Cybercriminals: 2023 was not the year of rest for the wicked

Make no mistake, 2023 was a big year for cybercriminals targeting Australian businesses. So much so that you may be wondering ‘where to from here?’

Let’s talk about the negative stuff first though.

Cybercriminals outdid themselves in 2023 – what was hot

The ASD Cyber Threat Report 2022-2023 was released in November. Their observation that “cybercriminals continued to adapt tactics to extract maximum payment from victims” is no surprise.

Of the 127 extortion-related incidents that ASD responded to, 118 involved ransomware or other forms of restriction to systems, files, or accounts. Business email compromise, wrote ASD, remained a key vector to conduct cybercrime, ransomware remained a highly destructive cybercrime type, and so did hacktivists’ denial-of-service attacks.

Around 13% of the cyber security incidents recorded by ASD during 2022–23 were data breaches, compared with 7% the year before. This made data breaches the third most common incident type in 2022–23, only eclipsed by compromised infrastructure (15.2%) and compromised credentials (18.8%).

41% of data breaches involved malicious cyber actors exploiting valid accounts and credentials to access cloud services, local systems, or entire networks, and around 34% involved the exploitation of internet-facing applications.

And the top three cybercrime types for business? Email compromise, business email compromise (BEC) fraud, and online banking fraud.

Publicly reported common vulnerabilities and exposures (CVEs) increased by 20%. Cybercriminals didn’t hang around for too long either – they exploited 1 in 5 vulnerabilities within 48 hours of a patch or mitigation advice being released, says ASD. A further half of the vulnerabilities were exploited within two weeks of a patch or mitigation advice being released – but not applied. And a month later, when patching should be done and dusted, cybercriminals circled back round to exploit 2 in 5 vulnerabilities.

Crime pays

Worldwide, the estimated cost of cybercrime in 2023 was USD 8.15 trillion.

But what did this cost Australian businesses? Last year, PwC said the total cost of cyberattacks was likely around $A10 billion annually. Fast forward to the 2022-2023 period, where the ASD processed nearly 94,000 cybercrime reports – or one every six minutes (last year, it was one every seven minutes) – and an estimated increased cost of 23%.

The ‘value’ of each report went up 14%.

Small businesses averaged a $46,000 loss, medium businesses – $97,200, and large businesses – $71,600. So, no one has got off lightly.

What does a data breach look like? (Besides grim)

ASD reported that the 2022-23 data breaches were generally either opportunistic or complex. Which means what?

Opportunistic intrusions involve a malicious actor exploiting a single internet-facing application or service which contains data. The ‘smash and grab’ technique (think driving a car into a storefront window) is typically used by actors to steal data directly from this single initial access vector.

Complex intrusions, by contrast, involve a malicious actor demonstrating a wider variety of techniques (think sophisticated bank safe cracking). After gaining initial access, they escalate privileges and move laterally, seeking data to exploit. These intrusions usually result in more extensive network compromise and more complex incidents.

What’s the most popular information stolen in these intrusions? Contact information is by far the most popular target (32%), followed by identity information (18%) and financial details (14%).

And how do cyber actors use this stolen data?

  • Identity theft.
  • Phishing campaigns for financial gain.
  • State actors may use personal information for espionage purposes.
  • Posting data to the dark web where it can be shared, bought, or sold by other malicious actors.
  • Information pieced together for fraud or to gain other privileged access.
  • Future crimes like blackmail or extortion.

AI to the rescue in 2024?

Well, yes – and no. While many cybersecurity vendors have focussed on adding artificial intelligence (AI) to their solutions over the last few years to enhance everything from proactive threat hunting to improving malware detection, it’s important to remember that both sides have the same tools. The global AI cybersecurity market is a significant growth area for goodies and baddies alike.

As we welcome the game-changing capabilities of AI into our businesses (and our world) to augment and improve human performance, warnings abound that malicious actors can use, and are using, AI to orchestrate cyber intrusions.

According to ASD, “Malicious cyber actors could also use AI tools to augment their activities. For example, a cybercriminal may be able to produce low effort, high quality material for phishing attacks. AI could also be used to create fraudulent deepfake content like voice and video clips, or to create malware. Security researchers have demonstrated with existing technologies that malicious actors could use AI to help orchestrate cyber intrusions.”

It’s worth noting that in early 2023, ASD published a framework of ethical principles governing their own usage of AI. One of the principles recognises the vulnerability of AI to external forces: “Reliable and secure AI ensuring that technologies continue to meet their intended purpose and remain protected from external interference.”

What help can we expect from the government?

Almost $600 million worth of help is at hand.

In November, just a week after ASD revealed reports of cybercrime were up 23% on the year before, the Australian Government announced a new plan to better protect infrastructure, fund cyber awareness programs to further educate Australians (businesses and individuals), expand the Digital ID program, and create a “ransomware playbook” to guide businesses through preparing for and responding to an attack.

The government has also vowed to work with international partners to help deter malicious cyber activity.

Where to from here?

How can you mitigate the risks to your business?

In 2023, we introduced the Amidata Best Practice 11 (the ABP 11) Critical Cybersecurity Controls for Business Survival, which builds on the ASD Essential 8.

Our 11-point best practice framework is designed to provide end-to-end cybersecurity protection for your internet-connected technology network. It addresses how Australian businesses can approach and remediate the many concerns raised by ASD about cybercrime, and it also supports and drives cyber resilience – from endpoint security, enforced application control, hardening of user applications, backups, and patching to staff awareness training.

If you’d like to find out how to improve your cyber resilience, please ask us about ABP 11 and our proven best practice services and solutions. We also offer a free cyber security vulnerability assessment.
