
VMware Warns of Deepfakes, Geopolitics in New Incident Response Report


Cyber crews are increasingly using deepfakes as part of an attack: two out of three respondents to VMware's eighth annual Global Incident Response Report said they had seen the tactic in use, a 13% increase from last year, with email the preferred delivery method.

While geopolitics is often overlooked for its impact on data breaches, about two in three of the security pros surveyed also said that cyberattacks have increased since Russia invaded Ukraine.

“Cybercriminals have evolved beyond using synthetic video and audio simply for influence operations or disinformation campaigns. Their new goal is to use deepfake technology to compromise organizations and gain access to their environment,” said Rick McElroy, principal cybersecurity strategist at VMware.

What the VMware Study Found

VMware debuted the study at the Black Hat USA 2022 conference.

Key findings from the report include:

  • 47% of incident responders said they experienced burnout or extreme stress in the past 12 months, down slightly from 51% last year. Of this group, 69% of respondents (versus 65% in 2021) have considered leaving their job as a result.
  • Organizations are working to combat burnout, with more than two-thirds of respondents stating their workplaces have implemented wellness programs to address burnout.
  • 57% of respondents have encountered ransomware attacks in the past 12 months, often backed by cyber collaborations on the dark web.
  • Two-thirds (66%) have encountered affiliate programs and/or partnerships between ransomware groups as prominent cyber cartels continue to extort organizations through double extortion techniques, data auctions and blackmail.
  • As workloads and applications proliferate, 23% of attacks now compromise API security. The top types of API attacks include data exposure (encountered by 42% of respondents in the past year), SQL and API injection attacks (37% and 34%, respectively), and distributed denial-of-service attacks (33%).
  • Lateral movement was seen in 25% of all attacks, with cybercriminals leveraging everything from script hosts (49%) and file storage (46%) to PowerShell (45%), business communications platforms (41%), and .NET (39%) to rummage around inside networks. In April and May 2022, nearly half of intrusions contained a lateral movement event.
  • Nearly nine in 10 (87%) said they are able to disrupt a cybercriminal’s activities sometimes (50%) or very often (37%).
  • Three-quarters of respondents (75%) say they are now deploying virtual patching as an emergency mechanism. In every case, the more visibility defenders have across today’s widening attack surface, the better equipped they’ll be to weather the storm.

VMware Tips for Security Pros

Chad Skipper, global security technologist at VMware, offered his advice on the current situation:

“In order to defend against the broadening attack surface, security teams need an adequate level of visibility across workloads, devices, users and networks to detect, protect, and respond to cyber threats. When security teams are making decisions based on incomplete and inaccurate data, it inhibits their ability to implement a granular security strategy, while their efforts to detect and stop lateral movement of attacks are stymied due to the limited context of their systems.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.