2024 has seen an unusually high level of cyberattack and data breach activity. Even though the year is not yet over, a slew of major cyberattacks has seen organizations lose millions in revenue, alongside serious damage to their security posture. And while intensified cyberattacks are nothing new, the attacks of previous years largely spared the general public from significant disruption, which has not been the case so far in 2024.
It is not certain that causing public disruption is a deliberate strategy on the attackers’ part, as cybercriminals often do not anticipate the indirect impact an attack will have on downstream providers or services. But it is plausible that they are using such attacks as an opportunity to leverage the disruption and make sure they get paid.
Here are the ten major cyberattacks and data breaches that have made an impact so far this year.
Ivanti VPN Attacks
In January, Ivanti’s widely used Connect Secure VPN appliances were hit by two high-severity zero-day vulnerabilities, which led to mass exploitation. Researchers said thousands of Ivanti VPN devices were compromised during the attacks, with the US Cybersecurity and Infrastructure Security Agency (CISA) among the victims. Researchers at Google Cloud-owned Mandiant reported that the two original Ivanti VPN vulnerabilities saw “broad exploitation activity” by a China-linked threat group tracked as UNC5221, as well as “other uncategorized threat groups.”
The attacks prompted CISA to issue an urgent order to civilian executive branch agencies, requiring the unusual measure of disconnecting their Ivanti Connect Secure VPNs within 48 hours. Ivanti released the first patch for some versions of its Connect Secure VPN software on Jan. 31, three weeks after the initial vulnerability disclosure.
Microsoft Executive Accounts Breach
In January, Microsoft disclosed that a Russia-aligned threat actor known as Midnight Blizzard, which is reported to be connected to Russia’s SVR foreign intelligence unit, managed to steal emails from members of its senior leadership team as well as from employees on its cybersecurity and legal teams. Multiple federal agencies were also among those compromised in the attack. It is believed that the breach went back as far as November 2023, when the hackers initially gained access by exploiting the lack of MFA (multifactor authentication) on a “legacy” account.
In June, Microsoft confirmed that it sent out more notices to customers impacted by the compromise.
SOHO Routers Attacks
The FBI disclosed in February that a China-linked threat group known as Volt Typhoon was found to have hijacked “hundreds” of small office/home office (SOHO) routers based in the US, targeting providers of critical services including communications, energy, water, and transportation. The hijacked routers were being assembled into a botnet, a network of malware-infected devices, which the threat group could use to launch attacks against critical infrastructure. The FBI said it succeeded in disrupting the group’s efforts.
Change Healthcare Attacks
The first attack on Change Healthcare was disclosed on Feb. 22 and it caused massive disruption in the US health care system for weeks. The Russian-speaking cybercriminal group known by the names of Blackcat and Alphv claimed responsibility for the ransomware attack and parent company UnitedHealth paid a $22 million ransom following the attack.
Subsequently, a different cybercriminal gang, known as RansomHub, posted data it claimed was stolen from Change Healthcare. UnitedHealth said in late April that data belonging to an estimated one-third of all Americans may have been stolen in the attack against Change Healthcare. In June, Change Healthcare disclosed that sensitive patient medical data was exposed in the attack. Medical data stolen during the attack may have included diagnoses, medications, test results, images, and care and treatment information.
ConnectWise ScreenConnect Attacks
In February, ConnectWise disclosed that two vulnerabilities had been found affecting its ScreenConnect tool, impacting the MSPs that use it. Mandiant subsequently identified “mass exploitation” of the vulnerabilities by various threat actors. ConnectWise said that it “employed additional preventative measures” before releasing patches within days of the disclosure. CISA issued a notice that ConnectWise partners and end customers should disconnect all on-premises ScreenConnect servers if they could not update to the latest version.
XZ Utils Compromise
In March, Red Hat and CISA warned that the two latest versions of XZ Utils, a widely used set of data compression tools and libraries in Linux distributions, were found to have been compromised. However, the hack was discovered before the compromised software could be distributed broadly.
AT&T Breach
In March, AT&T said it was investigating a possible data breach after personal data from more than 70 million current and former customers was discovered on the dark web. Based on a preliminary analysis, the company said the data set appeared to be from 2019 or earlier and affects approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.
Ascension Ransomware Attack
Ascension, a health system with 140 hospitals and operations in 19 states and Washington, DC, said in May that its clinical operations were disrupted after it was struck by a ransomware attack. The attack, which began when an employee inadvertently downloaded malware, forced Ascension to divert emergency care from some of its hospitals. Data, including patients’ health data, was believed to have been stolen in the attack.
Snowflake Customers Targeted
In June, widespread attacks targeting Snowflake customers led to a “significant” volume of data being stolen, with more than 100 customers known to be potentially impacted, including Neiman Marcus Group, Ticketmaster, Santander Bank, Pure Storage and Advance Auto Parts. The wave of data theft attacks is believed to have relied on stolen passwords.
In its advisory, Snowflake said it is “developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies.”
CDK Global Attack
CDK, a provider of SaaS-based CRM, payroll, finance and other key functions used by 15,000 dealerships, shut down most of its systems after a pair of cyberattacks struck on June 18 and 19. The first attack affected its dealer management system (DMS) and locked a number of dealers out of the network. The second attack, which happened the next day, resulted in an outage that severely affected thousands of car dealerships.
Final word
Whether big or small, organizations must be more vigilant than ever about threats that can paralyze them both operationally and financially. They need not only to bolster their cybersecurity measures consistently to the highest level, but also to empower their people with the skills and knowledge to prevent these threats from impacting them in the first place, and from inflicting further operational and financial harm on the organization.