2023 in Review: Key Cybersecurity Incidents and Lessons Learned

Publication date: Feb 02, 2024

Last Published: Feb 02, 2024


Organizations were grappling with a myriad of challenges in 2023 due to unfavorable economic conditions and global geopolitical tensions. Unfortunately, this turbulent environment became a fertile ground for cybercriminals, who worked around the clock to exploit these instabilities to launch sophisticated cyber attacks.

While data theft and ransomware remained the go-to strategies for many attackers, the origins and impacts of attacks varied widely, from simple human errors to the more sinister workings of state-sponsored hacker groups.

Let’s embark on a short journey through the most significant cybersecurity incidents of 2023 to understand their implications and the valuable lessons they can bring to small and medium-sized organizations.

1. Large-Scale Data Breaches

In 2023, data breaches continued to be one of the most common and damaging forms of cyberattacks, leading to financial losses and eroding customer trust with potentially long-term reputational impact. According to the Verizon 2023 Data Breach Investigations Report, a staggering 83% of breaches involved external actors, predominantly driven by financial motives. Perhaps more alarmingly, 74% of these breaches featured a human element, indicating a high prevalence of social engineering attacks, errors, or misuse.

The most significant breach of the year was the DarkBeam data leak, where over 3.8 billion records were left unprotected. The leak, discovered by Bob Diachenko, CEO of SecurityDiscovery, on September 18, was a result of an unsecured Elasticsearch and Kibana data visualization interface. DarkBeam, a digital protection firm, had been compiling this data to alert its customers about potential breaches. Ironically, the leak primarily contained information already exposed in previous cyberattacks, including millions of login credentials.

It wouldn’t be a review of major cybersecurity incidents without T-Mobile joining the party. The telecommunications giant suffered not one but two data breaches in 2023, with the second one alone affecting data from 37 million accounts, including such sensitive information as full names, birth dates, addresses, and social security numbers. The company is no stranger to data breaches—it has suffered nine of them since 2018—which goes to show that if the doors are left even slightly ajar, cybercriminals will continue to come back.

One last large-scale data breach that we need to highlight is the 23andMe incident. This breach compromised the personal data of approximately 6.9 million users. About 14,000 accounts were directly breached, which then allowed the attackers to exploit the DNA Relatives feature. This feature, designed to connect users with potential genetic relatives, became the gateway for accessing millions of additional profiles.

Lesson Learned: Data Is a Precious Asset That Must Be Protected Accordingly

The trio of large-scale data breaches described above highlights that data is a highly coveted commodity. Cybercriminals are increasingly sophisticated and relentless in their pursuit of this valuable asset, so all organizations should reevaluate whether they protect their own data sufficiently well. This is especially true for SMBs, which are targeted at a growing rate but often lack the mature cybersecurity measures that larger corporations have in place.

2. City Infrastructure Held Hostage

The digital transformation of public infrastructure and local governments, while bringing numerous benefits in terms of efficiency and accessibility, has also made them more lucrative targets for cybercriminals. Last year’s ransomware attack on the City of Oakland serves as a great example of this.

In February 2023, the City of Oakland found itself grappling with a ransomware attack that encrypted key files and systems. As a result, the ransomware paralyzed many non-emergency services, including its online permit application system and 311 line. The attackers demanded ransom for decrypting the files, a common tactic in such cybersecurity incidents. In response, Oakland’s Interim City Administrator, G. Harold Duffey, declared a state of emergency.

Adding to the city’s woes, the ransomware group known as Play, responsible for the attack, later decided to release approximately 600 gigabytes of stolen municipal data, containing potentially highly sensitive information on the city’s employees. The legal fallout from the initial ransomware attack and the subsequent release of stolen data was significant.

Lesson Learned: Disaster Recovery and Business Continuity Planning Is Essential

The ransomware attack on the City of Oakland highlights the importance of comprehensive disaster recovery and business continuity plans. When such plans are in place, they can greatly reduce the impact of a cybersecurity incident and prevent a challenging situation from escalating into a catastrophe by providing a structured approach to responding to unforeseen events, minimizing downtime, and preserving critical data and functions.

3. Mass Exploitation of a Zero-Day Vulnerability

Many zero-day vulnerabilities are identified every day, but only some of them have a profound impact on a global scale. The MOVEit Transfer vulnerability was one such case. This critical flaw in a widely-used file transfer software opened the door to extensive data breaches and theft, impacting more than 120 organizations around the world and exposing data of approximately 15 million people.

Discovered by cybersecurity firm Mandiant in May 2023 and cataloged as CVE-2023-34362, this vulnerability was a SQL injection flaw, a class of vulnerability that stems from inadequate input validation. It allowed attackers to deploy web shells for unauthorized access and data exfiltration.

Initially, victims of the MOVEit Transfer vulnerability did not face immediate ransom demands. The severity of the situation escalated when the cybercriminal group CL0P^_-LEAKS claimed responsibility and began using the stolen data for extortion, threatening to release it unless a fee was paid. This approach can be seen as a shift in cybercriminal tactics from immediate financial extortion to strategic data access and long-term exploitation.

Lesson Learned: Vulnerability Management Buys Precious Time

Organizations can’t stop zero-day vulnerabilities from being discovered and exploited, but they can be as prepared as possible to respond quickly when they are. The means to do so is effective vulnerability management: the process of identifying, prioritizing, and mitigating vulnerabilities in an organization’s systems and networks. Many of the 120+ organizations impacted by the MOVEit Transfer vulnerability wouldn’t have been breached at all if they had responded to the vulnerability faster than the cybercriminals.

4. US Government Email Systems Compromised

When the proliferation of cybersecurity incidents is discussed, the often-mentioned reason is the lowered barrier to entry, thanks to developments like ransomware-as-a-service and other similar offerings. These tools have enabled even those with limited technical skills to launch significant attacks against poorly defended targets or competitors.

However, from time to time, we are powerfully reminded that nation-state actors now play a substantial role in the threat landscape. In July 2023, Microsoft disclosed that a China-based hacking group, identified as “Storm-0558,” targeted US government email systems, along with other organizations in Western Europe and individual consumer accounts.

This sophisticated attack was primarily focused on intelligence collection, and it exploited a vulnerability that made it possible to forge authentication tokens and use them to access accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com. Microsoft was informed of the vulnerability by the US government and promptly completed mitigation of this attack for all of its customers.

Lesson Learned: Cybersecurity Continuous Monitoring Allows for Early Detection

The attack on US government email systems is one of many examples of how service providers and cloud platforms can become targets of sophisticated cyber attacks. The good news is that their customers are not powerless. They can—and should—continuously monitor all their digital activities and interactions with these providers to detect any anomalies and enable a faster response. It was precisely this kind of monitoring by the US government that enabled the detection of the attack.

5. Record-Breaking DDoS Attack

Multiple large-scale distributed-denial-of-service (DDoS) attacks happen every year, but 2023 saw the biggest one yet—an attack that was seven times larger than the previous record holder. This unprecedented DDoS attack targeted major internet infrastructure providers, including Google Cloud, Cloudflare, and Amazon Web Services, affecting a multitude of organizations and services globally.

The attack utilized a novel HTTP/2 “Rapid Reset” technique, which allowed it to peak at 398 million requests per second (rps). During a typical DDoS attack, malicious actors send a high volume of requests to a target server or network, with each request requiring a response from the target before another request can be sent. However, the “Rapid Reset” technique used in the 2023 attack doesn’t require waiting for a response before sending another request.

Despite the scale of the DDoS, Google and other internet infrastructure providers were able to mitigate most of it at the network edge, so customers’ services remained largely operational. Soon after the initial detection and response in August, providers implemented additional mitigation strategies and spearheaded a collaborative effort with other cloud providers and software maintainers to address the new attack methodology and bolster the resilience of a wide range of commonly used open-source and commercial internet infrastructure tools.
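As an added illustration (not code from the original article or from any of the providers mentioned), the following Python script parses a constructed sequence of HTTP/2 frames and counts streams that the same client cancels immediately after opening them, which is the pattern that distinguishes Rapid Reset traffic from ordinary requests. The per-chunk threshold, the sample traffic, and the `rapid_reset_score` helper are assumptions made for this example.

```python
import struct

# HTTP/2 frame type and error codes from RFC 9113; only those needed here.
HEADERS = 0x1
RST_STREAM = 0x3
ERR_CANCEL = 0x8
# Assumed threshold: client-cancelled streams per chunk above which we flag the client.
MAX_RESETS = 10

def frame(ftype, stream_id, payload=b"", flags=0):
    """Encode one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        off += 9
        yield ftype, flags, sid, data[off:off + length]
        off += length

def rapid_reset_score(data, max_resets=MAX_RESETS):
    """Count client-initiated streams that the client itself cancelled.
    Returns (streams_opened, streams_cancelled, abusive). A production server
    would keep this count per connection and per time window, not per chunk."""
    live, opened, cancelled = set(), 0, 0
    for ftype, _flags, sid, payload in parse_frames(data):
        if ftype == HEADERS and sid % 2 == 1:   # client-initiated streams are odd-numbered
            live.add(sid)
            opened += 1
        elif ftype == RST_STREAM and sid in live and len(payload) == 4:
            live.discard(sid)
            cancelled += 1
    return opened, cancelled, cancelled > max_resets

# Constructed traffic: a normal client opens three requests and waits for the responses.
# Flags 0x5 = END_HEADERS | END_STREAM; payload 0x82 is the HPACK index for ":method GET".
BENIGN = b"".join(frame(HEADERS, sid, b"\x82", flags=0x5) for sid in (1, 3, 5))
# Constructed abusive pattern: every HEADERS is immediately followed by RST_STREAM(CANCEL).
ABUSIVE = b"".join(
    frame(HEADERS, sid, b"\x82", flags=0x5) + frame(RST_STREAM, sid, ERR_CANCEL.to_bytes(4, "big"))
    for sid in range(1, 101, 2)
)

if __name__ == "__main__":
    print("benign:", rapid_reset_score(BENIGN))    # (3, 0, False)
    print("abusive:", rapid_reset_score(ABUSIVE))  # (50, 50, True)
```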

Lesson Learned: DDoS Protection Is Always a Good Cybersecurity Investment

The average organization may not be a prime target for large-scale, sophisticated DDoS attacks, but it is still vulnerable to smaller-scale attacks by cybercriminals and competitors. Such attacks have become easy to launch thanks to the growing availability of DDoS-for-hire services. DDoS protection is, therefore, an essential investment for ensuring business continuity.

Conclusion

The digital world continued to be a battleground in 2023, and we can expect the same in 2024. That’s why the defense strategies and other lessons learned must be carried into this year and beyond. The ability to protect sensitive data, implement comprehensive disaster recovery and business continuity plans, proactively manage vulnerabilities, continuously monitor for threats, and more will separate the resilient and secure from easy prey.
