The Multi-State Information Sharing and Analysis Center (MS-ISAC) anticipates the following in 2023 based on what we have observed over the past few years:
- Open-Source Supply Chain Security: Cyber threat actors (CTAs) have shown specific interest in software supply chain vulnerabilities over the last few years. Examples include the attacks on SolarWinds, Microsoft Exchange, and the open-source logging library, Log4j. We should expect this to continue, with a particular focus on open-source software repositories. This is particularly concerning for the average corporate consumer because there is a level of trust every organization must place in their software vendors. Expect to see a wide array of attackers, from lesser-skilled script kiddies through organized cyber criminals and even state-associated CTAs, converge on disclosed vulnerabilities when the potential yield is high. The MS-ISAC continues to observe mass scanning and exploit attempts against known vulnerabilities associated with major incidents going back at least to late 2021.
- More Threats Coded in Newer Languages: The MS-ISAC anticipates an increase in malware, specifically ransomware, coded in less common programming languages such as Rust and Golang. There are several advantages to using non-standard languages, which include making the malware more difficult to detect and reverse engineer, reducing code re-use by other CTAs, and giving the developers opportunities to “skill up” and gain some control over their intellectual property. As CTAs evolve their unique code, expect to see more targeted ransomware attacks against specific sectors that have more to lose by not responding quickly. This includes schools, hospitals, and critical infrastructure, such as power and water systems. CTAs target these organizations because they are more likely to pay due to the real-world impacts of systems being down, such as missed school days and power outages.
- Insider Threats: Since the beginning of the COVID-19 pandemic, attackers have used social engineering and other tried-and-true tactics to turn worldwide economic uncertainty and global recession to their advantage. Organized cybercriminal groups specifically seek out organizations that are rich in financial or other resources while they are reorganizing or reducing their workforce, especially IT and security staff. As a result, we expect an increase in insider threats from both witting and unwitting personnel. For example, employees who are concerned about their financial future may attack in retaliation for pay reductions, pay freezes, or layoffs. In other cases, negligent employees may unknowingly invite an external CTA in by opening a malicious document related to potential layoffs or similar themes. Recent high-profile intrusions that leveraged insiders include attacks on Okta and Nvidia in the commercial sector and multiple K-12 schools that suffered data dumps from the cyber actor mud in 2022.
- New Techniques in Response to Security Features: Following Microsoft’s recent efforts to increase security by default, CTAs have shifted away from traditional methods (e.g., sending malware-laden Office documents) toward more novel techniques. One such technique is hiding malicious files within other container files. Additionally, as of January 2023, the security community has observed CTAs abusing feature updates in common note-taking applications such as Microsoft OneNote and Evernote. Attackers send attachments or links to legitimate notebooks that contain links or scripts which run in the background of a victim’s system. Once invoked, a process begins to install malware onto the victim’s computer or otherwise provides unauthorized access to the system or its data. The MS-ISAC has observed phishing and malspam (i.e., emails with malicious attachments) as the two most successful intrusion vectors across our membership for many years. Phishing is generally considered an unsophisticated, yet highly effective, attack vector and shows no signs of slowing in the near future.
- Threats Stemming from Geopolitical Conflicts: In 2022, following Russia’s invasion of Ukraine, pro-Russian cyber threat actors targeted organizations in nations supporting Ukraine. Most prominently, the hacktivist collective known as Killnet made headlines for its threats and DDoS attacks on various entities, including U.S. state and local governments and critical infrastructure. As the war in Ukraine enters its second year, the MS-ISAC expects low-impact attacks from groups like Killnet to continue. Higher-impact, state-directed cyberattacks become increasingly likely as tensions between the U.S. and Russia rise.
- Increased Use of Artificial Intelligence to Support Malware Development & Delivery: Developments in artificial intelligence (AI), including the rapidly growing availability of openly accessible AI tools, are highly likely to enhance CTAs’ offensive operations against victims over the next two years. In the near term, expect AI to primarily enhance the operations of sophisticated cybercriminals and state-aligned CTAs. These groups are able to integrate AI into their existing tooling, and, in some cases, state actors may already be involved in AI research and development. The security community has already observed targeted email text written by AI for various purposes, including phishing emails intended to collect sensitive victim information. As AI becomes more available and more CTAs leverage it, we can expect more sophisticated, believable phishing emails, free of the common historical markers of such emails, like typos and unusual phrasing. A very near-term capability is likely to be ransomware actors leveraging chatbots to communicate with victims, allowing victims to interact with AI in much the same way internet customers do today when returning items or asking basic questions about transactions with large retailers. Although AI use in cyberattacks is currently limited, CTAs’ recognition of, and intention to harness, the potential and rapid development of AI signals an emerging threat. These potentially rapid developments will require significant defensive maturity in the West.
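As an added, defender-side illustration for the "New Techniques in Response to Security Features" item (this is not part of the MS-ISAC outlook), the following Python triages a OneNote (.one) attachment by locating embedded file objects via the FileDataStoreObject header GUID documented in Microsoft's MS-ONESTORE format, then flags objects whose leading bytes look like executables, archives, or scripts. The notebook bytes and the stub payloads are constructed for the example; the header layout (GUID, 8-byte length, 12 bytes of unused/reserved fields) is taken from the MS-ONESTORE specification as understood here.

```python
import struct

# FileDataStoreObject header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
# in its on-disk little-endian byte order (MS-ONESTORE). Files embedded in a
# OneNote section are stored inline immediately after this header.
ONE_EMBED_GUID = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
HEADER_LEN = 36  # 16-byte GUID + 8-byte cbLength + 4 unused + 8 reserved

# Leading bytes that mark an embedded object worth quarantining for review.
SUSPICIOUS_MAGIC = {b"MZ": "pe-executable", b"PK": "zip-container", b"%PDF": "pdf"}
SCRIPT_PREFIXES = (b"<html", b"<script", b"<!doctype", b"<?xml")

def extract_embedded(data: bytes):
    """Yield (offset, payload) for every embedded file object in a .one blob."""
    pos = data.find(ONE_EMBED_GUID)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", data, pos + 16)  # cbLength
        start = pos + HEADER_LEN
        yield pos, data[start:start + length]
        pos = data.find(ONE_EMBED_GUID, start + length)

def classify(payload: bytes) -> str:
    """Label a payload by its leading bytes; 'benign' means no known marker."""
    head = payload.lstrip()[:64]
    for magic, label in SUSPICIOUS_MAGIC.items():
        if head.startswith(magic):
            return label
    if head.lower().startswith(SCRIPT_PREFIXES):
        return "script"
    return "benign"

def triage(data: bytes):
    """Return [(offset, label), ...] for each embedded object in the blob."""
    return [(off, classify(p)) for off, p in extract_embedded(data)]

# --- constructed sample notebook (not a real OneNote file) -------------------
def _embed(payload: bytes) -> bytes:
    return ONE_EMBED_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload

PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8               # harmless image stub
SCRIPT_STUB = b"<html><script>' constructed stub</script></html>"  # HTA-like stub
PE_STUB = b"MZ\x90\x00" + b"\x00" * 12                      # PE header stub only
SAMPLE_ONE = (b"\x00" * 32 + _embed(PNG_STUB) + b"filler"
              + _embed(SCRIPT_STUB) + _embed(PE_STUB))

if __name__ == "__main__":
    for off, label in triage(SAMPLE_ONE):
        print(f"embedded object at offset {off}: {label}")
```

Objects labelled anything other than "benign" are what a mail gateway or analyst would detach for sandboxing before the notebook reaches a user.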