X-Industry

A look back - All has not been quiet on the malicious cybersecurity front over the past 12 months.  Innovation, cyberattacks and cyberespionage, and data breaches, malicious or inadvertent, have remained a constant.  At the same time, defenders have scored notable victories, including in Ukraine as well as by disrupting some big-name ransomware players.[1]  GovInforSecurity provides 12 notable incidents and trends of 2023 and their implications for the bigger cybersecurity picture:

Clop's MOVEit Mass Attack - The Russian-speaking ransomware group Clop, or Cl0p, in late May targeted a zero-day vulnerability in Progress Software's MOVEit secure file transfer software.  While the vendor quickly warned customers and patched the flaw, Clop's blitzkrieg allowed it to nab voluminous amounts of data being stored by organizations on their servers. The latest victim count stands at about 2,700 organizations affected and more than 91 million individuals' personal details exposed, according to security firm Emsisoft. Ransomware incident response firm Coveware estimated Clop earned $75 million to $100 million from large victims who paid quickly to keep their victimhood quiet.

Target: Secure File-Transfer Software - Clop has been on the vanguard of ransomware groups seeking easier and faster ways to extort victims, and secure file transfer software remains a top target. In late January, Clop exploited a flaw in Fortra GoAnywhere MFT software to steal data from hundreds of users. While Clop prefers zero-days, many attackers instead exploit unpatched file transfer software. In March, ransomware-wielding attackers targeted unpatched versions of IBM's Aspera Faspex file exchange application. In September, after Progress Software patched its WS_FTP server software and a researcher published a proof-of-concept exploit, attackers quickly came calling.

Patch or Perish: VMware Edition - Ransomware-wielding attackers aren't picky; they'll use whatever tactics reliably work.  Beyond exploiting known flaws in secure file transfer software, another repeat target is VMware hosts.  In February, researchers tracked two highly automated campaigns that used ESXiArgs ransomware to infect thousands of servers.  VMware said attackers appeared to be exploiting already-patched flaws to gain access to hosts, including via the heap overflow vulnerability designated CVE-2021-21974, which it fixed in February 2021.

US Government Hacked via Microsoft 365 - Cyberespionage operations continue in force, as exemplified by suspected Chinese hackers gaining surreptitious access to 25 organizations, including senior US officials' emails, in May by exploiting a zero-day flaw in Microsoft's cloud environment.  The US government said a federal civilian executive branch agency spotted unusual activity in its audit logs, confirmed the attack and reported it to Microsoft and the Cybersecurity and Infrastructure Security Agency. CISA urged all users to carefully monitor and review their own logs.  The attack is a reminder: The US ranks China as a top national security threat in part due to its continuing willingness to use cyber operations to achieve its objectives, bolstered by its proficiency with targeting supply chains.

Rip and Replace: Backdoored Barracuda Gear - Barracuda Networks in May issued a patch for a zero-day vulnerability in its Email Security Gateway appliances. At the time, it warned that attackers had already been exploiting the flaw for up to eight months to gain "persistent backdoor access" to vulnerable appliances and exfiltrate data. The vendor later warned users that once attackers had installed the backdoor, the only way to safeguard themselves was to physically replace the hacked device, leading to the FBI urging the immediate removal of hacked devices. Incident responders tied the attacks to a nation-state group aligned with Beijing.

Making Citrix Gear Bleed - Attackers allegedly tied to Beijing struck again in late August by exploiting a zero-day flaw in NetScaler Application Delivery Controller and Gateway devices, formerly known as Citrix ADC and Citrix Gateway, to access those devices and steal existing, authenticated sessions.  Even after users had patched the flaw, known as Citrix Bleed, attackers still used stolen session data to evade multifactor authentication and access the devices.  All of this only came to light over the course of several weeks in October, leading researchers to warn users to patch and also terminate all active sessions. In the interim, multiple attackers began using the flaw to target organizations large and small, including Comcast.

Russia's Noisy 'Hacktivist' Groups - Moscow's war of conquest against Ukraine wasn't the easy victory supposedly envisioned by Russian President Vladimir Putin, thanks in no small part to Kyiv's preparation and assistance from allied nations and the private sector.  As the war drags on, Russia occasionally scores a major disruption, such as against mobile operator Kyivstar, while restoring to a much greater degree misinformation and disinformation.  This appears to include self-proclaimed hacktivist groups such as KillNet, which may be run or funded by the state.  While such groups often report having disrupted notable targets in Ukraine and allied countries, experts say such claims are often overblown or completely false and designed to make adversaries and their leadership look weak.

