Ransomware, email compromise are top security threats, but deepfakes increase

While ransomware and business email compromise are leading causes of cybersecurity threats, geopolitics and deepfakes play an increasing role, according to reports from VMware and Palo Alto.

Cybersecurity

While ransomware and business email compromise (BEC) are leading causes of security incidents for businesses, geopolitics and deepfakes are playing an increasing role, according to reports from two leading cybersecurity companies.

VMware’s 2022 Global Incident Threat Response Report shows a steady rise in  extortionary ransomware attacks and BEC, alongside fresh jumps in deepfakes and zero-day exploits.

A report based on cases involving clients of Palo Alto Unit 42's threat analysis team echoed VMware’s findings, highlighting that 70% of security incidents in the 12 months from May 2021 to April 2022 can be attributed to ransomware and BEC attacks.

VMware, in its annual survey of 125 cybersecurity and incident response professionals, noted that geopolitical conflicts caused incidents with 65% of respondents, confirming an increase in cyberattacks since the Russian invasion of Ukraine.

Deepfakes, zero-days, API hacks emerge as threats

Deepfake technology—AI tools used to create convincing images, audio, and video hoaxes— is increasingly being used for cybercrime, after previously being used mainly for disinformation campaigns, according to VMware. Deepfake attacks, mostly associated with nation-state actors, shot up 13% year over year as 66% of respondents reported at least one incident.

Email was reported to be the top delivery method (78%) for these attacks, in sync with a general rise in BEC. From 2016 to 2021, according to the VMware report, BEC compromise incidents cost organizations an estimated $43.3 billion.

VMware also noted that the FBI has reported an increase in complaints involving “the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions.”

In the 12 months to June this year, at least one zero-day exploit was reported by 62% of the respondents, up by 51% year over year, said VMware. This surge can also be attributed to geopolitical conflicts and thereby nation-state actors, as such attacks are fairly expensive to carry out and mostly useful just once, according to the report.

Meanwhile, more than a fifth (23%) of all attacks experienced by respondents compromised API security, with top API attack types including data exposure (42%), SQL injection attacks (37%), and API injection attacks (34%), according to the VMware report.

“As workloads and applications proliferate, APIs have become the new frontier for attackers,” said Chad Skipper, global security technologist at VMware, in a press release. “As everything moves to the cloud and apps increasingly talk with one another, it can be difficult to obtain visibility and detect anomalies in APIs.”

Seventy-five percent of VMware’s respondents also said they had encountered exploits of vulnerabilities in containers, used for cloud-native application deployment.

Fifty-seven percent of the professionals polled by VMware also said they had experienced a ransomware attack in the past 12 months, while 66% encountered affiliate programs and/or partnerships between ransomware groups.

Ransomware uses known exploits to maintain offense

On its part, the Unit 42 study also noted that ransomware continues to plague cyberspace, with a handful of evolved tactics. LockBit ransomware, now in 2.0 release, was the top offender, accounting for almost half (46%) of all the ransomware-related breaches in the 12 months to May.

After LockBit, Conti (22%), and Hive (8%) led the ransomware offensive for the year. Also, finance ($7.5 million), real estate ($5.2 million), and retail ($ 3.05 million) were the top segments, with respect to the average ransom demanded.

Known software vulnerabilities (48%), brute force credential attacks (20%), and phishing (12%) were the leading initial access means, acording to the Unit 42 report. The brute force credentials attacks typically focused on the remote desktop protocol (RDP).

Apart from zero-day exploits, a handful of common vulnerabilities contributed significantly (87%) to this year’s tally, including Proxyshell, Log4j, SonicWall, ProxyLogon, Zoho ManageEngine, ADSelfService, and Fortinet, according to the Unit 42 report.

While insider threats were not the most common type of incidents Unit 42 handled (only 5.4%), they posed a significant threat considering that 75% of the threats were caused by a disgruntled ex-employee with enough sensitive data to become a malicious threat actor, the security group said.

On its part, VMware reported that 41% of respondents to its poll said they encountered attacks involving insiders over the past year.

Top cybersecurity predictions and recommendations

Unit 42 report made a few key predictions from the observations made from its incident report cases. The predictions include:

  • Time from zero-day vulnerability reveal to exploit will continue to shrink
  • Unskilled threat actors will be on the rise
  • Cryptocurrency instability will increase business email and website compromises
  • Difficult economic times may lead people to turn to cybercrime; and
  • Politically motivated incidents will rise

VMware’s conclusion from the study recommends sanitary practices such as focusing on cloud workloads holistically instead of segmenting and quarantining affected networks; inspecting in-band traffic to eliminate imposters; integrating network detection and response (NDR); continuous threat hunting; and zero trust implementation.

Copyright © 2022 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)