Data extortion and ransomware attacks have had a massive impact on businesses during the first half of 2024.
Biggest Cyberattacks And Breaches
If the pace of major cyberattacks during the first half of 2024 has seemed to be nonstop, that’s probably because it has been: The first six months of the year have seen organizations fall prey to a series of ransomware attacks as well as data breaches focused on data theft and extortion.
And while recent years had been seeing intensifying cyberattacks, by and large they spared the general public from significant disruption — something that has proven to not be the case during 2024 so far.
For instance, the February ransomware attack against UnitedHealth-owned prescription processor Change Healthcare caused massive disruption in the U.S. health care system for weeks — preventing many pharmacies and hospitals from processing claims and receiving payments. Then in May, the Ascension health system was struck by a ransomware attack that forced it to divert emergency care from some of its hospitals.
Most recently, software maker CDK Global fell victim to a crippling ransomware attack that has disrupted thousands of car dealerships that rely on the company’s platform. As of this writing, the disruptions were continuing, nearly two weeks after the initial attack.
The attacks have raised questions about whether threat actors are intentionally targeting companies whose patients and customers would be severely affected by the disruptions, in order to put increased pressure on the organizations to pay a ransom. If so, the tactic would seem to have been working: UnitedHealth paid a $22 million ransom to the Russian-speaking cybercrime group that perpetrated the Change Healthcare attack, and CDK Global reportedly was planning to pay the attackers’ ransom demands as well.
It’s not certain that this has been the attackers’ strategy, however, said Mark Lance, vice president for DFIR and threat intelligence at GuidePoint Security, No. 39 on CRN’s Solution Provider 500 for 2024.
“Do I think that it was indirect or there was intent to have an impact all these kinds of downstream providers? You never know,” Lance said. When it comes to ransomware groups, “a lot of times, they might not even recognize the level of impact indirectly [an attack] is going to have on downstream providers or services.”
Still, he said, it can’t be entirely ruled out that attackers “might be using that as an opportunity to leverage [the disruption] and make sure they get paid.” And if there continue to be mass-disruption attacks such as these that point toward a “distinct trend,” that would represent a notable shift in attacker tactics, given that threat actors have usually steered clear of attacks that would put a government and law enforcement spotlight on them, Lance noted.
Other high-profile cyberattacks during the first half of 2024 included the widespread compromise of Ivanti VPNs and the breach of Microsoft executive accounts—both of which impacted U.S. government agencies—as well as widespread data-theft attacks targeting customers of Snowflake.
What follows are the details we’ve gathered on 10 major cyberattacks and data breaches in 2024 so far (in chronological order).
Ivanti VPN Attacks
Ivanti’s widely used Connect Secure VPNs saw mass exploitation by threat actors following the January disclosure of two high-severity, zero-day vulnerabilities in the systems. Researchers said thousands of Ivanti VPN devices were compromised during the attacks, with the list of victims including the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Other victims included Mitre, a major provider of federally funded R&D and the promulgator of a cyberattack framework that’s become ubiquitous in the security industry.
While several additional vulnerabilities ultimately were disclosed, researchers at Google Cloud-owned Mandiant reported that the two original Ivanti VPN vulnerabilities saw “broad exploitation activity” by a China-linked threat group tracked as UNC5221, as well as “other uncategorized threat groups.” The attacks by UNC5221 — a “suspected China-nexus espionage threat actor” — went back as far as Dec. 3, the researchers at Mandiant said.
The attacks prompted CISA to issue an urgent order to civilian executive branch agencies, requiring the unusual measure of disconnecting their Ivanti Connect Secure VPNs within 48 hours. Ivanti released the first patch for some versions of its Connect Secure VPN software on Jan. 31, three weeks after the initial vulnerability disclosure. “In this case, we prioritized mitigation releases as patches were being developed, consistent with industry best practices,” Ivanti said in a statement provided to CRN.
Microsoft Executive Accounts Breach
In January, Microsoft disclosed that a Russia-aligned threat actor was able to steal emails from members of its senior leadership team as well as from employees on its cybersecurity and legal teams. The tech giant attributed the attack to a group it tracks as Midnight Blizzard, which has previously been connected to Russia’s SVR foreign intelligence unit by the U.S. government and blamed for attacks including the widely felt 2020 breach of SolarWinds.
Customers known to have been impacted in the incident included multiple federal agencies, CISA confirmed. Through the compromise of Microsoft corporate email accounts, Midnight Blizzard has “exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft,” CISA said in an emergency directive.
In June, Microsoft confirmed that it had sent out more notices to customers impacted by the compromise, which were notified that their emails were viewed. “This is increased detail for customers who have already been notified and also includes new notifications,” the company said in a statement.
The breach, which is believed to have begun in November 2023, saw hackers initially gain access by exploiting a lack of MFA (multifactor authentication) on a “legacy” account, Microsoft said.
SOHO Router Attacks
The FBI said in February that a China-linked threat group was found to have hijacked “hundreds” of small office/home office (SOHO) routers based in the U.S. as part of a campaign to compromise U.S. critical infrastructure providers. The FBI said it succeeded at disrupting the efforts of the group, known as Volt Typhoon, which is backed by the Chinese government. Targets of the Volt Typhoon attacks included providers of critical services including communications, energy, water and transportation, the FBI said.
The routers compromised by the group together formed an assembly of malware-infected devices, known as a botnet, which the threat group could use for launching an attack against U.S. critical infrastructure, the FBI said.
Later in February, the FBI said it disrupted a widespread campaign by Russia-aligned hackers that had compromised “hundreds” of SOHO routers. The attacks were pinned on the Russian intelligence agency GRU, which had also been attempting to use the hijacked routers as a botnet for the purposes of espionage, according to the FBI.
Change Healthcare Attacks
First disclosed Feb. 22, the Change Healthcare attack caused massive disruption in the U.S. health care system for weeks. The IT system shutdown initiated in response to the ransomware attack prevented many pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments.
The Russian-speaking cybercriminal group known by the names Blackcat and Alphv claimed responsibility for the ransomware attack. UnitedHealth Group CEO Andrew Witty confirmed in his Congressional testimony in May that UnitedHealth paid a $22 million ransom following the attack.
Subsequently, a different cybercriminal gang, known as RansomHub, posted data it claimed was stolen from Change Healthcare. UnitedHealth said in late April that data belonging to a “substantial proportion” of Americans may have been stolen in the attack against prescription processor Change Healthcare, a unit of the insurer’s Optum subsidiary. During testimony at a U.S. House of Representatives hearing on May 1, Witty said that “maybe a third” of all Americans were impacted in the attack.
In June, Change Healthcare disclosed that it now believes sensitive patient medical data was exposed in the attack. Medical data stolen during the attack may have included “diagnoses, medicines, test results, images, care and treatment,” according to a data breach notification posted by Change Healthcare.
ConnectWise ScreenConnect Attacks
In February, ConnectWise disclosed that two vulnerabilities had been found that affect its ScreenConnect tool, impacting MSPs using ScreenConnect both on-prem and in the cloud. Mandiant subsequently identified "mass exploitation" of the vulnerabilities by various threat actors. “Many of them will deploy ransomware and conduct multifaceted extortion,” a post on Mandiant’s website states.
ConnectWise said that it quickly “recognized the heightened risk of exploitation with any patching delay” and “employed additional preventative measures,” before releasing patches within days of the disclosure. CISA issued a notice that ConnectWise partners and end customers should pull the cord on all on-prem ScreenConnect servers if they could not update to the latest version amid the attacks.
XZ Utils Compromise
In March, Red Hat and CISA warned that the two latest versions of XZ Utils, a widely used set of data compression tools and libraries in Linux distributions, were found to have been compromised. However, the software supply chain hack—described as a “nightmare scenario” by multiple experts—was discovered by a Microsoft engineer before the compromised software could be distributed broadly.
As disclosed by the original maintainer of the XZ Utils project, a contributor to XZ Utils was responsible for the insertion of the malicious code.
A Microsoft engineer, Andres Freund, said in a post that he discovered the vulnerability after noticing “odd” behavior in installations of Debian, a popular Linux distribution—including that logins were taking longer and using more CPU than usual. Security researchers credited Freund with going the extra mile to hunt down the issue, ultimately revealing the backdoor in the software.
AT&T Breach
In March, AT&T said it was investigating a possible data breach after personal data from more than 70 million current and former customers was discovered on the dark web. The telecommunications giant said it had determined that “AT&T data-specific fields were contained in a data set released on the dark web approximately two weeks ago.” Based on a preliminary analysis, the company said the data set appeared to be from 2019 or earlier and impacts approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders. The company said the discovered data includes personal information such as Social Security numbers.
Ascension Ransomware Attack
Ascension, a health system with 140 hospitals and operations in 19 states and Washington, D.C., said in May that its clinical operations were disrupted after it was struck by a ransomware attack. The nonprofit and Catholic health system said that on May 8 “we detected unusual activity on select technology network systems.”
The May attack, which began when an employee inadvertently downloaded malware, forced Ascension to divert emergency care from some of its hospitals.
Ascension later confirmed that data, including health data belonging to patients, was likely stolen in the attack. “We now have evidence that indicates that the attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks,” the health system said.
Snowflake Customers Targeted
In June, widespread attacks targeting Snowflake customers led to a “significant” volume of data stolen and more than 100 customers known to be potentially impacted, according to researchers from Mandiant.
Neiman Marcus Group is among the latest to join the list of victims of the Snowflake attacks, with other impacted companies including Ticketmaster, Santander Bank, Pure Storage and Advance Auto Parts. The wave of data theft attacks is believed to rely on stolen passwords.
A cybercriminal group has been “suspected to have stolen a significant volume of records from Snowflake customer environments,” researchers at Mandiant said. The impacted accounts had not been configured with MFA (multifactor authentication), Mandiant researchers confirmed.
In its advisory, Snowflake said it is “developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies.”
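The two controls named above, MFA and network policies, map directly onto the failure mode Mandiant described: accounts that accept a password with no second factor and from any source address. The following is an added example, not code from the CRN article, Mandiant or Snowflake, showing how an administrator would audit an account for that exposure and apply a network policy. It assumes the SNOWFLAKE.ACCOUNT_USAGE views LOGIN_HISTORY and USERS with the column names used below; the policy name corp_only_policy and the 203.0.113.0/24 range are placeholders.

```sql
-- Added example (not from the CRN article, Mandiant or Snowflake):
-- two audit queries and one network policy, run in a Snowflake worksheet
-- with a role that can read SNOWFLAKE.ACCOUNT_USAGE (e.g. ACCOUNTADMIN).
-- corp_only_policy and 203.0.113.0/24 are placeholders; view and column
-- names are assumed from the ACCOUNT_USAGE schema.

-- 1. Successful logins in the last 30 days that presented only a password.
--    Every row is a credential for which a leaked password alone would
--    have been sufficient, which is the condition the attacks exploited.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS password_only_logins,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP  BY user_name, client_ip, reported_client_type
ORDER  BY password_only_logins DESC;

-- 2. Active users who can log in with a password but are not enrolled in
--    MFA (Duo). The ::boolean casts keep the filter working whether the
--    view exposes these flags as BOOLEAN or as 'true'/'false' strings.
SELECT name,
       login_name,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::boolean = FALSE
  AND  has_password::boolean = TRUE
  AND  ext_authn_duo::boolean = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 3. Network policy restricting logins to a corporate egress range
--    (placeholder range reserved for documentation by RFC 5737).
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Placeholder: replace with the real egress ranges before use';

-- Attach to a single service user first to confirm nothing legitimate
-- breaks, then apply account-wide.
ALTER USER etl_service SET NETWORK_POLICY = corp_only_policy;   -- placeholder user
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
```

Query 1 is the detection side: a non-empty result from a source address outside the expected range is the signal Mantiant's findings describe, a valid password used without MFA. Query 2 is the preventive inventory, and the service-account rows it returns are usually the hard cases, since those accounts cannot complete an interactive MFA prompt and need key-pair or OAuth authentication plus a network policy instead. Snowflake refuses to set an account-level policy that would exclude the IP address of the session issuing the ALTER ACCOUNT, which is one reason to test on a single user before applying it broadly.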
CDK Global Attack
CDK, a provider of software used by 15,000 dealerships, shut down most of its systems after a pair of cyberattacks struck on June 18 and 19. The company provides SaaS-based CRM, payroll, finance and other key functions for dealerships. In a recorded message for customers heard Monday, the company indicated that the disruptions from the attacks are continuing to impact customers, though CDK said that its “customer care support channels are now live.”
The company said on Friday that it had brought “one of our large public dealers” back onto its core dealer management system (DMS), along with restoring DMS access for a second “small group” of dealerships. CDK had said the first small group was restored onto its DMS system Thursday.
While CDK was working to recover from the first attack on June 18, the company said it was struck by a second attack the following day. “Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems,” CDK said in a previous statement provided to CRN. The system shutdown resulted in an outage that has severely affected thousands of car dealerships.
CDK has declined to comment on media reports indicating that the company was planning to make a ransom payment, purportedly worth tens of millions of dollars, with the goal of recovering its systems more quickly.