
Increasing adoption of new technologies will give way to new threats

Threat actors globally may boost and tweak their established methods to infiltrate and dig deeper into an organisation's network.

The Arab Gulf region is well known for its predilection for the latest and greatest technology. As 2023 dawns, we see new innovations and technology being adopted by enterprises at scale. Blockchain has a range of applications inside and outside the FSI sector. IoT accelerates digital transformation in industries from retail and logistics to manufacturing and petrochemicals. The Metaverse appears set to transport us on a journey of discovery. Enterprises are looking to invest in tools that promise to drive innovation, scale and cost efficiencies.

Investment in new technologies and enterprise platforms creates potential for organisations, but that potential cannot be prioritised over ensuring the applications and software involved have been well vetted for security risk. Bad actors work by a simple calculus: more technology, more attack vectors. In 2022, phishing continued to be a leading technique for threat actors. We saw the rise of BazarCall campaigns targeting enterprises, and threat actors exploiting vulnerabilities in both new and old software in novel ways.

As we look to 2023, here are cybersecurity predictions for the enterprise.

Skeletons in the software closet will multiply

In 2022 we saw continued growth in, and attention on, supply chain attacks and attack vectors. IBM included them in its annual breach report, highlighting that an impressive 19% of all breaches are the result of supply chain issues. While the industry is still working out exactly what falls under this umbrella, vulnerabilities in critical underlying frameworks are undisputedly part of the supply chain. If what Log4j did in 2021 was only the beginning of building the appeal this attack surface presents to threat actors, we expect to see an increase in breaches related to supply chain issues in 2023.

It should come as no surprise: hackers are lazy. They want the largest financial gain, or, especially in the case of nation states, the most damage, for the least effort. As much as big players like Microsoft and Apple get slammed with negative press for the number of vulnerabilities discovered in their products, the truth is that over the last several decades it has become increasingly hard to find and successfully exploit vulnerabilities on these platforms. This is one of many reasons why threat groups still rely so heavily on exploiting the human factor. However, this increase in difficulty also sends hackers looking for easier targets elsewhere. Not all popular frameworks, libraries and SDKs that have been around for a long time have kept pace with the regular security audits and modifications required to maintain their resilience, especially in the open-source community.

Both threat actors and security researchers are likely to intensify their study of the underlying frameworks that make up the supply chain. As a result, we anticipate more vulnerabilities being discovered (or rediscovered) and exploited with wide impact; they won't necessarily take the form of a major Microsoft bug, but of a framework you may never have heard of that everyone is using. We must therefore increase our visibility into, and in-depth understanding of, exactly what code is running within our organisation.

With more collaboration applications comes more phishing

In 2023 we expect weaponised phishing attacks to spread their wings across commonly used business communication services and apps. Smishing, vishing, social media phishing and business email compromise attacks have traditionally been managed with anti-phishing toolbars and email security protections, but in the near future phishing may scale beyond email and text messages, spreading across other communication channels in a much stealthier way.

Hybrid work culture has expanded the attack surface to individuals' vulnerable and poorly managed home networks and devices, and threat actors have used this as a medium to reach corporate networks more easily. This has driven an increase in phishing attempts against companies, and in turn organisations have focused on strengthening their perimeters and email protection services. Keeping an eye on new tactics and techniques aimed at other communication channels should not be neglected in the new year.

Here’s my number, so call me, maybe?

We anticipate a significant increase in call-back phishing attacks, with less tech-aware users being the prime target.

We have seen vishing cases (phishing that involves leaving a malicious voicemail) increase by more than 500 percent since 2021, and the trend does not appear to be slowing. The tricky part of reverse vishing campaigns is that the lure contains no malicious element such as a URL or attachment, as used in email-based attacks. Instead it contains a phone number the user has to call; from that point on the scammer has the stage, and it is up to their performance to convince the caller to install malware. This creates a challenge for security companies, as there is no traditional element to scan in the initial attack vector.

It gets more troubling as adversaries have spread their claws to reach victims through other mediums, such as text messages and third-party messaging apps like WhatsApp. This is even more of an issue because current policies do not specifically cover information received via these mediums, so they become a tunnel through which attacks slip by.

More research is required to detect such attacks efficiently; until that happens, voice phishing will continue to proliferate, and people who are less tech-aware are likely to be the most affected.
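As an added illustration of that detection gap (example code written for this page, not from the authors or Trellix), the following heuristic triage flags messages whose only call to action is a phone number, combined with urgency or billing cues, and works the same for email bodies and SMS text. The sample messages, regexes, weights and threshold are constructed assumptions, not tuned detection rules.

```python
import re

# Constructed sample messages (not real campaigns): (body, attachment_count).
SAMPLES = [
    ("Your antivirus subscription has auto-renewed for $299.99. To cancel and "
     "get a refund within 24 hours call +1 (800) 555-0142.", 0),
    ("Invoice #4471 attached. Pay via https://pay.example.test/4471", 1),
    ("Team lunch moved to 1pm Thursday, see you there.", 0),
    ("URGENT: unusual login detected. Call 0800-555-0199 now to secure your account.", 0),
]

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")          # loose: 9+ phone-like chars
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|now|refund|renew\w*|cancel|suspended|charged|within \d+ hours)\b",
    re.I)
MONEY_RE = re.compile(r"[$€£]\s?\d|\b\d+(?:\.\d{2})?\s?(?:usd|eur|gbp|aed)\b", re.I)
REVIEW_THRESHOLD = 4   # assumed: a bare phone number alone (score 3) is not enough

def score_message(body, attachments=0):
    """Return (score, reasons) for one message; higher means more callback-phishing-like."""
    score, reasons = 0, []
    has_phone = PHONE_RE.search(body) is not None
    has_url = URL_RE.search(body) is not None
    # The key observation above: the lure carries a phone number and nothing scannable.
    if has_phone and not has_url and attachments == 0:
        score += 3
        reasons.append("phone number is the only call to action")
    cues = {m.group(1).lower() for m in URGENCY_RE.finditer(body)}
    if cues:
        score += min(len(cues), 2)      # capped so wording alone cannot trigger review
        reasons.append("urgency wording: " + ", ".join(sorted(cues)))
    if MONEY_RE.search(body):
        score += 1                      # fake invoices and renewals are the usual pretext
        reasons.append("mentions a charge or amount")
    return score, reasons

def triage(messages=SAMPLES):
    """Label each message 'review' or 'ok' from its score."""
    out = []
    for body, attachments in messages:
        score, reasons = score_message(body, attachments)
        out.append(("review" if score >= REVIEW_THRESHOLD else "ok", score, reasons))
    return out

if __name__ == "__main__":
    for (body, _), (verdict, score, reasons) in zip(SAMPLES, triage()):
        print(f"[{verdict:6}] {score}  {body[:48]!r}  {reasons}")
```

Because the score is channel-agnostic, the same function can sit behind an SMS or chat-app gateway, which is where the policy gap described above lies.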

Attacks against Windows domain will scale

Taking over the entire Microsoft Windows Domain/Active Directory, and with it an organisation's entire network, is the goal of many targeted attacks against a Windows ecosystem. Once the attacker gains an initial foothold in an organisation's internal network, the next step is to move to other critical systems, such as a Windows Domain Controller, and from there compromise the entire domain. To achieve this, the attacker must leverage vulnerabilities that escalate user privileges.

Windows Domain/Active Directory is a critical and complex system involving multiple services and protocols, and any vulnerability in those services or protocols could be exploited to compromise the whole system, giving the attacker full access to an organisation's sensitive information and the ability to profit from leaked data. Because of the importance and complexity of Windows Domain/Active Directory, this "gold mine" has drawn a lot of attention from both hackers and security researchers, who work hard to find bugs in it and develop new attack techniques.

We believe that in the coming year, more domain privilege escalation vulnerabilities may be discovered and at the same time we might continue to see more real-world attacks against Windows with the explicit goal of complete network takeover.

Prepare for X, Y and Z

Threat actors evolve quickly and are always looking for holes in digital perimeter fences. It is therefore imperative that SOC analysts find those holes before threat actors do.

This requires organisations to plan for threats on the horizon, like those outlined above. This is especially true as stress continues to weigh on the global economy, and organisations could see increased activity from threat actors looking to advance their own agenda, whether for political or financial gain.

Planning for these threats, and the others that security experts see coming, helps organisations prioritise a never-ending task list. To do this, organisations and the security analysts on their front line need complete visibility into their network, including all enterprise platforms and applications and the software supply chains that feed into them.

This article was penned by Doug McKee, Jaspreet Singh, Daksh Kapur and Bing Sun, Trellix Advanced Research Center.