While ransomware and business email compromise are leading causes of cybersecurity threats, geopolitics and deepfakes play an increasing role, according to reports from VMware and Palo Alto.

While ransomware and business email compromise (BEC) are leading causes of security incidents for businesses, geopolitics and deepfakes are playing an increasing role, according to reports from two leading cybersecurity companies.

VMware’s 2022 Global Incident Threat Response Report shows a steady rise in extortionary ransomware attacks and BEC, alongside fresh jumps in deepfakes and zero-day exploits.

A report based on cases involving clients of Palo Alto Unit 42’s threat analysis team echoed VMware’s findings, highlighting that 70% of security incidents in the 12 months from May 2021 to April 2022 can be attributed to ransomware and BEC attacks.

VMware, in its annual survey of 125 cybersecurity and incident response professionals, noted that geopolitical conflicts caused incidents for 65% of respondents, confirming an increase in cyberattacks since the Russian invasion of Ukraine.

Deepfakes, zero-days, API hacks emerge as threats

Deepfake technology—AI tools used to create convincing images, audio, and video hoaxes—is increasingly being used for cybercrime, after previously being used mainly for disinformation campaigns, according to VMware. Deepfake attacks, mostly associated with nation-state actors, shot up 13% year over year, as 66% of respondents reported at least one incident.

Email was reported to be the top delivery method (78%) for these attacks, in sync with a general rise in BEC. From 2016 to 2021, according to the VMware report, BEC incidents cost organizations an estimated $43.3 billion.
VMware also noted that the FBI has reported an increase in complaints involving “the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions.”

In the 12 months to June this year, at least one zero-day exploit was reported by 62% of the respondents, up by 51% year over year, said VMware. This surge can also be attributed to geopolitical conflicts and thereby nation-state actors, as such attacks are fairly expensive to carry out and mostly useful just once, according to the report.

Meanwhile, more than a fifth (23%) of all attacks experienced by respondents compromised API security, with top API attack types including data exposure (42%), SQL injection attacks (37%), and API injection attacks (34%), according to the VMware report.

“As workloads and applications proliferate, APIs have become the new frontier for attackers,” said Chad Skipper, global security technologist at VMware, in a press release. “As everything moves to the cloud and apps increasingly talk with one another, it can be difficult to obtain visibility and detect anomalies in APIs.”

Seventy-five percent of VMware’s respondents also said they had encountered exploits of vulnerabilities in containers, used for cloud-native application deployment.

Fifty-seven percent of the professionals polled by VMware also said they had experienced a ransomware attack in the past 12 months, while 66% encountered affiliate programs and/or partnerships between ransomware groups.

Ransomware uses known exploits to maintain offense

On its part, the Unit 42 study also noted that ransomware continues to plague cyberspace, with a handful of evolved tactics. LockBit ransomware, now in its 2.0 release, was the top offender, accounting for almost half (46%) of all the ransomware-related breaches in the 12 months to May.

After LockBit, Conti (22%) and Hive (8%) led the ransomware offensive for the year.
Also, finance ($7.5 million), real estate ($5.2 million), and retail ($3.05 million) were the top segments with respect to the average ransom demanded.

Known software vulnerabilities (48%), brute-force credential attacks (20%), and phishing (12%) were the leading initial access means, according to the Unit 42 report. The brute-force credential attacks typically focused on the remote desktop protocol (RDP).

Apart from zero-day exploits, a handful of common vulnerabilities contributed significantly (87%) to this year’s tally, including ProxyShell, Log4j, SonicWall, ProxyLogon, Zoho ManageEngine, ADSelfService, and Fortinet, according to the Unit 42 report.

While insider threats were not the most common type of incident Unit 42 handled (only 5.4%), they posed a significant threat considering that 75% of them were caused by a disgruntled ex-employee with enough sensitive data to become a malicious threat actor, the security group said.

On its part, VMware reported that 41% of respondents to its poll said they had encountered attacks involving insiders over the past year.

Top cybersecurity predictions and recommendations

The Unit 42 report made a few key predictions based on observations from its incident response cases. The predictions include:

- Time from zero-day vulnerability reveal to exploit will continue to shrink
- Unskilled threat actors will be on the rise
- Cryptocurrency instability will increase business email and website compromises
- Difficult economic times may lead people to turn to cybercrime; and
- Politically motivated incidents will rise

VMware’s conclusion from the study recommends hygiene practices such as focusing on cloud workloads holistically instead of segmenting and quarantining affected networks; inspecting in-band traffic to eliminate imposters; integrating network detection and response (NDR); continuous threat hunting; and zero trust implementation.