2023 breaches in review

2023 wasn’t a good year for cybersecurity, with high-profile breaches continuing to impact people’s day-to-day lives. They’ve been a source of frustration for regulators, who are becoming more pointed with their requirements and enforcement, and this trend is expected to continue.

This is only going to increase pressure on the already pressured Security departments within organizations: something must change, quickly. We see compromises falling into 3 categories:

• Genuinely sophisticated attacks by well-resourced adversaries
• Human-operated attacks with some skill needed by the adversary
• Opportunistic automated attacks that should not be happening

All three types can be mitigated, and opportunistic attacks should not be successful for companies with mature cybersecurity practices. Getting to that maturity when facing increasing scrutiny and calls on security time is non-trivial.

Opportunistic automated attacks typically leverage well-known Tactics, Techniques, and Procedures (TTPs), often using potentially long-standing vulnerabilities that are known to be exploited in the wild. Knowing your assets, and the status of security controls and vulnerabilities, is key – which is easy to write, more difficult to achieve at scale. An exploited vulnerability often turns into a mechanism for reconnaissance, then lateral movement across networks, then privilege escalation. Controls need to be in place to identify when such things are happening.

Human-operated attacks similarly use common, well-known TTPs but require the attacker to be persistent and work a kill chain manually. Again, understanding your attack surface and the control status of your various assets will be your strongest defense. Similar to opportunistic attacks, there will likely be multiple controls across the various points of the kill chain that need to be validated regularly.

Sophisticated attacks can be mitigated by a defense in depth with zero trust strategy, particularly a mindset to assume breach which should minimize any blast radius. Well-known TTPs seemingly always form part of these attacks but will be combined in innovative ways or leverage new (z*ro d*y) attacks. Strong audit, compliance, and testing are needed, preferably with an automated audit against security policy showing defenses are in place and working as expected across all assets.

The Sophisticated

Microsoft Email Hack
One of the most tenacious attacks in 2023 was suffered by Microsoft. which ultimately allowed the adversary access to pretty much any email hosted on Microsoft 365. This included many government and defense departments globally as well as businesses large and small. The threat actors accessed the official email accounts of many of the most senior U.S. government officials managing the USA’s relationship with the People’s Republic of China.

Microsoft’s explanation published in September 2023 involves the steps below:

• A machine in an isolated production network crashing and includes a consumer signing key in a crash dump.
• Automated systems fail to identify the key being present, despite actively looking for it with the intention of removing it from the crash dump.
• The crash dump is being moved to a debugging environment, with scanners again Failing to recognize the key’s presence despite looking for it.
• Attackers gain access to the key somehow via a compromised engineer’s account, find the crash dumps, and find the key within the dumps.
• A fault in the email authentication system meant key validation was not being properly performed when granting access.
• Adversaries ultimately use the stolen key to sign access requests to corporate resources with consumer rights due to bugs in the authentication system.

However, they have admitted in the last couple of weeks that they have no evidence to support the hypothesis proposed months ago and do not know how the attack happened, updating their article in March 2024. My initial response to this was that the chain of events seemed incredible, and it appears that they do stretch the credulity of people, including at the DHS, and CISA.

I’m still astonished that this succeeded as so many things had to come together for it to work, no matter how it was performed. It shows that a determined, well-resourced attacker will compromise even the biggest organizations that pride themselves on their security.

Due to the global significance of this hack, the US Department of Homeland Security has released its Cyber Safety Review Board (CSRB) findings into the incident. It is damning of Microsoft, concluding there were a series of failures and that this never should have happened. They find that “throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management”.

For a company that has prided itself on its security and used it as a differentiator against the competition, that is an incredibly hard pill to be forced to swallow.

Ensuring your zero trust strategy is being followed, and checking your controls at every point via audit and automation is the best mitigation.

The Human Operated

MOVEit
Around 2,800 organizations and nearly 100 million people have been impacted by the fallout from the MOVEit vulnerability according to EMSISoft (who maintain a running tally), with ransomware groups typically being behind the attack.

The root cause was a SQL injection vulnerability within MOVEit itself, exploitable no matter whether MySQL, SQL Server or Azure SQL was used as underlying database.

It seems Bobby Tables has graduated:

That cartoon is from the wonderful XKCD, and was first published on in 2007. I highlight that as we were at the point of laughing about injection attacks 17 years ago, and I don’t think there’s much funny about this breach.

The SQL injection exploit was used to gain a foothold to deploy ransomware. This did exploit a “zero day” vulnerability, however, I refuse to call SQL injection a zero day so instead class this as tenacious human effort.

This human effort was then industrialized by cl0p – and others – to deploy their ransomware far and wide, using the vulnerability to install a web shell and execute commands on the server, exfiltrate data and continue further attacks.

Depressingly, it seems education and healthcare providers were the most impacted by this, again according to EMSIsoft.

The SEC has launched an investigation into Progress software, the makers of MOVEit – ironically this was disclosed by Progress in an SEC filing, which also revealed customers and insurers are looking to Progress for indemnification and expenses in some cases.

