Financial services in APJ take barrage of web app, API attacks

The financial services sector in Asia-Pacific and Japan (APJ) continues to be the most attacked industry in the region and has seen record growth in web application and API attacks, with a 248% increase in attacks from the previous year.

According to the new State of the  Internet Report from Akamai Technologies, this growth is  significantly higher than the nearly 169% growth in attacks globally. It reveals that financial services organisations in APJ are actively targeted and at severe risk as threat actors increase the volume, frequency, and sophistication of their attacks.  

Reuben Koh, security technology and strategy director  at Akamai APJ, said the in attacks correlates with the significant investment financial services organisations in the region are continuing to make in digital transformation and the expansion of customer-centric digital products and services. 

“This is a critical concern for financial services organizations, as increasing digitalisation will expand their overall attack surfaces, giving threat actors even more opportunities to launch cyber-attacks,” said Koh.

Across the region, APJ experienced a steady growth in overall web application and API attacks across the past 24 months, averaging around 10 million attacks per day. 

Akamai also observed days that went above 60 million in attack count, which indicates that regional organizations continue to face the risk of high intensity, targeted attacks. 

Local File Inclusion (LFI) attacks were found to be the most common attack vector in APJ, growing around 154% year-over-year, surpassing XSS and SQLi attacks. 

LFI attacks exploit insecure coding practices or actual vulnerabilities on a web server to execute code remotely or gain access to sensitive information stored locally. 

PHP-based web servers are particularly vulnerable to LFI due to existing methods of bypassing its input filters. A large majority of popular websites, including Facebook, WordPress, and Wikipedia, run PHP – which increases the likelihood of LFI being used. 

The growth of LFI attacks in APJ shows how threat actors are constantly evolving their techniques and shifting targets toward consumer behavior in order to get the most return on investment.

The top three industries in APJ facing the greatest number of web application and API attacks in 2022 were financial services (2 billion), commerce (980 million), and digital media (393 million).

The top three industries in APJ facing the highest growth of attacks from 2021 to 2022 were financial services (248%), manufacturing (162%), and the public sector (139%).

“Cyber criminals are constantly exploiting web applications and APIs and will continue to use new attack techniques to maximize their return on investment,” said Koh. “The finance, manufacturing, and commerce sectors in APJ are hubs for digital innovation, and therefore, are very lucrative targets for attackers.”

He said that the threat landscape indicates a shift toward remote code execution, with emerging attack vectors, including Server-Side Request Forgery (SSRF), Server-Side Template Injections (SSTI), and Server-Side Code Injection. 

Koh added that as organisations continue to face relentless attack attempts, they need to stay updated on the latest attack trends and best practices to adapt their mitigation strategies.