In this round up, we reveal which threat vectors cyber security experts believe will rise to prominence in 2023, and they offer their advice on how best to combat them.
When asked in mid-2022 by Cyber Security Hub which threat vectors posed the most dangerous threat to their organizations, 75 percent of cyber security professionals said social engineering and phishing. Since the survey closed, multiple organizations such as Dropbox, Revolut, Twilio, Uber, LastPass and Marriott International have suffered from such attacks further highlighting the importance to cyber security practitioners of staying aware of phishing threat.
Read on to find out which threat vectors businesses should be aware of and why it is important to ask those at the frontline of preventing and mitigating them, namely cyber security professionals, for their forecasts.
- Smart devices as a hacking target
- Phishing and social engineering
- Crime as-a-service
- Multiple threat vectors used in attacks
- Attacks on cloud security
- Third-party access risks
- Lack of cyber security knowledge
- Cyber attacks by nation states
- Smart devices as a hacking target
Market research and consulting firm Acumen Research and Consulting has predicted that the global market for artificial intelligence (AI)-based cybersecurity products is estimated to be worth US$133.8bn by 2030, a whopping 798 percent increase on the market’s $14.9bn value in 2021.
Research by Cyber Security Hub supports this prediction, with almost one in five (19 percent) cyber security professionals reporting that their companies are investing in cyber security with AI and automation. As automation and the use of artificial intelligence (AI) increases, however, so too will the use of cyber attacks against these digital solutions.
As AI and machine learning has developed, it has been integrated more fully into smart devices, from lightbulbs and speakers to cars. With a predicted 75.4 billion Internet of Things connected devices installed worldwide by 2025, it is no surprise that these smart devices are predicted to increase as a cyber attack target throughout 2023.
Tina Grant, quality assessor at UK-based aerospace company Aerospheres forecasts that cyber attacks targeting smart devices will predominantly affect autonomous devices with multiple points of attack, for example smart cars.
Grant says: “Today’s automobiles come equipped with automatic features including airbags, power steering, motor timing, door locks, and adaptive cruise control aid systems. These vehicles use Bluetooth and WiFi to connect, which exposes them to a number of security flaws or hacking threats.
“With more autonomous vehicles on the road in 2023, it is anticipated that attempts to take control of them or listen in on conversations will increase. Automated or self-driving cars employ an even more complicated process that demands stringent cybersecurity precautions,” she explains.
The dangers of this have already been explored by David Columbo, a cyber security researcher and founder of cyber security software company Columbo Tech.
So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them…
— David Colombo (@david_colombo_) January 10, 2022
In a series of tweets in January 2022, Columbo explained that he had hacked into and gained remote access to “over 20 Tesla’s[sic] in 10 countries” allowing him to “remotely run commands on 25+ Tesla‘s[sic] in 13 countries without the owners’ knowledge”. While Columbo did not have “full remote control” – meaning he could not remotely control steering, acceleration or braking – he noted that even some remote-control access was dangerous.
To demonstrate this, Columbo joked about pranking the affected Tesla owners by playing Rick Astley’s ‘Never Gonna Give You Up’ through their speakers. He then acknowledged that while this may seem innocuous, the ability to remotely play loud music, open windows or doors or flash a car’s headlights repeatedly could put not only the driver’s but other motorists’ lives in danger especially if the car was driving at speed or in a busy area.
Even if malicious actors can only gain partial control of remote devices, it could have potentially devastating consequences.
Phishing and social engineering
Phishing attacks soared in 2022, with international consortium and fraud prevention group the Anti-Phishing Working Group recording a total of 3,394,662 phishing attacks in the first three quarters of 2022. There were 1,025,968 attacks in Q1, 1,097,811 attacks in Q2 and 1,270,883 attacks in Q3, with each quarter breaking the record as the worst quarter APWG has ever observed.
Ernie Moran, general manager of automated prepaid card fraud protection software Arden at financial protection service Brightwell, believes that 2023 will continue to see a rise in phishing attacks due to more people turning to cyber crime for financial gain.
“The downturn in the economy this year will almost certainly lead to an increase in individuals taking additional risks to commit fraud in 2023, but many financial organizations are still unprepared to identify and take action on a coordinated and targeted fraud attack,” he explains.
