As the year draws to a close, we chat to Head of Security at Intersys Jake Ives, for a full debrief of the last 12 months in cyber security. We’re looking at stories from the UK and beyond that have highlighted current and emerging trends in security. As always, we include solutions for the big threats out there.
Whether it’s getting a detailed cyber security gap analysis or going for Cyber Essentials Plus certification, there are always steps that every organisation can take to stay protected.
Jake, what were the big cyber attack strategies on your scanner this year?
Ransomware as a tactic dominated the headlines this year. The National Crime Agency has warned that it ‘[…] continues to be the most significant, serious and organised cyber crime threat faced by the UK’, whether it was against NHS blood testing platform Synnovis or American health insurance giant UnitedHealth. Hackers are also turning to Ransomware-as-a-Service as a way to carry out advanced attacks without needing the technical know-how themselves.
The sophistication of phishing campaigns is another big one for me. Phishing is no longer restricted to just the traditional email. Attackers have increasingly used QR codes and SVG images to deliver malicious payloads, exploiting the trust users place in these formats.
There was also the abuse of Microsoft Word’s file recovery feature where hackers sent corrupted Word documents as email attachments to bypass security software. Another strategy used in phishing scams was the abuse of clean URLs and services like TryCloudFlare (that are intended for genuine audiences) to deliver malware. Over the past six months, we’ve seen several types of malware being distributed via clean URLs with open redirect flaws.
We also saw a significant uptick in man-in-the-middle and reverse proxy attacks where cybercriminals intercept and alter communications between two parties to steal sensitive information.
What’s worse, the availability of sophisticated cyber crime tools – e.g. phishing-as-a-service – has lowered the barrier to entry for cyber criminals. It’s allowing even less technically skilled attackers to launch effective phishing campaigns such as the above using ready-made tools and services.
Another trend that caught my eye was a sharp increase in SIM swapping. This is where scammers effectively take over your phone number by transferring it to their SIM card. This allows them to receive your texts, calls, and more importantly, any 2FA authentication codes which they use to change passwords and hack into emails and accounts. People must be aware that like phone call MFA, receiving your MFA codes via SMS text is no longer secure.
If you haven’t done so already, make sure to move to a more secure app-based MFA method such as Google or Microsoft Authenticator. You might also want to reach out to your phone operator and ensure that your account details are up to date and that all available security is implemented.
From a cyber criminal’s point of view, what made a vulnerable target in 2024?
Targeting third-party suppliers, whether software suppliers, hosting providers or data custodians, can be lucrative. This is because several organisations can be at the other end of a nondescript, third-party provider’s supply chain. Incidents involving third-party cloud storage platforms were prominent this year.
Vulnerabilities in cloud storage services were exploited to access sensitive data from multiple organisations, highlighting the risks of relying on third-party providers. Just look at the AT&T data breach where records of calls and texts of AT&T customers were stolen by hackers. The data was stored on a poorly protected third-party cloud storage company, Snowflake. AT&T was one amongst several other companies including Ticketmaster and Santander that were affected by cyber attacks on Snowflake’s customer environments.
Which were the most disruptive cyber incidents of 2024?
- The Russian ransomware attack on the blood test management platform Synnovis was a stark reminder that poor cyber security can actually put lives in danger. The attack affected all of Synnovis’ IT systems and consequently disrupted clinical services including thousands of procedures and appointments across six NHS trusts. Medical records were left inaccessible and hospitals were unable to verify patients’ blood types. The NHS has become an easy target for threat actors as its cyber security is notoriously lax from decades of funding cuts and lack of modernisation. The recent updates to the NHS Data Security and Protection Toolkit, which will now align NHS England with the National Cyber Security Centre’s cyber assessment framework, are a welcome move. In a wider context, the new government’s Cyber Security and Resilience Bill is also expected to help secure national infrastructure by expanding its remit to include more digital services and supply chains.
- Across the pond, the healthcare sector was firmly within hackers’ sights as the UnitedHealth ransomware attack caused havoc in America’s private health insurance system. 100 million people were affected when the breach caused massive problems with claims processing. The incident also led to the tragic shooting of UnitedHealth’s CEO Brian Thompson. The fallout included a $22 million ransomware payment. UnitedHealth itself said that hackers had potentially stolen a third of America’s data. Hackers broke into a UnitedHealth server with compromised credentials including stolen passwords and emails. The mind-boggling fact here was that America’s biggest health insurance company didn’t use multi-factor authentication protection! Hackers were able to access the system using only basic login details. An absolutely shocking cyber security fail.
- The Transport for London (TfL) cyber attack led to the data of around 5,000 customers being hacked. Multiple services including contactless and Oyster payment systems were also affected. The hack cost TfL £30 million and some services such as the contactless systems have only recently been restored. 27,000 employees were asked to present themselves in-person to have their passwords changed and digital identities verified. What I found most intriguing about the incident was the arrest of a 17-year-old boy. Details are still sketchy about the exact attack strategy used and hopefully will emerge after the investigation is complete. I fear that sophisticated hacking tools are now making it easy for relatively inexperienced hackers to carry out complex attacks. You don’t need a degree in computer science to pull it off. Just an internet connection and a clear idea of what you want to do. TfL, just like the NHS, has suffered from long-term underfunding and attacks such as these highlight the importance of protecting our critical national infrastructure.
- Staying on the topic of critical national infrastructure, the lax security at the state-owned Sellafield nuclear waste facility was a real eye-opener for me. How could Britain’s most hazardous nuclear site have security so poor that a whopping 75% of its computer systems were susceptible to cyber attacks? The Office for Nuclear Regulation slapped it with an almost £400,000 fine and declared that information that could threaten national security was left exposed for years. When it comes to critical national infrastructure, regulatory bodies must insist on clear actionable steps that facilities must take to improve their cyber security. For instance, mandating twice-yearly penetration tests undertaken by two independent security providers would highlight any security gaps.
What key cyber security trends should we expect to see in 2025?
The rise and rise of malicious AI
I know I say this every year but AI-driven cyber attacks are only going to get more sophisticated and harder to spot. Until very recently I was advising clients to be on the lookout for telltale signs of a phishing email such as poor spelling and grammar, dodgy-looking logos or links. But now with the next generation of AI-powered phishing tools, it’s going to be fairly easy for hackers to create authentic-looking phishing emails that can sneak under the radar. Similarly, gone are the days when a green padlock symbol was the sign of a ‘safe’ site. It’s so easy to get SSL certificates now that even phishing sites sport them!
But this is where the emphasis on user awareness and education is going to become even more crucial in the new year. There are still some things that we should all be looking out for such as carefully inspecting the full URL rather than just looking at the first half of it.
But it’s certainly an arms race and threat actors have very sophisticated tools at their fingertips. That’s why getting basic cyber security in order is becoming essential.
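As an added illustration of the URL advice above (this is not code from the original article or from Intersys), a small Python checker that extracts the host a browser will actually connect to, flags a trusted brand that appears only as a subdomain prefix, and surfaces a destination hidden in a redirect parameter (the open-redirect abuse mentioned earlier). The trusted host list and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed list of hosts a user expects to see; not a real allow-list.
TRUSTED_HOSTS = {"login.microsoft.com", "accounts.google.com"}
# Query parameter names commonly used by redirect endpoints to carry a destination.
REDIRECT_PARAMS = ("url", "redirect", "next", "return", "goto", "dest")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'example-verify.net'.
    A real public-suffix list is needed for suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url: str) -> dict:
    """Report what a careful reader should check: the real host, whether a
    trusted brand is only a prefix of it, whether the padlock (https) is
    present, and whether the URL forwards to a different domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    for trusted in TRUSTED_HOSTS:
        brand = registrable_domain(trusted)
        if brand in host and domain != brand:
            findings.append(f"'{brand}' appears in the host but the real domain is '{domain}'")
    if parts.scheme != "https":
        findings.append("no TLS: the padlock would be missing")
    # Text before '@' is userinfo, not the host, so the eye is drawn to the wrong name.
    if parts.username:
        findings.append(f"'@' in URL: '{parts.username}' is not the host, '{host}' is")
    # Open redirect: the real destination is carried in a query parameter.
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                dest = urlsplit(value).hostname
                if dest and registrable_domain(dest) != domain:
                    findings.append(f"forwards to '{dest}' via the '{key}' parameter")
    return {"host": host, "domain": domain, "findings": findings}


if __name__ == "__main__":
    for sample in ("https://login.microsoft.com/",
                   "https://login.microsoft.com.example-verify.net/signin",
                   "https://trusted.example/out?url=https://evil.example/login"):
        print(sample, "->", inspect_url(sample)["findings"] or "nothing flagged")
```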
Brace yourself for more state-sponsored attacks online
The impact of wider global conflicts is also going to be felt on our shores. We have seen how consistently cyber crime groups with ties to Russia, China and other hostile states have tested our security defences this last year. We should expect more of the same in 2025.
Britain’s cyber security chief Richard Horne has already warned that hostile activity in cyber space went up by 16% in 2024 alone. These figures are worrying but there are steps that organisations of all sizes can take to shore up their security.
I would recommend fundamental exercises such as gap analysis and cloud security reviews to understand your current security posture. Then implementing security controls such as DMARC (to prevent email spoofing) and conditional access policies in MS365 (to ringfence sensitive data and applications) is crucial. Regular penetration tests can also expose unknown security gaps in your systems and finally, a continued programme of user education and awareness is essential to ensure a culture of security within the organisation.
Simple things like posting your personal political views on LinkedIn can give politically motivated hackers more of a reason to target you and your organisation.
I’d also like to advise home users to be more careful when buying cheap IoT devices and placing these on the same network as their other network equipment. The security on some of these devices is often really poor and frequently responsible for opening backdoors in networks. Think twice about placing that cheap £15 camera on your network. Rotate your wireless keys, disable UPnP on your routers and use the guest network isolation functionality built into routers to place IoT devices onto this network.
In 2024, hostile state actors targeted Western organizations more aggressively. The KnowBe4 incident revealed a new employee’s device was compromised with malware by a fake IT worker from North Korea, despite rigorous hiring procedures. AI advancements now enable threat actors to create deep fakes and perform previously impossible tasks.
Passwordless authentication on the horizon
This one may not happen overnight but the idea that you should not have to rely on easily hackable passwords to log into your accounts is no longer theoretical. Windows Hello for Business uses biometrics or a PIN to allow users to log into their Windows devices. Google and Apple passkeys work similarly and all are more resistant to phishing and brute-force attacks. I’m expecting to see the healthcare, financial, manufacturing and enterprise sectors as early adopters of this security measure as they are considered more vulnerable.
The need for cyber security audits
I anticipate that more organisations are going to see the benefit of engaging cyber security firms to conduct an in-depth security audit of their entire IT infrastructure.
It’s a hugely important first step to understanding the current state of your cyber security, uncovering flaws and taking mitigation actions. For instance, a security audit can find out if any parts of an organisation’s services are unnecessarily exposed to the internet.
This kind of intelligence can help organisations secure themselves from unauthenticated remote code executions (where hackers can remotely spread malicious code on a computer by connecting to it over public or private networks).
We saw just such an attack this year in a critical SSH vulnerability. While, in theory, it could take a hacker two or three weeks to exploit this flaw, the organisations that had minimised their systems’ exposure to the internet in the first place were better protected.
The importance of being Cyber Essentials certified
If there’s one thing that organisations of all sizes can do right now to bolster their cyber security, it’s to get Cyber Essentials certification. The National Cyber Security Centre has made that quite clear in its annual review for 2024.
This government-backed scheme is a great starting point for protection against a variety of the most common cyber attacks. Getting this certification will ensure your systems have the right kind of technical controls in place to repel common types of phishing, malware, ransomware, password guessing and network attacks. For organisations looking for more in-depth protection, there is also the Cyber Essentials Plus certification which also includes a hands-on technical verification.
Research has shown that organisations who implement Cyber Essentials controls are 92% less likely to make a claim on their cyber insurance. A big part of my job is helping clients get Cyber Essentials certified through our comprehensive Cyber Essentials readiness and assessment service. We take the stress out of the whole process by managing it right from initial consultancy, implementing mitigation through to filling out the application. It’s a security measure that not enough people are taking seriously in my opinion.
Jake Ives is Head of Security at Intersys and is at the coalface of all things cyber sec from Microsoft 365 and Azure compliance and security to penetration testing, gap analysis, security research, systems analysis and monitoring.
Intersys offers comprehensive cyber security services ranging from Cyber Security as a Service and Security Operations Centre to ransomware response, security audits and penetration testing.