It has become somewhat trite to comment on the fact that the threat landscape has become increasingly hostile over recent years but 2024 acted as a reminder that attackers continue to become more refined and brutal, with real world consequences.
This year we saw hackers cause carnage at a wide range of organizations across the healthcare, telecoms, and technology industries as well as the public sector. Collected below is a roundup of the biggest cyber scares we saw over the course of this year.
Change Healthcare attack causes chaos across US medical facilities
The year got off to a somewhat rocky start in February when Change Healthcare, a key provider of payment technologies to the healthcare industry was hit by a cyberattack that crippled its services.
On 21 February Change Healthcare, a subsidiary of the US’s largest health insurer, UnitedHealth Group, posted a notice stating that it had suffered a ransomware attack that forced it to take its systems offline.
The breach meant medical facilities reliant on the technology provided by Change Healthcare could not process electronic payments, medical claims, or drug prescriptions, causing chaos across the US.
The firm confirmed that a “substantial quantity of data” had been exfiltrated from its environment between 17 and 20 February.
In June this year, we learned that the stolen information included sensitive information covering patients’ health, their insurance, financials, as well as other PII such as their social security numbers, driver’s licenses, state ID numbers, and passport numbers.
It is believed the attack was carried out by the notorious ALPHV/BlackCat ransomware collective, after the group claimed responsibility for the breach, and in April UnitedHealth Group admitted to having paid a $22 million ransom to recover the stolen data during the incident.
After receiving increased attention from global law enforcement agencies in response to the devastating attack, the group claimed it was shutting down shortly after the incident. Current rumors suggest it has since rebranded under a new name to continue operations.
According to its first quarter results for 2024, UnitedHealth estimated the incident could cost the company as much as $1.6 billion. This proved to be on the lower end as its end-of-year disclosures made in September revealed the true cost of the attack had risen to $2.9 billion.
XZ Utils backdoor narrowly avoided becoming a catastrophic supply chain attack
Not long after the initial rumors of UnitedHealth paying the $22 million ransom to ALPHV/BlackCat in March 2024, the internet dodged what could have been a catastrophic supply chain attack targeting a popular open source project.
In March 2024, Andres Freund, a developer at Microsoft, spotted the backdoor in XZ Utils, a set of open source data compression tools based on the LZMA compression algorithm that ships out of the box in a wide range of popular Linux distributions.
According to a report from Akamai, the backdoor was added to the SSH daemon on the vulnerable machine, enabling a remote attacker to execute arbitrary code on the system. The report concluded that “we got lucky” and that if the backdoor had not been spotted the consequences could have been catastrophic.
The XZ Utils project had been solely maintained by its original developer, Lasse Collin, since it was initially released. But in October 2021 an individual developer using the name Jia Tan began opening pull requests to fix a number of bugs in the project.
Tan continued to submit patches to the repository over the next three years, and as pressure mounted on Collin to fix bugs more quickly, he placed his trust in Jia Tan to help.
After obtaining release manager rights with full access to the source code, Tan injected the backdoor into XZ Utils.
“This backdoor almost became one of the most significant intrusion enablers ever – one that would’ve dwarfed the SolarWinds backdoor,” wrote Akamai Security Intelligence Group. “The attackers were almost able to gain immediate access to any Linux machine running an infected distro, which includes Fedora, Ubuntu, and Debian. Almost.”
Snowflake attack leads to huge data breaches at major firms with war of words over culpability
In April 2024, a number of major enterprises suffered data breaches after a threat actor known as Shiny Hunters broke into a number of high-profile Snowflake cloud database accounts that stored vast amounts of personal data.
According to some reports, the hackers used custom tools to find vulnerable Snowflake instances and used credential stuffing to gain access to the database. Once inside, they used Snowflake’s built-in features to exfiltrate large swathes of data.
Ticketmaster had the personal details of 560 million of its customers stolen, including their names, addresses, phone numbers, and partial credit card information, with the hackers listing a 1.3TB database stolen from the firm on BreachForums for $500,000.
Santander revealed 30 million customers as well as all of its current and some former employees had their bank details stolen during the campaign, which included 28 million credit card numbers, 6 million account numbers, and HR information linked to Santander staff.
After both firms publicly stated the incident was the result of unauthorized access to a database hosted by a third-party provider, namely Snowflake, Brad Jones, CISO at Snowflake, hit back at claims the breaches were caused by a vulnerability or misconfiguration in its platform.
Instead, Jones claimed the campaign specifically targeted accounts that didn’t use two-factor authentication (2FA), which made them more susceptible to credential-stuffing attacks.
The attackers used stolen credentials, which were either purchased on the dark web or accessed using infostealer malware, according to Jones, who acknowledged that Snowflake had evidence that a threat actor stole personal credentials and accessed demo accounts belonging to a former employee.
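As an added example (not from the article and not Snowflake's own code), a defender-side check over constructed login records that flags the pattern Jones describes: one source cycling through many usernames with mostly failures, then succeeding against accounts that presented no second factor. The record layout is an assumption loosely modelled on a cloud login-history export; the IPs and usernames are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real telemetry). Each record is
# (timestamp, user, source IP, login succeeded?, second factor used or None).
EVENTS = [
    ("2024-04-14T02:00:01", "alice",   "198.51.100.7", False, None),
    ("2024-04-14T02:00:03", "bob",     "198.51.100.7", False, None),
    ("2024-04-14T02:00:04", "carol",   "198.51.100.7", False, None),
    ("2024-04-14T02:00:06", "dave",    "198.51.100.7", False, None),
    ("2024-04-14T02:00:08", "erin",    "198.51.100.7", False, None),
    ("2024-04-14T02:00:09", "svc_etl", "198.51.100.7", True,  None),   # reused password, no 2FA
    ("2024-04-14T09:15:00", "alice",   "203.0.113.5",  True,  "DUO"),  # ordinary login with 2FA
    ("2024-04-14T09:16:00", "alice",   "203.0.113.5",  False, None),   # a single mistyped password
]


def parse(events):
    """Convert ISO timestamps to datetime objects, leaving other fields as-is."""
    return [(datetime.fromisoformat(t), u, ip, ok, mfa) for t, u, ip, ok, mfa in events]


def stuffing_sources(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.25):
    """Return source IPs that tried at least `min_users` distinct usernames inside
    `window` with a success rate at or below `max_success_rate`. That shape is a
    credential-stuffing run, not one user mistyping a password a few times."""
    by_ip = defaultdict(list)
    for ts, user, ip, ok, _ in parse(events):
        by_ip[ip].append((ts, user, ok))
    flagged = set()
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            span = [r for r in rows[i:] if r[0] - start <= window]
            users = {u for _, u, _ in span}
            successes = sum(ok for _, _, ok in span)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                flagged.add(ip)
                break
    return flagged


def compromised_without_mfa(events, flagged_ips):
    """Accounts that a flagged source logged into successfully with no second
    factor: the ones to lock, rotate, and enrol in MFA first."""
    return sorted({user for _, user, ip, ok, mfa in parse(events)
                   if ip in flagged_ips and ok and mfa is None})


if __name__ == "__main__":
    ips = stuffing_sources(EVENTS)
    print("stuffing sources:", ips)
    print("accounts accessed without MFA:", compromised_without_mfa(EVENTS, ips))
```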
Seventeen-year-old brings down TfL’s online payment system
The next major cyber scare of 2024 took place in September, when Transport for London (TfL) reported it had suffered a “sophisticated” and “aggressive” cyberattack.
The attack itself had a limited impact on the city’s actual transport framework with buses and trains running as expected, but it took out a number of TfL’s digital services.
TfL was unable to process payments on the Oyster and contactless app, travelers were unable to register their Oyster cards to their customer accounts on the website or the app, and TfL was unable to issue refunds for incomplete pay-as-you-go journeys made using contactless.
TfL also announced that the incident saw bank data linked to 5,000 customers exposed, as well as employee passwords.
Shortly after the attack, the NCA confirmed it had arrested a 17-year-old in Walsall in connection to the incident.
It is estimated the attack cost TfL more than $38 million (£30 million) after having to suspend a number of its services, spending $6.3 million (£5 million) on incident response, investigation, and remedial cybersecurity measures in the past 3 months.
Salt Typhoon hacked into US telcos to spy on political figures
The final security story we want to highlight is perhaps the most concerning: threat actors linked to the Chinese state hacked into a number of telecommunications companies around the world.
Speculation about a potential threat campaign targeting telecommunications companies in the US had been bubbling since September, and in October the Wall Street Journal confirmed a number of high-profile internet service providers had been breached.
In November, the FBI and CISA issued a joint statement warning of a threat campaign, believed to have originated in China, that was targeting commercial telecommunications infrastructure.
The warning said US agencies had identified PRC-affiliated actors who had compromised the networks of multiple telecommunications companies, looking to steal customer data and compromise the communications of individuals involved in the US government.
The attack was also said to have given the attackers access to the information systems used by the federal government for court-authorized network wiretapping.
In December the FBI and CISA issued advice to all citizens to use encrypted messaging platforms to protect themselves from potential attackers lurking on the network.
In a call with reporters, US government officials including Jeff Greene, executive assistant director for cybersecurity at CISA said users should also try to use encrypted voice communication if they have the ability to do so.
Things got more serious when Anne Neuberger, deputy of national security for the Biden administration, warned that the hackers, named as the Salt Typhoon collective, were able to record the telephone conversations of ‘very senior’ political figures in the US.
It looks like the group has established persistence on communication channels used throughout the US and is still accessing telecom networks across the region, putting individuals, businesses, and government agencies at risk.