Administrators know that any public-facing endpoint should be monitored including APIs. For most infrastructure, administrators deploy applications with monitoring enabled. Many of today’s monitoring agents collect traffic data on infrastructure and aggregate it for data analysis. Monitoring is a critical component in threat detection, cybersecurity and compliance, but administrators need to know that infrastructure exists. It sounds like a simple challenge, but losing track of infrastructure in a fast-paced development environment is common.

Change management is often in place to overcome the challenge of tracking new infrastructure, but rules are sometimes broken for various reasons. Administrators work together to ensure that the new infrastructure is added to monitoring agents, but it’s usually a process included in strict procedures. In some environments, developers have more autonomy to deploy infrastructure with their new code. While this can lead to faster development performance, it can be a challenge for administrators to monitor their environment.

Typical Change Control Scenarios for New Development

Every organization has their own change control and management procedures, but the goal is to track infrastructure and any changes to the environment. Tracking changes lets developers and operations know that new infrastructure is active and available. From a cybersecurity standpoint, deploying new infrastructure increases an organization’s attack surface, so it must be monitored for any vulnerabilities and ongoing exploit attempts. 

When developers deploy an API, any new infrastructure is added to change control documentation. Depending on the organization, administrators might want to test the API infrastructure before it’s deployed. Quality assurance staff might run tests against the API to test for any API vulnerabilities. These tests are often automated but necessary to detect security vulnerabilities.

Most organizations must abide by compliance requirements, so an extra step in quality assurance might be to ensure that the new infrastructure configurations follow regulations. Monitoring is a requirement in many strict compliance regulations (e.g., HIPAA), so it’s essential for organizations to avoid hefty fines for violations.

How APIs Become Zombies

Ideally, all changes to the environment should follow change control operating procedures, but anyone who has worked in IT or development knows that emergencies happen or developers with access to production might deploy hardware to test new features or debug their software. Even organizations with strict change control procedures need emergency changes to the environment when infrastructure fails or special events require unique customizations. The changes might be necessary, but it can lead to forgotten or “lost” infrastructure.

Application Programming Interfaces (APIs) are often a component in mobile apps, internal applications, or remote tooling for your customers. Backend coding and logic performs most of the heavy lifting, so it often changes as developers add new features to applications. Developers might decide to split out an endpoint to two endpoints or retire an entire version of an API, changing the structure of the newer version. If changes in any of these scenarios aren’t documented properly, an API endpoint (or several endpoints) could be deployed without being added to monitoring agents.

Unmonitored endpoints means anyone who discovers them could make requests. It’s not uncommon for attackers to test endpoints for any data disclosure or scan them with vulnerability tests. If these endpoints are unmonitored, then an attacker could run vulnerability tests without being automatically blocked or exfiltrate unlimited data from endpoints that return information (e.g., customer contact information or internal proprietary data).

Zombie APIs can be the source of extensive and long-term data theft. In 2019, one of the largest local search services, JustDial, suffered from a data breach. A security researcher found that one of JustDial’s API endpoints allowed for unauthenticated requests for data. JustDial hosts sensitive data for over 100 million users, and the researcher was able to pull information on any user based on their mobile number.

It’s unknown if JustDial’s open publicly available endpoint was used to collect data on its customers, because the endpoint was unmonitored. The zombie API endpoint was available for years, so it’s possible that user data was continually stolen and transferred to a third-party server. For particularly sensitive data, an attacker could sell it on darknet markets or use it to compromise user accounts.

Replacing Traditional Zombie API Discovery with p0

To remediate zombie APIs, the first idea is to set an agent on the network to then analyze data using artificial intelligence and human reviewers. The idea is that traffic sent to an API endpoint can be captured, data aggregated to a central location, and then analytics provides information to operations staff. A currently unmonitored API endpoint could be discovered and added to monitoring solutions, but zombie APIs often sit unused for potentially months before they are discovered by a third party. By the time your organization discovers a zombie API, third-party threats could be using it for much longer and for malicious purposes.

Recent reports show that cyber-attacks against APIs grew 137% in 2023, proving that attackers have turned towards API vulnerabilities as an alternative to other threat strategies. Zombie APIs are easier for attackers to work with because they often disclose information with a simple web request rather than forcing attackers to work with malware or ransomware that steals data. Attackers need additional complex steps to inject malware onto a corporate environment, but an open publicly available zombie API can be much faster and more convenient to retrieve data. A simple script can make requests to an API and transfer data to the attacker’s own servers for future use. 

The p0 solution solves the problem of zombie API discovery by combining a code repository scanning solution with large language models (LLMs). LLMs in cybersecurity can help with analysis and identification of threats including the discovery phase. P0 uses an LLM to differentiate zombie APIs from active ones using your event logs. The solution scans your codebase for API references and uses event logs to determine if a reference is an active API or one that could be forgotten or unmonitored. 

After discovering unknown APIs, organizations can then decide what must be done with them. You could decide to deprecate, retire, and disable them, or administrators might add them to applications to keep them active but monitored. Further API security testing might be necessary to ensure that no data has been stolen and that the endpoint does not violate any compliance regulations.

As more organizations work with APIs either for customer integration or their own applications, just one missing endpoint undocumented and left in production can leave a zombie API available for anyone. API vulnerabilities are especially risky for organizations because anyone can make requests against them and retrieve data, especially if it has no authentication barrier.

If you have several APIs running your business or deploy API infrastructure using automation and code, you could have unknown API endpoints active on the public internet. Let p0 help you better secure your infrastructure and find unknown publicly available endpoints. Reach out to us using the form below.