Ransomware, Email Compromise Are Top Security Threats While Deepfakes Increase

While ransomware and business email compromise (BEC) are the most common causes of security incidents for businesses, geopolitics and deepfakes are becoming more prevalent, according to reports from two leading cyber security firms.

Source: Reseller News | Published on August 12, 2022

BEC attacks

According to VMware's 2022 Global Incident Threat Response Report, there is a steady increase in extortionate ransomware attacks and BEC, as well as new deepfakes and zero-day exploits.

A report based on cases involving Palo Alto Unit 42's threat analysis team clients echoed VMware's findings, highlighting that ransomware and BEC attacks were responsible for 70% of security incidents in the year from May 2021 to April 2022.

In its annual survey of 125 cyber security and incident response professionals, VMware discovered that geopolitical conflicts were the cause of incidents for 66% of respondents, confirming an increase in cyber attacks since Russia's invasion of Ukraine.

Deepfakes, zero-day exploits, and API hacks emerge as threats.

According to VMware, deepfake technology — AI tools used to create convincing images, audio, and video hoaxes — is increasingly being used for cybercrime after previously being used primarily for disinformation campaigns. Deepfake attacks, mostly associated with nation-state actors, increased 13% year on year, with 66% of respondents reporting at least one incident.

Email was reported to be the most popular delivery method (78%), in line with a general increase in BEC. According to the VMware report, BEC compromise incidents cost organizations an estimated $43.3 billion between 2016 and 2021.

The FBI has also reported an increase in complaints involving "the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions," according to VMware.

According to VMware, 62% of respondents reported at least one zero-day exploit in the 12 months ending June this year, an increase of 51% year on year. According to the report, this increase can also be attributed to geopolitical conflicts and thus nation-state actors, because such attacks are relatively expensive to carry out and mostly useful only once.

According to the VMware report, more than a fifth (23%) of all attacks experienced by respondents compromised API security, with top API attack types including data exposure (42%), SQL injection attacks (37%), and API injection attacks (34%).

In a press release, Chad Skipper, global security technologist at VMware, stated, "As workloads and applications proliferate, APIs have become the new frontier for attackers." "As everything moves to the cloud and apps increasingly communicate with one another, obtaining visibility and detecting anomalies in APIs can be difficult."

75% of VMware respondents said they had also encountered exploits of vulnerabilities in containers, which are used for cloud-native application deployment.

In addition, 57% of professionals polled by VMware said they had experienced a ransomware attack in the previous 12 months, and 66% had encountered affiliate programs and/or partnerships between ransomware groups.

Ransomware maintains its offense by utilizing known exploits.

The Unit 42 study, for its part, noted that ransomware continues to plague cyberspace, with a variety of evolved tactics. LockBit ransomware, now in version 2.0, was the worst offender, accounting for nearly half (46%) of all ransomware-related breaches in the year to May.

Following LockBit, Conti (22%), and Hive (8%), led the ransomware offensive for the year. In terms of average ransom demanded, finance ($7.5 million), real estate ($5.2 million), and retail ($3.05 million) were the top three segments.

According to the Unit 42 report, the most common initial access methods were known software vulnerabilities (48%), brute force credential attacks (20%), and phishing (12%). Typically, brute force credentials attacks targeted the remote desktop protocol (RDP).

Apart from zero-day exploits, a handful of common vulnerabilities, such as Proxyshell, Log4j, SonicWall, ProxyLogon, Zoho ManageEngine, ADSelfService, and Fortinet, contributed significantly (87%) to this year's tally, according to the Unit 42 report.

While insider threats were not the most common type of incident handled by Unit 42 (only 5.4%), they posed a significant threat because 75% of the threats were caused by a disgruntled ex-employee with enough sensitive data to become a malicious threat actor, according to the security firm.

VMware, for its part, reported that 41% of respondents to its poll said they had encountered insider attacks in the previous year.

Top cyber security predictions and advice

Unit 42's report made a few key predictions based on its observations from incident report cases. Among the predictions are:

  • The time it takes to exploit a zero-day vulnerability will continue to shorten.

 

  • Unskilled threat actors will proliferate.

 

  • The volatility of cryptocurrency will increase business email and website compromises.

 

  • People may resort to cybercrime in difficult economic times; and

 

  • Politically motivated incidents will become more common.

The study's conclusion recommends sanitary practices like focusing on cloud workloads holistically rather than segmenting and quarantining affected networks; inspecting in-band traffic to eliminate imposters; integrating network detection and response (NDR); continuous threat hunting; and zero trust implementation.