Report Warns of Deepfake Attacks and Cyber Extortion

Burned out security teams fight back against geopolitically motivated attacks and lateral  movement inside networks 

At Black Hat USA 2022, VMware, Inc. (NYSE: VMW) released  its eighth annual Global Incident Response Threat Report, which takes a deep dive into the  challenges faced by security teams amid pandemic disruptions, burnout, and geopolitically motivated cyberattacks. Sixty-five percent of defenders state that cyberattacks have increased  since Russia invaded Ukraine, according to report findings. The report also shines a light on  emerging threats such as deepfakes, attacks on APIs, and cybercriminals targeting incident  responders themselves. 

“Cybercriminals are now incorporating deepfakes into their attack methods to evade security  controls,” said Rick McElroy, principal cybersecurity strategist at VMware. “Two out of three  respondents in our report saw malicious deepfakes used as part of an attack, a 13% increase  from last year, with email as the top delivery method. Cybercriminals have evolved beyond  using synthetic video and audio simply for influence operations or disinformation campaigns.  Their new goal is to use deepfake technology to compromise organizations and gain access to  their environment.” 

Additional key findings from the report include: 

Cyber pro burnout remains a critical issue. Forty-seven percent of incident  responders said they experienced burnout or extreme stress in the past 12 months,  down slightly from 51% last year. Of this group, 69% (versus 65% in 2021) of  respondents have considered leaving their job as a result. Organizations are working to  combat this, however, with more than two-thirds of respondents stating their workplaces  have implemented wellness programs to address burnout. 

Ransomware actors incorporate cyber extortion strategies. The predominance of  ransomware attacks, often buttressed by e-crime groups’ collaborations on the dark  web, has yet to let up. Fifty-seven percent of respondents have encountered such  attacks in the past 12 months, and two-thirds (66%) have encountered affiliate programs  and/or partnerships between ransomware groups as prominent cyber cartels continue to  extort organizations through double extortion techniques, data auctions, and blackmail. 

APIs are the new endpoint, representing the next frontier for attackers. As  workloads and applications proliferate, 23% of attacks now compromise API security.  The top types of API attacks include data exposure (encountered by 42% of respondents  in the past year), SQL and API injection attacks (37% and 34%, respectively), and  distributed Denial-of-Service attacks (33%).  

Lateral movement is the new battleground. Lateral movement was seen in 25% of all  attacks, with cybercriminals leveraging everything from script hosts (49%) and file  storage (46%) to PowerShell (45%), business communications platforms (41%), and  .NET (39%) to rummage around inside networks. An analysis of the telemetry within VMware Contexa, a full-fidelity threat intelligence cloud that’s built into VMware security  products, discovered that in April and May of 2022 alone, nearly half of intrusions  contained a lateral movement event. 

“In order to defend against the broadening attack surface, security teams need an adequate  level of visibility across workloads, devices, users and networks to detect, protect, and respond  to cyber threats,” said Chad Skipper, global security technologist at VMware. “When security  teams are making decisions based on incomplete and inaccurate data, it inhibits their ability to 

implement a granular security strategy, while their efforts to detect and stop lateral movement of  attacks are stymied due to the limited context of their systems.” 

Despite the turbulent threat landscape and rising threats detailed in the report, incident  responders are fighting back with 87% saying that they are able to disrupt a cybercriminal’s  activities sometimes (50%) or very often (37%). They’re also using new techniques to do so.  Three-quarters of respondents (75%) say they are now deploying virtual patching as an  emergency mechanism. In every case, the more visibility defenders have across today’s  widening attack surface, the better equipped they’ll be to weather the storm. 

For more information on the evolving threat landscape as well as actionable guidance and  recommendations for incident responders and security teams, download the full report here. 


VMware conducted an online survey about trends in the incident response landscape in June  2022, and 125 cybersecurity and incident response professionals from around the world  participated. Percentages in certain questions exceed 100 percent because respondents were  asked to check all that apply. Due to rounding, percentages in all questions may not add up to  100 percent. To read last year’s report, please visit Global Incident Response Threat Report:  Manipulating Reality.