2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem
As we looked back at the security incidents, events and stories that demanded attention over the past year, it became crystal clear that high-profile data breaches and zero-day attacks would continue to dominate the headlines.
It seemed that hardly a week went by without some sort of cybersecurity incident making headlines, stretching spending budgets to the limits as CISOs and defenders navigated a worsening economy and staff cuts that hurt security programs.
In this review of the top stories of 2022, SecurityWeek editors take a closer look at the five big stories that shaped 2022 and what they might mean for the future of securing data at scale.
Lapsus$ wreaks havoc
The year began with defenders still scrambling to mitigate the Log4j supply chain crisis but, under the surface, something equally dangerous was lurking and preparing to cause carnage to some of the biggest names in the high-tech sector.
Lapsus$, codename for a gang of financially motivated cybercriminals, raised eyebrows with an “extortion and destruction” hacking spree that exposed and embarrassed prominent companies like Nvidia, Samsung, Ubisoft, Uber and Rockstar Games.
The Lapsus$ carnage also hit tech heavyweights Microsoft and Okta, with Redmond publicly documenting “a large-scale social engineering and extortion campaign” and Okta badly botching its communications with customers on the extent of its breach.
“[The group is] known for using a pure extortion and destruction model without deploying ransomware payloads,” Microsoft warned in a note acknowledging its own systems were compromised in the high-profile raids.
By the end of 2022, the Lapsus$ compromises were so significant that the US government took notice and assigned its CSRB (Cyber Safety Review Board) to “review the cyber activity of Lapsus$ in order to analyze their tactics and help organizations of all sizes protect themselves.”
The zero-day bonanza
For the second year in a row, documented cases of in-the-wild zero-day attacks remained on the front-burner with new data showing zero-day exploit activity has spread to low-tier cybercriminals.
At the end of 2022, there were 52 publicly documented zero-day attacks hitting a wide range of software products, most notably affecting code from big-tech vendors Microsoft, Google and Apple.
More worrisome, the zero-day attacks have been observed targeting software and firmware vulnerabilities in products from Cisco, Sophos, Trend Micro, Atlassian, Magento and QNAP Systems. Over the course of the year, multiple vendors, including Fortinet and Citrix, were forced to ship emergency fixes in the face of zero-day exploitation.
According to data tracked by SecurityWeek, Microsoft vulnerabilities accounted for about 23% of all zero-day exploitation in 2022, followed by Google Chrome (17%), and Apple products (17% combined iOS and macOS zero-days).
Over the course of 2022, the US government’s cybersecurity agency CISA added “known exploited vulnerabilities” to its must-patch catalog at a nonstop clip, with VPNs, firewalls and firmware featured prominently in the product categories under attack.
Big tech takes on mercenary spyware vendors
Throughout 2022, the public exposure and naming-and-shaming of mercenary spyware vendors continued at a rapid pace as companies like Cytrox, Candiru, BellTroX, and DSIRF joined the more notorious NSO Group in the category of companies selling hacking tools or services and performing hack-for-hire targeted attack operations.
The big-tech crackdown, which includes court filings by Facebook parent company Meta, public documentation by Microsoft and congressional appearance by Google, paints a picture of a surveillance-for-hire industry spread across the globe, with hacking teams based in the US, Europe and Israel.
Some new names that popped up in 2022 include Cobwebs Technologies, Cognate, Black Cube, Bluehawk CI and CyberRoot (formerly BellTroX) as defenders found signs of zero-day exploitation, spear-phishing campaigns and sophisticated exploit chains.
The expanding surveillance-for-hire activity prompted calls from cybersecurity professionals for the US government to urgently rein in these murky businesses. In an appearance before the House Intelligence Committee, Google’s Shane Huntley called on Congress to consider a “full ban” on federal procurement of commercial spyware technologies and urged expanded sanctions against two notorious vendors – NSO Group and Candiru.
A worrisome trend that emerged from these stories in 2022 was the use of veterans of the intelligence services of US allies and the continued abuse of software by repressive governments targeting journalists, activists and dissidents.
SBOMs and software supply chain security
The push-and-pull in the desperate battle to secure the software supply chain took center stage throughout 2022 as the US government called special attention to firmware security as a “single point of failure” and led robust discussions on the implementation of mandates around SBOMs (software bill of materials).
The SBOM mandate, included in a White House executive order, is part of a push by the federal government to demand security guarantees from vendors and suppliers in the software delivery ecosystem.
As security leaders and CISOs scrambled to figure out how to use – and deliver – the mandatory software ingredient lists, big tech vendors released open-source toolkits for SBOM generation and venture capitalists doubled down on investments in the supply chain space.
However, under the surface, some of the biggest names in IT and software delivery were expressing major objections to the government’s SBOM mandate. By the end of the year, lobbyists representing big tech were publicly calling on the federal government’s Office of Management and Budget (OMB) to “discourage agencies” from requiring SBOMs, arguing that “it is premature and of limited utility” for vendors to accurately provide a nested inventory of the ingredients that make up software components.
The trade group, called ITI (Information Technology Industry Council), counts Amazon, Microsoft, Apple, Intel, AMD, Lenovo, IBM, Cisco, Samsung, TSMC, Qualcomm, Zoom and Palo Alto Networks among its prominent members.
The business of cybersecurity gets bigger
In a year that saw continued expansion of attack surface sprawl, cloud-related data breaches and an expanding ransomware crisis, investors continued to seek profits investing in cybersecurity startups.
The pace of cybersecurity ‘unicorns’ (startups with valuations north of $1 billion) slowed noticeably in 2022 but there was no shortage of big funding deals, especially for early-stage startups tackling software supply chain or cloud data security.
We observed a frenzy among VCs to pour cash into some strange categories (secure enterprise browsers being one example) and a steady flow of investments into companies tackling API security, attack surface management, data security posture management, and software supply chain security.
Google’s $5.4 billion acquisition of Mandiant and the $500 million purchase of Siemplify gave the search marketing giant an impressive cybersecurity stack to add to its enterprise cloud products and signaled a big push to compete with rival Microsoft for cybersecurity-related revenues.
Microsoft passed on big-ticket acquisitions in 2022 but continued to flex its security business muscles with the rollout of new managed services at a time when cybersecurity revenues were hitting the $15 billion annual mark.
The last year saw active moves by big-name private equity firms to buy up companies in the identity and access management space. Significant transactions included Thoma Bravo purchasing Ping Identity for $2.8 billion, SailPoint and ForgeRock for a combined $12 billion; and Vista Equity Partners paying $4.6 billion for KnowBe4.
Related: Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge
Related: Google to Acquire Mandiant for $5.4 Billion in Cash
Related: Big Tech Vendors Objects to US Gov SBOM Mandate