While ransomware and business email compromise (BEC) are leading causes of security incidents for businesses, geopolitics and deepfakes are playing an increasing role, according to reports from two leading cyber security companies.
VMware’s 2022 Global Incident Threat Response Report shows a steady rise in extortionary ransomware attacks and BEC, alongside fresh jumps in deepfakes and zero-day exploits.
A report based on cases involving clients of Palo Alto Unit 42's threat analysis team echoed VMware’s findings, highlighting that 70 per cent of security incidents in the 12 months from May 2021 to April 2022 can be attributed to ransomware and BEC attacks.
VMware, in its annual survey of 125 cyber security and incident response professionals, noted that geopolitical conflicts caused incidents with 65 per cent of respondents, confirming an increase in cyber attacks since the Russian invasion of Ukraine.
Deepfakes, zero-days, API hacks emerge as threats
Deepfake technology — AI tools used to create convincing images, audio, and video hoaxes— is increasingly being used for cyber crime, after previously being used mainly for disinformation campaigns, according to VMware. Deepfake attacks, mostly associated with nation-state actors, shot up 13 per cent year-over-year as 66 per cent of respondents reported at least one incident.
Email was reported to be the top delivery method (78 per cent) for these attacks, in sync with a general rise in BEC. From 2016 to 2021, according to the VMware report, BEC compromise incidents cost organisations an estimated $43.3 billion.
VMware also noted that the FBI has reported an increase in complaints involving “the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions.”
In the 12 months to June this year, at least one zero-day exploit was reported by 62 per cent of the respondents, up by 51 per cent year-over-year, said VMware. This surge can also be attributed to geopolitical conflicts and thereby nation-state actors, as such attacks are fairly expensive to carry out and mostly useful just once, according to the report.
Meanwhile, more than a fifth (23 per cent) of all attacks experienced by respondents compromisedAPI security, with top API attack types including data exposure (42 per cent), SQL injection attacks (37 per cent), andAPI injection attacks (34 per cent), according to the VMware report.
“As workloads and applications proliferate, APIs have become the new frontier for attackers,” said Chad Skipper, global security technologist at VMware, in a press release. “As everything moves to the cloud and apps increasingly talk with one another, it can be difficult to obtain visibility and detect anomalies in APIs.”
Seventy-five per cent of VMware’s respondents also said they had encountered exploits of vulnerabilities in containers, used for cloud-native application deployment.
Fifty-seven per cent of the professionals polled by VMware also said they had experienced a ransomware attack in the past 12 months, while 66 per cent encountered affiliate programs and/or partnerships between ransomware groups.
Ransomware uses known exploits to maintain offence
On its part, the Unit 42 study also noted that ransomware continues to plague cyber space, with a handful of evolved tactics. LockBit ransomware, now in 2.0 release, was the top offender, accounting for almost half (46 per cent) of all the ransomware-related breaches in the 12 months to May.
After LockBit, Conti (22 per cent), and Hive (eight per cent) led the ransomware offensive for the year. Also, finance ($7.5 million), real estate ($5.2 million), and retail ($ 3.05 million) were the top segments, with respect to the average ransom demanded.
Known software vulnerabilities (48 per cent), brute force credential attacks (20 per cent), and phishing (12 per cent) were the leading initial access means, according to the Unit 42 report. The brute force credentials attacks typically focused on the remote desktop protocol (RDP).
Apart from zero-day exploits, a handful of common vulnerabilities contributed significantly (87 per cent) to this year’s tally, including Proxyshell, Log4j, SonicWall, ProxyLogon, Zoho ManageEngine, ADSelfService, and Fortinet, according to the Unit 42 report.
While insider threats were not the most common type of incidents Unit 42 handled (only 5.4 per cent), they posed a significant threat considering that 75 per cent of the threats were caused by a disgruntled ex-employee with enough sensitive data to become a malicious threat actor, the security group said.
On its part, VMware reported that 41 per cent of respondents to its poll said they encountered attacks involving insiders over the past year.
Top cyber security predictions and recommendations
Unit 42 report made a few key predictions from the observations made from its incident report cases. The predictions include:
- Time from zero-day vulnerability reveal to exploit will continue to shrink
- Unskilled threat actors will be on the rise
- Cryptocurrency instability will increase business email and website compromises
- Difficult economic times may lead people to turn to cyber crime; and
- Politically motivated incidents will rise
VMware’s conclusion from the study recommends sanitary practices such as focusing on cloud workloads holistically instead of segmenting and quarantining affected networks; inspecting in-band traffic to eliminate imposters; integrating network detection and response (NDR); continuous threat hunting; and zero trust implementation.