As APIs have become a cornerstone of modern business, they also are increasingly becoming a favorite target of threat actors looking to gain initial access to sensitive data or to disrupt services. A report this week by API security vendor Wallarm illustrates just how aggressive the hackers are.
Wallarm, using an API honeypot to attract attackers, found that it took bad actors an average of 29 seconds to discover a newly deployed API and under a minute to exploit an unprotected API. The vendor also found that APIs have overtaken web applications as targets of attacks.
The San Francisco-based company launched its honeypot in November and researchers were so startled by the results that they issued their first report after only 20 days of activity.
"We expected that it might take longer to have compelling data to report, but the speed at which our fake APIs were discovered and accessed surprised us," Wallarm CEO Ivan Novikov wrote in the report. "Instead of waiting for months of data, we decided to collect and report our immediate findings quickly."
APIs are increasingly being used by businesses to more easily enable applications to communicate and share data, a key capability in a rapidly digitizing world. Given that, it shouldn't be surprising that bad actors would want to target and exploit them, according to Tim Erlin, vice president of product at Wallarm.
"APIs are popular targets for all the same reason they're being implemented by businesses," Erlin told Security Boulevard. "APIs are designed to deliver data and functionality in a standard format easily, and at velocity. And there are simply more services delivered as APIs without any web application frontend today."
He noted tools like Docker, Kubernetes, and similar cloud-native tools, adding that "as an attacker, I'd rather interact with an API that's designed as a programmatic interface than go through a web application designed for point-and-click interactions from a human being. APIs are easier for business, and they're easier for attackers."
Wallarm's report dovetails with what some other cybersecurity firms have discovered. Salt Security researchers in a report earlier this year said that the number of attacks on APIs more than doubled year-over-year as the use of APIs in business continued to shoot up. They found that 61% of the attacks were launched by unauthenticated hackers, indicating they are using a broad array of tactics to bypass authentication protocols.
The researchers said that 95% of respondents to their survey "are struggling to contain incidents relating to their APIs, and 23% of organizations have experienced a breach -- which means that their sensitive data and critical systems have been compromised."
Wallarm's Erlin said the company's first API honeypot was a simple one, with the company creating a mock API written in the Golang programming language with a self-signed SSL certificate. It was positioned at 14 locations around the world and listened for requests by using various API protocols on any port. It also provided a reasonable response in the detected protocol.
"Interactions are limited, and it uses self-signed certificates for encryption," he said. "This version also uses only IP addresses; no domain names were assigned."
The researchers wanted to see how quickly new APIs - which are often less secure, less protected and unmanaged - would be discovered. The longest time to discovery was 34 seconds, measured from the moment the port was opened to the first API request to any endpoint.
"Attackers have a list of the most common API endpoints and port discovery is constantly running," Erlin said. "Keep in mind that continuous discovery is being run by multiple attackers in parallel. There's essentially competition for who can get there first."
Port 80 was targeted most frequently, at 19%, and the endpoints most at risk had fairly common names, such as /status, /health, and /info; the researchers wrote that such endpoints will be discovered in less than two minutes.
"Endpoints like these will be discovered in well under two minutes," they wrote. "If your service absolutely requires public, unauthenticated endpoints, it would be better to use less common names, or even better, use a random UUID or SHA256 hash, similar to the approach for webhooks."
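The two practical points above, that scanners hit well-known endpoint names within seconds and that an unavoidable public endpoint is better named with a random UUID or SHA256-length value, can be shown in a few dozen lines of Go (the language Wallarm says its mock API was written in). The following is an added example, not code from Wallarm or its report: it generates a 256-bit random endpoint path, classifies request paths against a short list of common discovery names, and runs that classification over a constructed access-log excerpt. The log lines, the "/hooks" prefix and the inclusion of /metrics in the probe list are assumptions; only /status, /health and /info come from the report.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Endpoint names the report says discovery scanners try first
// (/metrics is an assumed addition, not from the report).
var commonProbePaths = map[string]bool{
	"/status": true, "/health": true, "/info": true, "/metrics": true,
}

// randomEndpointPath returns prefix + "/" + 64 hex chars from crypto/rand
// (256 bits, the length of a SHA-256 digest), following the report's advice
// to name unavoidable public endpoints the way webhook URLs are named.
func randomEndpointPath(prefix string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return strings.TrimRight(prefix, "/") + "/" + hex.EncodeToString(buf), nil
}

// normalizePath drops the query string, lower-cases and trims a trailing
// slash so "/Health/?x=1" compares equal to "/health".
func normalizePath(p string) string {
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	if p = strings.ToLower(p); len(p) > 1 {
		p = strings.TrimRight(p, "/")
	}
	return p
}

// classifyPath labels a request path "legit" (the secret endpoint),
// "probe" (a well-known discovery name) or "other".
func classifyPath(secret, path string) string {
	np := normalizePath(path)
	switch {
	case np == normalizePath(secret):
		return "legit"
	case commonProbePaths[np]:
		return "probe"
	}
	return "other"
}

// requestPath extracts the path from a common-log-format line, whose
// request is the first double-quoted field: "GET /status HTTP/1.1".
func requestPath(line string) (string, bool) {
	parts := strings.Split(line, `"`)
	if len(parts) < 3 {
		return "", false
	}
	fields := strings.Fields(parts[1])
	if len(fields) < 2 {
		return "", false
	}
	return fields[1], true
}

// scanAccessLog tallies lines per category; several "probe" hits from one
// source within seconds is the discovery pattern the honeypot observed.
func scanAccessLog(secret string, lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		p, ok := requestPath(l)
		if !ok {
			counts["unparsed"]++
			continue
		}
		counts[classifyPath(secret, p)]++
	}
	return counts
}

// constructedLog is a made-up access-log excerpt (not data from the report)
// with "/hooks/SECRET" standing in for a random endpoint path.
var constructedLog = []string{
	`203.0.113.7 - - [10/Dec/2024:10:00:00 +0000] "GET /status HTTP/1.1" 404 19`,
	`203.0.113.7 - - [10/Dec/2024:10:00:00 +0000] "GET /health/ HTTP/1.1" 404 19`,
	`203.0.113.7 - - [10/Dec/2024:10:00:01 +0000] "GET /info?x=1 HTTP/1.1" 404 19`,
	`203.0.113.7 - - [10/Dec/2024:10:00:01 +0000] "GET /api/v2/users HTTP/1.1" 404 19`,
	`198.51.100.3 - - [10/Dec/2024:10:00:05 +0000] "GET /hooks/SECRET HTTP/1.1" 200 15`,
	`garbage line without a request field`,
}

func main() {
	fmt.Println("log tally:", scanAccessLog("/hooks/SECRET", constructedLog))
	if secret, err := randomEndpointPath("/hooks"); err == nil {
		fmt.Println("register your health check at:", secret)
	}
}
```

On the constructed excerpt the tally is three probes, one legitimate hit, one other request and one unparsed line; a server built around this would register only the random path and answer every other path with a bare 404, so the probe count in the log, rather than the response body, is what tells a defender the new service has been found. Note that the random name only hides an endpoint from list-based discovery; it is not a substitute for authentication on anything that returns sensitive data.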
The most common type of API attack captured by the honeypot was attempts to exploit CVEs, at 40%, followed by discovery at 34% and authentication checks at 26%.
The researchers also found that APIs are now slightly more popular targets of attacks than web applications, with 54.5% of requests targeting APIs and 45.6% zeroing in on web apps. That said, web apps were the target of the larger share of unique exploits, with APIs accounting for 48%. In its API threat report earlier this year, the vendor found that 70% of attacks were on APIs.
"This is particularly interesting because APIs only emerged as significant attack targets in recent years, whereas web applications have been a focal point for attackers for decades," they wrote. "This shift underscores how quickly APIs have risen in prominence within the threat landscape, demanding more attention from security teams despite their relatively recent entry into the spotlight."
One point that surprised Erlin was that attackers are "figuring out how to find the closest locations to their target APIs. It appears that these API scanners and vulnerability checkers are simply everywhere already. There is no significant difference between, say, Japan and the United States."
He added that the report should serve as a warning to organizations.
"Developers and security practitioners alike need to set their expectations that any API they expose on the Internet will be discovered and attacked in minutes," Erlin said. "This is a reality and organizations need to plan for that reality. If you're expending more resources on protecting web applications than APIs, it's time to make a shift. You're already behind the attackers."