Changelog: A look back at 2023 and ahead to 2024
愚木混株 cdd20 / Unsplash
Welcome to Changelog for 12/21/2023, published by Synack! README senior editor Nathaniel Mott here with a special installment looking back at the year that was.
The end of the year is a time for reflection. We think about the preceding 12 months—our trials, our tribulations, our troubles—as we start to make plans for the upcoming year. The trick is making plans informed by our experiences rather than self-delusions that will be abandoned in January.
When it comes to the cybersecurity industry, I suspect the self-delusions will make it much farther into 2024. We’ll continue to hear company after company proclaim that artificial intelligence (by which they mean large language models that are riddled with vulnerabilities, inaccuracies and outright lies) will finally give organizations the edge they need to defend themselves from elite hackers. We’ll still be told that cybersecurity merely has a staffing problem; that hundreds of thousands of jobs are waiting to be filled. And we’ll probably see more government-led efforts to address “the ransomware problem.”
But it’s hard to believe that 2023 will be followed by the year generative AI, SANS courses and feel-good declarations from world governments finally make us more secure. It’s been a hell of a year—and I’m pretty sure most of us don’t even know the half of how bad things have actually been. (Sorry to deliver a lump of coal.)
Let’s recount the industries most targeted by government-backed threat actors, ransomware gangs and cybercriminals throughout 2023: All of them. We published back-to-back reports on increased attacks on the healthcare and legal fields. I’ve been covering attacks on critical infrastructure, public schools, financial service firms, casinos and many other kinds of organizations week in and week out. The numbers back this up: NCC Group, Chainalysis and Corvus Insurance all said 2023 would set ransomware records.
Which isn’t to say ransomware was the only problem we faced in 2023. The biggest campaign of the year was Cl0p’s exploitation of a zero-day in MOVEit Transfer that has led to the mass compromise of millions of people’s data. Emsisoft has reportedly confirmed that more than 2,600 organizations were hacked via this vulnerability, leading to the exposure of information about more than 77 million people. All that from a security flaw in a product that many organizations weren’t even aware they were using. (To say nothing of the tens of millions of people who couldn’t care less about file transfer software.)
The disclosure of that vulnerability prompted researchers around the world to poke and prod at MOVEit Transfer in search of other flaws. They found them, and Progress Software fixed them, so that’s a plus. The problem is that nobody cared before Cl0p identified a potentially valuable target, discovered a critical vulnerability in it and then quietly exploited it on a massive scale before it was finally caught. Which seems more likely: that Cl0p and its compatriots were content with pulling off this kind of campaign once, or that they’re already looking to repeat the feat with some other software most of us have never heard of?
A common refrain throughout the security industry is that “attackers only have to get it right once.” I don’t necessarily agree with that, and the increased frequency with which security companies are talking about “defense in depth” and “zero trust all the things” suggests they don’t, either. The exploitation of a single vulnerability shouldn’t be game over for any organization. But I do think attackers have the advantage in that they only have to care about finding one vulnerable application, while defenders have to worry about the security of everything in their tech stack. The MOVEit Transfer saga is the perfect example of that.
All of this is concerning enough in the abstract. But the consequences of these hacks can be devastating. AlphV / BlackCat published examination photos of breast cancer patients after Lehigh Valley Health Network refused to pay its ransom, for example, and the Medusa ransomware gang published “allegations of teacher abuse and students’ psychological reports” after it hacked Minneapolis Public Schools. Nobody should have to worry about their private lives being made public by cybercriminals, but it seems like more and more of us are going to have to nonetheless.
We’ve been told throughout 2023 that AI will be the solution to these problems. Yet these tools have themselves been plagued by issues. Sometimes they merely spread inaccurate information; sometimes they can be tricked into revealing personally identifiable information that was included in their training sets. The AI industry’s also rife with ethical and legal concerns. Are we really to trust unpredictable, unreliable and unaccountable systems with securing the networks of the few companies that can afford to use them?
Another proposed solution—hiring more cybersecurity professionals—also seems unlikely to help in 2024. We’re planning to cover this more in-depth next month, but for now, I’ll simply point out that it’s interesting to see all of these initiatives devoted to training up the next generation of infosec practitioners while security companies themselves go through repeated rounds of layoffs while demanding multiple years of experience for entry-level positions. (A problem that’s been pointed out since at least 2015.) Are these companies expected not only to reverse the layoffs but also to grow those teams with new hires?
So here’s my prediction for 2024: it’s going to be like 2023 but worse. Unless drastic actions are taken (two of the most common recommendations being a ban on paying ransomware gangs and Microsoft implementing technical safeguards in Windows to make attacks harder to carry off) there doesn’t seem to be a case to be made for optimism. Ransomware attacks are lucrative and deceptively easy to pull off. Vulnerabilities are simply waiting to be found in quiet ubiquities like MOVEit Transfer. Neither of those realities are likely to change simply because of the rise of spicy autocomplete.
That doesn’t necessarily mean defenders should be conceding defeat heading into 2024. The willingness to keep fighting is central to the cybersecurity industry, and continued efforts to improve the status quo despite the rising number of ransomware attacks and seeming impossibility of securing critical software show that many in the community aren’t willing to wave the white flag quite yet. We’ll see what the months ahead have in store for us. Until then, hope you enjoy the holidays. Happy New Year!