Because security moves quickly, it’s important to stay abreast of new and emerging trends. 2023 saw a continuation of some popular attack methods, like ransomware, as well as new vectors spurred by rapid advancements in AI and similar technology.
In addition, Verizon’s 2023 Data Breach Investigations Report shows that cybercrime is becoming more diverse and innovative, with hackers attacking a higher variety of channels. As we continue to digitize more aspects of our lives, attack vectors are diversifying and compromising new and increasingly sensitive types of data, like genetic data, biometrics, and medical information.
In this blog, we’ll cover some of the top attack vectors and breaches in 2023.
Top Cybersecurity Attack Vectors of 2023
As artificial intelligence (AI) quickly makes its way into the workplace, it’s becoming an increasingly prevalent player in the cybersecurity scene. In some attacks, cybercriminals go after the AI tools themselves. By nature, AI tools receive a significant amount of data, which can make them particularly risky, especially for companies inputting or storing sensitive information in an AI tool. Case in point: ChatGPT already experienced its first breach when customer data was exposed earlier this year.
In other attacks, cybercriminals use generative AI to develop and mount attacks. WormGPT, for example, is a ChatGPT alternative designed without any safeguards in place so that people can use it to generate convincing phishing scams and similar malicious content.
Read more about AI and security in our blog, 3 Security Implications of ChatGPT and Other AI Content-Generation Tools.
However, not all AI is bad: AI is also helping companies shore up their security with intelligent SIEM systems, predictive analytics, and more.
Human error remains one of the top exploited factors in breaches. Because it is difficult to determine the exact nature and pathways of breaches, it’s hard to pin an exact number on the prevalence of social engineering attacks. However, Verizon’s 2022 Data Breach Investigations Report says that 74% of the attacks in 2022 exploited a human element, and Splunk attributes 98% of cyberattacks to social engineering. Anecdotally, it’s rare to meet a person who’s never received a phishing email in either their personal or professional life.
Regardless of the exact number, it’s clear that social engineering is a formidable factor in many of today’s cyberattacks.
Ransomware is malware that blocks access to devices or data until a specific demand (often a financial ransom) is paid. Ransomware accounted for 24% of cybersecurity attacks last year, maintaining its status as one of the most common attack vectors.
Third-Party Vulnerabilities and Supply Chain Attacks
Third-party vendors are often a weak link in an organization’s cybersecurity defenses. Often, these weak links are the entry point for supply-chain attacks, which target third-party vulnerabilities to reach a long list of affiliated customers, data points, and users.
The more we rely on specialized applications and services, the harder it becomes to ensure the security of each one. This becomes especially risky for companies with sprawling architectures and many point solutions from many different vendors.
Maintaining a clear understanding of all the vendors and solutions in your architecture, as well as only engaging with trustworthy vendors, can help defend against these attacks. In addition, compliance regulations, like SOC 2, can help you hold third-party vendors to rigorous security standards.
Personally identifiable information (PII) like name, date of birth, and address has been a valuable attack target for years. However, as attack vectors diversify and hackers find new routes to valuable information, the diversity and sensitivity of targeted PII have risen. This year, for example, some of the top attacks leveraged healthcare data, biometrics, and genetic information, to name a few.
As we continue to digitize more aspects of our lives, the security of affiliated data is called into question — as are the consequences of having such permanent PII compromised.
Top 5 Data Breaches of 2023
1. May – MOVEit File Transfer Breach Compromises Millions
A cybercriminal group called CL0P Ransomware Gang mounted a zero-day attack against Progress Software’s file transfer tool, MOVEit. Because MOVEit is a widely used tool, the ramifications of this supply-chain attack were sweeping.
The attack impacted a variety of organizations, from companies like Sony and IBM, to public sector organizations like the U.S. Department of Justice, the State of Maine, and the New York City public school system. According to Security Intelligence, this breach “could be the most devastating exploitation of a zero-day vulnerability ever.”