Moran also predicts that ecommerce sites will be hit particularly hard by this, as they are vulnerable to Bank Identifying Number (BIN) attacks which see fraudsters take incomplete card details gained during phishing or social engineering attacks (i.e. the first six numbers of a bank card) and use software to randomly generate the rest of the information needed. The malicious actors will then use ecommerce sites to test whether the details are correct and/or if the cards are active.
Moran concludes that there is “no evidence” that those in the acquiring side of the payments ecosystem will make the changes needed in 2023 to limit the ability of fraudsters to take advantage of these vulnerabilities.
The cost of global cyber crime has been estimated by market and consumer data company Statista to reach $10.5tr by 2025. With blockchain analysis firm Chainalysis reporting that cyber criminals have stolen more than $3bn in crypto-based cyber attacks between January and October of 2022 alone, cyber crime is becoming an incredibly lucrative business for hackers.
As cyber crime becomes more established as a revenue source for malicious actors, some are pivoting to offer their services to a wider community for a fee. Crime-as-a-service allows bad actors to offer their hacking services to others for a fee. An example of this was seen in 2022 when a Meta employee was fired for allegedly using their employee privileges to hijack and allow unauthorized access to Facebook profiles, charging her ‘customers’ thousands of dollars in Bitcoin to do so.
Adam Levin, cyber security expert and host of cybercrime podcast What the Hack with Adam Levin, believes that platforms that allow hackers to offer their services will be the number-one security threat in 2023. Levin explains that this is because criminals are using “increasingly sophisticated software created by threat actors” and selling this software on a subscription-based model for use to scam both consumers and businesses. According to Levin, the most common as-a-service crimeware products are phishing and ransomware.
As-a-service software is so dangerous, he explains, as it “allows anyone, regardless how tech savvy, to conduct phishing, ransomware, distributed denial of service and other cyber attacks”. He further predicts that in 2023, “criminal software enterprises will continue to threaten enterprises of any size”, as seen in 2022 with the attacks levelled against Microsoft, Dropbox, Medibank, and Uber and Rockstar Games to name a few.
Levin forecasts that the cyber-crime syndicates behind current as-a-service platforms are set to grow over the next 12 months as “they can make more money enabling entry-level cyber criminals to commit crimes than they can directly targeting victims and with less risk”.
When considering how to defend against as-a-service attacks, Levin reassures that these types of attacks can be mitigated with “regular cyber security training, penetration testing, the use of multifactor authentication and implementation of zero-trust architecture”.
Multiple threat vectors used in attacks
On June 1, 2022, a Google Cloud Armour user was targeted with the biggest Direct Denial of Service (DDoS) attack ever recorded. The user was hit with HTTPS for a duration of 69 minutes in an attack that had 5,256 source IPs from 132 countries contributing to it. Google reported it as the biggest Layer 7 DDoS attack reported to date, saying that 76 percent larger than the previous record. In a blog post written by Emil Kiner, senior product manager for Cloud Armor, and Satya Konduru, technical lead, both at Google, the attack was likened to “receiving all the daily requests to Wikipedia…in just 10 seconds”.
With such large DDoS attacks now possible, hackers are taking advantage of the disruption caused to levy multi-vector attacks. While companies fight against one threat vector, they will be launching another against them.
Aaron Drapkin, senior writer at technology news site tech.co, explains that this will give way to rise in “triple extortion attempts” in 2023. In these attacks, he explains, ransomware gangs will “not only attempt to encrypt and then exfiltrate data and demand a ransom, but also orchestrate other types of attacks, such as DDoS attack or threatening victims’ associates with data leaks”.
Drapkin warns that these multi-attack vectors could become more dangerous if coupled with the threat vector prediction made by Adam Levin – cyber crime as-a-service. This is because “if the technology or instructions needed to orchestrate these additional cyber attacks are incorporated into commercially available Ransomware-as-a-Service packages” sophisticated attacks could be launched by a range of malicious actors, instead of a select few groups.
Attacks on cloud security
As the global workforce continues to work in an increasingly remote or hybrid capacity, the need for cloud migration has become clear. Research by video conferencing software company Owl Labs has shown that, globally, the amount of workers choosing to work remotely has increased by 24 percent.
