
13 Reasons Why Cybercrime Isn’t Slowing Down Any Time Soon

January 05, 2023 - 10 min read

2022 was characterized by global risks ranging from population pressures and climate change to political conflicts and industrial supply chain challenges. Cybercriminals exploited this turmoil, building lures around trending topics such as major events, public affairs, social causes, and anywhere else an opportunity appeared.

2023 will see a continuation of these challenges, especially as bad actors continue to take advantage of the chaos caused by the expected backlash from Russia over the Ukraine conflict.

To help prepare the threat defender community for what is coming, the cyberthreat predictions that follow are based on key observations made by the Zscaler ThreatLabz research team. Made up of more than 125 security experts with decades of experience in tracking threat actors, malware reverse engineering, behavior analytics, and data science, the ThreatLabz team operates 24/7 to identify and prevent emerging threats using insights from 300 trillion daily signals from the Zscaler Zero Trust Exchange. Check out the ThreatLabz research team's top 13 cyberthreat predictions for 2023 below:


1. Spoiler! Attacks will be harder to catch in 2023

If you are not surprised by this spoiler, then you’re in luck: the rest of these predictions are intended for you.

What we know:

  • On one end of the spectrum, RaaS and other Crime-as-a-Service offerings are enabling novice cybercriminals to launch highly sophisticated attacks featuring SSL encryption, hard-to-detect browser-in-the-browser (BitB) attacks, grammatically perfect phishing templates, customizable ransomware, and in-depth target profiles.
  • On the other end, the threat group Lapsus$ has shown us the impact of exfiltrating sensitive data via supplier compromise and smash-and-grab attack techniques.
  • Across the full spectrum, threats are becoming more frequent and harder to catch, with shortened dwell time between compromise and final attack.


2. Rising use of CaaS offerings

Crime-as-a-Service (CaaS) encompasses the full range of cyberthreat service offerings. As threat actors seek to increase payouts, they will leverage more service model offerings to scale their operations faster.

What we know:

  • Ransomware-as-a-Service (RaaS) offerings emerged in 2016 to provide business-like operational support for cybercriminals.
  • RaaS has become incredibly popular, and it now drives the bulk of modern ransomware attacks with 8 of the top 11 ransomware families from the past year utilizing RaaS ecosystems.


3. Shift to easier targets

Evolving threat models across the landscape lead to updated targets as threat actors seek to reduce sunk costs and increase profits.

What we know:

  • Ransomware models are continuously updated to avoid detection and improve efficacy.
  • More attackers are using prebuilt RaaS offerings and company profiles that have been leaked or put up for sale on the dark web.
  • Ransomware threat actors want to keep sunk costs low, and smaller businesses are more accessible to target and attack.


4. Supply chain attacks will increase

Supply chain attacks are those in which adversaries compromise partner and supplier ecosystems to reach their ultimate target and goal. Compromising a target’s weaker suppliers is easier and has led to successful upstream attacks, which is why the use of this tactic is likely to increase in the future.

What we know:

  • Every organization has a supply chain network and suppliers may have access to critical tools and information.
  • Discovering affiliates in the supply chain is relatively easy for attackers and may happen by chance during an adjacent compromise or attack.
  • Weaknesses in the supply chain are hard to uncover and can hugely increase the risk of a cyberattack for more secure organizations.


5. More malware delivery via phishing attacks

Threat actors using phishing kits are also looking to reap large payouts on their investments. They will typically invest significant time and effort into picking ideal targets and gathering intel on their ability to pay, along with other information that can be used in malware attacks. This is especially beneficial for ransomware gangs and their affiliates.

What we know:

  • Using CaaS offerings makes it easy for opportunistic threat actors at any technical skill level to take the next step and launch successful attacks, including phishing, stealers, malware deployment, and even ransomware, against targets.
  • The reliance on business email to exchange files and complete business transactions and other required tasks makes it a prime hotbed for delivering malware to unsuspecting users.
  • Cloud services make malware delivery easier as users tend to give cloud platforms like Google more implicit trust.


