After a year that saw massive ransomware attacks and open cyber warfare, the biggest question in cybersecurity for 2023 will likely be how many of those attack techniques get commoditized and weaponized for use by ordinary criminals.
“In 2022, governments fought wars online, businesses were affected by multiple ransomware gangs, and regular users’ data was constantly on hackers’ radars,” said NordVPN CTO Marijus Briedis.
2023, he predicted, “will not be any easier when it comes to keeping users’ data safe and private.”
Here, then, are the threats, targets and attack vectors likely to be popular with cyber criminals in the next year — along with the ways that cyber defenses are evolving to thwart those threats.
Wiper Malware, Critical Infrastructure Threats Unleashed by War
Russia’s invasion of Ukraine unleashed a concurrent cyberwar, with wiper malware and threats to critical infrastructure just two of the consequences that have spread to other nations.
Wiper malware was considered an old, time-worn attack method until it made a comeback in 2022, as attackers introduced new variants. It is now back in force, and 2023 should see it appear in more headlines.
The increase in data-wiping malware was seen in the buildup to the war in Ukraine, but has since spread into dozens of additional countries, not just in Europe.
There is even growing evidence that outright data destruction could become part of the extortion playbook, as ransomware groups look for more leverage to force victims to pay.
The new year will also likely bring an increase in catastrophic attacks on critical infrastructure, resulting in a major outage of some kind. The ongoing war in Ukraine has led to more nation-state sponsored attacks, which tend to have societal and economic impacts. Because of the urgency of the threat, the Biden Administration plans to regulate the cybersecurity of critical infrastructure, according to a new Washington Post report.
There may also be digital civil disobedience cropping up in 2023, as people attack their own government sites or national infrastructure as a form of protest against rising inflation or political turmoil. The U.S., for example, has recently seen a spate of physical attacks on power substations; the cyber capabilities unleashed by the war in Ukraine create the potential for much worse.
RaaS and CaaS Continue to Grow
Beyond threat actors combining a computer worm with wiper malware and ransomware for maximum impact, there is growing concern about the possible commoditization of wiper malware for cyber criminals due to the maturation of Cybercrime as a Service (CaaS).
It becomes increasingly likely that malware developed by nation-state actors could be picked up and reused by criminal groups and spread through the CaaS model. Given its broader availability combined with the right exploit, wiper malware could cause massive destruction in a short period of time, said Derek Manky, chief security strategist and VP of global threat intelligence at FortiGuard Labs.
2022 was notable for the spread of ransomware as a service (RaaS). Cyber gangs evolved their supply chains to the point where RaaS kits allow affiliates lacking technical skills to hold enterprises to ransom, while the RaaS developers take a cut of any successful heist.
That success has given rise to additional attack vectors being made available as a service through the Dark Web to fuel a significant expansion of cybercrime as a service. Seasoned cyber criminals can create and sell attack portfolios as a service to receive simple, quick, and repeatable paydays.
The LockBit threat group is the biggest source of ransomware and RaaS attacks, accounting for 44% of successful ransomware attacks in 2022, according to Trustwave SpiderLabs in a new report released today. Black Basta — with alleged connections to Conti, REvil and FIN7 — and Hive were the next most active ransomware groups. Whatever form they take, expect them to continue to make headlines in 2023.
Reconnaissance and Laundering as a Service Emerge as Threats
Expect subscription-based CaaS offerings and reconnaissance as a service offerings. As attacks become more targeted, threat actors will likely hire “detectives” on the Dark Web to gather intelligence on a particular target before launching an attack, said Manky.
Like insight from a private investigator, reconnaissance as a service can serve up attack blueprints to include an organization’s security schema, key cybersecurity personnel, the number of servers, known external vulnerabilities, and even compromised credentials for sale to help a cyber criminal carry out a highly targeted and effective attack.
Another new attack service, laundering as a service (LaaS), lets cyber criminals use machine learning (ML) to identify potential money mules, reducing the time it takes to find recruits. It also includes automation that moves money through layers of crypto exchanges, making the process faster and harder to trace.
“As cybercrime converges with advanced persistent threat methods (APTs), cyber criminals are finding ways to weaponize new technologies at scale to enable more disruption and destruction,” said Manky. “They are not just targeting the traditional attack surface but also beneath it, meaning both outside and inside traditional network environments.
“At the same time, they are spending more time on reconnaissance to attempt to evade detection, intelligence, and controls,” he added. “All of this means cyber risk continues to escalate and that CISOs need to be just as nimble and methodical as the adversary.”
Supply Chain Attacks, Dependencies Remain Issues
Software supply chain issues like the SolarWinds attack and the Log4j vulnerability have made supply chain security and software dependencies major issues in recent years. Expect the tangled combination of proprietary and open source software to remain a major threat in 2023 — with the hopeful note that we may see effective security solutions begin to emerge.
DigiCert predicts that 2023 will be “the Year of the SBOM,” as the software bill of materials framework moves from a federal requirement to the commercial market. By listing every software component and library that went into building an application, as well as services, dependencies, compositions and extensions, SBOMs provide critical visibility that will speed their adoption, DigiCert predicted.
“Because of the information and visibility it provides into software supply chains, we predict the SBOM will be widely adopted in 2023,” the digital security company said. “While most of the requirements are taking place at the federal level now, expect the SBOM to spread to commercial markets soon.”
Aqua Security, Endor Labs and Tanium are others positioning themselves to help clients detangle the application dependency mess to meet software supply chain security attestation, SBOM and Executive Order 14028 requirements.
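To make the visibility argument above concrete, here is an added example (not code from DigiCert or any vendor named on this page) that consumes a CycloneDX-style SBOM the way an incident responder would during a Log4j-type event: resolve every component an application transitively depends on, flag the gaps that make an SBOM useless for triage (components with no version, no hash, referenced but never declared, or declared but never reached), and check one component against a minimum-version rule. The SBOM document, the payments-api application, its component versions and the 2.17.1 policy threshold are all constructed for this demo; none of them is a real inventory or a CVE lookup.

```python
"""Consume a CycloneDX-style SBOM: transitive deps, completeness gaps, version policy.
Added example with a constructed SBOM; app and versions are hypothetical."""
import json
from collections import deque


def _comp(group, name, version=None, hashed=True):
    """Build one CycloneDX component; the bom-ref follows the purl convention."""
    ref = f"pkg:maven/{group}/{name}" + (f"@{version}" if version else "")
    c = {"type": "library", "group": group, "name": name, "bom-ref": ref}
    if version:
        c["version"] = version
    if hashed:  # constructed digest, not a real artifact hash
        c["hashes"] = [{"alg": "SHA-256", "content": "00" * 32}]
    return c


APP = "pkg:maven/com.example/payments-api@3.2.0"
SPRING = "pkg:maven/org.springframework/spring-web@5.3.20"
LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LOG4J_API = "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"
LEGACY = "pkg:maven/com.example/legacy-util"
GHOST = "pkg:maven/com.example/ghost@1.0"

# Constructed sample in the CycloneDX 1.4 JSON shape, with deliberate gaps:
# log4j-core has no hash, legacy-util has no version, GHOST is depended on
# but never declared, and orphan-lib is declared but never depended on.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "group": "com.example",
                               "name": "payments-api", "version": "3.2.0",
                               "bom-ref": APP}},
    "components": [
        _comp("org.springframework", "spring-web", "5.3.20"),
        _comp("org.apache.logging.log4j", "log4j-core", "2.14.1", hashed=False),
        _comp("org.apache.logging.log4j", "log4j-api", "2.14.1"),
        _comp("com.example", "legacy-util", None),
        _comp("com.example", "orphan-lib", "1.0"),
    ],
    "dependencies": [
        {"ref": APP, "dependsOn": [SPRING, LEGACY]},
        {"ref": SPRING, "dependsOn": [LOG4J_CORE]},
        {"ref": LOG4J_CORE, "dependsOn": [LOG4J_API]},
        {"ref": LEGACY, "dependsOn": [GHOST]},
    ],
})


def load_sbom(text):
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def dependency_graph(sbom):
    """bom-ref -> list of bom-refs it directly depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def transitive_deps(sbom, ref):
    """Every bom-ref reachable from `ref`, breadth-first; cycle-safe."""
    graph = dependency_graph(sbom)
    seen, order, queue = {ref}, [], deque([ref])
    while queue:
        for child in graph.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                order.append(child)
                queue.append(child)
    return order


def completeness_gaps(sbom):
    """Gaps that stop an SBOM from answering 'are we affected, and by which artifact?'"""
    declared = {c["bom-ref"]: c for c in sbom.get("components", [])}
    referenced = {r for deps in dependency_graph(sbom).values() for r in deps}
    root = sbom["metadata"]["component"]["bom-ref"]
    return {
        "no_version": sorted(r for r, c in declared.items() if "version" not in c),
        "no_hash": sorted(r for r, c in declared.items() if not c.get("hashes")),
        "undeclared": sorted(referenced - set(declared) - {root}),
        "unreachable": sorted(set(declared) - set(transitive_deps(sbom, root))),
    }


def parse_version(v):
    """'2.14.1' -> ((2, 14, 1), 1, ''); a '-beta9' style suffix sorts before the release."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    return (nums, 0 if pre else 1, pre)


def check_min_version(sbom, group, name, minimum):
    """bom-refs of group:name components older than `minimum`.
    A component with no version cannot be cleared, so it is reported too."""
    hits = []
    for c in sbom.get("components", []):
        if c.get("group") == group and c.get("name") == name:
            v = c.get("version")
            if v is None or parse_version(v) < parse_version(minimum):
                hits.append(c["bom-ref"])
    return hits


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print("transitive:", transitive_deps(sbom, APP))
    print("gaps:", completeness_gaps(sbom))
    # Constructed policy threshold for the demo, not a CVE database lookup.
    print("stale log4j-core:", check_min_version(
        sbom, "org.apache.logging.log4j", "log4j-core", "2.17.1"))
```

The point of the gap report is that an SBOM is only as useful as its completeness: a component without a version cannot be cleared against any advisory, a component without a hash cannot be matched to the artifact actually deployed, and an undeclared dependency is exactly the kind of transitive inclusion that made Log4j hard to find. Treat those findings as failures of the producer's build tooling rather than something to patch by hand in the document.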
Security Products Face Greater Scrutiny
Software and applications won't be the only things facing greater scrutiny this year. Economic headwinds and tighter IT budgets mean that security products themselves will get a much more rigorous evaluation from potential buyers.
Security buyers have long faced a lack of information on how well security products actually work, but Illumio CTO PJ Kirner predicts that 2023 will be the year buyers finally start to do something about it.
“When times are tough, test your products,” Kirner said. “With an economic downturn on the horizon, CISOs are making sure they are investing in the most effective tools to maximize cyber ROI. As a result, we’re seeing CISOs more proactively test core cyber tools using red teams, breach simulations, and other internal tools. This has led to an increase in solution testing, with products that can deliver measurable results winning out over products that don’t live up to their own claims.”
End Users Are Still the Trouble Spot
Despite the higher stakes and global threats, you can bet that the attack vectors will largely remain the same. The usual avenues such as email phishing, credential compromise, and exploitation of vulnerabilities will continue and even expand. Add social media scams and the growing use of convincing deepfakes and it becomes clear that users are under siege and constant vigilance is required.
Joanna Huisman, senior vice president of strategic insights and research at KnowBe4, believes the answer to attacks across so many channels lies in a shift in focus to creating a security culture within organizations across the globe, supported by security awareness training that covers these newer channels as well as the traditional avenues used by attackers.
“The need for security awareness training is now clear to most organizations, and they are starting to evolve from just training to additional emphasis on behavior and culture,” said Huisman. “There has been a positive momentum toward building a strong security culture globally that involves support from executives and the entire employee base.”
Automation and Services Grow in Importance
Given the complexity and volume of threats, automation and services may be the best hope for most organizations to protect themselves.
Whether in the form of managed security service providers (MSSPs), virtual CISOs brought in to helm their security strategies, outside consultants, or security operations centers (SOCs) provided on tap by big vendors and MSPs, 2023 is sure to see more and more companies bringing in external reinforcements.
SMBs, in particular, will be keen to shed the load, so that they can focus on core competencies instead of being mired in the latest virus or ransomware outbreak. Some will call on providers to guide them through the relentless cyber storm.
“As the cyber risk for small and medium size businesses keeps growing and more business owners see this as an actual threat to the existence of their business, the notion that every organization needs a CISO — or a professional that is accountable for cybersecurity — becomes more popular,” said David Primor, founder and CEO of Cynomi. “Organizations are realizing that security tools by themselves are insufficient and that strategy to coordinate and govern the usage of these tools is critical.”
More Companies Ditching Cookies
Google has promised to eliminate third-party cookies in Chrome by 2024; Apple's Safari and Mozilla's Firefox already block them by default. Once Chrome, the most widely used browser, drops them as well, advertisers and publishers have little choice but to adapt or face a backlash from users.
From a user perspective, this is great news, as it results in more online privacy. Marketing personnel won’t appreciate it so much since cookies have been used to gather a treasure trove of individual user data across sites, which typically ends up in advertisers’ hands to create personalized and intrusive ads.
“At the moment, Google is thinking of new ways to track its flow, such as through FLoC,” said Briedis. “Even though we cannot say that user tracking is gone, we can celebrate the era of intrusive tracking coming to an end.”
More Metaverse Means More Hacking
The proliferation of the metaverse means there are more opportunities for cyber criminals to perpetrate attacks. With developers creating virtual cities and vast online worlds, cyber criminals view these as a new set of attack surfaces to exploit.
The fully immersive experiences being made available online are growing so fast it is hard to keep up. Don’t expect security best practices to be fully in place during the early rollouts. History tends to repeat, and new technologies generally deploy security after attacks and breaches.
Retailers have begun to launch digital goods available for purchase in virtual worlds. As well as a world of new possibilities, this opens the door to an unprecedented increase in cybercrime in uncharted territory.
Avatars, as they are currently being implemented, could be used by attackers as a gateway to personally identifiable information (PII). People can use their avatar to purchase goods and services in virtual cities, but that requires fast access to digital wallets, crypto exchanges, NFTs and various currencies. Threat actors see this as yet another emerging attack surface.
“Biometric hacking could also become a real possibility because of the AR- and VR-driven components of virtual cities making it easier for a cyber criminal to steal fingerprint mapping, facial recognition data, or retina scans and then use them for malicious purposes,” said Manky. “In addition, the applications, protocols, and transactions within these environments are all also possible targets for adversaries.”
More Regulatory Scrutiny
With so many threats and so much consumer data exposed, more cyber regulation is a certainty. And with Elon Musk’s purchase of Twitter, expect content monitoring and hate speech to remain big issues too.
“Regulators like the SEC, FTC, and the DoD will demand more transparency and accountability,” said Igor Volovich, vice president of compliance strategy at Qmulos. “Business leaders at the highest levels, even CEOs, will be held accountable for negligence and asked to validate the state of their security programs, exposing themselves to personal and even criminal liability.”
A good portion of the laws coming down the pipeline will revolve around privacy. We already have the EU’s GDPR, which set a global precedent. California and New Zealand issued their own versions that are similar to GDPR in many ways. 2023 will bring more of the same — perhaps even a U.S. federal privacy statute.
“India will discuss its Personal Data Protection Bill — the Indian version of the GDPR,” said Briedis. “Similarly, the U.S. may be discussing its own American Data Privacy and Protection Act, which will help establish a framework for data protection at the federal level. 2023 will be a big year for privacy laws.”
Finally, Some Hope
Yes, things look dire, and dire things will indeed come for those that continue as before and fail to adapt to the new cyber reality. Those that heed these warnings, trends, and predictions, on the other hand, have taken the first step toward addressing imminent threats and lowering their risk profiles.
“I see the light at the end of the tunnel because people are starting to value their data, pushing businesses and governments to take action,” said Briedis.
Manky concurs. Although the world of cybercrime and the attack methods of cyber adversaries in general continue to scale at great speed, he thinks good news lies ahead. Many of the tactics cyber criminals are using to execute attacks are familiar, which better positions security teams to protect against them.
“Security solutions should be enhanced with ML and AI so they can detect attack patterns and stop threats in real time,” said Manky. “A broad, integrated, and automated cybersecurity mesh platform is essential for reducing complexity and increasing security resiliency. It can enable tighter integration, improved visibility, and more rapid, coordinated, and effective response to threats across the network.”
Broader security protections could also come in the form of solutions that better control data regardless of its location, such as the emerging category of data security posture management (DSPM).
“Every organization, regardless of the size, keeps their data in at least two to three cloud environments,” said Normalyze CTO Ravi Ithal. “The more the organization scales, the more proliferated its data becomes, making it harder to protect the data, keep it secure, and keep tabs on who has access to what. CISOs will turn to data security posture management (DSPM), or the ability to learn where sensitive data is anywhere in your cloud environment, who can access these data, and their security posture and deploy these solutions to start a new era of data security.”