Cybersecurity Trends 2022

This year we reported on the cyberattacks that accompanied the first moments of the ongoing Russian invasion of Ukraine (here and here). Not that there had been no bad blood between these two nations before, as they conducted cyberattacks against each other in the years past. Rather, the widespread interest in the conflict, likely due to its escalation to a war, brought the attention of the media to the state-sponsored cyberattacks this year.

The earliest attacks included defacement of government websites and the use of WhisperGate, HermeticWiper and IsaacWiper malware. Following the invasion, some gangs started announcing which side they were on, and the attacks included even some in favor of Ukraine and some that targeted the U.S. Due to the latter, the CISA and the White House issued recommendations. In the case of software companies, these included embedding security in development since the beginning (see DevSecOps).

In the following months Conti, a ransomware gang that sided with Russia in the conflict, conducted a wave of cyberattacks against Costa Rica. This gang stole information from government organizations in that country and threatened to disclose it. Their attacks persisted, representing millions of dollars in losses, and apparently even spread to Peru. Even though Conti is presumed gone since May, it is believed that its members are now part of ransomware campaigns such as BlackByte and BlackCat. The latter, as reported by the FBI in April, "had compromised at least 60 entities worldwide" during the span of one month.

The above events have organizations around the world keeping a wary eye on cyberattacks coming from state-sponsored groups. Precautions need to be taken as the average cost of a data breach worldwide has reached a record high of $4.35M, a 2.6% increase over last year's.

Last year ended with the hot mess that is Log4Shell, and that mess hasn't been cleaned up yet. The vulnerability affects Log4j, a highly popular logging tool that is used in (potentially) millions of applications. Patches have been issued for that and further vulnerabilities in the library, but folks still fail to do the updating. Meanwhile, threat actors have been exploiting it throughout the year.

Use of software dependencies with known vulnerabilities is a widespread issue. Our 2022 State of Attacks report shows that almost 75% of the systems we assessed this year used vulnerable software components. Notably, this is the type of vulnerability that generated the most exposure to risk when aggregated. (Our analyses included systems where our software composition analysis (SCA) detected Log4Shell, among others. Recently, our SCA was enabled to detect the critical flaw Text4Shell.)

Vulnerable dependencies that go unchecked create the risk of suffering supply chain attacks. According to research by the Ponemon institute, in 2022 the cost of such a compromise is $4.46M on average globally (surpassing that of data breaches attributed to attacks of all categories).

Even though mainframe architecture is very much present, the adoption of the cloud is ever growing and is indeed a much more realistic option for emerging businesses around the world. You've heard about the positive side before: Moving to the cloud provides scalability for good prices. And again, you've heard about the risks: sensitive data loss, compromised accounts, servers shut down, etc. But these can be tackled. So what are teams doing wrong?

The main theme of successful attacks in the cloud this year was exploitation of vulnerabilities. Again: We saw in our annual report that using vulnerable software components was the biggest issue exposing systems to compromise. It's got repercussions worldwide: IBM X-Force says 26% of cloud incidents from July last year to 12 months later shared this initial entry point. One of the most exploited vulnerabilities this year was, of course, Log4Shell.

Another attack trend was misconfiguration abuse. We've been vocal about how our hackers recurrently find problems with misconfigured cloud services. In our annual report, we show that it was among the top five problems that exposed infrastructure the most to risk. A related problem that also made it to that top is the absence of authentication mechanisms or having one that can be bypassed. Additionally to this, IBM X-Force found overly privileged user accounts in 99% of their penetration tests.

As we mentioned above, the Biden Administration recommended technology and software firms integrate security from the beginning of product development. This is one of the main themes of implementing the DevSecOps culture. Compared to last year, we saw a 32.5% increase in systems using our Continuous Hacking solution. These systems' owners are constantly receiving security testing findings from the early stages of the software development lifecycle (SDLC). What's more, some enable a feature in their CI/CD to avoid deploying software into production when there are open vulnerabilities (what's known as "breaking the build"). This year, we found that customers who break the build take about 30% less time on average to remediate vulnerabilities in their software. We also saw that deploying manual penetration tests in combination with automated tests allows teams to find critical severity vulnerabilities in their software, since they were all shown to be found only by our ethical hackers.

In line with this rising trend, we have been enriching our DevSecOps blog series. Be sure to check it out.

In May, NIST released key practices for building, sustaining and enhancing cybersecurity supply chain risk management capabilities. Notably, the institute advised firms to map such risk to the overall enterprise risk management, making it an essential point in the boardroom agenda.

Just this month, Google launched an initiative to make knowledge about the details of software available to everyone. This initiative is called GUAC (which does not refer to the delicious avocado-based dip, but rather stands for Graph for Understanding Artifact Composition). By adding up software security metadata from public and private sources, it aims to create a graph that can answer queries about supply chain risk associated with each software, as it shows relationships between projects, resources, artifacts, repositories, etc.

And this year we gave a demonstration at Black Hat 2022 Arsenal of our open-source tool called Makes. It is used for building CI/CD pipelines and application environments, with the particularity that it cryptographically signs direct and indirect dependencies. This allows teams to defend their application from supply chain attacks. Regardless, it's a good practice to perform software composition analysis (SCA) scans continuously.

Tackling the issue of compromised credentials is key to prevent threat actors from entering and exfiltrating data or even further exploiting any misconfiguration of cloud services. Multi-factor authentication (MFA) is still going strong to counter brute-force attacks and other kinds. Entrusting authentication to a single password factor is just too risky. This month, it's been reported that hackers using eight Nvidia RTX 4090 graphics cards can crack an eight-digit password (the most popular length) in 48 minutes. All it takes is taking leaked passwords as encoded hashes, reverse-engineering them to view them as plain text, and they're good to use in targeted attacks.

Apart from having MFA, it's important that software itself is safe. Regarding authentication, it's time that software solution developers start requesting a combination of automated and manual static application security testing (SAST) to see if credentials are exposed in code, as this was another prominent, high-risk flaw that we found in systems this year.

In a final note, we'd like to share that the cybersecurity community is pushing for a shift in how we understand risk in a system. In a few words, instead of counting vulnerabilities, teams are encouraged to determine the risk they each represent. At Fluid Attacks, we have come up with a solution that takes the CVSS base score as a basis and further augments it significantly and exponentially as the base score increases, attempting to depict more accurately what our hackers see in practice. This gives us a risk exposure measure we call CVSSF. As a result, visibility becomes greater the riskier vulnerabilities get. Our clients get the CVSSF of each detected vulnerability on our platform and make better decisions to prioritize remediation, not thinking about numbers, but risk.

Want some help implementing the above preventive security measures? We offer a 21-day free trial of our Continuous Hacking Essential plan, which can help you find vulnerable software dependencies and proprietary code, improper configuration of cloud services, and more. Contact us if you have any questions!