In Part 1 of ‘2023 The Cybersecurity Year in review’, a few memorable cybersecurity events of 2023 were recalled. In some cases, in order to appreciate the events of the first six months of the year, a look farther back in time was warranted. This was seen in the reminiscence of the decade-anniversary of the Snowden revelations. In the remaining six months of the year, at least one event reached a partial conclusion, as seen in a concession by Meta over the fines levied at it in May, while another, such as the impact and future of Artificial Intelligence still remains to be seen.
While we reflected upon the significance of privacy, coupled with the Snowden revelations in June, the security community was shaken in July with the sad news of the passing of one of its most noteworthy pioneers, Kevin Mitnick. Kevin’s adventures as one of the original “hackers” (in the truest sense of the word) inspired many who followed. He may not have been the only hacker of his time, but his ability to retell his story, most notably in the memoir, Ghost In the Wires, gives us better insights into the rise of the entire field of cybersecurity. As stated in Mitnick’s obituary: “Kevin was an original; much of his life reads like a fiction story. The word that most of us who knew him would use – magnificent.”
Also in July: In its continued quest to achieve communication supremacy, Meta released its Threads application in direct competition with Twitter. While Elon Musk and Mark Zuckerberg bickered over intellectual property, the security community emphasized that the new app was as much of a privacy nightmare as all other Meta offerings. Over the course of the month, it seemed that engagement in Threads waned considerably. From a cybersecurity perspective, July was a relatively quiet month.
August began with a scene echoing so many other attacks against health care facilities in recent years. A What is Ransomware?Ransomware is a type of cyberattack in which the attacker infects a computer with malicious software that encrypts the victim's data. The computer usually becomes locked, presenting a... More event forced the owner of 16 US hospitals and 165 outpatient clinics to take its national systems offline while it addressed the breach. Details of the event were horribly lacking, forcing one to wonder about the state of cybersecurity awareness in the health care system. Zach Whittaker astutely observed that a search of the website of the latest targeted healthcare company’s website “doesn’t appear to mention ‘cybersecurity’ anywhere.”
August concluded with an announcement by the FBI, indicating that, as part of a multinational effort, the QakBot network was dismantled. In doing so, more than 700,000 computers worldwide became untethered from the botnet. QakBot was responsible for many ransomware events over its fifteen-year existence. While the details are not clear, one of the interesting points of the report was that the FBI gained legal access to the servers that controlled the botnet, rather than using a brute-force approach. Time will tell if this takedown has any noticeable impact on the ransomware problem.
Is it possible that there were no notable security events worth mentioning in September? Sure, there was the news report about the massive breach at MGM Resorts, which disrupted casino and hotel operations in Las Vegas. There was also the news that LastPass is now requiring all its customers to use a password that is at least 12 characters long. Other than that, September seemed to be the month where the majority of stories were about ransomware events. As this trend seems to grow, it would seem that the upcoming Cyber Security Awareness Month (CSAM) needs a serious boost, as the hope for a secure internet is still falling short of its goal.
One cybersecurity-adjacent event worth mentioning is that the appeal filed by Meta back in May has resulted in the announcement that Meta “will rely on the new Data Privacy Framework (DPF) for the transfer of certain types of data, including Facebook user data and data relating to Meta business tools, from the EU to the US.” Meta also stated that it will continue its appeal against the decisions of the Irish What is Data Protection?Data protection refers to the practice of safeguarding sensitive information from unauthorized access, disclosure, alteration, or destruction. It involves implementing policies, procedures, and technologies to ensure that... More Commission and European Data Protection Board. This remained an open issue through the end of 2023.
October was the 19th anniversary of Cybersecurity Awareness Month, which was initially declared in 2004. This event has enjoyed higher publicity than Safer Internet Day of February. We should pause for a moment to think of the implications of this initiative that now has existed for a full generation. Those who were born at the inception of Cybersecurity Awareness Month are now entering adulthood. Not only has this generation always known technology, but they have also been continually exposed to security for as long as they have been alive. Could some of these cybersecurity natives become the moxie crime fighters who can ultimately change the face of cybersecurity?
Cisco Systems announced that a vulnerability was being actively exploited in devices running IOS XE that have the web UI feature enabled. It was first reported that as many as 10,000 devices were vulnerable. Later in the month, that total was revised to 50,000 devices. Security researchers were able to track the implant, but the attackers modified their attack, effectively hiding the implant from detection. Cisco quickly posted detailed information about how to determine if a device is affected, as well as workarounds, and a patch for the vulnerability.
