The cyber trends of 2023, as told by cyber experts
Experts from cybersecurity provider BeyondTrust share their predictions for the evolving cyber landscape in the coming year.
Vapourware, MFA fatigue and cyberuninsurability are some key trends cyber experts expect to see in 2023. Image: Canva
During a recent BeyondTrust webinar, cybersecurity experts James Maude, Lead Cyber Security Researcher, and Morey J. Haber, Chief Security Officer, laid out the five key cyber trends the world can expect to see in 2023.
1. Vapourware: The new ransomware
In 2022, BeyondTrust predicted that ransomware would become more sophisticated, with attacks becoming more personalised and involving different attack vectors. In 2023, such attacks may as well stem from thin air.
There will be a rise of extortion based on vapourware – attacks made simply based on a threat, even when no real breach has happened, Maude explained.
This can, for example, look like an email sent to an individual’s personal address stating that a threat actor has managed to infiltrate their home computers and obtain evidence of activity on illicit sites. Cyber criminals can then threaten to send the evidence to the contacts of the prospective victim unless they pay a ransom.
Vapourware threats can also be made against entire organisations. For instance, Haber explained, threat actors can say that one of their software products has been compromised and seek a ransom in exchange for information on how they got in. If the software in question is open source, they can then use the open-source information to lend some legitimacy to their claims.
“The lesson here is to verify anything you see or hear before you even consider engaging with the threat actor and offering payment,” said Haber. “Do your due diligence to make sure that it is not open-source, and there’s actually a real problem.”
2. Multi-factor authentication fatigue
Multi-factor authentication (MFA) is not the Holy Grail, Haber said. While it was frequently used in the past as the go-to solution for stolen usernames, passwords and other credentials, the foundation of MFA as a secure platform is now crumbling, he added.
Today, MFA fatigue is setting in – a phenomenon where users become less diligent about the push notifications they receive as part of the MFA process – and may allow threat actors to access their accounts by carelessly approving illegitimate verifications.
Besides MFA fatigue, threat actors are also becoming more sophisticated. Phishing techniques, like proxy phishing, will become more prevalent in 2023, Maude said. Such attacks work by setting up a spoofing website, which resembles a legitimate page. When users key in their username, password and multifactor authentication details on the proxy site, their credentials are then captured by the threat actors.
While these phishing techniques were available only to more proficient hackers in the past, the rise of Phishing-as-a-Service software, like EvilProxy, will mean that such attacks are now easily executable by a wider pool of threat actors.
That is not to say that MFA should be scrapped, however. Rather, Haber highlighted that organisations need to consider alternative means of carrying out MFA rather than simply relying on push notifications. One way they could do so is through authenticator applications, for instance.
“I would encourage anyone looking for the next generation MFA to avoid the pitfalls that we know of today,” Maude cautioned.
3. Cyber insurers turn cold
Cyber uninsurability is going to become the new normal, Haber said. “Many organisations have seen a three- to five-times increase in cybersecurity costs, and cyber insurance is not something [they can] afford.”
A study done by insurance provider Swiss Re Group found that about 90 per cent of cyber risks remain uninsured, reported Insurance Business Asia.
Another pertinent problem is that some insurance providers are refusing to pay out after breaches happen, Maude observed. Furthermore, some insurance providers are introducing exceptions to the types of attack they cover. He gave the example of Lloyds Bank in London, which has announced that it is no longer covering nation state attacks or cyber attacks considered an act of war.
But things are not completely hopeless. There are ways for organisations to become more insurable, such as by implementing the necessary safeguards for vulnerable attack vectors, like emails and third-party devices. Governments, too, can help to push down the prices of cyber insurance by enacting laws legislating that companies do not make ransomware payments, Haber added.
4. Hackable electronics
Electronic lightsticks have become a staple accessory in concerts, but come 2023, such single use electronics will have to go, Haber said. Besides being bad for the environment, such devices are also a vulnerable attack surface.
“Threat actors can easily figure out how to abuse them,” he explained. Many of these devices operate on radio frequencies that can easily be decoded. “You can very quickly start intercepting the signals and replaying them back…to attack and mess around with other devices,” Maude added.
Such devices are particularly vulnerable as they are often designed to be low cost, he elaborated. As such, organisations often do not integrate more stringent security controls, such as encryption, within.
5. The end of cyber terrorism
Haber foresees that countries will begin considering legislation against the payment of ransomware in the coming year.
Organised cybercrime is making money because someone will pay it, whether it's themselves or through cyber insurance, Haber said. “If you cut off that monetary source, those businesses will find a new attack vector or dry up.”
The sophistication and organisation of cyber criminals have been improving over the years, often because they are able to obtain funding from such ransomware exploits, Maude added.
But the tide might be turning in ransomware payments anyway. A recent report from Chainalysis, a provider of blockchain analysis tools, suggests that, year-on-year, there was a significant decline in ransomware payments for 2022.
Yet implementing legislation banning such payment, according to both Haber and Maude, could be difficult to implement. Maude raised the concern that, if the US government were to impose such a legislation, a multinational organisation could simply pay the ransom through a European subsidiary, for instance.
By imposing legislation against ransomware payment, Haber believes that it could force organisations to consider other means of bolstering their cybersecurity. For instance, if a vapourware threat were to happen, such a law would force organisations to do their due diligence instead of automatically defaulting to paying the ransom.
Check out the full webinar here, and learn about other cyber predictions by BeyondTrust here.