Cybersecurity and cybercrime never sleep, and 2023 is no exception. The year has produced many memorable stories and revelations, from the arrival of generative artificial intelligence to gangs apologising to hospitals.
Knowledge helps us be more cyber-safe—here are six cybersecurity and cybercrime events that caught our attention during 2023.
Generative AI arrives
Generative artificial intelligence is the year's most significant technology story. Since OpenAI released ChatGPT in late 2022, numerous such tools have come to the public's attention. In a matter of months, generated video and audio joined the pack. The security threats were evident almost immediately: criminals use generative AI to scale and intensify phishing, misinformation and other scams. Threat actors now offer malicious generative AI services that cater to criminals, such as DarkBERT and FraudGPT. Cyberattacks using generative AI are not new—in 2021, fraudsters used a deepfaked voice to steal from a bank. But 2023 marks their entry into the frontline of cyber risks.
Denial of Service goes massive
Distributed Denial of Service (DDoS) attacks continue to be a major part of cybercrime. While there have been gains in shutting down massive DDoS networks, 2023 reminds us that it's an ongoing battle: the year recorded the biggest DDoS attack yet. Google, Amazon, and Cloudflare noted the massive attack, which started in August and peaked in October at an astounding 398 million requests per second. To compare, 2022's biggest DDoS attack peaked at 46 million requests per second. The larger-scale attacks may be due to a weakness in the HTTP/2 protocol—organisations are urged to update their network systems and close this bug.
Big jumps in API and IoT threats
2023 has not been a good year for application programming interfaces (APIs) and Internet of Things (IoT) devices. Shadow APIs are becoming a threat. These are undocumented third-party APIs that are not known to or managed by the organisation using them. Several reports indicate that cybercriminals are increasing scans for such APIs, which are likely to be unprotected, and one report estimates such scans are up 900 percent compared to 2022. IoT devices are also drawing more attention from criminals. IoT malware threats have jumped tenfold this year, primarily because of poor authentication controls.
Mandatory reporting expands
More countries are making breach reports mandatory. Australia, which had been mulling a ban on paying ransomware demands, is instead planning to require businesses to disclose when they fall victim to a ransomware attack. The hope is that this will address underreporting that, according to the Australian government, is "limiting our national understanding of [ransomware's] true impact on the economy." In the United States, the Securities and Exchange Commission (SEC) has released new rules that compel companies to report a breach within four days. Ironically, one cybercrime gang has already used the new rules to harass a victim it had hit with ransomware encryption. When the targeted company refused to negotiate, the gang filed an anonymous breach report with the SEC. They should have read the fine print—the SEC rules only take effect in mid-December.
NIST readies its Cybersecurity Framework 2.0
A decade ago, US President Barack Obama ordered the development of a framework to protect critical infrastructure from cyberattacks. The framework emerged from the National Institute of Standards and Technology, known as NIST. Today, the NIST Cybersecurity Framework (CSF) is one of the primary references for cybersecurity excellence and holds enormous sway over how organisations respond to cyber threats and risks. Thus, it's significant that NIST has begun updating the framework to version 2.0, elevating the scope beyond critical infrastructure and adding the 'Govern' pillar, which "covers how an organisation can make and execute its own internal decisions to support its cybersecurity strategy." NIST has concluded public comment and expects the new standard to be published in early 2024.
Ransomware gang apologises to hospital
Ransomware-as-a-Service can sometimes backfire on a gang. At the start of 2023, an online gang apologised to a Canadian children's hospital and gave it a decrypter. The apology came after an affiliate used the gang's tools to target the teaching and research hospital, which focuses on children's diseases. The gang said the attack was against its policy, though it has a track record of targeting healthcare institutions. Experts note that this type of apology is not uncommon—ransomware gangs worry a bad reputation can lead to fewer payouts from future victims. It's certainly not a case of Robin Hood altruism: though the gang did provide the decryption key, it did not compensate the hospital for over two weeks of downtime.