Early in November, it was revealed that the United States Securities and Exchange Commission (SEC) filed a notice indicating that they were charging SolarWinds Corporation, as well as CISO Timothy G. Brown with fraud and internal control failures. More specifically, as noted in the complaint: “SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”
As stated in the SEC complaint, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, stated, “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: “We’re so far from being a security minded company.”
The complaint against SolarWinds and Brown seeks “permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.” Despite those specialized legal terms, what this all signals, is firm proof that a CISO cannot rely on the legal shield of the corporation, plausible deniability, or any of the other comfortable hiding places that once protected individuals from legal responsibility.
Also in November, in the most bizarre twist in SEC complaint filings, the BlackCat ransomware operation filed a notice with the Commission, complaining that one of their ransomware victims had not complied with the rule to disclose the attack within the required four-day reporting period. The SEC reporting rule was not in effect at the time of the filing, but it will be interesting to see if this new pattern of the criminals reporting against their victims will be a new tool in the ransomware crime playbook.
Two major events occurred in November that, while not directly related to cybersecurity, have strong implications for the cybersecurity community.
Sam Altman, CEO of OpenAI was fired from his position by the OpenAI Board of Directors. The ensuing backlash, including the resignation of President of OpenAI, as well as most of the staff threatening to quit, resulted in the rehiring of Altman, and replacement of members of the Board of Directors. From a cybersecurity perspective, will anything change under the new Board membership, i.e., will there be better guardrails put in place for the development of What is AI? Artificial Intelligence (AI) refers to the simulation of human intelligence processes by computers in an aim to mimic or exceed human cognitive abilities across a range of domains.... More?
The second event of note was the multi-billion dollar fine imposed against cryptocurrency exchange Binanace. According to the story:
“Binance Chief Executive Changpeng Zhao, also known as CZ, … stepped down and pleaded guilty to violating U.S. anti-money-laundering laws. Binance also pleaded guilty and agreed to pay fines totaling $4.3 billion to settle claims from multiple agencies. The fines include $3.4 billion to be paid to FinCEN over violations of U.S. anti-money-laundering laws and another $968 million to the Office of Foreign Assets Control (OFAC) for violations of U.S. sanctions laws. Both penalties are the largest in each unit’s history, eclipsing fines that were imposed on major financial institutions in the past.”
Since all ransomware is paid through cryptocurrency, it will be interesting to see if any ransomware operations become disrupted in light of these fines. What would happen if crypto-exchanges were required to carefully vet their clientele? This event looks like an early attempt at governmental regulation of the cryptocurrency market.
Here’s a game to play with your security friends: What is the cumulative total of Microsoft patches that have been released over the last 12 Patch Tuesday events? According to the SANS InfoSec diary, by the time we reached patch Tuesday in December, the total number of software patches released for the entire year was as sobering as ever, with Microsoft releasing 1,001, of which 87 were listed as critical, and 25 were given the alarming “Exploited” status. While Microsoft attracts the most attention for its patch numbers, it should be noted that Apple was not immune to vulnerabilities, releasing many patches for its various products as well.
Only a few of the events of the past year had the “internet melting” alarm of previous years. The attack vectors may have varied, but the ultimate goal has been to deliver the same old ransomware. This answers the question posed way back in August as to whether the dismantling of the QakBot ransomware group would impact the number of continued ransomware events.
While this is not intended to diminish the harm caused by ransomware, it should be noted that, contrary to the characterizations as “sophisticated”, the majority of these attacks still rely on the simple process of catching a human at a vulnerable period. With the right approach, even the advances in artificial intelligence as an attack tool can be prevented.
It remains that the best defense against these attacks is based not only on solid technical controls, including system hardening, identity and access control, monitoring, and testing, but most importantly, knowledge; knowledge of those in the cybersecurity profession, as well as sharing that knowledge to the general public as often, and as vociferously as possible. One thing that is certain from all the events of the previous year is that the work of our dedicated cybersecurity professionals is not done.
It would be a grave injustice to overlook all those who made this year in review piece possible. These are some of the folks and sites that generously offer their services free of charge. They should be in every cybersecurity professional’s bookmarks and “required reading” lists (shown alphabetically):
Cybersecurity & Infrastructure Security Agency (CISA): https://www.cisa.gov/
Firewall Times: https://firewalltimes.com/
Brian Krebs: https://krebsonsecurity.com/
National Institute of Standards and Technology: https://www.nist.gov/
SANS Internet Storm Center: https://isc.sans.edu/index.html
Bruce Schneier: https://www.schneier.com/
Tripwire State of Security blog: https://www.tripwire.com/state-of-security
Zack Whittaker’s weekly security newsletter: https://this.weekinsecurity.com/
We hope you enjoyed the second part of our 2023 – Cybersecurity Year In Review. For more informative industry-related content please check out our blog back catalog.