alt= A visual representation of the top 10 cyber attacks from 2024, highlighting key incidents and their impacts.
Cyber security
2024-12-30 Post a Comment

Top 10 Cyber Attacks of 2024

By

Guru Baran

The year 2024 witnessed a surge in cyber-attacks, with incidents targeting critical infrastructure, healthcare, financial institutions, and even political campaigns.

These attacks highlight the growing sophistication of threat actors and the vulnerabilities across industries. Below is a detailed list of the top 10 cyber-attacks of 2024 based on their scale, impact, and geopolitical significance.

  • Healthcare Under Siege: Ransomware gangs increasingly targeted healthcare due to its critical nature.
  • Geopolitical Espionage: State-sponsored groups from China and Russia intensified attacks on critical infrastructure and political entities.
  • Supply Chain Vulnerabilities: Attacks like XZ Utils underscored the risks inherent in software supply chains.
  • AI Weaponization: Threat actors began leveraging generative AI tools for both offensive operations and malware development.

Table of Contents

  1. Change Healthcare Ransomware Attack
  2. Snowflake Data Breach
  3. Chinese Espionage Campaigns: Salt Typhoon and Volt Typhoon
  4. XZ Utils Supply Chain Attack
  5. National Public Data Breach
  6. CrowdStrike Falcon Update Outage
  7. Internet Archive Attack
  8. OpenAI’s Generative AI Exploitation Attempts
  9. Dell Data Breach
  10. Midnight Blizzard Targets Microsoft Executives

1. Change Healthcare Ransomware Attack

In February 2024, the Alphv/BlackCat ransomware group targeted Change Healthcare, a subsidiary of UnitedHealth Group. This attack disrupted healthcare services nationwide, affecting hospitals’ ability to process payments, prescribe medications, and perform procedures.

Over 100 million individuals had sensitive medical data exposed, making it one of the largest healthcare breaches in history. The company reportedly paid $22 million in ransom to recover operations.

2. Snowflake Data Breach

A widespread breach in April 2024 compromised accounts stored on Snowflake’s cloud platform due to inadequate security measures like missing multifactor authentication (MFA).

High-profile victims included AT&T (70 million customers affected), Ticketmaster (560 million records stolen), and Santander Bank. The attackers, linked to the Scattered Spider group, stole terabytes of sensitive data and extorted millions from corporations.

3. Chinese Espionage Campaigns: Salt Typhoon and Volt Typhoon

Chinese state-sponsored groups launched two major campaigns in 2024:

  • Volt Typhoon infiltrated U.S. critical infrastructure networks to prepare for potential disruptions during geopolitical conflicts.
  • Salt Typhoon targeted U.S. telecom providers like AT&T and Verizon, stealing metadata and compromising communications of political figures such as Donald Trump and JD Vance. These campaigns showcased China’s strategic use of cyber-espionage to gain geopolitical leverage.

4. XZ Utils Supply Chain Attack

The XZ Utils backdoor attack (CVE-2024-3094), disclosed in March 2024, was a near-miss supply chain compromise that could have caused catastrophic damage.

The attackers embedded malicious code into a widely used compression utility, potentially impacting thousands of downstream systems globally before it was detected and mitigated.

5. National Public Data Breach

In April 2024, hackers breached National Public Data’s systems, exposing 2.9 billion records containing personal information such as Social Security numbers and phone numbers.

The data was sold on the dark web for $3.5 million. This breach highlighted the risks posed by data brokers collecting and monetizing personal information without robust security measures.

6. CrowdStrike Falcon Update Outage

A faulty software update for CrowdStrike’s Falcon platform in July caused a global IT outage affecting approximately 8.5 million devices. Critical sectors like airlines and hospitals faced significant disruptions, resulting in an estimated $5.4 billion in damages for Fortune 500 companies alone.

7. Internet Archive Attack

In September 2024, attackers breached the Internet Archive’s systems, exposing over 31 million files, including email addresses and usernames. The attack also involved distributed denial-of-service (DDoS) incidents by pro-Palestinian hackers targeting the U.S.-based non-profit organization.