North Korea's Atomic Wallet Love - Attacks launched by North Korea continue.  The Pyongyang-affiliated hackers hit cryptocurrency exchanges and decentralized finance services to help the regime fund its long-range missile and weapons of mass destruction programs.  Over the past five years, hackers tied to the Democratic People's Republic of Korea have stolen more than $3 billion, US officials say.

One big hit this year happened in early June, when security researchers said North Korea's Lazarus group hacked Atomic Wallet - a noncustodial decentralized wallet - and stole $100 million in cryptocurrency from over 4,000 wallets, which they quickly began laundering. "The nature of the attack on Atomic Wallet indicates that the exploit was most likely carried out through a phishing or supply chain attack," said blockchain analytics firm TRM Labs.

Okta's Customer Support Data Heist - Like Microsoft, Okta got hacked and learned about it from its customer base, which in this case included BeyondTrust, 1Password and Cloudflare.  Belatedly, Okta confirmed the September attack, reporting that it had traced to an attacker who apparently stole valid access credentials an Okta employee had been storing in their personal Google account - saved in their Chrome browser.  In early November, Okta said, the attacker had stolen data pertaining to 134 customers.  By the end of November, the vendor revised the breach tally and reported that the attacker had stolen information pertaining to every user of its primary customer support system.

Capita Customers' Data Breach Nightmare - Numerous organizations suffered breaches this year, and many of them have already come to light.  What sets some incidents apart from others is the clarity of communications a breached organization offers to victims.  Arguably falling short: British outsourcing giant Capita, which suffered a ransomware attack in March and in May learned from a security researcher that the attack had left a massive Amazon Web Services bucket unsecured since 2016.  Victims included Britain's largest pension fund and potentially hundreds more organizations.

For the breach, Capita attempted to downplay the data exposure, creating a nonsense statistic and saying hackers had only accessed "less than 0.1% of its server estate."  Subsequently, victims said they found more information was stolen than Capita admitted, or perhaps realized.  Britain's data protection watchdog, the Information Commissioner's Office, subsequently reported "receiving a large number of reports from organizations directly affected by these incidents."  The ICO's probe continues.

UK Police Forces Leak Personal Data - Responding to a Freedom of Information Act request in August, the Police Service of Northern Ireland inadvertently posted a spreadsheet containing the first initials and surnames, roles and locations of all officers and staff.  Described as being "the most significant data breach that has ever occurred in the history of UK policing," the breach has left serving officers and staff at risk from dissident Irish republicans.  Shortly thereafter, the PSNI disclosed another data breach, as did London's Metropolitan Police Service and two constabularies in England.

Major Disruptions Hit Hive, BlackCat - The year has been bookended by two notable disruptions: first of the Hive ransomware collective in January and earlier this month of the Alphv/BlackCat group.  In between, in April, law enforcement seized Genesis, the world's largest market for stolen browser cookies and other types of credentials used to facilitate account takeover.  Speaking at RSA Conference later that month, US Deputy Attorney General Lisa O. Monaco said the Department of Justice has updated its approach to combating cybercrime by adding a "disrupt and prevent" focus to impose economic costs on attackers, even if arrests don't result.

In 2024, for cybersecurity, we are entering an era where advanced AI tools and intricate social engineering tactics (especially during election years) are changing the game.  To avoid potential cyber threats, businesses, governments and individuals must grasp these emerging trends.[2]

1. Rise of Cybersecurity AI - In 2024, AI's role in cybersecurity will expand to encompass automated responses and predictive analytics. It is about taking preventive measures in advance, using AI to anticipate future cyber threats by analyzing historical data and current trends.  Integrating AI into cybersecurity applications can improve threat detection and incident response.  For instance, AI can identify anomalies or deviations that may indicate potential security threats.  Previously unseen attacks can be detected.  With cyberattacks becoming more sophisticated, AI's ability to analyze vast datasets and identify patterns will be pivotal. Since AI has become a major part of cyber criminals' toolkit, AI is expected to become a mainstay in cybersecurity solutions.

2. Election Year Disinformation - Election years provide fertile ground for social engineering and disinformation campaigns, and there's no reason to believe 2024 will be an exception. As political tensions rise, so do efforts to manipulate public opinion and undermine democratic processes.  Cybercriminals exploit societal divisions, using sophisticated social engineering tactics to spread misinformation.  The FBI also warned of cybercrimes against election officials during the last election cycle.  Americans lost $10.3 billion to online scams in 2022, which also emphasizes the need for ongoing employee security awareness training that includes exercises to help identify social engineering tactics and phishing attempts.  The use of open-source intelligence tools (OSINT) to root out network vulnerabilities is recommended as a preventive measure to combat threat actors.

