08 Jul Largest Cyberattacks and Breaches in 2024
Largest Cyberattacks and Breaches
If the pace of big cyberattacks in the first half of 2024 appears to be constant, that’s because it is: the first six months of the year have seen firms fall victim to a succession of ransomware assaults as well as data breaches aimed at data theft and extortion.
While recent years have seen an increase in cyberattacks, they have mostly spared the general population from considerable interruption – something that has not been the case thus far in 2024.
For example, the February ransomware assault on UnitedHealth-owned prescription processor Change Healthcare caused widespread disruption in the United States’ health-care system for weeks, stopping many pharmacies and hospitals from processing claims and getting reimbursements. Then, in May, the Ascension health system was hit by a ransomware assault, forcing it to redirect emergency treatment from several of its facilities.
Most recently, CDK Global suffered a severe ransomware assault that crippled hundreds of auto dealerships who use the company’s infrastructure. The disturbances were still going on nearly two weeks after the original strike.
The assaults have sparked concerns about whether threat actors are deliberately targeting enterprises whose patients and customers would be adversely impacted by the interruptions in order to build pressure on the corporations to pay a ransom. If so, the strategy appears to have worked, since UnitedHealth paid a $22 million ransom to a Russian-speaking cybercrime ring that carried out the Change Healthcare assault, and CDK Global apparently planned to pay attackers’ ransom demands as well.
This may not have been the attackers’ plan, according to Mark Lance, vice president for DFIR and threat intelligence at GuidePoint Security, ranked 39th on CRN’s Solution Provider 500 for 2024.
“Do I believe it was indirect, or was there an intention to have an influence on all of these downstream providers? You never know,” Lance said. With regard to those that distribute ransomware, “a lot of times, they might not even recognize the level of impact indirectly [an attack] is going to have on downstream providers or services.”
However, he would not completely rule out the possibility that attackers “might be using that as an opportunity to leverage [the disruption] and make sure they get paid.” And if mass-disruption assaults such as these continue and point toward a “distinct trend,” it would mark a significant shift in attacker tactics, Lance said, given that threat actors have typically steered clear of strikes that would draw the attention of government and law enforcement.
Other high-profile cyberattacks in the first half of 2024 included the massive compromise of Ivanti VPNs and the hack of Microsoft executive accounts, both of which affected US federal institutions, as well as major data-theft assaults against Snowflake clients.
The following are the information we’ve gathered about ten big cyberattacks and data breaches in 2024 (in chronological order).
Following the January publication of two high-severity zero-day vulnerabilities in Ivanti’s widely used Connect Secure VPNs, threat actors exploited them extensively. According to researchers, hundreds of Ivanti VPN devices were compromised during the assaults, and the victims included the United States Cybersecurity and Infrastructure Security Agency (CISA). Other victims included Mitre, a significant supplier of federally supported R&D and the developer of a framework for describing cyberattack techniques that is widely used in the security sector.
While several additional vulnerabilities were eventually discovered, researchers at Google Cloud-owned Mandiant reported that the two original Ivanti VPN vulnerabilities saw “broad exploitation activity” by a China-linked threat group known as UNC5221, as well as “other uncategorized threat groups.” The assaults by UNC5221 — “suspected China-nexus espionage”
Following the assaults, CISA issued an urgent directive to civilian executive branch agencies, asking them to unplug their Ivanti Connect Secure VPNs within 48 hours. Ivanti issued the first fix for some versions of its Connect Secure VPN software on January 31, three weeks after the first vulnerability was disclosed. “In this case, we prioritized mitigation releases as patches were being developed, consistent with industry best practices,” Ivanti said in a statement to CRN.
Microsoft Executive Account Breach
In January, Microsoft said that a threat actor affiliated with Russia was able to collect emails from members of its top leadership team, as well as cybersecurity and legal workers. The IT behemoth blamed the attack on a group known as Midnight Blizzard, which has previously been linked to Russia’s SVR foreign intelligence agency by the US government and held responsible for breaches such as the widely reported 2020 SolarWinds breach.
CISA acknowledged that many federal entities were among the customers impacted by the incident. Midnight Blizzard “exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft,” according to an emergency directive issued by CISA.
In June, Microsoft revealed that it had sent out more warnings to users affected by the attack, informing them that their emails had been viewed. “This is increased detail for customers who have already been notified, as well as new notifications,” the business stated.
According to Microsoft, the breach, which is thought to have started in November 2023, began with the attackers gaining access to a “legacy” account that was not protected by MFA (multifactor authentication).
SOHO Routers Attacks
In February, the FBI discovered that a China-linked threat organization had hijacked “hundreds” of small office/home office (SOHO) routers situated in the United States as part of an effort to hack US critical infrastructure providers. The FBI claimed it was successful in blocking the activities of Volt Typhoon, an organization funded by the Chinese government. The Volt Typhoon assaults targeted key service providers such as communications, energy, water, and transportation, according to the FBI.
The gang’s hacked routers combined to form a botnet of malware-infected devices that the threat group might employ to execute an assault against important infrastructure in the United States, according to the FBI.
Later in February, the FBI announced that it had stopped a massive effort by Russia-aligned hackers that had penetrated “hundreds” of SOHO routers. The FBI blamed the assaults on the Russian intelligence organization GRU, which had also attempted to utilize the seized routers as a botnet for spying purposes.
Change Healthcare Attacks
The Change Healthcare hack, which was first discovered on February 22, caused weeks of widespread disruption in the United States’ health-care system. The IT system breakdown that occurred in reaction to the ransomware assault prohibited many pharmacies and hospitals, as well as other health-care institutions and offices, from processing claims and accepting payments.
The Russian-speaking cybercriminal organization known as Blackcat (also called Alphv) claimed responsibility for the ransomware assault. UnitedHealth Group CEO Andrew Witty acknowledged in Congressional testimony in May that UnitedHealth paid a $22 million ransom following the attack.
Following that, a separate cybercriminal organization, RansomHub, claimed to have stolen data from Change Healthcare and put it online. UnitedHealth stated in late April that data belonging to a “substantial proportion” of Americans may have been taken during the attack on prescription processor Change Healthcare, a unit of the insurer’s Optum subsidiary. In testimony at a United States House of Representatives hearing on May 1, Witty stated that the assault affected “maybe a third” of all Americans.
Change Healthcare stated in June that it now thinks the assault exposed sensitive patient medical data. Medical data seized during the hack might have included “diagnoses, medicines, test results, images, care and treatment,” according to a data breach warning released by Change Healthcare.
ConnectWise ScreenConnect Attacks
ConnectWise announced in February that two vulnerabilities had been discovered in its ScreenConnect product, which affected MSPs utilizing ScreenConnect both on-premises and in the cloud. Mandiant later discovered “mass exploitation” of the vulnerabilities by many threat actors. “Many of them will deploy ransomware and conduct multifaceted extortion,” a post on Mandiant’s website reads.
ConnectWise stated that it immediately “recognized the heightened risk of exploitation with any patching delay” and “employed additional preventative measures,” before issuing updates within days of the announcement. During the assaults, CISA issued a notification advising ConnectWise partners and end customers to turn off all on-premises ScreenConnect servers if they were unable to update to the newest version.
XZ Utils compromise
In March, Red Hat and CISA reported that the two most recent versions of XZ Utils, a popular set of data compression tools and libraries in Linux distributions, had been hacked. However, the software supply chain intrusion, described as a “nightmare scenario” by numerous experts, was detected by a Microsoft developer before the affected program was widely spread.
According to the original maintainer of the XZ Utils project, a contributor was responsible for inserting malicious code.
Andres Freund, a Microsoft engineer, said in a blog post that he identified the vulnerability after noting “odd” behavior on Debian systems, such as longer login times and higher CPU use. Security researchers praised Freund for going above and beyond to investigate the problem, which led to the discovery of the software’s backdoor.
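The signals Freund noticed (slower logins, more CPU time) are the kind of thing a defender can track deliberately rather than stumble on. The following is an added example, not code from the article, from Freund’s write-up or from the XZ Utils project: it records wall-clock and child-CPU time for a command and flags days on which both latency and CPU time drift well above a baseline. The sample measurements and the `factor` threshold are constructed for illustration.

```python
"""Added example: baseline-versus-drift check over periodic timing samples.

Each sample is (day, wall_seconds, cpu_seconds) for one login-like operation.
The numbers in BASELINE and RECENT are constructed, not real measurements.
"""
import os
import subprocess
import time
from statistics import median


def sample_command(argv):
    """Run argv once and return (wall_seconds, child_cpu_seconds).

    In practice argv would be something like an ssh login to localhost;
    here any short command works because the point is the bookkeeping.
    Child CPU time comes from os.times() deltas, so this is Unix-only.
    """
    before = os.times()
    start = time.perf_counter()
    subprocess.run(argv, check=True, stdout=subprocess.DEVNULL)
    wall = time.perf_counter() - start
    after = os.times()
    cpu = (after.children_user - before.children_user) + (
        after.children_system - before.children_system
    )
    return wall, cpu


# Constructed samples: a quiet week, then two days where the same operation
# takes noticeably longer and burns far more CPU.
BASELINE = [(d, 0.30 + 0.02 * (d % 3), 0.05) for d in range(1, 8)]
RECENT = [(8, 0.31, 0.05), (9, 0.85, 0.40), (10, 0.90, 0.45)]


def flag_drift(baseline, recent, factor=2.0):
    """Return the day numbers in `recent` whose wall time AND CPU time both
    exceed `factor` times the baseline median.

    Requiring both signals avoids alerting on a single slow login caused by
    network jitter; a real slowdown inside the login path shows up in both.
    """
    wall_base = median(s[1] for s in baseline)
    cpu_base = median(s[2] for s in baseline)
    flagged = []
    for day, wall, cpu in recent:
        if wall > factor * wall_base and cpu > factor * cpu_base:
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    print("one live sample:", sample_command(["true"]))
    print("drifting days:", flag_drift(BASELINE, RECENT))
```

The threshold is deliberately crude; the useful part is keeping a per-host baseline at all, so that a change in the cost of a routine operation is something that gets noticed rather than something only a curious engineer happens to observe.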
AT&T Breach
Ascension Ransomware Attack
Ascension, a health-care group with 140 hospitals and activities in 19 states and Washington, D.C., announced in May that clinical operations had been affected due to a ransomware assault. The nonprofit and Catholic health institution said that on May 8, “we detected unusual activity on select technology network systems.”
The May attack, which began when an employee unwittingly downloaded malware, led Ascension to shift emergency treatment away from some of its facilities.
Ascension later verified that data, including patient health information, was likely taken during the hack. “We now have evidence that indicates that the attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks
Snowflake Customers Targeted
According to Mandiant analysts, multiple assaults against Snowflake clients in June resulted in the theft of a “significant” volume of data and potentially affected more than 100 customers.
Neiman Marcus Group is among the most recent victims of the Snowflake assaults, along with Ticketmaster, Santander Bank, Pure Storage, and Advance Auto Parts. The surge of data theft assaults is thought to be using stolen credentials.
A cybercriminal organization is “suspected to have stolen a significant volume of records from Snowflake customer environments,” Mandiant analysts said. The impacted accounts had not been configured with MFA (multifactor authentication), Mandiant researchers confirmed.
In its caution, Snowflake stated that it is “developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies.”
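Both the Microsoft breach above (a legacy account with no MFA) and the Snowflake campaign (stolen credentials used against accounts without MFA) come down to single-factor logins that nobody was watching. The following is an added example, not code from the article, from Snowflake or from Microsoft: it reads constructed JSON-lines login events, lists accounts that have ever logged in successfully without MFA, and flags single-factor logins from outside an allowed network range, which is the “MFA or network policies” combination Snowflake refers to. The event format, field names and the `10.0.0.0/8` allowlist are assumptions for the example.

```python
"""Added example: find single-factor logins that a network policy would block.

SAMPLE_LOG is constructed; the field names are assumed, not a real vendor schema.
"""
import ipaddress
import json

# Constructed login events (one JSON object per line).
SAMPLE_LOG = """
{"ts":"2024-05-20T08:01:00Z","user":"alice","result":"success","mfa":true,"ip":"10.0.0.5"}
{"ts":"2024-05-20T08:05:00Z","user":"svc_legacy","result":"success","mfa":false,"ip":"10.0.0.9"}
{"ts":"2024-05-28T02:13:00Z","user":"svc_legacy","result":"success","mfa":false,"ip":"203.0.113.77"}
{"ts":"2024-05-28T02:14:00Z","user":"bob","result":"failure","mfa":false,"ip":"203.0.113.77"}
{"ts":"2024-05-28T02:20:00Z","user":"bob","result":"success","mfa":true,"ip":"198.51.100.4"}
"""

# Assumed corporate range; anything outside it is "off-network".
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_events(text):
    """Yield one dict per non-empty line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def single_factor_accounts(events):
    """Accounts that have completed at least one successful login without MFA.

    These are the accounts to enrol in MFA first: a stolen password alone is
    enough to use them.
    """
    return {e["user"] for e in events if e["result"] == "success" and not e["mfa"]}


def off_network_single_factor_logins(events, allowed_nets=ALLOWED_NETS):
    """Successful logins that had no MFA and came from outside allowed_nets.

    Returns (user, ip) pairs in log order. Failed attempts are ignored here;
    they belong in a separate brute-force/credential-stuffing detector.
    """
    findings = []
    for e in events:
        if e["result"] != "success" or e["mfa"]:
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in allowed_nets):
            findings.append((e["user"], e["ip"]))
    return findings


if __name__ == "__main__":
    evts = list(parse_events(SAMPLE_LOG))
    print("accounts seen logging in without MFA:", sorted(single_factor_accounts(evts)))
    print("single-factor logins from off-network:", off_network_single_factor_logins(evts))
```

On the constructed data the legacy service account shows up twice: once as an account that needs MFA at all, and once for the off-network login that a network policy alone would have stopped. Either control would have changed the outcome; the example is structured so each check can be wired to its own alert.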
CDK Global Attack
CDK, a software supplier for 15,000 dealerships, took down the majority of its systems following two intrusions on June 18 and 19. The firm offers SaaS-based CRM, payroll, finance, and other critical activities to dealerships. In a recorded message for clients heard Monday, the business said that the problems from the assaults are still affecting consumers, but CDK stated that its “customer care support channels are now live.”
The firm announced on Friday that it had reconnected “one of our large public dealers” to its primary dealer management system (DMS), as well as restored DMS access for a second “small group” of dealerships. CDK said that the first small group had already been returned to its DMS system.
While CDK was recovering from the initial attack on June 18, the business reported a second strike the next day. “Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems,” CDK stated in an earlier statement to CRN. The system meltdown caused an outage that significantly impacted thousands of vehicle dealerships.
CDK has declined to comment on media rumors that the firm planned to make a ransom payment worth tens of millions of dollars in order to retrieve its systems more swiftly.