8. OpenAI’s Generative AI Exploitation Attempts

OpenAI reported thwarting over 20 attempts by state-sponsored groups from Russia, China, and Iran to exploit its large language models (LLMs) for malicious purposes. These included spear-phishing campaigns, infrastructure reconnaissance, and malware development using AI tools like ChatGPT.

9. Dell Data Breach

In May 2024, Dell Technologies disclosed a breach affecting 49 million customer records containing names, addresses, and order details. Although financial data was not exposed, attackers attempted to sell the stolen database online for $500,000.

10. Midnight Blizzard Targets Microsoft Executives

Russian threat group Midnight Blizzard (APT29) infiltrated Microsoft’s corporate email accounts starting in late 2023 but was discovered in January 2024. The group accessed sensitive information from senior executives in cybersecurity and legal departments as part of a broader espionage campaign targeting private companies.

As cyber threats grow more sophisticated each year, organizations must prioritize robust cybersecurity measures like MFA implementation, regular vulnerability assessments, and employee training to mitigate risks effectively.

read more
alt=Google Chrome, the world's most popular web browser, displayed on a computer screen with vibrant colors and a user-friendly interface.
Cyber security
2024-12-30 Post a Comment

16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft

î „Ravie Lakshmanan

                                                                                                                                                                                                                                                                                               A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.

The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens.

The first company to be known to have been exposed was cybersecurity firm Cyberhaven.

On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external Command and Control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data.

“Browser extensions are the soft underbelly of web security,” says Or Eshed, CEO of LayerX Security, which specializes in browser extension security. “Although we tend to think of browser extensions as harmless, in practice, they are frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more.

“Many organizations don’t even know what extensions they have installed on their endpoints, and aren’t aware of the extent of their exposure,” says Eshed.

Once news of the Cyberhaven breach broke, additional extensions that were also compromised and communicating with the same C&C server were quickly identified.

Jamie Blasco, CTO of SaaS security company Nudge Security, identified additional domains resolving to the same IP address of the C&C server used for the Cyberhaven breach.

Additional browser extensions currently suspected of having been compromised include:

  • AI Assistant – ChatGPT and Gemini for Chrome
  • Bard AI Chat Extension
  • GPT 4 Summary with OpenAI
  • Search Copilot AI Assistant for Chrome
  • TinaMInd AI Assistant
  • Wayin AI
  • VPNCity
  • Internxt VPN
  • Vindoz Flex Video Recorder
  • VidHelper Video Downloader
  • Bookmark Favicon Changer
  • Castorus
  • Uvoice
  • Reader Mode
  • Parrot Talks
  • Primus

These additional compromised extensions indicate that Cyberhaven was not a one-off target but part of a wide-scale attack campaign targeting legitimate browser extensions.

Analysis of compromised Cyberhaven indicates that the malicious code targeted identity data and access tokens of Facebook accounts, and specifically Facebook business accounts:

User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven)
User data collected by the compromised Cyberhaven browser extension (source: Cyberhaven)

Cyberhaven says that the malicious version of the browser extension was removed about 24 hours after it went live. Some of the other exposed extensions have also already been updated or removed from the Chrome Web Store.

However, the fact the extension was removed from the Chrome store doesn’t mean that the exposure is over, says Or Eshed. “As long as the compromised version of the extension is still live on the endpoint, hackers can still access it and exfiltrate data,” he says.

Security researchers are continuing to look for additional exposed extensions, but the sophistication and scope of this attack campaign have upped the ante for many organizations of securing their browser extensions.

read more
alt=An image depicting a computer screen with a "No Internet Connection" message, symbolizing North Korea's internet outage.
Cyber security
2024-10-19 Post a Comment

North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

î „Ravie Lakshmanan

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks.

“In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes,” Secureworks Counter Threat Unit (CTU) said in an analysis published this week. “In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024.”

The activity, the cybersecurity company added, shares similarities with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267.

The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea’s strategic and financial interests, refers to an insider threat operation that entails infiltrating companies in the West for illicit revenue generation for the sanctions-hit nation.

These North Korean workers are typically sent to countries like China and Russia, from where they pose as freelancers looking for potential job opportunities. As another option, they have also been found to steal the identities of legitimate individuals residing in the U.S. to achieve the same goals.