3. Escalation of Ransomware Attacks - Ransomware remains a formidable threat in 2024, with tactics becoming increasingly complex and negotiations more aggressive. According to Cybersecurity Ventures, damages from cybercrime are projected to exceed $10.5 trillion globally by 2025.  This alarming escalation calls for robust backup strategies, employee training, cyber insurance, negotiation expertise and incident response plans.  Companies can follow the example of external threat hunters by performing tasks such as penetration testing, validating network integrity, identifying unauthorized activity and monitoring for suspicious behavior.

4. AI-Based Predictive Social Engineering - 2024 will likely see a rise in AI-based predictive social engineering and a disturbing convergence of AI and social manipulation techniques. Leveraging AI, cybercriminals can prey on human weaknesses such as impulsiveness, greed and curiosity to more convincingly create personalized phishing campaigns at scale. AI-facilitated social engineering attacks have been reported to the FTC.  This emerging trend underscores the need to perform AI risk assessments and to consider outsourcing expertise to a virtual AI officer who can step into the role and run AI-resistant security protocols.
5. National US Data Privacy Act - The progression of data privacy regulations—beginning with the European Union's General Data Protection Regulation (GDPR) and extending to California's Consumer Privacy Act (CCPA)—is paving the way for establishing a national data privacy act in the US called the American Data Privacy and Protection Act. With five states' privacy acts becoming effective in 2024 and other data breaches costing companies an average of $4.45 million, legislating a national data privacy standard is more urgent than ever.
6. Cyberattacks on Cannabis Retailers - The burgeoning cannabis industry, particularly retailers, is increasingly vulnerable to cyberattacks as they transition to digital platforms. Banks and credit card services could begin to accept electronic payments and ACH transfers from cannabis businesses, thanks to pending legislation making its way through Congress, and the gap between point of sale (PoS) systems and potential data breaches narrows significantly.  Human error and complacency are major risk factors, and the industry's nascent adoption of digital technologies makes it an attractive target for cybercrime. Retail dispensaries must prioritize cybersecurity to protect their client data and financial transactions, as the sector's so-called “green rush” also attracts the unwanted attention of threat actors.

7. Zero Trust Elevates to Boardroom Status - The concept of zero trust in cybersecurity, akin to the rise of anti-virus software in the 1990s, is set to become a staple topic in boardroom discussions in 2024. Gaining steady momentum, the implementation of zero trust is no longer a technical nicety but a business imperative.  Rooted in the principle of "never trust, always verify," the widespread adoption of zero-trust architectures signifies a paradigm shift in security strategies, emphasizing continuous verification of every user and device, regardless of their location or network.  This strategic move elevates cybersecurity from a technical concern to a core business function, crucial for protecting organizational assets.

8. FEMA Cyber Insurance - To make a bold and unprecedented prediction, FEMA, the federal agency known for last-resort flood insurance, may eventually be called upon to serve as a model and backstop for cyber insurance policies not covered by commercial carriers. With traditional insurance carriers withdrawing from high-risk regions like Florida due to severe climate events, there is a growing need for federal intervention. A FEMA initiative could potentially underwrite essential services like airports, hospitals, energy and water treatment plants as commercial insurance options become limited.

Conclusion - The increasing complexity of cyber threats underscoring the security trends of 2024 highlights the need for advanced mitigation strategies.  Organizations will need to understand these trends, ensure they enable best practices and consider collaborating with outsourced cybersecurity expertise to navigate the security environment and ensure a robust, future-ready cyber defense.

In another look at 2024 from InfoSecurity, cybersecurity professionals usually hate being asked to get their crystal ball out and predict the future of cyber.  With cyber threat actors constantly evolving, cyber defenders regularly need to change their posture, which makes the cybersecurity landscape highly unpredictable.  However, we can make some educated guesses as to what will impact the cybersecurity world in the year ahead.[3]

At InfoSecurity, we invited a panel of seasoned cybersecurity experts to make some predictions and highlight some of the trends they think will emerge in cyber over the next few months.  Below is a selection of the top ten predictions they made during our Autumn Online Summit 2023.

