across 50 IP addresses using minimal cloud infrastructure ($50-$150 per month per IP).
- **High-Volume Exfiltration:** Capable of stealing 10 million records in approximately one minute using batching or single-request techniques, making detection difficult due to minimal bandwidth usage.
- **Target Shift:** APIs now account for over 54% of total requests observed, exceeding web applications (45%).
## Indicators of Compromise
*Note: The research focuses on behavior and naming conventions, not specific compromise artifacts from a single malware instance.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (the research reports the access methods observed, not specific C2 infrastructure, so no network indicators were published).
- **Behavioral Indicators:**
  - High-frequency requests targeting API endpoints.
  - High volume of requests targeting default or common endpoint names (e.g., `/status`).
  - CVE exploitation attempts (40% of observed traffic).
  - Authentication checks (26% of observed traffic).
## Associated Threat Actors
The observation describes general threat actor behavior targeting the API surface; no specific named threat actor groups were identified as utilizing this honeypot.
## Detection Methods
- **Signature-based detection:** Ineffective against rapid, diverse scanning and probing; it only fires once a request matches a known exploit signature, by which point discovery has already happened.
- **Behavioral detection:** Essential for detecting high-volume, low-bandwidth scanning activity directed at API endpoints.
- **YARA rules:** Not applicable based on the context.
## Mitigation Strategies
- **Endpoint Renaming:** Avoid using common or sensitive keywords for *public, unauthenticated* API endpoints (e.g., do not use `/status`, `/info`, `/health`, `/metrics`).
- **Strong Naming Convention:** Use less common names, or preferably, random UUIDs or SHA256 hashes for public-facing, non-authenticated endpoints (similar to webhooks).
- **Security Refresh:** Organizations must adapt existing security practices and adopt new security tools specifically for API security, as APIs are now a primary target.
- **Rate Limiting/Anomaly Detection:** Implement strict rate limiting and anomaly detection on API endpoints to counter the observed pattern of 50 requests/second per IP.
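As an added example illustrating the behavioral detection and rate-limiting points above (not code from Wallarm or the original article), the script below reads access-log lines in common log format and flags an IP either when it exceeds the 50 requests/second rate the research reports or when it touches two or more of the commonly probed endpoint names. The log lines, IP addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoint names the research reports as commonly probed on new APIs.
PROBE_ENDPOINTS = {"/status", "/info", "/health", "/metrics"}
# Per-IP request rate observed in the research (50 requests/second).
RATE_THRESHOLD = 50

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict with ip, second bucket, path and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "second": int(ts.timestamp()),
            "path": m.group("path").split("?")[0], "status": int(m.group("status"))}

def analyze(lines, rate_threshold=RATE_THRESHOLD):
    """Map each suspicious IP to the set of reasons it was flagged ('rate', 'probe')."""
    per_second = defaultdict(int)   # (ip, unix second) -> request count
    probed = defaultdict(set)       # ip -> probe endpoints it requested
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip malformed lines rather than crash
        per_second[(rec["ip"], rec["second"])] += 1
        if rec["path"] in PROBE_ENDPOINTS:
            probed[rec["ip"]].add(rec["path"])
    findings = {}
    for (ip, _), count in per_second.items():
        if count >= rate_threshold:
            findings.setdefault(ip, set()).add("rate")
    for ip, paths in probed.items():
        if len(paths) >= 2:         # one hit may be a monitor; several is enumeration
            findings.setdefault(ip, set()).add("probe")
    return findings

def sample_log():
    """Constructed log: one burst scanner, one endpoint enumerator, one normal client."""
    fmt = '{ip} - - [05/Nov/2024:10:15:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 0'
    burst = [fmt.format(ip="203.0.113.7", sec=32, path=f"/api/v1/item/{i}", status=404) for i in range(60)]
    enum = [fmt.format(ip="198.51.100.9", sec=33 + i, path=p, status=404)
            for i, p in enumerate(["/status", "/info", "/health"])]
    normal = [fmt.format(ip="192.0.2.4", sec=40 + i, path="/api/v1/orders", status=200) for i in range(3)]
    return burst + enum + normal
```

Running `analyze(sample_log())` flags the burst IP for rate and the enumerating IP for probing, while the normal client is not reported.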
## Related Tools/Techniques
- Attacks Targeting APIs (General trend indicating a 400% increase in reports).
- Exploitation of Web Application Infrastructure (Related, but the focus here shifts predominantly to APIs).