Top Security Stories of 2023

My office Christmas party took place last week. I made my round, wishing everyone happy holidays. One colleague caught me off-guard: "So, how was your year?" I stared, expressionless. "I have no idea. I keep grinding and don't look back..."

The conversation brought back hard memories; or rather, the lack thereof. I've forgotten long episodes of the early covid lockdowns. TikTok tells me this may be declarative memory dysfunction.

Nowadays, I write. This should help with remembrance.

This is why I'm reflecting on what mattered the most in the security world this week. There is value in taking lessons from the past to better ourselves and our organizations. Every security model must consider the threat landscape these events reveal. As a security representative, you must tailor your interventions to today's relevant trends.

So, which companies would rather forget 2023?

Supply chain attack against MOVEIt file transfer software is the largest hack of 2023

How do you break into a bank? As a cybercriminal, you can either try to breach each website individually or... hack a supplier that everybody uses. Sounds familiar? Probably. The biggest hack of 2021 was against SolarWinds, a firewall company, which gave hackers a backdoor into hundreds of companies' networks.

In 2023, it was a managed file transfer service - Progress software's MOVEIt - that opened the so-called backdoor. Criminals from the Cl0p group exploited a zero-day which allowed them to infiltrate over 1,000 organizations and ask for ransoms worth over $100 million.

What's the lesson? If you work for an enterprise software vendor (like I do!), then you have a target on your back.

If you work in a sensitive sector such as finance or government? Then things get complicated. You certainly need a strong third-party due diligence process. But, as I mentioned in 10 Harsh Truths About Cloud Security, Progress software had state-of-the-art security certifications and documentation. There was no telltale sign that this software was going to break.

The answer, as with almost everything in security, is layered defence: data governance, access controls, segmentation, data lifecycle, automated deletion procedures, incident response plans, etc.

In 2024, there will be another SolarWinds, MOVEIt, or LastPass. Don't play Russian roulette with your vendors: plan for the worst, and assume they might suffer a zero day.

China breaches the Pentagon's Microsoft Outlook Emails

Microsoft's partnership with OpenAI and its $70B Activision acquisition might have grabbed headlines. However, from a security standpoint, the giant had a dumpster fire of a year that ended with its 14-year veteran CISO getting fired.

In July, Chinese threat actors gained access to the Microsoft corporate network. They found debug files of Microsoft 365 customers which included credentials that Microsoft had failed to sanitize. They used the authentication tokens to breach over 25 email accounts belonging to the US government.

The Department of Homeland Security table flipped.

US cyber agencies, while investigating, stumbled because of paywalled security features.

The Department of Homeland Security table flipped, again. The Cybersecurity & Infrastructure Security Agency threw Microsoft under the bus a few days later, and Microsoft had its tail between its legs.

With the CISA and FBI's proactiveness, the 2021 Biden Executive Order on Cybersecurity and the new SEC rules for breach accountability, it does feel like cybersecurity is being treated as a critical national security matter. This major legislative push and execution might be the best news in of the decade in cybersecurity.

Speaking of the FBI...

Deepfakes have the FBI on edge

One of my most successful TikTok videos this year discussed deep fakes being used by cybercriminals for sextortion scams. Gangs would generate nude photos of young people and threaten to expose them publicly unless they paid.

Consumer-grade AI tools nowadays allow you to generate such fakes using a few pictures. With everybody posting pictures of themselves online, it's a piece of cake to create them.

In my video, I argued that the FBI's advice of "not posting images online" was naive. As I see it, our best solution probably lies within large image-sharing websites (Meta, Google, etc.) and security solutions (Microsoft Defender, Cloudflare) to use machine learning to detect AI-generated fakes and label or ban them accordingly.

That said, don't be surprised if a friend, colleague or family member receives such threats in the next year.

A bunch of kids with no technical skills take down Vegas

For nearly a week, the MGM and Ceasar's Palace were taken offline by a ransomware attack. What is so special about them? The attack was initially carried out by the "scattered spiders". This group shows no technical skills. They are native English speakers who specialize in "classic cons": calling customer support, impersonating IT agents, and gaining credentials with trickery.

Once the Spiders get the initial access, they sell the entry to another group, ALPHV, that weaponizes it.

This method should scare us. Humans can and will be manipulated. Cybercriminals might have found a better organization scheme that allows their most skilled hackers more time to do their hacking, while using cheap and abundant labour to complete the simpler task of "human hacking".