A new report from Kaspersky details what their digital forensics and incident response teams predict as the main 2023 threats to corporations and government agencies. Learn more about it.
A new report from Kaspersky details what will be the most challenging threats for corporations and government agencies in 2023.
SEE: Mobile device security policy (TechRepublic Premium)
Data leaks increase
Data leaks affecting both personal and professional data grew in 2022 and will continue into 2023. Huge data leaks impacting millions of users occurred in 2022, such as the WhatsApp leak and more recent Twitter leak exposing more than 200 million users’ information.
Those data leaks are often sold privately in cybercriminals’ underground marketplaces, with price depending on several parameters such as the number of users, the types of users targeted, and whether the passwords are encrypted or clear text.
For example, a database containing 105 million Indonesian citizens’ records was sold in September 2022 for $5,000 on the dark web. The database seemingly came from the General Elections Commission of Indonesia and contained full names, places and dates of birth, and national identification numbers.
Corporate emails impacted
Corporate email addresses should never be used on any non-professional service, yet people tend to use it to register for third party web services. This greatly increases the attack surface for the corporate entity, as an attacker may collect that information. Should the employee use the same password on the service as his corporate email account, attackers may obtain a foothold inside the entity’s infrastructure. In addition, there is the single-sign on risk of compromising access across several entities.
“With many applications using SSO for authentication, it is crucial to supervise rights given to applications and websites to avoid any malicious ones having full rights on email accounts,” Marc Nebout, cyberthreat analyst at Sekoia.io, told TechRepublic. “It’s also important to educate users on good practices such as having a different password for all their accounts.”
Nebout continued by noting that companies shouldn’t just educate their employees.
“Companies should also enforce 2FA on all applications where the option is available,” he said. “Supervision of cloud applications should be done, and if any suspicious behavior is detected, such as a connection from a different country or at an unusual time, passwords should be reset.”
Using corporate email addresses on multiple third parties services also increases the risk of phishing and success of social engineering schemes.
The ransomware threat
Kaspersky observed that threat actors insist on the publication of their stolen data from companies. In each of the first ten months of 2021, they saw between 200 to 300 posts per month (Figure A) from ransomware actors showing their successful compromises. By the end of 2021 and the first half of 2022, that number grew to more than 500 per month.
However, in previous PR attempts, the LockBit group has published supposedly successful corporate compromises which were later found to be fake.
“There are cases of ransomware actors making misleading attack claims,” explained Livia Tibirna and Pierre Antoine Duchange, threat analysts at Sekoia.io. “We observe this on a regular basis, although it is not necessarily common to all ransomware groups.”
There are several possible reasons for these misleading claims:
- Improper analyses of the stolen data by the threat actors, whether intended or not.
- Attempting to monetize an intrusion, even if there was no encryption.
- Attempting to damage the reputation of an organization.
- Fabricating a higher level of intrusion activity by the ransomware organization.
- Seeking attention for their ransomware organization.
More cloud, more attacks
Cloud and virtualization technologies will be increasingly hit by attackers. While businesses often transfer parts of their data and operations to the cloud, they also often use partner services which may not be well configured or contain vulnerabilities.
Companies may not be aware of cloud infrastructure intrusions, as some cloud providers do not log important system events. This makes it interesting for attackers and makes proper investigation and incident response more difficult, according to Kaspersky researchers.
Malware-as-a-service model keeps growing
Malware-as-a-service models have gained popularity through the last years amongst cybercriminals and will keep increasing.
“Cybercriminals try to optimize their work efforts by scaling their operations and outsourcing certain activities, just as a legitimate business would,” Kaspersky said.
This model also lowers the barrier of entry for wannabe cybercriminals, as they can just rent efficient services to operate without needing too much cybersecurity knowledge themselves.
The increased use of this model may lead to less unique attacks due to different attackers using the same tools. These tools may subsequently increase in complexity to avoid being correctly analyzed by automated security systems.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.