January 30, 2024

Takeaways from some of the major cyber incidents of 2023

2023 had a significant number of large and important cybersecurity incidents. Each event could provide many key learnings covering different facets of cybersecurity including preparation and prevention, security in-depth, monitoring, end-user training, incident response, management responsibilities, and more. So, even though there are many things we can learn from these events, we are going to look for one quick hit takeaway from each.

MOVEit – Hackers took advantage of at least two vulnerabilities in the SaaS application, and there have been over 2,600 organizations and 90 million people affected by breaches related to these vulnerabilities. Healthcare, U.S. government, and financial services have been some of the largest groups attacked. MOVEit is a secure file transfer application which some organizations also use to store files; however, MOVEit wasn’t built with the purpose of long-term data storage and therefore, the data storage functionality was not encrypted and secured as much as it could have been. Takeaway – Use a tool for its purpose and not more.

MGM Resorts – A cyberattack that impacted slot machines, ATMs, door access and reservations was reportedly started when “hackers found an employee’s information on LinkedIn and impersonated them in a call to MGM’s help desk to obtain credentials.” Takeaway – Help desk employee training and prioritization is important. Too often, the priority for help desk engineers is quick problem resolution. The help desk may be too focused on getting the user off the phone instead of following procedures or security protocols, so make sure that your help desk team is well trained and that they prioritize security as job number one.

National Guard data leak – Highly classified national security documents were leaked by a National Guard airman, reportedly to show off to his friends. On at least three occasions his superiors were aware that he was taking “deep dives” into classified information that was outside of his job focus. Takeaway – Enforcing the practice of least privilege can be difficult and time consuming but it is required if data is to be secured.

3CX compromise – The 3CX attack was the first recorded double supply chain attack. Krebs on Security described it as if from a spy novel: “North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.” Takeaway – It can be tough to protect against multi-layer supply chain attacks but consider whether you could benefit from enhancing your supply chain analysis efforts. The CISA has some information here: https://www.cisa.gov/information-and-communications-technology-supply-chain-risk-managementa>

Infrastructure attacks - State sponsored and quasi-state sponsored organizations are increasingly deploying destructive cyberattacks. One example occurred in February when pro-Russia hackers breached a Canadian gas pipeline and claimed they were able to increase valve pressure, disable alarms, and make emergency shutdowns. Throughout 2023, there was an increasing number of attacks on government, healthcare, utilities, and financial infrastructure. Takeaway – When developing your disaster recovery and business continuity plans and developing your business impact analysis, you will need to consider potential scenarios (critical infrastructure) that you may have considered to be outside the scope in past.

Microsoft Exchange Online email compromise - A China-based threat actor compromised the cloud email for approximately 25 organizations, including government agencies, utilizing forged Azure AD authentication tokens. This was a very sophisticated attack that required a high level of technical skill and coordination. Takeaway – With enough time, money, and focus, any system can be compromised. Have your incident response and communication plans prepared you for when you must have difficult conversations with your customers, board of directors, or regulators.

23andMe data leak – Data (including some genetic data) on 6.9 million users was stolen and is being sold online. The hackers gained access through a method called “credential stuffing”, where credentials from one site that has previously been hacked, are then used to compromise the accounts on another site. Takeaway – Cyber security basics are still critically important. Proper password management (including using unique passwords) needs to be continuously trained.

Cisco IOS XE vulnerability – Within days of identifying this zero-day vulnerability with the maximum severity rating of 10/10, the number of compromised Cisco devices jumped from 10,000 to 60,000. Takeaway – Be prepared and act quickly when zero-day vulnerabilities are identified.

Okta breach – Okta is an identify management service that can manage accounts and passwords for employees of other companies to access applications and devices. Initially, Okta disclosed that they believed a “very small subset” of customers were compromised. A month later, they acknowledged that 134 customers were impacted. Later that month, they changed their story to say that all their support customers had some information compromised. Takeaway – Organizations that have been breached may be slow to provide the full story, either because they are still investigating or because it is in their best interest to delay.

Cybersecurity fatigue - Ransomware incidents hit record numbers in 2023. IT professionals, management, businesses owners and government organizations are all at risk of losing focus and energy to fight the ransomware war because of the increasing frequency of headlines, alerts, and incidents. Security fatigue can result in reduced attention to training, inconsistent security practices and processes, bypassing security measures in the interest of ease, and ignoring new vulnerabilities as they arise. Takeaway – Don’t let the bad actors win. Instead, increase your efforts to prevent and mitigate these incidents. Invest in your security and your people so that we can all be proper custodians of our customers’ data.