The most high-profile cyberattacks of 2024

16 January 2025 12 minutes Author: Lady Liberty

Several notable cybersecurity events took place in 2024, demonstrating the increasing risks to businesses and users. Readers will learn about key attacks, such as the Internet Archive hack that exposed the data of 33 million users, as well as large-scale attacks on MGM Resorts, Johnson Controls International, and Clorox.

1. Hacked Internet Archive

On October 9, the Internet Archive was hit by two separate attacks simultaneously—a data breach that exposed information on 33 million users and a DDoS attack allegedly orchestrated by the pro-Palestinian group SN_BlackMeta. Although the attacks occurred around the same time, they were carried out by different groups of attackers.

The hackers who broke into the Internet Archive told BleepingComputer that they got in through an exposed GitLab configuration file. The file contained an authentication token that allowed the Internet Archive’s source code to be downloaded.

The resulting code contained additional credentials and authentication tokens, including access to the organization’s database management system. This gave the attackers the ability to download the user database, obtain other source code, and even make changes to the site.

2. CrowdStrike’s Bad Updates Broke 8.5 Million Windows Devices

In the early morning hours of July 19, 2024, a faulty CrowdStrike Falcon update pushed to Windows computers caused a critical kernel driver failure, causing the operating system to crash.

The bug had a global impact, affecting an estimated 8.5 million Windows devices. Users were unable to regain access to their operating system except by using Safe Mode to uninstall the faulty update.

The outage was the result of a defect in the update that CrowdStrike’s content validation failed to catch. This led to severe system failures, including endless reboot loops, that affected not only regular Windows devices but also Windows 365 Cloud PCs.

Given the widespread use of CrowdStrike among financial institutions, airlines, and hospitals, the issue caused widespread disruptions in their operations, suddenly rendering Windows devices and applications unavailable.

Microsoft released a Windows Recovery Tool to help remove the problematic CrowdStrike driver and restore affected systems. Despite the tool, many organizations faced a lengthy recovery process as each device had to be manually repaired. The situation worsened when threat actors began to intervene.

Cybercriminals distributed fake CrowdStrike repair tools and guides that pushed malware, including the new Daolpu ransomware. These phishing campaigns targeted organizations trying to recover from the outage, further delaying their recovery.

Investors soon filed a lawsuit against CrowdStrike, accusing it of negligence in its quality assurance processes and failure to prevent the release of a defective update.

Microsoft also announced that in response to the incident, they would consider changing their policy on handling kernel drivers, and urged antivirus vendors to restrict the use of kernel drivers to prevent these types of failures.

3. Kaspersky is banned in the US — the software is automatically replaced with UltraAV

In June, the Biden administration announced an upcoming ban on Kaspersky antivirus software, setting a deadline of September 29, 2024, for users to find alternatives.

The ban not only covered the sale of Kaspersky software in the US, but also deprived the company of the ability to provide customers with antivirus and security updates.

In July, Kaspersky began winding down its US operations, explaining to BleepingComputer that the administration’s decision had made operations “unviable.” The company decided to sell its US customer base to Point Wild (formerly Pango) and informed users of a free upgrade to UltraAV software.

On September 19, users unexpectedly discovered that Kaspersky products had been removed from their devices and UltraAV had been installed in their place without their permission.

Although the migration was communicated via emails and in-app notifications, many users missed them or did not understand the changes. This caused a wave of outrage among customers over the forced installation of new software without their consent.

4. Russian state hackers hacked Microsoft corporate email

In January, Microsoft announced that its corporate email servers were compromised by Russian state-sponsored hackers in November 2023. The attackers gained access to emails from the company’s management, cybersecurity, and legal teams.

Some of the stolen emails contained information about the hacking group itself, which gave the attackers insight into how much Microsoft was aware of their activities.

The attack was linked to the cyberespionage group Midnight Blizzard (also known as Nobelium or APT29), which is believed to be affiliated with the Russian Foreign Intelligence Service (FSB).

Microsoft found that the hackers used a password-spraying attack to gain access to an old, non-production customer test account. This account had elevated OAuth application access rights, which allowed the attackers to steal data from corporate mailboxes.
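An added example, not from the article or from Microsoft’s investigation, showing why a spray is easy to miss per account but visible per source: a small Python detector run over constructed sign-in log lines flags a source that fails against many distinct accounts in a short window, then lists which accounts that source later logged into, the follow-up check that surfaces a forgotten test account. The log format, IP addresses and account names are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (hypothetical format): timestamp, source IP, account, result.
# These lines are made up for the example; they are not data from the incident.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 alice@example.test FAIL
2023-11-20T02:00:03Z 203.0.113.7 bob@example.test FAIL
2023-11-20T02:00:05Z 203.0.113.7 carol@example.test FAIL
2023-11-20T02:00:07Z 203.0.113.7 dave@example.test FAIL
2023-11-20T02:00:09Z 203.0.113.7 erin@example.test FAIL
2023-11-20T02:00:11Z 203.0.113.7 legacy-test@example.test SUCCESS
2023-11-20T02:05:00Z 198.51.100.9 alice@example.test FAIL
2023-11-20T02:05:02Z 198.51.100.9 alice@example.test FAIL
2023-11-20T02:05:04Z 198.51.100.9 alice@example.test SUCCESS
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted accounts} for sources that failed against at least
    `min_accounts` distinct accounts inside `window`. A spray is wide (many accounts)
    and shallow (one or two tries each), so a per-account lockout threshold never
    fires; grouping failures by source is what makes it visible."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, account))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            accounts = {a for t, a in fails[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = sorted(accounts)
                break
    return flagged

def successes_after_spray(events, flagged):
    """Accounts that a flagged spraying source subsequently logged into; any hit
    here deserves a review of that account's purpose, MFA state and app permissions."""
    return sorted({a for _, ip, a, r in events if ip in flagged and r == "SUCCESS"})
```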

In March 2024, hackers attacked Microsoft again, using information stolen from previous emails to gain access to source code repositories.

In April, CISA confirmed that emails between U.S. federal agencies and Microsoft were also stolen in the attack. These emails contained information that allowed the hackers to gain access to some customers’ systems.

5. A public national data breach exposed your Social Security number

In August, nearly 2.7 billion records of personal information about people in the United States were leaked to a hacker forum, revealing names, Social Security numbers, all known physical addresses, and possible aliases.

The data was stolen from National Public Data, a company that collects and sells access to personal data for use by background-check services, criminal-record lookups, and private investigators.

Troy Hunt of Have I Been Pwned analyzed the hack and determined that it contained 134 million unique email addresses, making it a massive data breach.

The hackers tried to sell it for $3.5 million, but it was eventually distributed for free on a hacker forum.

6. CDK Global ransomware attack is crippling the car dealership industry

CDK Global, a software-as-a-service provider for car dealerships, was hit by a ransomware attack by the BlackSuit operation, which forced the company to shut down its systems and left its customers unable to conduct business.

CDK Global provides customers in the automotive industry with a SaaS platform that manages all aspects of a dealership’s operations, including CRM, financing, payroll, support and maintenance, inventory, and back office.

Since many car dealerships in the U.S. use the platform, the shutdown caused widespread disruption, preventing dealers from tracking and ordering auto parts, making new sales, and offering financing.

7. Snowflake Data Theft Attacks

In May, hackers began selling data they said was stolen from customers of the cloud-based platform Snowflake.

An investigation revealed that the Snowflake platform itself was not compromised. Instead, the hackers used compromised credentials to log into customer accounts. The credentials were likely obtained through information-stealing malware infections.

Once the accounts were accessed, the hackers exported the databases and demanded ransom from the companies, threatening to release the data. In July, AT&T confirmed that the incident exposed call logs of 109 million customers, taken from a database in the company’s Snowflake account. Ticketmaster was also targeted by hackers who said they had stolen data on 560 million customers.

The data breaches linked to these attacks, which began in April 2024, affected hundreds of millions of people using services from AT&T, Ticketmaster, Santander, Pure Storage, Advance Auto Parts, Los Angeles Unified, QuoteWizard/LendingTree, and Neiman Marcus.

In November, the U.S. Department of Justice unsealed indictments against two individuals, Connor Riley Moucka and John Erin Binns, who are accused of carrying out the attacks.

The attackers allegedly demanded $2.5 million in ransom as part of these attacks, and Wired reports that AT&T paid $370,000 to have the hackers delete the stolen call records.

8. North Korean IT worker scheme

This year has seen a significant increase in the number of North Korean IT workers seeking employment in the United States and other countries to conduct cyberespionage and raise funds to support their country’s operations.

In May, the U.S. Department of Justice charged five people—a U.S. citizen, a Ukrainian, and three foreign nationals—with helping North Korean companies infiltrate the U.S. labor market to generate revenue to fund North Korea’s nuclear program.

In July, email security company KnowBe4 accidentally hired a North Korean hacker as its chief software engineer. The hacker attempted to inject malware into the network to steal information.

In August, the Department of Justice arrested a Nashville man for helping North Korean IT workers secure remote jobs at U.S. companies. He also ran a laptop farm used to impersonate American individuals.

Later, Mandiant and SecureWorks published reports detailing the tactics of North Korean IT professionals and providing recommendations for protecting against such threats.

9. UnitedHealth Change Healthcare Ransomware Attack

In February, UnitedHealth subsidiary Change Healthcare was hit by a massive ransomware attack that caused a major disruption to the U.S. healthcare industry.

The outages prevented doctors and pharmacies from submitting claims, and pharmacies were unable to accept discount cards for prescriptions, forcing patients to pay the full cost of their medications.

The attack was ultimately linked to the BlackCat ransomware gang, also known as ALPHV, which used stolen credentials to compromise the company’s Citrix remote access service; that service did not have multi-factor authentication enabled.

During the attack, the attackers stole 6TB of data and eventually encrypted computers on the network, forcing the company to shut down its IT systems to prevent the attack from spreading.

UnitedHealth Group acknowledged that it paid the ransom to obtain a decryptor and have the attackers delete the stolen data. According to the BlackCat ransomware affiliate that carried out the attack, the ransom amount was $22 million.

The BlackCat ransomware operation came under immense pressure from law enforcement following the Change Healthcare attack, leading the operation to shut down.

After UnitedHealth paid the alleged $20 million ransom, the ransomware operation pulled an exit scam, keeping all the money rather than handing the affiliate its share.

Unfortunately, the affiliate claimed to still have Change Healthcare’s data, which they used again to extort money from the healthcare company, this time using the ransomware site RansomHub.

The listing eventually disappeared from the RansomHub leak site, likely indicating that another ransom had been paid.

In October, UnitedHealth confirmed that more than 100 million people had their personal and medical data stolen, calling it the largest medical data breach in years.

10. LockBit

On February 19, authorities successfully took down the LockBit group’s infrastructure, which consisted of 34 servers. These servers hosted data-leakage websites, their mirrors, stolen victim data, cryptocurrency addresses, decryption keys, and an affiliate dashboard. The operation was part of an international law enforcement initiative called Operation Cronos.

Five days later, LockBit was able to resume operations on new infrastructure. The group announced its intention to increase attacks on the government sector, but it failed to regain its former popularity. Many LockBit affiliates moved on to other ransomware operations.

Law enforcement agencies continued to pressure LockBit throughout the year, bringing charges against seven of its members. Among them was the main operator of the ransomware, whom the US Department of Justice identified as Russian citizen Dmitry Yurievich Khoroshev, also known by the aliases “LockBitSupp” and “putinkrab”.

The group recently began testing a new encryptor, LockBit 4, which, according to preliminary estimates, has only minor differences from the previous version.

11. Windows 11 Recall: a privacy nightmare?

Microsoft’s new Windows 11 AI-powered Recall feature has caused a lot of concern among the cybersecurity community, with many believing it to be a huge privacy risk and a new attack vector that attackers could exploit to steal data.

After receiving a huge backlash, Microsoft delayed the feature’s release to improve its security, requiring users to explicitly opt in to Recall on their computers and to confirm with Windows Hello that they were in front of the PC before using it.

Microsoft continued to delay the release while adding features such as automatic filtering of sensitive content, the ability to exclude certain apps, websites, or private browsing sessions, and the option to uninstall Recall entirely if needed.

However, after the release of the Windows Insider Preview build, it was discovered that Windows 11 Recall was not properly filtering sensitive information, such as credit cards.

Microsoft said it would continue to improve the product as new issues were discovered.

12. Telecom Attacks 2024

A Chinese state-sponsored hacking group known as Salt Typhoon has been implicated in a series of cyberattacks targeting telecommunications companies around the world.

The attacks compromised at least nine major carriers, including AT&T, Verizon, and T-Mobile. The attackers’ primary goal was to penetrate telecommunications infrastructure to steal text messages, phone records, and voicemails from targeted individuals. They also targeted wiretapping platforms used by the U.S. government, raising serious national security concerns.

A White House briefing confirmed that Salt Typhoon’s activities had affected telecommunications providers in dozens of countries.

In the United States, the attacks exposed numerous vulnerabilities in telecommunications infrastructure, raising concerns about the security of government surveillance systems. In response, Senator Ron Wyden and other lawmakers have proposed legislation aimed at addressing these vulnerabilities. The bill would strengthen cybersecurity standards and oversight for telecommunications carriers to prevent similar attacks in the future.

In addition, the U.S. government plans to ban China Telecom from active operations in the country in response to the threat posed by hacking attacks.

13. The Rise of Infostealers

This year has seen a particularly strong increase in campaigns using malware aimed at stealing information. These programs hijack infected users’ browsers, stealing cookies, saved passwords, credit card details, and cryptocurrency wallets.

Although infostealers have been around for a long time, they became far more popular with attackers this year, as shown by their use in numerous attacks. The stolen data is used to compromise corporate networks, bank accounts, cryptocurrency exchanges, and email.

For victims of infostealer infections, such attacks can lead to catastrophic financial losses, as attackers gain access to bank accounts and steal cryptocurrency.

The most effective way to protect yourself from such attacks is to enable two-factor authentication (2FA) using an authenticator app. With 2FA, even if attackers obtain your stolen credentials, they won’t be able to log in without the one-time code generated by the authenticator.