They are also known to request for changes to delivery addresses for company-issued laptops, often rerouting them to intermediaries at laptop farms, who are compensated for their efforts by foreign-based facilitators and are responsible for installing remote desktop software that allow the North Korean actors to connect to the computers.

What’s more, multiple contractors could end up getting hired by the same company, or, alternatively, one individual could assume several personas.

Secureworks said it has also observed cases where the fake contractors sought permission to use their own personal laptops and even caused organizations to cancel the laptop shipment entirely because they changed the delivery address while it was in transit.

Ransom for Stolen Data

“This behavior aligns with Nickel Tapestry tradecraft of attempting to avoid corporate laptops, potentially eliminating the need for an in-country facilitator and limiting access to forensic evidence,” it said. “This tactic allows the contractors to use their personal laptops to remotely access the organization’s network.”

In a sign that the threat actors are evolving and taking their activities to the next level, evidence has come to light demonstrating how a contractor whose employment was terminated by an unnamed company for poor performance resorted to sending extortion emails including ZIP attachments containing proof of stolen data.

“This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers,” Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, said in a statement. “No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses.”

To tackle the threat, organizations have been urged to be vigilant during the recruitment process, including conducting thorough identity checks, performing in-person or video interviews, and be on the lookout for attempts to re-route corporate IT equipment sent to the contractors declared home address, routing paychecks to money transfer services, and accessing the corporate network with unauthorized remote access tools.

“This escalation and the behaviors listed in the FBI alert demonstrate the calculated nature of these schemes,” Secureworks CTU said, pointing out the workers’ suspicious financial behavior and their attempts to avoid enabling video during calls.

“The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes. However, the activity observed prior to the extortion aligns with previous schemes involving North Korean workers.”

read more
alt=A man in a hoodie is seated at a computer, focused on the screen in a cozy indoor setting.
Cyber security
2024-10-18 Post a Comment

Undercover North Korean IT workers now steal data, extort employers

By

North Korean IT professionals who trick Western companies into hiring them are stealing data from the organization’s network and asking for a ransom to not leak it.

Dispatching IT workers to seek employment at companies in wealthier nations is a tactic that North Korea has been using for years as a means to obtain privileged access for cyberattacks or to generate revenue for the country’s weapons programs.

Researchers at cybersecurity company Secureworks uncovered the extortion component during multiple investigations of such fraudulent schemes.

After the employment of a North Korean national with access to proprietary data (as part of their contractor role) terminated, the company would receive the first extortion email, the researchers explain.

To obtain the job and avoid raising suspicions afterwards, the fraudulent IT workers used a false or stolen identity and relied on laptop farms to route traffic between their real location and the company through a U.S.-based point.

They also avoided video during calls or resorted to various tricks while on the job to hide their face during video conferences, such as using artificial intelligence tools.

Overview of the scheme
Overview of the scheme
Source: Secureworks

In July, American cybersecurity company KnowBe4 revealed that they were among the hundreds of victimized companies, and in their case, the threat actor attempted to install an infostealer on the company’s computer.

Secureworks tracks the group organizing and coordinating North Korea’s IT worker army as “Nickel Tapestry,” while Mandiant uses the UNC5267 name.

One example of a Nickel Tapestry campaign in mid-2024 that Secureworks investigated is that of a company that had proprietary data stolen almost immediately after employing an external contractor

The data was transferred to a personal Google Drive cloud storage using the company’s virtual desktop infrastructure (VDI).

After terminating the employment due to poor performance, the company began receiving extortion emails from external Outlook and Gmail addresses containing samples of the stolen data in ZIP archives.

The threat actors demanded a six-figure ransom to be paid in cryptocurrency in exchange to not leaking the data publicly.

Secureworks’ investigation revealed that Nickel Tapestry had used Astrill VPN and residential proxies to mask their real IP address during the malicious activities, while AnyDesk was used for remote accessing the systems.

The researchers warn that North Korean IT workers often coordinate to refer one another to companies.

Organizations should be cautious when hiring remote workers or freelancers, and look for signs of fraud like changes in payment accounts and laptop shipment addresses, submission of generic-looking resumes, atypical correspondence hours, and unwillingness to enable camera during interviews.

read more
Trustpilot
The rating of livingsafeonline.com at Trustprofile Reviews is 9.1/10 based on 13 reviews.
Verified by MonsterInsights