As companies migrate some or all of their assets to the cloud, the need for cloud security has increased. When surveyed by Cyber Security Hub, one in four (25 percent) of cyber security professionals said that their companies were investing in cloud security capabilities.
This investment will be needed in the year ahead, says founder and CEO of Abdul Rahim, founder and CEO of technology advice site Software Test Tips. He explains that while being its biggest selling point to businesses, the ability of cloud servers to allow users to access a company’s applications, files and resources from anywhere in the world is also its biggest vulnerability.
Matt Kerr, CEO and founder of appliance repair site Appliance Geeked, notes that while the cloud-based data storage can be equipped with cyber security measures to prevent data breaches, if a company hosts a large amount of valuable customer data, even a partial breach can have far-reaching negative effects. This is because a company’s cloud storage contains “enormous hoards of extraordinarily valuable data”, even if an attacker only gains access to a fraction of this data, they can do real damage with it.
An example of this is the Revolut data breach seen in September 2022. Despite Revolut reporting that the breach affected just 0.16 percent of its customers, in reality this translated into the personal data of more than 50,000 users being accessed.
Aerospheres’ Tina Grant explains that keeping cloud storage secure requires companies to regularly review and improve their security procedures. She says cloud storage programs like Google Cloud and Microsoft Azure may have strong security measures in place but mistakes on the client end can lead to dangerous malware and online scams, which can result in a cloud-storage breach.
Third-party access risks
With the advent of cloud migration, many companies are incorporating third-party software solutions into their company infrastructure. Many cyber security professionals are wary of the risks incurred by this decision, however, with more than a third (36 percent) of cyber security professionals reporting to Cyber Security Hub that supply chain/third party risks are a top threat to their organization’s cyber security.
David Attard, digital consultant, web designer and data handler at web design company Collectiveray, believes data breaches due to third-party access will rise in 2023. He explains that this will especially affect companies in the healthcare, education and manufacturing industries as they are especially vulnerable to these attack vectors because of their “lack of security around third-party accesses”, and this is not likely to change in 2023.
“These industries don’t have anyone assigned to manage third-party risk, still, only about 39 percent of the manufacturing industries have implemented third-party security. The number of cyber attacks is only to increase unless practices like ‘least privilege access’ are carried out,” he continues.
This was seen in October 2022, after the source code for car manufacturer Toyota was revealed to have been posted on GitHub. The code was posted following the mishandling of company data by a third-party development contractor and was visible between December 2017 and September 15, 2022. This may have led to malicious actors accessing the personal data of 296,019 customers.
Lack of cyber security knowledge
Human error is predicted to remain a major factor in cyber security threats for 2023. In 2022, research by the World Economic Forum found that 95 percent of cyber security issues could be traced back to human error. Likewise, almost a third of cyber security professionals (30 percent) told Cyber Security Hub that lack of cyber security expertise was the number one threat to cyber security at their organization.
Texas-based cybersecurity and national security expert Charles Denyer cited Verizon’s 2022 Data Breaches Investigations Report, noting that “one [in] four [82 percent] data breaches can be attributed to human error”.
As a result of this, Denyer says: “When ensuring the safety and security of an organizations digital assets”, cyber security awareness training “is still the very best and most valuable return on investment.”
He says that this is because the more knowledgeable and aware users are, the better the chances an organization has in protecting its assets.
Cyber attacks by nation states
Throughout 2022, a number of cyber attacks by nation states, including those of Iran against Albania, those of Russia against Ukraine and Montenegro, or the unidentified attack on the New Zealand government.
Ryan Kirkwood, CTO of investment company Freedom Dividend, says cyber attacks by nation-states, such as the Russian hacking of the Democratic National Committee in the US in 2016, are also a major threat to businesses.
In 2023, businesses should expect to see more cyber attacks by nation-states as these types of attacks become more common and more sophisticated.
To discover more about the threat vectors seen in 2022, read about the Top 10 hacks and cyber security threats of 2022 or The biggest data breaches and leaks of 2022.
What do you think will be the biggest cyber security threat of 2023? Let us know in the comments.