Looking back over the past year's security incidents, events, and stories, one thing is clear: high-profile data breaches and zero-day attacks continued to dominate the headlines.
There seemed to be a cybersecurity incident every week, stretching spending budgets to the breaking point as CISOs and defenders navigated a worsening economy and staff cuts that harmed security programs.
In this review of the top stories of 2022, SecurityWeek editors take a closer look at five big stories that shaped the year and what they might mean for the future of securing data at scale.
Lapsus$ causes havoc
The year began with defenders still scrambling to mitigate the Log4j supply chain crisis, but beneath the surface, something equally dangerous was lurking and preparing to wreak havoc on some of the industry's biggest names.
Lapsus$, the codename for a gang of financially motivated cybercriminals, sparked outrage with an “extortion and destruction” hacking spree that exposed and embarrassed prominent companies such as Nvidia, Samsung, Ubisoft, Uber, and Rockstar Games.
The Lapsus$ devastation also affected tech titans Microsoft and Okta, with Redmond publicly documenting “a large-scale social engineering and extortion campaign” and Okta badly mishandling communications with customers about the scope of its breach.
“[The group] is known for using a pure extortion and destruction model without deploying ransomware payloads,” Microsoft warned in a note, admitting that its own systems had been compromised in the high-profile raids.
By the end of 2022 the Lapsus$ compromises had become significant enough that the US government took notice and tasked its Cyber Safety Review Board (CSRB) to "review the cyber activity of Lapsus$ in order to analyze their tactics and help organizations of all sizes protect themselves."
The zero-day avalanche
Documented cases of in-the-wild zero-day attacks remained on the front burner for the second year in a row, with new data indicating that zero-day exploit activity has spread to low-tier cybercriminals.
By the end of 2022, there had been 52 publicly documented zero-day attacks on a wide range of software products, the majority of which affected code from big-tech vendors Microsoft, Google, and Apple.
Worryingly, zero-day attacks were also observed targeting software and firmware vulnerabilities in Cisco, Sophos, Trend Micro, Atlassian, Magento, and QNAP Systems products, and several vendors, including Fortinet and Citrix, were forced to ship emergency fixes in the face of zero-day exploitation over the course of the year.
Microsoft vulnerabilities accounted for approximately 23% of all documented zero-day exploitation in 2022, according to SecurityWeek data, followed by Google Chrome (17%) and Apple products (17%, iOS and macOS zero-days combined).
Throughout 2022, the US government’s cybersecurity agency CISA added “known exploited vulnerabilities” to its must-patch catalog at an alarming rate, with VPNs, firewalls, and firmware prominently featured in the product categories under attack.
Big tech goes up against mercenary spyware vendors
Throughout 2022, Cytrox, Candiru, BellTroX, and DSIRF joined the more notorious NSO Group as companies selling hacking tools or services and performing hack-for-hire targeted attack operations.
The big-tech crackdown, which includes court filings by Facebook parent company Meta, public documentation by Microsoft, and a congressional appearance by Google, paints a picture of a global surveillance-for-hire industry, with hacking teams based in the United States, Europe, and Israel.
Cobwebs Technologies, Cognyte, Black Cube, Bluehawk CI, and CyberRoot (formerly BellTroX) were among the new names that emerged in 2022 as defenders discovered signs of zero-day exploitation, spear-phishing campaigns, and sophisticated exploit chains.
The growing surveillance-for-hire activity prompted cybersecurity professionals to urge the US government to act quickly to rein in these shady businesses. Google’s Shane Huntley testified before the House Intelligence Committee, urging Congress to consider a “full ban” on the federal procurement of commercial spyware technologies and urging expanded sanctions against two notorious vendors, NSO Group and Candiru.
The involvement of veterans of allied intelligence services in these companies, together with the continued abuse of their software by repressive governments to target journalists, activists, and dissidents, emerged as a concerning trend from these stories in 2022.
SBOMs and the security of the software supply chain
The tug-of-war over securing the software supply chain dominated 2022, as the US government singled out firmware security as a "single point of failure" and led robust discussions on the implementation of SBOM (software bill of materials) mandates.
The SBOM mandate, which was included in a White House executive order, is part of the federal government's push to demand security guarantees from the vendors and suppliers in its software delivery ecosystem.
As security leaders and CISOs scrambled to figure out how to use – and deliver – the mandatory software ingredient lists, big tech vendors released open-source toolkits for SBOM generation, and venture capitalists doubled down on supply chain investments.
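As an added example of what "using" an SBOM looks like in practice, and how it ties to the must-patch deadlines in CISA's known-exploited-vulnerabilities catalog mentioned earlier, the script below cross-checks a small CycloneDX SBOM against a KEV-style watchlist. This is illustrative code written for this review, not SecurityWeek's, CISA's or any vendor's tooling. Both inputs are constructed inline: the SBOM is a made-up three-component fragment, and the watchlist carries the fields a KEV record has (cveID, vendorProject, product, dueDate) plus a `purlName`/`fixedIn` pair that is an assumption added here, because the KEV feed itself records no version data. The Log4Shell entry (CVE-2021-44228, log4j-core before 2.15.0) is the one real data point.

```python
"""Cross-check a CycloneDX SBOM against a KEV-style must-patch watchlist.

Added example for this review; not code from SecurityWeek or from CISA.
All inputs are constructed inline so the script runs offline.
"""
import json
from datetime import date

# Constructed CycloneDX 1.4 SBOM fragment (not any real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}
  ]
}
"""

# Constructed watchlist in the shape of CISA KEV records, extended with
# 'purlName' and 'fixedIn' (assumptions added here; KEV carries no versions).
# CVE-2021-44228 (Log4Shell) affected log4j-core releases before 2.15.0.
WATCHLIST_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
   "purlName": "log4j-core", "fixedIn": "2.15.0", "dueDate": "2021-12-24"}
]}
"""


def version_key(version):
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes such as '-beta9' are dropped,
    so '2.0-beta9' compares as 2.0.0; good enough for a below-fixed-version check."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def findings(sbom_json, watchlist_json, today_iso):
    """Return one finding per SBOM component whose version is below the
    watchlist's fixed version, flagging whether the KEV due date has passed."""
    today = date.fromisoformat(today_iso)
    sbom = json.loads(sbom_json)
    watch = json.loads(watchlist_json)["vulnerabilities"]
    out = []
    for comp in sbom.get("components", []):
        for entry in watch:
            if comp["name"] != entry["purlName"]:
                continue
            if version_key(comp["version"]) < version_key(entry["fixedIn"]):
                out.append({
                    "cve": entry["cveID"],
                    "purl": comp["purl"],
                    "fixedIn": entry["fixedIn"],
                    "overdue": today > date.fromisoformat(entry["dueDate"]),
                })
    return out


if __name__ == "__main__":
    for f in findings(SBOM_JSON, WATCHLIST_JSON, "2022-12-31"):
        status = "OVERDUE" if f["overdue"] else "open"
        print(f'{f["cve"]}: {f["purl"]} (fix: {f["fixedIn"]}) [{status}]')
```

Matching on the purl package name rather than on KEV's free-text `product` field is deliberate: KEV records a product family ("Log4j2"), while an SBOM names the artifact actually shipped, so a deployable check needs a mapping layer like the `purlName` field assumed above. Only the 2.14.1 copy of log4j-core is reported; the patched 2.17.1 copy and jackson-databind produce no finding.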
Under the surface, however, some of the biggest names in IT and software delivery were voicing strong opposition to the government’s SBOM mandate. By the end of the year, lobbyists for big tech were publicly urging the federal government’s Office of Management and Budget (OMB) to “discourage agencies” from requiring SBOMs, claiming that “it is premature and of limited utility” for vendors to provide an accurate inventory of the ingredients that make up software components.
That opposition came through the Information Technology Industry Council (ITI), whose prominent members include Amazon, Microsoft, Apple, Intel, AMD, Lenovo, IBM, Cisco, Samsung, TSMC, Qualcomm, Zoom, and Palo Alto Networks.
The cybersecurity industry is expanding
In a year marked by increased attack surface sprawl, cloud-related data breaches, and an expanding ransomware crisis, investors sought profits by investing in cybersecurity startups.
The number of cybersecurity “unicorns” (startups valued at more than $1 billion) decreased noticeably in 2022, but there was no shortage of large funding deals, particularly for early-stage startups tackling software supply chains or cloud data security.
We saw a VC frenzy to pour money into some unusual categories (secure enterprise browsers, for example), as well as a steady flow of investments into companies dealing with API security, attack surface management, data security posture management, and software supply chain security.
Google’s $5.4 billion acquisition of Mandiant and $500 million acquisition of Siemplify added an impressive cybersecurity stack to its enterprise cloud products, signaling a major push to compete with rival Microsoft for cybersecurity-related revenues.
In 2022, Microsoft passed on large-ticket acquisitions but continued to flex its security business muscles with the launch of new managed services at a time when its own cybersecurity revenues were approaching $15 billion per year.
Over the last year, big-name private equity firms were active acquirers in the identity and access management space: Thoma Bravo bought Ping Identity for $2.8 billion and then SailPoint and ForgeRock, about $12 billion in identity deals combined, while Vista Equity Partners paid $4.6 billion for KnowBe4.