
VMware: The threat of lateral movement is growing

The majority of incident response professionals surveyed for VMware's 'Global Incident Response Threat Report' observed lateral movement in at least some attacks in the past year.

Lateral movement was observed in 25% of all attacks that VMware tracked for its annual "Global Incident Response Threat Report," released Monday.

VMware's 2022 "Global Incident Response Threat Report" summarized the findings of a survey the virtualization vendor gave to 125 IR professionals regarding engagements they were part of during the previous 12 months. Released during the Black Hat USA 2022 conference, the report covers a range of topics, including ransomware -- 57% of respondents experienced an attack last year -- as well as deepfakes and emerging attack vectors.

One of the key findings in the report involved lateral movement, referring to a threat actor's ability to move across different parts of a target organization's environment. The report found that the "majority of respondents witnessed instances of lateral movement in the past year, reporting that they appeared in 25% of all attacks."

One in 10 respondents said lateral movement was present in more than half of their engagements, and telemetry from threat intelligence cloud VMware Contexa found that in April and May of this year, almost half of all intrusions included a "lateral movement event."

Attackers significantly leveraged dual-purpose tools -- legitimate software used as a common entry point for attackers -- with script hosts (seen in 49% of attacks involving lateral movement), file storage providers such as cloud (46%), PowerShell (45%), business communication platforms (41%) and .NET (39%) among them. Script hosts and file storage in particular saw increases of more than 10 percentage points over 2021.

VMware's report referred to APIs as a "promising new endpoint" for cyber attacks. Among attacks the respondents engaged with, 23% involved a compromised API. Data exposure was the most common type of API compromise this past year, seen by 42% of respondents, followed by SQL injection (37%), API injection (34%) and DDoS attacks (33%).

VMware principal cybersecurity strategist Rick McElroy told SearchSecurity that while attacks against APIs aren't new, attackers treating APIs as a primary target is.

"Given that APIs underpin technology stacks and ensure things like integrations, automations and orchestrations, the attackers understand the weaknesses in APIs and have been targeting them more frequently as a result," he said.

McElroy said lateral movement is also changing as threat actors target IT resources such as containers and virtualized workloads, which might not generate the same kind of visibility as traditional network devices.

"The idea of island hopping -- using a connected partner or resource -- to pivot into the environment is a modern form of lateral movement," he said. "Secondarily, attackers know there are tons of systems that don't use a switch, which gives the opportunity for defenders to see the traffic and stop the movement -- one example of this is communications amongst virtualized hosts. Hence, the opportunity to defend against a hypervisor attack isn't there like it would be with typical systems communicating across a router or switch."

One of the more notable data points in the "Global Incident Response Threat Report" involved deepfakes, which are AI-generated media intended to deceive the audience typically through imitating a real person's likeness. The report said 66% of respondents witnessed deepfakes being used as part of an attack in some fashion, up 13% from last year.

Respondents said deepfakes took the form of video 58% of the time, with audio representing the other 42%. Despite the data, McElroy said that generally speaking, audio deepfakes are more popular. The means of delivery for deepfake attacks varied. Email was the most common delivery method, followed by mobile messaging, voice and social media. Third-party meeting applications and business collaboration tools also became an increasingly common means of delivery, the report claimed.

Although deepfakes are by no means a flawless technology, they serve as an additional utility for threat actors in social engineering attacks, with 60% of attacks involving deepfakes being used for scams. McElroy said the other 40% "seems to be associated with tricking individuals into taking an action," such as getting someone to reset a password or click a link for access.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
