2023: The Cybersecurity Year in Review (Part 1)
Technology moves so rapidly, that one can hardly remember what happened over the course of a full year. In this two-part series, we thought it would be good to take a look back at 2023 to see if the threat landscape had any notable shifts. We also wanted to see how the defensive posture has changed in the cybersecurity world. We will mention some of the more notable breaches and ransomwareWhat is Ransomware? Ransomware is a type of cyberattack in which the attacker infects a computer with malicious software that encrypts the victim's data. The computer usually becomes locked, presenting... attacks, but those were so numerous that, if you are a follower of such details, there are other sites dedicated to those events. Our aim is to review some of the other newsworthy cybersecurity events that took place over the year. 2023: The Cybersecurity Year in Review (Part 1) will guide you from January through until June.
As you read along, see how much of it already feels like ancient history and how much of it makes you wonder where we are today, as well as what the future holds. While it is a serious, and sometimes sobering exploration of the year’s events, we also hope that parts will make you smile.
January
January got off to a slow start, with no major events reported in the first half of the month.
Of course, the memory and after-effects of some of the notable attacks of 2022 were still stuck in our minds, and while we would like to think that the cyber-criminals were at the gym, diligently trying to keep their New Year’s resolutions of personal wellness, that quickly proved untrue, as mobile service provider, T-Mobile announced a breach of more than 37 million accounts. In late January, there was also a loss of 20 million records by a firm that enables people to perform background screenings on potential mates.
By the end of January, major “Tech Giants” had shed more than 40,000 jobs worldwide. Other technology companies also made notable cuts to their staffing levels. While this was not specifically cyber-centric, it would be foolhardy to ignore the ripple effects in the cybersecurity community.
February
February featured one of the big celebrations in cybersecurity: Safer Internet Day, which started in Europe 20 years ago, and is now observed in more than 100 countries. This year’s observance featured relevant pre-recorded videos with experts from leading tech companies and nonprofits teaching about apps, issues, and how parents can help kids stay safe and thrive online. There was also a live virtual educational event for parents. Given the long history of this annual event, it is somewhat surprising that it is not more popular.
Artificial Intelligence, specifically ChatGPT continued to dominate the international psyche. Microsoft announced that it would incorporate ChatGPT capabilities into its Bing search engine, as well as its Edge browser. One could detect the faint murmur of a collective chuckle resonating within the cybersecurity community as they awaited similar announcements from America Online, and Ask Jeeves. When was the last time you used Bing as your preferred search engine?
February also saw the most devastating earthquake in centuries impacting Turkey and Syria. Cybercriminals wasted no time setting up fraudulent charities to take advantage of those who wanted to help the victims.
In the daily breach news, the tactic that is gaining popularity in the cybercrime world is to create “MFAWhat is Multi-Factor Authentication? Multi-Factor Authentication (MFA) is a robust security method that enhances digital identity verification by requiring users to provide multiple authentication mechanisms before gaining access to a... Fatigue” through a method known as MFA bombing, whereby a targeted person is worn down by repeated MFA prompts. Reddit fell victim to this, but it was quickly reported by the victimized staff member. This emphasizes the need for companies to accelerate their plans to implement a zero trustWhat is Zero Trust? Security measures and tools have historically been focused on fortifying defenses in an effort to keep outsiders from gaining access to an organization’s network, but this... architecture, as well as the need for more assertive awareness training.
February wrapped up with a disturbing new twist in ransomware tactics. A ransomware gang now entices victimized organizations to anonymously share the maximum coverage of their cyber insurance policy. The warped logic supporting this is that “Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction.”
Few things are more distasteful than criminals wanting to be thanked for their part in the crime. We could only hope that no one will take them up on this criminal collusion scheme to defraud the insurance provider.
March
March started with the announcement of the US National Cybersecurity Strategy. The initiative, consisting of five “pillars” advances the cybersecurity efforts of the current, as well as prior administrations, and aims to:
“make fundamental changes to the underlying dynamics of the digital ecosystem, shifting the advantages to its defenders and perpetually frustrating the forces that would threaten it. Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
Its most resolute directive calls for legislation to shift liability for the sale of insecure software products and services to the vendors of these goods. It also calls for better communication and collaboration between the public and private sectors to combat cybercrime. The strategy document optimistically states that “By the end of this decade, we will achieve these outcomes so we can confidently take bold leaps into a digitally-enabled future that benefits us all.”
In late March, we also learned that if you bang hard enough on a keyboard at a water treatment facility, it can result in a Presidential response. It was disclosed that the infamous Water Treatment Facility attack at Oldsmar, Florida, in 2021 was not as it seemed. The original story told the tale of attackers gaining remote access to the facility, and attempting to raise the level of lye in the water supply. The attack was prevented by an attentive engineer. The real story is a bit more embarrassing:
“The FBI concluded there was nothing, no evidence of any access from the outside, and that it was likely the same employee that was purported to be a hero for catching it, was actually banging on his keyboard.”
This story was originally reported by major news outlets, and cited fairly frequently by infrastructure security analysts. The attention and fear arising out of this story resulted in President Biden issuing new cybersecurity regulations for the water sector, as well as the CISA Director using it to justify a $1 billion grant for state and local governments to improve cybersecurity at these vulnerable targets. While we should not minimize the importance of protecting critical infrastructureWhat is Critical Infrastructure? Critical infrastructure refers to the fundamental systems, assets, and facilities that are essential for the functioning of a society and its economy. These are the foundational..., and while we are glad that this was a false alarm, it underscores the importance of training, as well as ethics in breach reporting.
