Looking back at 2022, it is interesting to reflect on the trends that characterized the threat landscape and think about what we might expect in the coming year and where organizations should focus their protective efforts.
One way I’ve been doing this is by collecting information on the mega breaches that characterized the past year. My criterion for a mega breach is a hack that compromises more than one million records. It’s also worth noting that mega breaches can have multiple root causes, including exploitation of vulnerabilities, double-extortion attacks, or sensitive information simply being available on the internet because of misconfigured publicly exposed servers or cloud storage. However, I have only considered cases where the victims admitted that data fell into the hands of the attackers or where the attackers explicitly published the stolen information. Through this analysis, I noticed three key trends: the misconfiguration of cloud services, insecure APIs and supply chain vulnerabilities.
The Impact of Misconfigured Cloud Services
In terms of scale, the largest breaches hit an unknown Chinese organization (initially it was believed the victims were TikTok and WeChat) and the Shanghai National Police. What both breaches have in common, besides the geography, is that the threat actors claimed the data was exfiltrated from a cloud storage service.
For the record, the same cloud storage service compromised by these breaches was also involved in another mega-breach affecting Shanghai City mobile COVID app users. In this case, the threat actor claimed to have obtained the personal information of “only” 48.5 million users. While this might seem negligible compared to the billions impacted by the first two breaches, it’s worth noting that this number is roughly 70% of the UK population.
Attacks that abuse cloud misconfigurations are already common, and the number of mega breaches involving cloud storage services will likely grow throughout 2023, given that approximately 60% of corporate data is now stored in the cloud. LastPass and its parent company GoTo are another example, having suffered the theft of customer data after the attackers breached an unspecified cloud storage service.
What exacerbates the situation is that there are now multiple ways for threat actors to monetize this stolen information, whether the bounty is a trove of customer records that provides a bonanza for phishers or for threat actors eager to launch credential-stuffing attacks against other organizations, or a collection of corporate data including intellectual property. Unless companies and organizations can securely configure their cloud infrastructure, the market for data harvested from cloud services will only mature over the coming year.
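The most common storage misconfiguration behind this kind of exposure is an access policy that grants read access to everyone. The following is an added example (not code from any of the organizations discussed above) that scans an S3-style bucket policy document for Allow statements whose Principal is the wildcard, separating fully public statements from wildcard statements that at least carry a Condition, and shows the usual fix of scoping the principal to one account. The policy and the account ID are constructed for illustration.

```python
"""Flag bucket-policy statements that grant access to everyone.

Added example with a constructed sample policy; it is not taken from any
breach discussed on this page. The rule applied is a simplified form of
the public-access determination AWS documents: an Allow statement whose
Principal is "*" (or {"AWS": "*"}) and that has no Condition is public.
"""
import json

# Constructed sample: one public statement, one scoped to a role, and one
# wildcard statement restricted by an organization condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-data",
                         "arn:aws:s3:::example-data/*"],
        },
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-data/*",
        },
        {
            "Sid": "PublicButConditioned",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-data/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}},
        },
    ],
})


def _as_list(value):
    """Policy JSON allows a single string or a list in most fields."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for "*" or for a principal map with "*" in any of its values."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_text):
    """Return the Sids of wildcard Allow statements, split into those with
    no Condition ("public") and those with one ("conditional", needs review
    because the condition may be weak, e.g. only aws:SecureTransport)."""
    policy = json.loads(policy_text)
    result = {"public": [], "conditional": []}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        bucket = "conditional" if stmt.get("Condition") else "public"
        result[bucket].append(stmt.get("Sid", "<no Sid>"))
    return result


def scope_to_account(policy_text, account_id):
    """The usual fix: replace every wildcard principal with a single account
    root, so the grant is bounded by that account's own IAM policies."""
    policy = json.loads(policy_text)
    for stmt in _as_list(policy.get("Statement", [])):
        if _is_wildcard_principal(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": f"arn:aws:iam::{account_id}:root"}
    return json.dumps(policy)


if __name__ == "__main__":
    print(public_statements(SAMPLE_POLICY))
    print(public_statements(scope_to_account(SAMPLE_POLICY, "123456789012")))
```

This checks only the policy document; a real review must also cover object and bucket ACLs, the account-level and bucket-level Block Public Access settings, and NotPrincipal or Deny statements, none of which this function evaluates.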
The Impact of Insecure APIs
In January 2022, roughly six months after it had been introduced by a code change, Twitter fixed an API vulnerability that allowed anyone, through the ‘discoverability’ function, to find the account associated with any phone number or email address, even when the account owner had disabled that option in their privacy settings. Unfortunately, before the security hole was closed, a threat actor managed to exploit the vulnerability, steal the profile data of 5.4 million users, and put it up for sale on a cybercrime forum.
To some, this breach may not be very surprising, as the Cloud Security Alliance ranked ‘Insecure Interfaces and APIs’ second in its list of Top Threats to Cloud Computing, just behind ‘Insufficient Identity, Credentials, Access, and Key Management’ and above ‘Misconfiguration and Inadequate Change Control.’ It is reasonable to expect that more breaches exploiting insecure APIs will crop up throughout 2023. In fact, T-Mobile has already reported an API attack this year.
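The flaw class above is account enumeration through a contact-discovery endpoint. As an added example (not Twitter’s code, and not a description of its actual implementation), the block below shows a minimal lookup that ignores the user’s opt-in flag, beside a hardened version that requires an authenticated caller, honours the per-user flag, returns the same answer for "no such user" and "user opted out", and rate-limits lookups per caller so the endpoint cannot be used to sweep a phone-number range. The user directory, the flag names and the rate limit are constructed for illustration.

```python
"""Contact-discovery lookup: the enumeration flaw beside a hardened form.

Added example; the records, flag names and limits are constructed and do
not describe Twitter's real system.
"""
import time
from collections import defaultdict, deque

# Constructed directory. Each user chooses whether their phone number or
# e-mail may be used to find them; the default is off.
USERS = {
    "alice": {"phone": "+15550100", "email": "alice@example.net",
              "discoverable_by_phone": True, "discoverable_by_email": False},
    "bob":   {"phone": "+15550101", "email": "bob@example.net",
              "discoverable_by_phone": False, "discoverable_by_email": False},
}

FIELDS = ("phone", "email")


def _find_by(field, value):
    if field not in FIELDS:
        raise ValueError(f"unsupported lookup field: {field}")
    for handle, user in USERS.items():
        if user[field] == value:
            return handle
    return None


def lookup_vulnerable(field, value):
    """The flaw: the stored discoverability flag is never consulted, there is
    no caller identity and no rate limit, so anyone can map a phone number or
    e-mail to an account, and a miss is distinguishable from a hit."""
    return _find_by(field, value)


class RateLimitExceeded(Exception):
    pass


class DiscoveryService:
    """Hardened lookup: authenticated caller, per-user opt-in, uniform
    response for miss/opt-out, sliding-window rate limit per caller."""

    def __init__(self, max_lookups=20, window_seconds=3600, clock=time.monotonic):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.clock = clock
        self._calls = defaultdict(deque)   # caller -> timestamps in window

    def _check_rate(self, caller):
        now = self.clock()
        q = self._calls[caller]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_lookups:
            raise RateLimitExceeded(caller)
        q.append(now)

    def lookup(self, caller, field, value):
        if caller is None:
            raise PermissionError("authentication required")
        self._check_rate(caller)
        handle = _find_by(field, value)
        # One answer for "nobody has this contact" and "they opted out",
        # so the response does not leak whether the contact is registered.
        if handle is None or not USERS[handle][f"discoverable_by_{field}"]:
            return None
        return handle


if __name__ == "__main__":
    print(lookup_vulnerable("email", "bob@example.net"))   # leaks "bob"
    svc = DiscoveryService()
    print(svc.lookup("app-token-1", "email", "bob@example.net"))  # None
    print(svc.lookup("app-token-1", "phone", "+15550100"))        # "alice"
```

The rate limit here is per caller identity; in a deployed service it should also be applied per source address and per target identifier, and the lookup should take the contact list in one batched call rather than one request per number, which makes sweeping noticeably slower and easier to alert on.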
The Risk of the Supply Chain
In most cases, a cyber-attack became a mega breach because the attackers hit a company with a critical role in the supply chain: an entity providing services to, and hence handling the data of, other organizations, which ended up being indirectly compromised. Education and healthcare were the two industry verticals hit hardest by breaches stemming from the supply chain.
In the education sector, a company providing student performance measurement tools was attacked in 2022, leaving dozens of schools and over three million students affected by the breach. But it’s probably the healthcare sector that paid the highest toll. In December 2021, a ransomware attack on Eye Care Leaders, a provider of software for eye care practices, impacted approximately three million patient records across more than 30 organizations, with the inevitable class action lawsuit following shortly after.
Shields Health Care Group also had two million records compromised, with a class action lawsuit expected. OneTouchPoint, a mailing and printing vendor, was another ransomware victim: an attack in April 2022 compromised over 2.6 million patient records at no fewer than 34 organizations, and the corresponding class action case highlights that this was an accident waiting to happen. These are just a few examples from a long list, but they underline that, with ransomware revenues dropping, threat actors are constantly looking for new ways to put more pressure on their victims and force them to pay.
By attacking companies in the supply chain, threat actors can compromise multiple organizations in a single shot, with a massive number of compromised records that justifies a higher ransom. This puts pressure on the direct victim, which faces a loss of reputation and customers, and additional pressure on its customers, for whom a class action lawsuit becomes a near certainty. In some cases, the attacker can also blackmail the victim’s customers directly, since their data fell into the attacker’s hands through the attack on the supply chain company.
Here too it is easy to predict that similar breaches, not necessarily involving ransomware, will continue in 2023; the recent attack on Google Fi shows that it is already happening.
Mega Breaches in 2023
As a security community, we have already seen the attack methods outlined above deployed to devastating effect. What security leaders must remember, however, is that many of these threats can be countered through fundamental cyber policies and practices.
The threat actor ecosystem is continuously maturing and becoming more entrepreneurial. The widespread harvesting of customer data and credentials not only brings punishment through regulatory fines and class action lawsuits; we increasingly see these attacks as the first step in a multi-stage process in which an organization is targeted. Threat actors routinely profit by selling credentials to other groups looking to gain access to cloud services and deploy ransomware or harvest confidential IP, potentially doing irreparable damage.
Failing to address cloud misconfigurations, to identify and fix vulnerable APIs, and to thoroughly vet vendors within the supply chain could prove a costly mistake.