1. Identity and Access Threats Will Drive Demand for Robust MFA - According to Jason Rebholz, CISO of Corvus Insurance, organizations' first cyber priority in 2024 will be to adopt robust, phishing-resistant multifactor authentication (MFA). CrowdStrike’s August 2023 Threat Hunting Report showed that identity theft has established itself as the primary initial access method for threat actors in 2023, with 80% of breaches now involving the use of compromised identities. Rebholz argued that this new trend has boosted MFA adoption.  “We’ve reached a point now where we know that MFA is important to protect our identity and access management (IAM) processes.  It’s true, but this high level of protection also comes down to the type of MFA you have.  When you’re adopting one of the weakest MFA options, such as SMS-base MFA or authenticator apps, attackers have now developed ways to bypass those,” he explained.  Among the many phishing-resistant MFA options that exist today, Rebholz said he was particularly eager to see passkeys be more widely adopted.  “Organizations shouldn’t even start adopting these methods in 2024, but today,” he insisted.

2. Elevated Focus on OT Security Amid Critical Infrastructure Targeting - One thing that worries Rockya Fofana, CEO of Elite CI Consulting and former director of cybersecurity of the government of Cote d’Ivoire, is the increased targeting of industrial systems and operational technology (OT), both in the public and private sectors. “In Africa, most critical infrastructure is operated by governments, so their increased targeting by threat actors was in my remit,” she said during Infosecurity’s Online Summit.  Margareta Petrovic, a global managing partner at Tata Consultancy Services, agreed.  “We keep talking about emerging threats that are coming up, but most of our organizations are still running very old pieces of infrastructure.  Keeping OT up and running while not introducing additional risks in the IT environment should certainly be a priority for the coming months.  Attackers are well aware of the deficiencies in those OT systems,” she said.  In November 2023, an unprecedented attack on Danish critical infrastructure was attributed to the Russian hacking group Sandworm.  A few weeks later, the US confirmed that Iran’s Islamic Revolutionary Guard Corps was behind a series of recent strikes against water plants across multiple states.  “These are only the attacks you hear about. It’s true that cyber-attacks targeting OT systems are not reported very frequently yet, but there are certainly many more happening that never get reported,” Petrovic insisted.   Furthermore, we’re looking at the best-case scenarios right now, Rebholz added. “These cases, as well as the 2021 attack on Colonial Pipeline, are usually maneuvers to try to shut down IT systems – imagine when attackers will manage to actually shut down the OT systems, just like with Stuxnet in 2010.  I don't think AI will greatly impact cyber defenses, at least for next year."

3. Accelerated Law Enforcement Collaboration, but Challenges Endure - Cyberlaw enforcement officers have been particularly busy in 2023, with several international operations succeeding in the arrest of individuals involved in cybercrime or the takedown of threat actors’ IT infrastructure. One of the most recent examples is Operation Duck Hunt, which resulted in the shutdown of some of the Qakbot botnet infrastructure in August. Rebholz said he hopes to see more such coordinated actions across the globe.  However, Mike Morris, a former FBI agent and current director of the Center for Cyber Education at Western Governors University, explained these collaborative efforts are very challenging.   “When the FBI is investigating a cell in the US and wants to crack them to the next country over, they have to sign a mutual legal assistance treaty (MLAT) with the other nation to share information. That’s a diplomatic document that requires a diplomatic exchange, which takes time.”  That’s why, the former FBI officer insisted, governments should build these diplomatic relationships before starting any investigations.  Fofana argued that another institution that could help build these collaborative efforts is the UN.  The organization is currently working on an international treaty on countering cybercrime.  However, with all the current kinetic and cyber conflicts, Petrovic said she was pessimistic about seeing even broader anti-cybercrime coalitions emerge in 2024.

4. AI to Have Limited Transformative Impact on Cyber Defenses - Our cybersecurity experts argued that threat actors will continue to weaponize AI in 2024 and beyond, but AI-powered attacks will probably not have a transformative effect on cyber defenses. Rebholz commented: “I don’t think AI will greatly impact cyber defenses, at least for next year. Yes, the threat is growing, and threat actors will leverage AI-powered tools, but the way to mitigate this risk is mainly by implementing traditional security measures.”
5. Deepfakes and Misinformation Will Be More Pressing AI-Related Threats - According to Rebholz, where generative AI really is a game-changer is in enabling disinformation at scale using deepfakes. “Imagine the impact that deepfakes, which are easier to develop than ever, yet still very difficult to detect, will have on disinformation campaigns around elections,” he warned.  In 2024 there are set to be 40 national votes occurring worldwide, making it the biggest election year in history.  “I also think these disinformation campaigns around political events will be an open door to cybercrime-oriented campaigns using similar tools,” Rebholz added.

