A post on the dark web that offers Indonesian data for sale and was found with the help of Digital Footprint Intelligence<\/a><\/em><\/strong><\/p>\n We often see people use work email addresses to register with third-party sites and services, which can be hacked and exposed to a data leak, putting the security of the company that owns the email at risk. The attack surface in its infrastructure increases with the number of potentially vulnerable objects. When sensitive data becomes publicly accessible, it may invoke the interest of cybercriminals and trigger discussions of potential attacks on the organization on dark web sites (forums, instant messaging channels, onion resources, etc.). In addition, the likelihood of the data being used for phishing and social engineering increases.\u00a0<\/strong><\/p>\n Ransomware operators set up blogs where they post about new successful hacks of businesses and publish the data they stole. The number of posts in those blogs grew in 2022, both in open sources and on the dark web. Whereas we were seeing 200 to 300 posts in each of the first ten months of 2021, the number peaked at more than 500 monthly at the end of 2021 and the first half of 2022[1]<\/sup><\/a>.<\/p>\n Changes in the number of ransomware blog posts in 2021\u20132022, worldwide (download<\/a>)<\/p>\n Extortionists used to try to settle matters with victim businesses in private, without attracting the attention of the broader public. Cybercriminals used to strive to keep a low profile until they got what they wanted, while the hack victims preferred to avoid reputational damage or any other consequences of the attack. These days, hackers post about the security breach in their blogs instead of contacting the victim, set a countdown timer to the publication of the leaked data, and wait for the victim’s reaction. This pattern helps cybercriminals win regardless of whether the victim pays up or not. Data is often auctioned, with the closing bid sometimes exceeding the demanded ransom.<\/p>\n Example: a post about the hack of the Australian company Medibank, found with the help of Digital Footprint Intelligence<\/a><\/em><\/strong><\/p>\n We expect that in 2023, cybercriminals will try to reach out to victim businesses ever less often, while the number of blog posts and mentions of victims’ names in the news will increase.<\/p>\n Example of a countdown to the publication of leaked data as seen in the LockBit ransomware blog<\/em><\/strong><\/p>\n These days, hardly a day goes by without a new leak being reported. The number of fake reports grows along with that. We believe that in 2023, cybercriminals will more frequently allege, that they have hacked a company, as an ego trip and a rep boost. A leak report that appears in public sources can be used as a media manipulation tool and hurt the target business regardless of whether the hack happened or not. It is key to identify these messages in a timely manner and initiate a response process similar to that for information security incidents. This includes monitoring of dark and deep web sites for leak or compromise reports.<\/p>\n The major attack vectors, such as vulnerabilities in publicly used applications<\/a>, compromised credentials, and emailed malicious links and attachments, will be joined by activities and tools relating to cloud and virtualization technology. Businesses increasingly transfer their information infrastructures to the cloud, often using partner services for that. They place little focus on information security when migrating to the cloud: this is not even a task they assign to the virtualization service provider. An incident catches the company with insufficient data for investigation, as the cloud provider neither gathers nor logs system events. This essentially makes investigating the incident a difficult task.<\/p>\n Cybercriminals will tap dark web sites more often in 2023 to purchase access to previously compromised organizations. Our investigations have revealed a clear trend: the number of attacks utilizing pre-compromised accounts posted on dark web sites is on the rise. What is dangerous about that trend is that the preliminary phase of the attack, that is the account being compromised, can go unnoticed. The victim company will not learn about the attack until it is faced with major damage, such as their services suffering interruptions or ransomware encrypting their data.<\/p>\n Digitalization brings increased cybersecurity risks with it. If a corporation is to secure the loyalty of its customers and partners, it must ensure business continuity and robust protection of its critical assets, corporate data and the entire IT infrastructure to counter growing threats. Large businesses and government organizations often employ multilevel security, but even that is not a guarantee against compromise. Therefore, timely, adequate incident response<\/a> and investigation are essential to both remedying the consequences and fixing the root cause, as well as to preventing similar incidents from happening again.<\/p>\n The malware-as-a-service model will continue to gain popularity in 2023, with blackmailer teams among others. Cybercriminals try to optimize their work efforts by scaling their operations and outsourcing certain activities just as a legitimate business would. For instance, LockBit\u00a0\u2014 you can read about its evolution here<\/a>\u00a0\u2014 has been expanding its services like a software development company. The cybercriminals recently went so far as to announce<\/a> a bug bounty program. Malware-as-a-service (MaaS) is lowering the entry threshold for wannabe cybercriminals: anyone can launch a ransomware attack by renting a fitting malware tool.<\/p>\n Meanwhile, the number of popular and well-known ransomware tools will decline, and attacks will grow in similarity. Companies might view this as a positive: a great number of ransomware tools will utilize similar MaaS techniques and tactics, so a smaller number of these will need to be considered for SOC response. That said, attackers’ tools will grow in complexity, rendering automated systems insufficient as a means of complete security.<\/p>\n The year 2023 will be a complicated one from an information security perspective, because the threat landscape is evolving rapidly. This sets a pace for businesses, which are forced to adapt. On the brighter side, researchers have the advanced tools to curb the growing threats.<\/p>\n These were our predictions for the year 2023. A year from now, we shall see which ones materialized and which ones did not.<\/p>\n![\"A](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16170858\/KSB_2022_DFIDFIR_predictions_01-1024x355.png\")
<\/a><\/p>\nMedia blackmail: businesses to learn they were hacked from hackers’ public posts with a countdown to publication<\/h2>\n
![\"Example:](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16182259\/KSB_2022_DFIDFIR_predictions_03-650x1024.jpg\")
<\/a><\/p>\n![\"Example](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/01\/16182340\/KSB_2022_DFIDFIR_predictions_04.png\")
<\/a><\/p>\nEnjoying the fun part: cybercriminals to post fake hack reports more often<\/h2>\n
Cloud technology and compromised data sourced on the dark web to become popular attack vectors<\/h2>\n
Malware-as-a-service: a greater number of cookie-cutter attacks, more complex tools<\/h2>\n
\n