The continued frenzy over recent developments in Artificial Intelligence resulted in the posting of an open letter, calling for a 6-month pause on large, open experiments with artificial intelligence. The letter was signed by notable researchers and academics in the field of AIWhat is AI? Artificial Intelligence (AI) refers to the simulation of human intelligence processes by computers in an aim to mimic or exceed human cognitive abilities across a range of domains..... One humorous commenter pondered whether the letter was written by ChatGPT as a clever ploy to obtain its hit list for the eventual AI takeover.
April
For those who enjoy a good countdown timer, April marked the start of the 12-month countdown to the new PCI DSS version 4.0 Standard. The updated Standard was released in 2022, and while some of the updates are noted as “best practices” until 2025, the prior release of PCI DSSPCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security best practices developed to ensure the secure handling of credit and payment card data. 3.2.1 is no longer valid as of April 1st, 2024.
In early April, the FBI and a consortium of 16 international law enforcement agencies seized domains for Genesis Market, an online marketplace that bought and sold stolen user data. According to one news source, “while the FBI and international law enforcement may have taken down Genesis, it’s unclear whether they’ll be able to detain Genesis’ owners and administrators, who are likely located in Russia, or a Russian-speaking region.” It is encouraging to see such broad international law enforcement collaboration in cybersecurity.
April also delivered a combined example of using technology carelessly, and the perils of artificial intelligence. Workers at Samsung used ChatGPT to assist them, and unwittingly uploaded confidential company information, as well as source code. OpenAI clearly states that that it “may use Content to provide and maintain the Services, comply with applicable law, and enforce our policies”, which could potentially mean that it will use some of what it learned from the Samsung information in some of its responses to similar questions. In defense of OpenAI, they also state that “We do not use Content that you provide to or receive from our APIWhat is an API? An Application Programming Interface (API), is a set of definitions and protocols for building and integrating application software. They allow disparate products or services to communicate with... More (“API Content”) to develop or improve our Services.” They also provide a form to opt-out of non-API data use.
May
We often hear how important it is to protect private encryptionWhat is Encryption? Encryption converts readable data (plaintext) into a scrambled and unreadable format (ciphertext) using an algorithm and a key. The primary purpose of encryption is to ensure the... keys. A stolen key gives the possessor full access to all of the encrypted information. While this alone is enough to damage a business, it can actually be worse. If the firmware signing key of a hardware manufacturer is stolen, it places every customer in peril, as it presents an opportunity for an attacker to craft malicious firmware code that appears to originate from the compromised company. This is what happened to the popular gaming computer manufacturer Micro-Star International, which is more commonly known as MSI. The compromise that led to the discovery of the stolen private key took place in March, and MSI issued a statement in April. However, the analysis that indicated the key compromise was first revealed in May. The simple solution for a company is to issue new keys, however, in this case there is no way to revoke the old keys, which puts all previously released firmware at risk.
In the realm of it-was-only-a-matter-of-time, the European Data ProtectionWhat is Data Protection? Data protection refers to the practice of safeguarding sensitive information from unauthorized access, disclosure, alteration, or destruction. It involves implementing policies, procedures, and technologies to ensure... Board levied the largest GDPRWhat is GDPR? The General Data Protection Regulation (GDPR) is widely regarded as the world's strictest security and privacy law, promulgated by the European Union (EU) to regulate any organization... fine to date against Meta Platform’s Ireland Limited (Meta IE). According to Andrea Jelinek, EDPB Chair, the 1.2 Billion Euro fine was issued as a result of “systematic, repetitive and continuous” data transfers in violation of Chapter V of the regulation. In a blog post, Meta indicated that it will appeal the decision, stating, amongst other arguments, that “there is a fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer.” Considering that the original complaint was filed a decade ago, one should not expect the wheels of justice to move any quicker to settle the case.
June
June started off with a major announcement from security vendor Barracuda Networks. A broad series of their Email Security Gateway products were vulnerable to a zero-day flaw that was so damaging, as to render the devices irreparable. Consumers were advised to decommission the devices, and replace them. Initial reactions to this ranged from stunned disbelief, to suspicions of forced obsolescence, to loss of confidence that any of the Barracuda products were safe. On the opposite side, some applauded Barracuda’s honesty and full disclosure. It was unclear if affected customers would be charged a fee for the replacements. One has to wonder if an affected organization could claim damages within the terms of a cybersecurity insurance policy?
As the year reached the half-way mark, the Clop ransomware group continued its nefarious mission, attacking numerous sites through a vulnerability in some of the most popular file transfer software products. The list of targets includes government agencies, banks, and educational institutions.
Does anyone remember what happened ten years ago in early June? This was the tenth anniversary of the then shocking release of government surveillance documents by Edward Snowden. While reviled by some (mostly politicians and government officials), and exalted by others, (mostly privacy advocates, and cybersecurity professionals), his revelations shifted the public’s awareness of the true meaning of privacy, or lack thereof, in our internet interactions. In remembrance of the event, Bruce Schneier offered a detailed account, along with some interesting new information about the Snowden event.
Microsoft’s patch release included the official end to Internet Explorer, removing all visual references, such as the IE11 icons on the Start Menu and taskbar.
This concludes part 1 of our two-part ‘2023: The Cybersecurity Year in Review’. Can you tax your memory and predict some of what’s to come in the next installment?