How to prevent a zombie API attack

13 Jul 2023

Image: © Romolo Tavani/

Barracuda’s application security expert, Stefan van der Wal, explains how to locate and secure APIs to prevent cyberattacks through these ‘amazing’ but potentially leaky software intermediaries.

The operating system runs the computer, but applications run pretty much everything else. Many of these applications rely on application programming interfaces (APIs).

APIs play a vital role in our automated, interconnected world because they enable applications to talk to each other and share data and functionality. APIs are a gateway to all the critical data stored by the application.

APIs can be internal, or external and public facing. They simplify software development and innovation. They are the power behind interactive websites such as travel booking comparison sites, mapping apps that also show fuel stations or speed cameras, and key business SaaS applications such as customer relationship management apps that integrate with email.

APIs are amazing.

‘What you can’t see, you can’t protect’

In an ideal world, IT security professionals know and manage every API in their IT environment. They know what data is accessible through each API, the commands that have been enabled, which developers can access the APIs, and the security and authentication controls that protect them and the data behind them.

This ideal world doesn’t exist. Many companies have no idea what part of their IT infrastructure is potentially exposing what data through APIs. IT environments are generally a patchwork of legacy, on premises and new, cloud-based systems, all functioning and held together by a web of internal and external applications.

Clear visibility across these applications and any associated APIs can be almost impossible. And what you can’t see, you can’t protect.

Do you know your known APIs from your zombies?

Barracuda has identified three categories of API, each of which has its own visibility and risk profile.

The first category includes all the known APIs. They may not be totally secure yet, but they will be managed and to some extent protected. And because you know where they are, you can inspect and secure them with web application firewalls, zero-trust access and other security measures.

The second category comprises all your shadow APIs – APIs that you don’t know about because you may not be aware that the applications that they feature in form part of your IT infrastructure.

The most high-risk are the zombie or legacy APIs. These can be found in older, dormant or deprecated applications. These APIs were likely activated when the application was first deployed, then never shut down or properly protected. Insecure or inadequate authentication measures can be easily leveraged by attackers to send commands to the application and exfiltrate data, for example.

The abuse of APIs

As the number of APIs in existence continues to rise, Gartner estimates that by 2025, no more than 50pc of enterprise APIs will be managed. This suggests that less than half of APIs will be known, secured and controlled. Taken together with the fact that APIs are a gateway to vast amounts of sensitive data and even the network beyond, you can see what a broad, unguarded attack surface they offer.

Examples of recent cyberattacks that took advantage of insecure APIs and exposed the data of millions of people include the T-Mobile API hack (37m customers were affected), the Optus attack (9m customers affected), and the Twitter API security breach that exposed the data of roughly 200m users.

Locating your APIs

A manual search for shadow and zombie APIs is as hard and time consuming as it sounds. There has to be a faster, easier way.

At Barracuda, we help organisations to search for hidden and unknown APIs by analysing the live traffic going into and out of applications and use machine learning to find known, partially known and completely unknown APIs. This allows the business to decide whether and how to protect those applications and to mitigate the potential risks they present.

Securing your APIs

The rising number of APIs and their direct access to high-value data makes them a prime target for attackers – and this risk will only increase as more API-based applications appear. Barracuda research found that just under two-thirds (63pc) of IT professionals have security concerns when implementing APIs, and 44pc worry they don’t know where all the APIs are deployed or used.

The critical step in securing API-based applications is to have visibility over all the APIs on your network and endpoints, regardless of whether they are internal or external, active or dormant. A web application security solution that includes machine-learning powered API discovery is ideal for locating and securing undocumented zombie and shadow APIs.

You also need to have full visibility of application traffic. Log every request made to your APIs. This will enable you to quickly spot suspicious commands or traffic patterns and troubleshoot any issues, such as an attempted denial-of-service (DoS) attack, or attackers trying to send a ‘download all your data’ command.

Set robust access controls for API-based applications to restrict API access to authorised users. And, wherever possible, integrate security tools into the application software development cycle as early as you can.

For deeper insight into the cyberthreats facing applications and how to defend against them, see Barracuda’s free guide on the ABCs of Application Security.

By Stefan van der Wal

Stefan van der Wal is a consulting solutions engineer at Barracuda, specialising in application security. With a background in incident response, consultancy and policy advice, Stefan is well-versed in the appsec challenges faced daily by organisations of all sizes and in all sectors.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.