6. Dwell time will continue to decrease

Dwell time is the length of time between the initial compromise and the final stage of the attack, where the final threat, such as ransomware, is deployed in the victim's environment. For most organizations, this is also the window in which defenders can detect and stop an attack before it causes damage.

What we know:

  • The median dwell time for ransomware incidents is five days, according to Mandiant’s 2021 M-Trends report.
  • Speed is key to ensuring an attack succeeds and increases the odds of getting a payout. Ransomware dwell time is steadily decreasing, and shorter dwell times make it harder for defenders to stop attacks.


7. Attackers will continue rebranding

Malware families, ransomware gangs, and other cybercriminal associations reorganize themselves frequently. They may choose to rebrand because of new member affiliations, to avoid criminal charges, and to ensure they can secure cyber insurance payouts.

What we know:

  • Federal agencies are getting better at tracking ransomware payments and identifying threat actors, affiliates, and supply chains.
  • Attackers may choose to reaffiliate or rebrand to avoid criminal convictions and to thwart tracking or identification efforts by government and law enforcement agencies.
  • Attackers are learning more about cyber insurance to secure payouts, including details about deductibles, premiums, and payment coverage that they use to customize extortion demands.
  • More and more cyber insurance policies declare they will not pay out for the same type of cyberattack more than once per victim, so some families may choose to rebrand to ensure they can get an initial payout, or future payments, from victims with cyber insurance.


8. Exploits will continue to cause damage

There have been some major vulnerabilities discovered in the past year (e.g., Log4j, PrintNightmare, ProxyShell/ProxyLogon) that organizations will be dealing with for years to come.

What we know:

  • Attackers will continue to search for and exploit unpatched and out-of-date software and servers to bypass security controls.
  • New vulnerabilities and exploits will continue to be an issue for defenders to watch.
  • Threat actors wait for new 0-days to launch large attacks while organizations try to play catch-up and patch their vulnerable systems.


9. Wipers will be used in political conflicts

Wipers are an effective way of disrupting critical services and are typically launched at government websites, systems, infrastructure, and other key resources that will cause severe operational damage to the targeted nation or organization.

What we know:

  • In the ongoing geopolitical conflict, Russian attacks against Ukraine include the use of wipers disguised as ransomware.
  • Disguising wipers as ransomware gives nation-state threat actors a layer of deniability by letting them point the finger at financial vs. political motives.
  • Observed examples of these wipers are very poorly disguised and become quite obvious under even the slightest scrutiny. This may be done on purpose as a fear-spreading tactic to let victims and potential allies know they are being targeted.


10. Endpoint protection will not be enough

What we know:

  • Threat actors will increase the use of tactics to bypass antivirus and other endpoint security controls.
  • Attacks will increasingly focus on core business service technologies, e.g. VMware ESX.
  • Organizations will have an even greater need for defense-in-depth rather than relying solely on endpoint security to prevent and detect intrusions.
  • To bypass firewalls and other legacy security technology, ransomware adversaries have been encrypting data troves before transferring them out of the target’s environment.


11. Data extortion will surge

What we know:

  • Multi-extortion tactics have been on the rise since 2019 and more and more groups are adopting this effective tactic. As a result, sensitive data theft has been increasing and more data leak sites are emerging.
  • If victims are willing to pay to prevent their sensitive data from being leaked, ransomware threat actors don’t need to encrypt.
  • Encryptionless data extortion attacks by ransomware actors have already been observed in the threat landscape.
  • Data ransom attacks without encryption involve no recovery time if victims pay the ransom before the data is leaked. Attackers see this as preferable, as do victims who pay and don’t have to undergo the full recovery process.
  • This trend reduces the number of steps in the attack sequence at which defenders can detect and stop these threats.


12. Leaked source code will lead to forks

Updated and forked versions of malware and other threats make it harder for defenders to detect because there are so many variants using custom techniques to deploy the same attack and the variants will continue to evolve at different rates.