6. Cyber and AI Regulations Set to Reshape the Global Security Landscape - A flurry of regulations will impact the cybersecurity industry in 2024. In the EU only, organizations across sectors must prepare for the NIS2 directive to be translated into national law.  At the same time, financial businesses will need to start exploring future security requirements introduced by the Digital Operational Resilience Act (DORA).  The Cyber Resilience Act and the AI Act have also been adopted and will soon introduce new security mandates for manufacturers and AI providers.  During Infosecurity’s Online Summit session, Petrovic predicted that some of these regulations will become the blueprint for similar ones in other jurisdictions. She believes that organizations from all industries should stay ahead of the curve and explore these laws, even when operating in countries that are not yet impacted by said laws.  "Organizations have many more pressing issues to deal with for next year than preparing for quantum threats."

7. Increased Pressure on CISOs - In an end-of-year blog post on the Tata Consultancy Services website, Petrovic wrote that the pressure on CISOs will increase in 2024. During our Online Summit, she explained the reason behind her prediction: “With cybersecurity getting an increasing level of attention from regulators, there are more and more requirements for the boards to demonstrate that they’re implementing appropriate security measures and that they’re allowing the right resources to meet those requirements. Who are they going to turn to? CISOs.”  She added that although CISOs traditionally come from technical roles, organizations will increasingly ask them, or some intermediary, to collaborate more with the board and “talk business as well as technical security issues.”  She said this will make “CISOs’ lives even more exciting.”  Morris added that CISOs could also be increasingly offered a seat at the C-suite table because boards will need to have someone with a technical background among them more than ever.  Fofana, who left her job as director of cybersecurity of the Ivorian government in October 2022, is living proof of that trend as she was asked in 2023 to join the board of an organization “because of my background in cybersecurity.”  Rebholz commented: “I hope we can use Rockya’s case as a success case study, but I would stay cautious.  Yes, it’s great to have people with a cybersecurity background joining boards, but is it really going to be enough to influence boards significantly?  I’m not sure.”

8. Quantum Readiness Shouldn’t Be a Priority for 2024 - All four panelists agreed that, while important to keep in mind for the future, quantum readiness should not be one of organizations’ top priorities for 2024. Morris developed: “Will quantum-proof cryptography eventually come? Certainly. Is it going to roll out next year? Probably not.  And if it does, it will be at state-level, and we’re not going to hear about it for the private sector before three more years.”  Rebholtz added: “If this is something that you’re prioritizing for next year, I would encourage you to re-evaluate your risk profile. You need to figure out the risks that are specific to your organization and are most likely to impact it – and the quantum risk is probably not on top of your list for 2024.”  Fofana nodded: “We have many more pressing issues to deal with for next year,” she said.

9. Insurance Firms Will Set a Bar of Minimum Cyber Requirements - Rebholtz said cyber insurance is “a requirement for any company with a computer.” However, he believes that cyber insurance firms will need to establish a clearer definition of the minimum requirements a company needs to fulfill in order to get insured before falling victim to a cyber-attack.
10. Innovative Hiring Strategies Well be Needed to Close the Skills Gap - In 2023, the global cybersecurity workforce gap reached four million people, a 12.6% increase compared to 2022, according to the ISC2 2023 Cybersecurity Workforce Study. To stop this gap from getting larger every year, Petrovic said that organizations should try new, innovative hiring strategies. “There must be a lot of investment in cross-training people and focus those training programs, not on technologies, but on solving problems.  This will help them get more efficient in the cyber defensive posture while opening the doors for people with different backgrounds to get into cybersecurity,” she said.  Fofana added: “Organizations should also think of re-training its workforce. With the increasing targeting of OT and the IT-OT convergence and the adoption of AI practices in IT systems, most of the cyber training manuals have become obsolete.”

Morris, who is director of the Center for Cyber Education at Western Governors University, said the average age of his students is 35 and that most of them are pivoting to cybersecurity after a career in another domain.  “What’s important, whatever background people have, is to make them face hands-on situations early on. To do that, we have a cyber club with 8000 students doing weekly defensive and offensive security exercises. Now, we have about 23000 trained people with actionable skills looking for a job in cybersecurity,” he concluded.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com   

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://www.govinfosecurity.com/cyber-badness-12-top-hacks-data-breaches-missteps-2023-a-23952

[2] https://www.forbes.com/sites/forbestechcouncil/2023/12/26/eight-cybersecurity-trends-to-watch-for-2024/

[3] https://www.infosecurity-magazine.com/news-features/top-ten-cybersecurity-predictions/