Firms continue to fall victim in 2024 due to unpatched versions of MOVEit. Ensuring known exploitable vulnerabilities across the totality of your estate, and demand the same from your third-party suppliers, is critical. Panaseer is actively helping customers ensure that they are finding and mitigating every vulnerable MOVEit server.

Caesar’s casino (see also: MGM)
Caeser’s had their loyalty program information stolen in an attack that used social engineering on a subcontractor’s employee to get to the data. Caesar’s claimed they have taken steps to mitigate the release of the information, but can’t guarantee that this won’t happen: in other words, they paid some ransom.

Ensuring least privilege access as part of your zero trust strategy is critical, and checking that the controls you think are in place are actually in place is an often ignored part of this strategy.

Okta
Okta experienced a hack due to stolen credentials. Yes, Okta. Yes, stolen credentials. In 2023. But no, not their production system but rather a support system. As a result, Okta released no new updates for 90 days to prioritize security(!)

Once again, the lesson here is that every system must be considered as an entry point, even if it’s “just the support portal”.

Controls must be checked across every system, and policies should align with the risk represented not only technically, but reputationally.

Activision
Activision first found out they were hacked from screenshots posted on X (formerly Twitter) showing internal data, which is not a pleasant experience.

An employee was phished, despite using MFA (Multi-Factor Authentication) . Activision claimed to have stopped the breach, however it appears that adversaries did have copies of internal data, validated by Insider Gaming.

Was this MFA alert fatigue? Potentially. The same happened to Uber.

Ensuring least privilege access and identity controls are in place and as strong as possible for privileged users remains key.

Vulnerable Venerable British Institutions: The British Library and Royal Mail
It was a bad year for long-standing bastions of the British Establishment, with Royal Mail falling victim to a Ransomware attack in January that stopped international shipments in their tracks. The criminal gang involved was Lockbit, whose TTPs are well known. The impact of this hack contributed to the financial woes of the Royal Mail, costing tens of millions of pounds.

The British Library suffered a ransomware attack that first surfaced on 28 October 2023. They managed to get a searchable version of their online catalog available on 15 January 2024, but parts of their services are still impacted at the time of writing in April 2024.

They have published a helpful and detailed report on what happened. It’s a tale that will be recognized by security professionals globally. One phrase that hit home with me was that they could not bring back major software systems in their pre-attack form as they are “no longer supported by the vendor, or will not function on the new secure infrastructure ”. The detailed explanations paint a picture of tech debt and, occasionally, things are done for expediency at the cost of security or policy adherence.

The Initial point of compromise was “identified at the Terminal Services server. This terminal server was installed in February 2020 to facilitate efficient access for trusted external partners and internal IT administrators, as a replacement for the previous remote access system, which had been assessed as being insufficiently secure”. Despite its importance, and the library rolling out MFA in 2020, this server did not require it.

Remote access for IT admins and third parties that give the keys to the kingdom. It’s easy to be wise with hindsight.

If you read one thing, do read the incident review.

Controls need to be applied everywhere. Turning off MFA for systems that give admin access when MFA is required everywhere else in the name of admin productivity, does seem a glaring mistake but one I daresay many have taken.

The Opportunistic

Log4j
The Log4J vulnerability allowing remote code execution (due to unsanitized inputs, not just MOVEit) was first disclosed in late 2021. And yet here we are with organizations still being breached due to it, with 1 in 3 applications currently using a vulnerable version of Log4J, according to Veracode.

Veracode also found that 79% of developers never update third-party libraries after including them in the code base.

Check for the vulnerabilities and know where they are in your code base. Again, Panaseer can help here with both our AppSec module and our vulnerability module.

Microsoft Exchange
Those still running Microsoft Exchange themselves must fear opening the news, as

Exchange continues to provide a happy hunting ground for automated attacks. Looking at data provided by CVEdetails.com is depressing. Just last month a vulnerability with 9.8 CVSS base score allowing privilege escalation was released, and it is now on the Known Exploited Vulnerabilities list.

Data from the ShadowServer dashboard finds that at the time of writing, there are over 88,000 publicly accessible exchange servers that possibly have critical vulnerabilities. These may have been mitigated, but all the same, it’s a shocking figure.

If you must run Exchange yourself, ensure you’re constantly applying patches. Unlike the UK Electoral Commission.

The Takeaway

Every organization has policies around their cybersecurity. Larger organizations are already feeling the heat from regulators and are spending too much of their time responding to audits and reporting. This is a trend that the Panaseer Security Leaders Peer Report has highlighted over the past five years it has conducted.

In summary:

• The complexity of an organization’s digital estate is rising.
• Technology is decentralizing whilst security remains central.
• Audit demands are only going up.
• Resource availability is only going down.

It’s time to change your thinking. Stop spending all your time on detecting, responding, and recovering, and focus more on identifying, protecting, and governing.

Talk to Panaseer. We can help you.