What we know:

  • Malware source code can be leaked by rival groups, researchers, defenders, or anybody who takes an interest. When source code is leaked, it becomes easier for defenders to build detection rules and put other security measures in place to stop the deployment of these threats.
  • Malware developers will also add more obfuscation in 2023 to hinder reverse engineering and bypass static signature detection by incorporating advanced techniques, including control flow flattening, polymorphic string obfuscation, and the use of virtual machine-based packers.


13. Ransomware services will change

What we know:

  • Ransom payment services are critical for threat actors to get paid, so they will likely continue to improve.
  • Multi-extortion attacks were a response to organizations getting really good at data backup and recovery.
  • Using ransomware recovery tools and decryption keys can take longer than recovering from strong data backup solutions. As a result, more organizations are opting to recover from backups even if they get the decryption key and tools from the attackers.
  • Ransom decryption services are becoming less critical as threat actors find better ways to get paid. As a result, they may invest fewer development resources in them and make it harder for victims to recover via decryption.
  • The preference for Bitcoin may shift to other cryptocurrencies as the FBI and other government agencies crack down and trace and recover more ransoms.


Rethinking your security strategy?

Of concern, some organizations are beginning to accept the dangerous notion that being hit by threats such as ransomware is the new normal. This type of broad acceptance often leads to a flawed approach to security, a lack of investment in preventing attacks, and dangerous industry practices such as accepting the risk of paying the ransom because it may be cheaper the first time. In another example, some companies use certain systems, such as backed-up VMs, as honeypots to attract attackers; when they see threat activity on those systems, they simply delete and restore them. Both of these examples are short-sighted band-aids on a long-haul problem that requires a complete and comprehensive zero trust security strategy, with all the people, processes, and infrastructure needed to adapt to tomorrow's threats.

To help organizations overcome the impending security challenges of 2023 and beyond, the Zscaler Zero Trust Exchange delivers seamless zero trust architecture that helps stop attacks in the following ways:

  • Prevents compromise: Full SSL inspection at scale, browser isolation, and policy-driven access control to prevent access to suspicious websites.
  • Eliminates lateral movement: Connect users directly to apps, not the network, to limit the blast radius of a potential incident.
  • Shuts down compromised users and insider threats: If an attacker gains access to your identity system, we can prevent private app exploit attempts with in-line inspection and detect the most sophisticated attackers with integrated deception.
  • Stops data loss: Inspect data-in-motion and data-at-rest to prevent potential data theft from an active attacker.


Stop cyberthreats with Zscaler

Zscaler Internet Access helps identify and stop malicious activity by routing and inspecting all internet traffic through the Zero Trust Exchange. Zscaler blocks:

  • URLs and IPs observed in Zscaler cloud, and from natively integrated open source and commercial threat intel sources. This includes policy-defined high-risk URL categories commonly used for phishing such as newly observed and newly activated domains.
  • IPS signatures developed from ThreatLabz analysis of phishing kits and pages.
  • Novel phishing sites identified by content scans powered by AI/ML detection.

Advanced Threat Protection blocks all known command-and-control domains.

Advanced Cloud Firewall extends command-and-control protection to all ports and protocols, including emerging C&C destinations.

Cloud Browser Isolation creates a safe gap between users and malicious web categories, rendering content as a stream of picture-perfect images to eliminate the leakage of data and the delivery of active threats.

Advanced Cloud Sandbox prevents unknown malware delivered in second stage payloads.

Zscaler Private Access safeguards applications by limiting lateral movement with least privileged access user-to-app segmentation and full in-line inspection of private app traffic.

Zscaler Deception detects and contains attackers attempting to move laterally or escalate privileges by luring them with decoy servers, applications, directories, and user accounts.


Discover more

Interested in learning more about staying safe from cyberthreats in 2023? Click here for Zscaler’s perspectives.

This blog is part of a series of blogs that look ahead to what 2023 will bring for key areas that organizations like yours will face. The next blog in this series covers hybrid workforce predictions for 2023.
