Preparing for the Cyber Security Threats of 2023

The cyber security challenges organisations faced last year give hints about how cyber crime is evolving this year. Ransomware has established itself as a constant threat and is now available on demand through ransomware-as-a-service models. Phishing events have increased, with more sophisticated landing pages, and widespread flaws such as Log4j continue to affect unpatched systems. Based on the threats and attacks experienced in 2022, these are the cyber crimes we can expect to see in 2023:

 

Ransomware 

One of the biggest threats in cyber security at the moment is ransomware, accounting for 40% of cyber crime reported in Cymulate’s 2022 Data Breaches Survey. This type of threat is likely to continue to grow in the coming year. According to statistics recently published by Emsisoft, 106 local governments, 44 universities and colleges, 45 school districts, and 25 healthcare organisations were targeted by ransomware attacks in 2022 in the US alone. Government, education, and healthcare are often targeted for ransomware attacks because they hold highly confidential data and provide essential services that cannot handle large periods of downtime. This makes these organisations much more likely to pay the ransom in order to restore their services as quickly as possible. However, ransomware attacks are not limited to these industries. With 73% of UK organisations dealing with a ransomware attack over a 12-month period in 2021-2022, it is clear that all types of organisations could be targeted.

2023 has already seen its first disruptive ransomware attack on the UK postal service Royal Mail. Despite Royal Mail’s international export services being the only area directly affected, the service disruption was severe. The attack resulted in Royal Mail being temporarily unable to despatch any items to overseas destinations. This cyber attack is believed to have been performed by the ransomware operator LockBit, who claim to have encrypted files and stolen data, and will provide a decryptor and delete the stolen data only after the ransom is paid. The National Cyber Security Centre (NCSC) released a statement to confirm they are aware of the incident, and are working with Royal Mail and the National Crime Agency to “fully understand the impact”. The LockBit ransomware group were also credited for the 2022 attack on the NHS 111 service, in a ransomware-as-a-service attack. 

In a joint advisory, the Cybersecurity & Infrastructure Security Agency (CISA) from the United States, the Australian Cyber Security Centre (ACSC), and the NCSC “strongly advise” against paying the ransom in the event of a ransomware attack. This is because criminals will often re-target an organisation they have proven will result in a successful pay-out. This means that an organisation paying the ransom will actually increase the likelihood of it falling victim to another attack. Instead, organisations should report any ransomware attacks immediately to local authorities, who can aid in the response and recovery process. CISA have released a Ransomware Readiness Assessment, which is a free tool that can be used to determine the preparedness of your organisation for the event of a ransomware attack. 

 

Supply Chain Threats and International Espionage 

Critical technological infrastructure has already been targeted in the conflict between Russia and Ukraine. This conflict is still ongoing, which means more attacks are likely in this coming year. Russian hackers have also been credited for the supply chain attacks on SolarWinds back in 2020, which is one of the biggest supply chain attacks ever experienced. The threat actors accessed development builds of SolarWinds’s Orion software, the network monitoring program used by multiple US government agencies including the US Treasury Department, the Department of Homeland Security, and the US Department of State. This breach led to approximately 18000 networks being compromised, with Russian agents having access to private and confidential data such as user IDs, passwords, financial records, and source code. 

The SolarWinds supply chain attacks also targeted Microsoft software, specifically accessing their internal network through multiple internal accounts, allowing the attackers to view source code repositories. In a security blog released at the time of the attack, Microsoft confirmed that although malicious activity was detected, no evidence of the threat actors accessing their production services or customer data was found.  

It is unlikely that the number of state-backed supply chain attacks, where the threat actors are often well funded and resourced, will diminish in the coming year. Dependence on software libraries and as-a-service systems also leaves opportunity for attackers to find and exploit the next Log4j-style vulnerability in supply chain attacks. Organisations can best protect themselves from such threats by keeping high standards for their cyber security, including applying updates as soon as possible to eliminate vulnerabilities, and not using end-of-life software or any unpatched systems in the supply chain.

 

Internet of Things – IoT 

As technology progresses, the number of IoT devices in any given office or home has increased, presenting a large and easy target for cyber criminals. IoT devices are often installed in configurations that leave them exposed, and their software updates are forgotten about, leaving them unpatched for long enough for attackers to use them to easily access your network. When setting up these devices, users may also leave default configurations, usernames, and passwords in place, or use otherwise weak credentials to secure them.

At the end of 2022, Microsoft reported on Zerobot, a botnet that targets and spreads through IoT devices and web application vulnerabilities. This Go-based botnet is known to be used in malware-as-a-service and DDoS-as-a-service attacks, making this high-level threat available to unsophisticated attackers for the right price. The Zerobot malware gains access to IoT devices through brute force attacks, using only 8 usernames and 130 passwords common to these devices to gain access over SSH and telnet ports 23 and 2323. Additional attacks also attempted to connect to ports 80, 8080, 8888, and 2323 by port-knocking.

 Zerobot attacks were also found to exploit many known vulnerabilities in IoT devices, firewall devices, and routers, such as CVE-2022-30023, a command injection vulnerability in Tenda ONT GPON AC1200 routers. Once initial access was established, Zerobot could then carry out DDoS attacks on the compromised networks and set up persistence mechanisms for future access. Enforcing high security standards across all devices on a network, including IoT devices, can help prevent attackers from gaining initial access. Segmentation of networks to keep IoT devices such as cameras and doors separated from the rest of the network environment can also prevent lateral movement of attackers if they do manage to compromise your devices. 
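As an added example (not part of the original article), the following sketch shows detection logic for the dictionary-style login bursts described above: repeated failed logins against SSH or the telnet ports 23 and 2323, and a successful login immediately after such a burst. The log format, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {22, 23, 2323}  # SSH plus the telnet ports named in the article
WINDOW = timedelta(minutes=5)   # assumed thresholds below; tune per environment
MAX_FAILURES = 5
MIN_BEFORE_SUCCESS = 3

# Constructed sample events in a hypothetical normalised key=value format.
SAMPLE_LOG = """\
2023-01-10T02:14:01Z src=203.0.113.7 dst=10.20.0.15 dport=23 user=admin result=fail
2023-01-10T02:14:02Z src=203.0.113.7 dst=10.20.0.15 dport=23 user=root result=fail
2023-01-10T02:14:03Z src=203.0.113.7 dst=10.20.0.15 dport=23 user=admin result=fail
2023-01-10T02:14:04Z src=203.0.113.7 dst=10.20.0.15 dport=23 user=guest result=fail
2023-01-10T02:14:05Z src=203.0.113.7 dst=10.20.0.15 dport=23 user=root result=fail
2023-01-10T02:14:06Z src=203.0.113.7 dst=10.20.0.15 dport=23 user=root result=ok
2023-01-10T02:20:00Z src=198.51.100.9 dst=10.20.0.16 dport=2323 user=admin result=fail
2023-01-10T09:00:00Z src=10.20.0.2 dst=10.20.0.15 dport=22 user=ops result=fail
2023-01-10T09:00:10Z src=10.20.0.2 dst=10.20.0.15 dport=22 user=ops result=ok
"""

def parse(line):
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["dport"] = int(event["dport"])
    return event

def detect(log_text):
    """Return (kind, src, dst, dport, user) alerts for dictionary-style login bursts."""
    failures = defaultdict(list)  # (src, dst) -> recent failure timestamps
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        e = parse(line)
        if e["dport"] not in WATCHED_PORTS:
            continue
        key = (e["src"], e["dst"])
        recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
        if e["result"] == "fail":
            recent.append(e["ts"])
            if len(recent) == MAX_FAILURES:
                alerts.append(("brute_force", *key, e["dport"], e["user"]))
        else:
            # A login that succeeds right after a burst suggests a guessed credential.
            if len(recent) >= MIN_BEFORE_SUCCESS:
                alerts.append(("success_after_failures", *key, e["dport"], e["user"]))
            recent = []
        failures[key] = recent
    return alerts
```

A `success_after_failures` alert on a device in the IoT segment is the higher-priority signal, since it indicates a default or weak credential was accepted; a single mistyped password followed by a successful login stays below the threshold.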

 

Identity Compromise 

The average monthly number of password-based attacks increased by 26% between 2018 and 2022, to what Microsoft now describes as 1287 password attacks every second, equivalent to more than 111 million attacks every day. A ‘defence in depth’ approach including strict password policies, no shared credentials or guest accounts, and MFA across the board can help increase identity security and reduce the likelihood of a breach. Having MFA on all systems means that even if passwords are compromised or stolen, such as through the recent LastPass attacks, your accounts will remain inaccessible to attackers.

Phishing attacks have also increased by 35% between 2018 and 2022. With landing sites becoming more sophisticated, it is easier for even well-informed individuals to be scammed. Keeping a high cyber literacy amongst your team by having regular cyber security training can help educate staff on how to deal with a malicious email and help prevent security breaches through phishing attempts. 2022 saw attacks on the NHS, where legitimate accounts compromised by phishing were used in a widespread campaign against external targets. Phishing scams are likely to continue to rise in 2023, so training staff to spot and report malicious messages is the best defence to protect your network from compromise.  

 

 