The exploit targeted a previously unknown vulnerability in MOVEit Transfer, MOVEit’s file transfer service. The attackers used the vulnerability to plant a web shell in MOVEit Transfer’s web application, which allowed them to steal data from the underlying MOVEit Transfer databases. CSO Online estimates that 2,620 organizations and 77.2 million individuals were affected by the breach.
Progress Software issued a patch to address the vulnerability on May 31, about a week after the attack. It then implemented a third-party security audit and found and patched multiple other vulnerabilities in the following weeks. The company also formalized a “Service Pack” program to help their customers stay up to date with the most recent patches. You can read Progress Software’s statement about it here.
2. January, February-March, April, and September – T-Mobile Customer/Employee Data Is Breached
T-Mobile sustained four breaches in 2023. All of the breaches compromised customer or employee data, although they varied in scope and severity.
In the first, a bad actor exploited an API vulnerability to steal the data of 37 million customers in January.
The second had a much more limited scope: 836 customers’ data was compromised.
The third occurred in April but wasn’t shared until September: 90GB of personal employee data from an independently owned T-Mobile retailer was leaked on the dark web. Malware repository vx-underground said its researchers had been contacted by the hackers responsible for the leak, and vx-underground subsequently shared the information on X (formerly known as Twitter). According to vx-underground, “We do not know why it took the Threat Actor(s) several months to leak the data, we can only speculate, so we will not.”
Finally, a “system glitch” was responsible for leaking the personal data of fewer than 100 customers. T-Mobile refuted the notion that this was an attack, and clarified that “This was a temporary system glitch related to a planned overnight technology update involving limited account information or fewer than 100 customers, which was quickly resolved.”
3. September – MGM Resorts
MGM Resorts, a prominent owner of casinos and hotels around the world, fell victim to a ransomware attack on September 11 that compromised customer PII. The number of customers affected is still “unspecified,” but stolen information included names, dates of birth, driver’s license numbers, and, in some cases, Social Security numbers. MGM Resorts said passwords and payment details were unaffected.
The attack caused many customer-facing disruptions at the MGM properties, including shut-down slot machines and ATMs. Despite the fact that MGM did not pay the requested ransom, the company reportedly sustained $10 million in losses over the incident.
4. October – 23andMe Genetic Information Compromised
23andMe, a genetic testing company, reported in October that the data of 14,000 of its users had been breached. Bad actors gained access by compromising individual user accounts and then moving laterally to reach additional accounts and harvest their data.
23andMe works with a fairly unique type of information: genetic data. In an environment where most PII floating around consists of data points like name, address, passwords, etc., genetic information is unique and permanent: you can change your address, but you can’t change your DNA. This makes it particularly sensitive to users and valuable to hackers.
In addition, genetic data adds complications to judging who was affected: while 14,000 users were directly affected, the question remains how many relatives of those users were subsequently affected.
5. October – Indian Council of Medical Research Breach of 815 Million Records
The Indian Council of Medical Research (ICMR) was breached on October 9th, in an attack that leveraged a COVID test database to access PII. The compromised information, which was posted for sale on the dark web, included passport information, unique identity numbers, biometrics, names, phone numbers, and addresses. The breach was originally discovered by Resecurity, a U.S. cybersecurity company. You can read their summary of the event here.
According to Tech Informed, the ICMR has been a frequent attack target, having sustained 6,000 breaches in 2022 and many more in 2023. Tech Informed also notes that this breach is thought to be one of the biggest in India’s history.
Protect Your Environment with JumpCloud
JumpCloud helps organizations implement a Zero Trust security approach with an open directory platform that can protect users anywhere, and from any trusted device.
With JumpCloud, you can consolidate your resources and vendors, enforce security policies like MFA everywhere and phishing-resistant passwordless authentication, and maintain visibility and control over your infrastructure. Start your free trial today.