Application and API attacks on the rise - Akamai report
Akamai Technologies has released a new State of the Internet report, titled 'Slipping Through The Security Gaps: The Rise of Application and API Attacks Against Organisations'.
The report reveals that the financial services sector in Asia-Pacific and Japan (APJ) continues to be the most attacked industry in the region, and has seen record growth in web application and API attacks, with a 248% increase in attacks from the previous year.
The 248% growth in web application and API attacks against finance in APJ, is significantly higher than the nearly 169% growth in attacks globally, revealing that financial services organisations in this region are actively targeted and at severe risk as threat actors increase the volume, frequency, and sophistication of their attacks, the company states.
Reuben Koh, Security Technology and Strategy Director (APJ), Akamai, comments, “The nearly 250% surge in attacks correlates with the significant investment APJ financial services organisations are continuing to make in digital transformation and the expansion of customer-centric digital products and services.
"This is a critical concern for financial services organisations, as increasing digitalisation will expand their overall attack surfaces, giving threat actors even more opportunities to launch cyber attacks."
Across the region, APJ experienced a steady growth in overall web application and API attacks across the past 24 months, averaging around 10 million attacks per day. Akamai also observed days that went above 60 million in attack count, which indicates that regional organisations continue to face the risk of high intensity, targeted attacks.
Local File Inclusion (LFI) attacks were found to be the most common attack vector in APJ, growing around 154% year-over-year, surpassing XSS and SQLi attacks. LFI attacks exploit insecure coding practices or actual vulnerabilities on a web server to execute code remotely or gain access to sensitive information stored locally.
PHP-based web servers are particularly vulnerable to LFI due to existing methods of bypassing its input filters. A large majority of popular websites, including Facebook, WordPress, and Wikipedia, run PHP - which increases the likelihood of LFI being used.
The growth of LFI attacks in APJ shows how threat actors are constantly evolving their techniques and shifting targets toward consumer behavior in order to get the most return on investment.
Akamai’s report also revealed differentiated trends in web and API attack patterns across APJ’s local markets. Specifically:
- The top three industries in APJ facing the greatest number of web application and API attacks in 2022 were financial services (2 billion), commerce (980 million), and digital media (393 million).
- Both Australia and Japan, recognised as notable financial hubs within APJ, saw the largest growth of web application and API attacks against their financial sectors, growing at 259% and 1,635% year-over-year.
- However, Australia experienced patterns of persistent and consistently increasing web application and API attacks in 2022 with several big-bang attacks, while Japan saw mostly big-bang attack types. This is indicative that specific verticals and organisations in these countries were being actively targeted, Akamai states.
- Attacks against Japan’s high-tech sector also grew more than 116% year-over-year in 2022, most likely due to the country’s significant investment in R&D and advanced technologies.
- India experienced more persistent and consistent attack campaigns focused on the retail and commerce sector, with web application and API attacks growing to almost 90% growth year-over-year in 2022.
- The large presence of online retailers and growing e-commerce spend in India makes this sector a lucrative target for cyber criminals. In financial services, India experienced a 56% increase in attacks year-over-year.
- The top three industries in APJ facing the highest growth of attacks from 2021 to 2022 were financial services (248%), manufacturing (162%), and the public sector (139%).
Koh says, “Cyber criminals are constantly exploiting web applications and APIs and will continue to use new attack techniques to maximise their return on investment. The finance, manufacturing, and commerce sectors in APJ are hubs for digital innovation, and therefore, are very lucrative targets for attackers.”
“The threat landscape indicates a shift toward remote code execution, with emerging attack vectors, including Server-Side Request Forgery (SSRF), Server-Side Template Injections (SSTI), and Server-Side Code Injection. As organisations continue to face relentless attack attempts, they need to stay updated on the latest attack trends and best practices to adapt their mitigation strategies,” he concludes.