
The year 2024 was marked by several significant cybersecurity incidents and developments that captured global attention. From massive data breaches to sophisticated cyber-espionage campaigns, the landscape of cybersecurity continued to evolve rapidly. These events not only highlighted the vulnerabilities in our digital infrastructure but also underscored the importance of robust cybersecurity measures. Let’s take a closer look at some of the most impactful stories of the year.
Change Healthcare ransomware attack
The Change Healthcare ransomware attack in 2024 was one of the largest and most impactful cyberattacks on the U.S. healthcare sector.
Key Events
- Initial Breach: On February 12, 2024, hackers infiltrated Change Healthcare’s systems.
- Network Outage: By February 21, widespread outages hit Change Healthcare, halting billing systems and insurance claims processing. The company confirmed a network interruption due to a cybersecurity issue.
- Confirmation of Attack: On February 29, UnitedHealth Group disclosed that the ransomware group ALPHV/BlackCat was behind the attack.
- Data Theft: In March, the attackers claimed to have exfiltrated millions of sensitive health and patient records.
Impact
- Affected Population: Over 100 million individuals had their sensitive medical records compromised.
- Data Exposed: Stolen data included personal details such as names, addresses, Social Security numbers, health diagnoses, medications, treatment plans, and financial information.
- Healthcare Disruptions: The attack caused significant disruptions across the U.S. healthcare sector, affecting hospitals, pharmacies, and medical practices that depended on Change Healthcare’s services.
Response
- Security Measures: Change Healthcare activated its security protocols and isolated its network to contain the threat.
- Notification: UnitedHealth Group started informing affected individuals in late July 2024, continuing through October.
- Investigations: The Department of Health and Human Services (HHS) began probing the incident, focusing on compliance with HIPAA and the protection of protected health information (PHI).
Midnight Blizzard attack on Microsoft
Midnight Blizzard, also known as NOBELIUM, is a Russian state-sponsored threat actor linked to the Russian Foreign Intelligence Service (SVR). On January 12, 2024, they launched a sophisticated cyberattack on Microsoft’s corporate systems, aiming to steal sensitive information and disrupt operations.
Key Events
- Detection (January 12, 2024): Microsoft’s security team detected unusual activity within their systems.
- Response Activation: Immediate response protocols were activated to investigate and mitigate the attack.
- Investigation: The team identified the use of spear-phishing emails with Remote Desktop Protocol (RDP) files as the entry method.
- Collaboration: Microsoft worked with international law enforcement and cybersecurity communities to address the threat.
Impact
- Data Breach: The attackers aimed to collect intelligence through espionage.
- Targeted Sectors: The attack affected government, academia, defense, non-governmental organizations (NGOs), and other sectors.
- Security Measures: The incident highlighted the need for enhanced security measures, such as multi-factor authentication (MFA) and active threat protections.
Response
- Mitigation Efforts: Microsoft’s security team took immediate action to disrupt malicious activity and secure their systems.
- Ongoing Investigation: The investigation continues, with updates and guidance being provided to affected organizations.
- Collaboration: Microsoft emphasized the importance of collaboration with international law enforcement and cybersecurity communities to combat such threats.
National Public Data Breach
The National Public Data breach in 2024 was one of the largest data breaches in history, impacting 2.9 billion records. Here’s a detailed overview:
Key Events
- December 2023: Hackers first gained access to National Public Data’s systems.
- April 2024: The breach became public when a hacker known as “USDoD” posted the stolen data on the dark web.
- August 2024: National Public Data confirmed the breach, revealing that it affected 2.9 billion records containing sensitive personal information.
- October 2024: National Public Data filed for Chapter 11 bankruptcy due to the financial and legal repercussions of the breach.
Impact
- Affected Individuals: The breach exposed personal information of people in the US, UK, and Canada. This included full names, Social Security numbers, addresses, phone numbers, and email addresses.
- Risks: The compromised data posed significant risks of identity theft, financial fraud, and increased phishing attacks.
- Legal Actions: Over 14 complaints were filed in federal court, and three class-action lawsuits were initiated against National Public Data.
Response
- Notifications: National Public Data began notifying affected individuals and worked with law enforcement to identify the hacker.
- Bankruptcy: The company filed for Chapter 11 bankruptcy, facing potential liability for credit monitoring for hundreds of millions of individuals.
CrowdStrike IT outage
On July 19, 2024, a software update released by CrowdStrike caused a massive global IT outage. This resulted in millions of Windows computers crashing and entering a boot loop, affecting a wide range of industries and services worldwide. The incident underscored the importance of rigorous software testing and operational resilience in cybersecurity.
Key Events
- July 19, 2024, 04:09 UTC: CrowdStrike released a sensor configuration update (Channel File 291) to Windows systems. This update contained a logic error that triggered system crashes.
- July 19, 2024, 05:27 UTC: The issue was identified by CrowdStrike, and the update was reverted, but the damage had already been done, with many systems affected.
- July 19-22, 2024: CrowdStrike, in collaboration with Microsoft, provided remediation steps. Affected systems required manual intervention to delete the faulty .sys file and restore functionality.
Impact
- Global Disruption: The outage affected approximately 8.5 million Windows devices, causing widespread disruption across various sectors.
- Financial Damage: The estimated financial impact of the outage was at least $10 billion.
- Affected Industries:
  - Airlines: Delta, United, American, and KLM had to cancel hundreds of flights.
  - Healthcare: Hospitals and clinics faced significant disruptions, delaying cancer referrals and other urgent tasks.
  - Public Transit: Systems in cities like Chicago, New York City, and Washington, D.C., were impacted.
  - Financial Institutions: Online banking and appointment systems were disrupted.
- Operational Disruptions: Public transit systems and GP services in England and Northern Ireland experienced major disruptions.
Response
- Immediate Fix: CrowdStrike released a fix within 90 minutes of the incident. However, many affected computers required manual intervention to delete the faulty file.
- Manual Intervention: IT staff had to boot systems into Safe Mode or the Windows Recovery Environment and delete the offending file.
- Cloud Remediation: Some users opted for cloud remediation by submitting a request via the support portal.
- Post-Incident Actions: CrowdStrike committed to implementing more rigorous software testing, rolling out updates in a staggered manner, and conducting a full root-cause analysis.
CISA impacted by Ivanti Vulnerabilities
The exploitation of Ivanti zero-day vulnerabilities in 2024 was a significant cybersecurity incident that even impacted the US Cybersecurity and Infrastructure Security Agency (CISA). Here’s a detailed overview:
Key Events
- Initial Discovery: Security firm Volexity discovered two zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways in December 2023.
- Disclosure: Ivanti disclosed the vulnerabilities on January 10, 2024, identifying them as CVE-2023-46805 and CVE-2024-21887.
- Exploitation: Threat actors exploited these vulnerabilities to bypass authentication, execute arbitrary commands, and gain elevated privileges.
- Additional Vulnerabilities: Two more vulnerabilities, CVE-2024-21893 and CVE-2024-21888, were disclosed in January 2024.
Impact
- Affected Systems: The vulnerabilities impacted all supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure gateways.
- Attack Techniques: Attackers used the vulnerabilities to bypass two-factor authentication, execute malicious code, and gain root-level persistence.
- Data Exposure: The attack exposed sensitive data and allowed attackers to pivot further into victim environments.
Response
- Mitigation Guidance: Ivanti provided mitigation guidance and urged customers to apply patches and updates as soon as they became available.
- CISA Advisory: CISA issued an emergency directive (ED 24-01) directing all Federal Civilian Executive Branch (FCEB) agencies running Ivanti Connect Secure and Ivanti Policy Secure to implement mitigations, report indications of compromise, and remove compromised products from agency networks.
- Incident Response: Organizations were encouraged to hunt for malicious activity on their networks and apply Ivanti’s most recent external Integrity Checker Tool (ICT).
NIST NVD Disruption
The NIST National Vulnerability Database (NVD) disruption in 2024 was a significant event that impacted the cybersecurity community. Here’s a detailed overview:
Key Events
- Initial Discovery: The disruption began around February 12, 2024, when NIST almost completely stopped enriching software vulnerabilities listed in the NVD.
- Impact on CVEs: Since then, only 200 of the 2,700 Common Vulnerabilities and Exposures (CVEs) published have been enriched, meaning that over 2,500 vulnerabilities entered the database without crucial metadata.
- Metadata Issues: The missing metadata includes descriptions of the vulnerabilities, software weaknesses (CWEs), names of impacted software products, criticality scores (CVSS), and patching status.
Impact
- Security Risks: The lack of enriched metadata left organizations blind to what specific products and systems might be affected by the vulnerabilities. This made it difficult for security teams to prioritize and address the vulnerabilities effectively.
- Community Concerns: Security professionals expressed concerns about the impact on the security researcher community and organizations worldwide. The disruption could potentially make many organizations vulnerable to threat actors.
Response
- Ongoing Efforts: NIST has been working to resolve the issue and resume the enrichment of CVEs. However, the timeline for full restoration remains uncertain.
- Community Support: Security experts and organizations have been collaborating to find alternative ways to manage and mitigate vulnerabilities in the absence of enriched data from the NVD.
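The enrichment gap described above is something a vulnerability-management team can measure for itself. The following script is an added example (not NIST tooling and not code from the original post) that takes a response in the shape of the NVD API 2.0 JSON and reports which CVEs still lack the NVD-supplied metadata the text lists: a CVSS score, a CWE, and affected-product (CPE) configurations. The sample response is constructed inline with placeholder IDs rather than real CVEs. The check assumes that entries NVD produced itself are marked with `"type": "Primary"`, while vendor-supplied (CNA) metrics are `"Secondary"`, so a record that only carries a CNA score is still flagged as unenriched.

```python
import json

# Constructed sample in the shape of an NVD API 2.0 response. The IDs are
# placeholders (not real CVEs) and the descriptions are invented for the example.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {  # fully enriched record: NVD-supplied CVSS, CWE and CPE data
            "id": "CVE-2024-EXAMPLE1",
            "vulnStatus": "Analyzed",
            "descriptions": [{"lang": "en", "value": "Constructed: overflow in example daemon"}],
            "metrics": {"cvssMetricV31": [{"type": "Primary",
                                           "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "weaknesses": [{"type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}],
            "configurations": [{"nodes": [{"cpeMatch": [
                {"criteria": "cpe:2.3:a:example:daemon:1.0:*:*:*:*:*:*:*", "vulnerable": True}]}]}],
        }},
        {"cve": {  # never analysed: description only, no metrics at all
            "id": "CVE-2024-EXAMPLE2",
            "vulnStatus": "Awaiting Analysis",
            "descriptions": [{"lang": "en", "value": "Constructed: vendor description only"}],
            "metrics": {},
        }},
        {"cve": {  # edge case: the vendor (CNA) supplied a score and a CWE, NVD did not
            "id": "CVE-2024-EXAMPLE3",
            "vulnStatus": "Awaiting Analysis",
            "descriptions": [{"lang": "en", "value": "Constructed: CNA-scored, not enriched"}],
            "metrics": {"cvssMetricV31": [{"type": "Secondary",
                                           "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
            "weaknesses": [{"type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}],
        }},
    ]
})

# Metric keys the NVD API uses for the CVSS versions it has published.
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def _has_primary(entries: list) -> bool:
    """True if at least one entry was produced by NVD's own analysis (type Primary)."""
    return any(e.get("type") == "Primary" for e in entries)


def missing_enrichment(cve: dict) -> list:
    """Return the list of NVD enrichment fields this CVE record lacks."""
    missing = []
    metrics = cve.get("metrics") or {}
    if not any(_has_primary(metrics.get(key, [])) for key in CVSS_KEYS):
        missing.append("cvss")            # no NVD-assigned CVSS score
    if not _has_primary(cve.get("weaknesses") or []):
        missing.append("cwe")             # no NVD-assigned weakness classification
    if not cve.get("configurations"):
        missing.append("cpe")             # no affected-product configuration data
    return missing


def enrichment_report(response_json: str) -> dict:
    """Summarise how many records in an NVD API response are fully enriched."""
    data = json.loads(response_json)
    report = {"total": 0, "enriched": 0, "unenriched": {}}
    for entry in data.get("vulnerabilities", []):
        cve = entry["cve"]
        report["total"] += 1
        gaps = missing_enrichment(cve)
        if gaps:
            report["unenriched"][cve["id"]] = {"status": cve.get("vulnStatus"), "missing": gaps}
        else:
            report["enriched"] += 1
    return report


if __name__ == "__main__":
    report = enrichment_report(SAMPLE_NVD_RESPONSE)
    print(f"{report['enriched']} of {report['total']} records fully enriched")
    for cve_id, info in report["unenriched"].items():
        print(f"  {cve_id}: status={info['status']} missing={','.join(info['missing'])}")
```

Pointed at a real feed, the unenriched list is the set of CVEs for which prioritisation has to fall back on the CNA's own score, the vendor advisory, or an alternative enrichment source, which is exactly the workaround the community concerns above describe.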
MOAB
The 26 Billion Records Data Leak, also known as the Mother of All Breaches (MOAB), was one of the largest data breaches ever discovered. Here’s a detailed overview:
Key Events
- Discovery: In January 2024, cybersecurity researcher Bob Diachenko and the Cybernews team discovered an open instance containing 26 billion records (12 terabytes of data).
- Source of Data: The leaked data was compiled from numerous previous breaches and hacked databases. It included records from platforms like Tencent, Weibo, MySpace, Twitter, Wattpad, NetEase, LinkedIn, AdultFriendFinder, and many others.
- Data Exposure: The data included personal information such as names, email addresses, phone numbers, and other sensitive details.
Impact
- Scale: The sheer volume of the data leak made it the largest ever discovered, surpassing previous records.
- Risks: The exposed data posed significant risks of identity theft, financial fraud, phishing attacks, and unauthorized access to personal accounts.
- Affected Organizations: The breach included data from government organizations in the US, Brazil, Germany, the Philippines, Turkey, and several other countries.
Response
- Notification: Cybernews and other security researchers worked to notify affected individuals and organizations about the breach.
- Mitigation: Organizations were advised to monitor for suspicious activity, update passwords, and implement additional security measures to protect against potential threats.
- Legal Actions: Several class-action lawsuits were filed against companies whose data was compromised in the breach.
NIST New Guidelines for Password Complexity
In September 2024, the National Institute of Standards and Technology (NIST) released updated guidelines for password security, marking a significant shift from traditional practices. Here are the key changes:
Key Changes
- Password Length Over Complexity: NIST no longer recommends enforcing arbitrary password complexity requirements such as mixing uppercase and lowercase letters, numbers, and special characters. Instead, the focus has shifted to password length as the primary factor in password strength.
- Elimination of Mandatory Password Expiration: NIST has eliminated the requirement for periodic password changes. Frequent password resets often lead to weaker passwords and encourage users to make minor, predictable changes. Instead, passwords should only be changed when there’s evidence of compromise.
- Password Blocklists: Organizations are advised to maintain an updated blocklist of commonly used or compromised passwords and prevent users from selecting any password on this list.
- Prohibition of Password Hints and Security Questions: NIST advises against using password hints or knowledge-based authentication questions, as these can often be easily guessed or discovered through social engineering.
- Improved Password Storage Methods: NIST recommends using salted hashing with a work factor that makes offline attacks computationally expensive. This approach helps protect stored passwords even if a database is compromised.
- Support for ASCII and Unicode Characters: Password fields should accept all printable ASCII characters, the space character, and Unicode characters.
Recommendations
- Minimum Password Length: Passwords should be a minimum of 8 characters, with a strong preference for even longer passwords.
- Maximum Password Length: Organizations should allow passwords up to at least 64 characters to accommodate passphrases.
- Multi-Factor Authentication (MFA): NIST strongly endorses the use of MFA to enhance security.
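To make the guideline changes above concrete, here is an added example (not NIST reference code and not part of the original post) of a password policy written the way the updated guidance describes: a minimum of 8 and a maximum of at least 64 characters, no composition rules, spaces and Unicode accepted, a blocklist check, and storage as a salted hash with a tunable work factor. It uses Python's standard-library PBKDF2 as the work-factor hash; the blocklist, the iteration count and the stored-record format are assumptions of this example, not values from the page.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 8     # NIST minimum length
MAX_LEN = 64    # accept at least this many characters so passphrases fit

# Constructed blocklist for the example; a real deployment would load a large
# list of commonly used and known-compromised passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1", "iloveyou"}

# Assumed default work factor for PBKDF2-HMAC-SHA256 (an assumption of this example).
DEFAULT_ITERATIONS = 600_000


def normalize(password: str) -> str:
    """Unicode-normalize so visually identical passphrases compare and hash equally."""
    return unicodedata.normalize("NFKC", password)


def validate_password(password: str) -> list:
    """Return the reasons a password is rejected; an empty list means it is accepted.

    Deliberately absent: uppercase/digit/symbol composition rules, expiry, hints.
    """
    problems = []
    pw = normalize(password)
    # Length is counted in characters, not bytes, so Unicode passphrases are not penalised.
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Spaces and Unicode are allowed; only non-printing control characters are refused.
    if any(not ch.isprintable() for ch in pw):
        problems.append("contains non-printing characters")
    # Blocklist match is case-insensitive so trivial variants of listed passwords also fail.
    if pw.lower() in BLOCKLIST:
        problems.append("appears on the blocklist of common or compromised passwords")
    return problems


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries its own parameters for later verification."""
    salt = os.urandom(16)                       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and work factor; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ["password", "short", "correct horse battery staple", "pässwörd mit ümlauten"]:
        print(repr(candidate), "->", validate_password(candidate) or "accepted")
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))   # True
```

Because the stored record carries its iteration count, the work factor can be raised later and old records re-hashed at the user's next successful login without a forced reset, which fits the guidance that passwords change only on evidence of compromise.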
US Telecom Giants Targeted by Cyber Espionage
A sophisticated cyber-espionage campaign targeted several major U.S. telecom giants, including Verizon, AT&T, and T-Mobile. The campaign, attributed to a Chinese state-backed hacking group known as Salt Typhoon (also called Earth Estries), compromised networks and extracted vast amounts of sensitive data.
Key Events
- Discovery: The breach was discovered in early 2024, revealing that the attackers had been siphoning data for several months.
- Initial Access: Salt Typhoon initially gained access through phishing attacks and exploiting vulnerabilities in network infrastructure.
- Data Extraction: The hackers used advanced techniques, including “living-off-the-land” tactics, to avoid detection and maintain persistence while extracting Call Detail Records (CDRs).
- Public Disclosure: The breach was publicly disclosed in April 2024, prompting immediate action from the affected companies and government agencies.
Impact
- Scope: The breach exposed the personal information of millions of Americans, including detailed call records.
- National Security: The exposed data posed significant risks, as it could be used to track high-profile targets and monitor sensitive operations.
- Financial Consequences: The affected companies faced substantial costs related to incident response, legal actions, and potential fines.
Response
- Government Advisory: The FBI and CISA issued an advisory recommending Americans use end-to-end encryption messaging apps to protect their communications.
- Telecom Companies’ Actions: The affected companies worked to remove the attackers from their networks, patch vulnerabilities, and enhance security measures.
- Ongoing Investigation: Law enforcement agencies continued to investigate the breach, working to identify and apprehend those responsible.
LockBit law enforcement takedown
The recent takedown of LockBit, a notorious ransomware group, represents a landmark achievement in global cybersecurity efforts. Known for its extensive and damaging ransomware attacks, the disruption of LockBit’s operations involved a concerted effort from international law enforcement agencies.
Key Events
- Seizure of Infrastructure: Authorities seized 34 servers, 14,000 rogue accounts, and 200 cryptocurrency accounts linked to LockBit.
- Arrests: Two individuals associated with LockBit were apprehended in Poland and Ukraine.
- Data Leak Site: The LockBit data leak site and affiliate panel were successfully taken down.
- Stealbit Tool Seizure: The specialized data exfiltration tool, Stealbit, was confiscated.
- Decryption Keys: Law enforcement obtained approximately 1,000 potential decryption keys to assist ransomware victims.
Impact
- Disruption of Operations: The takedown significantly disrupted LockBit’s ability to conduct ransomware attacks.
- Financial Blow: The seizure of cryptocurrency accounts dealt a major financial blow to the group.
- Victim Assistance: The decryption keys obtained will aid in recovering data for numerous victims.
Response
- Collaborative Effort: The operation, named Operation Cronos, was led by the UK’s National Crime Agency (NCA) and the FBI, with support from Europol and law enforcement from 10 countries.
- Cybersecurity Community: The cybersecurity community has applauded the operation as a major victory in the fight against ransomware.
- Ongoing Vigilance: Authorities emphasize the importance of ongoing vigilance and collaboration in combating cyber threats.
Cisco Acquires Splunk
Cisco, a global leader in networking technology, has acquired Splunk, a renowned cybersecurity and observability company, for approximately $28 billion. This acquisition aims to revolutionize how organizations harness data to connect and protect every aspect of their operations.
Key Events
- Announcement: Cisco announced its intention to acquire Splunk on September 21, 2023.
- Deal Closure: The acquisition was completed on March 18, 2024.
- Financial Terms: Cisco agreed to pay $157 per share in cash, representing an equity value of around $28 billion.
Impact
- Enhanced Capabilities: The combination of Cisco’s network infrastructure and Splunk’s security and observability solutions will provide unparalleled visibility and insights across an organization’s digital footprint.
- AI Integration: The acquisition will help organizations leverage AI more effectively by providing the necessary infrastructure, data, security, and observability platforms.
- Market Position: Cisco becomes one of the largest software companies globally, enhancing its position in the cybersecurity and observability market.
Response
- Leadership Integration: Splunk’s President and CEO, Gary Steele, will join Cisco’s Executive Leadership Team.
- Customer Benefits: The combined capabilities will help organizations move from threat detection and response to threat prediction and prevention.
- Future Outlook: Cisco and Splunk aim to drive the next generation of AI-enabled security and observability solutions.
Talent Shortage in Cyber
The global cybersecurity industry urgently needs 4 million more professionals to close the talent gap. The shortage spans nations and industries and is projected to reach 85 million workers by 2030, potentially leaving $8.5 trillion in unrealized annual revenue.
Timeline
- 2022-2023: The cybersecurity workforce grew by 12.6%.
- 2024: The talent gap remains significant despite the growth.
- 2030: Projected global talent shortage of 85 million workers.
Impact
- Increased Risks: Two-thirds of organizations face additional risks due to cybersecurity skills shortages.
- Economic Consequences: The talent shortage could lead to significant financial losses and hinder the ability to address escalating cyber threats.
- Industry Challenges: Financial services, materials and industrials, consumer goods, and technology are the most affected industries.
Response
- Attracting Talent: Efforts are being made to attract, train, and retrain cybersecurity professionals.
- Skills-Based Hiring: Organizations are adopting skills-based hiring practices to fill gaps.
- Collaborative Efforts: Industry experts, educational institutions, and government bodies are working together to address the shortage.
This brings us to the end of this week-in-review security coverage. Thanks for visiting TheCyberThrone. If you like us, please follow us on Facebook, Twitter, and Instagram.

