In 2024, cyberattacks have not slowed down; the year has already been marked by several significant data breaches and ransomware attacks that pose severe threats to public safety. These incidents have caused substantial harm to the affected companies and industries and warrant heightened vigilance and preventive measures. This article compiles the ten most significant cyberattacks and data breaches that have occurred so far in 2024 (in chronological order) for study and analysis.
1. Ivanti VPN Attack
In January this year, threat intelligence company Volexity discovered two zero-day vulnerabilities affecting Ivanti Connect Secure (ICS) VPN and Policy Secure network access control (NAC) devices—CVE-2023-46805 authentication bypass and CVE-2024-21887 command injection vulnerability—that were being widely exploited.
Attackers were using a GIFTEDVISITOR webshell variant to backdoor target systems, with Volexity finding that over 1,700 ICS VPN devices were compromised by the GIFTEDVISITOR webshell. These devices were used to indiscriminately attack victims, including government and military departments, national telecom companies, defense contractors, technology firms, banks, financial and accounting institutions, global consulting firms, and aerospace, aviation, and engineering companies.
These attacks prompted CISA to issue an urgent directive to U.S. federal agencies to take emergency measures, including disconnecting their ICS VPN connections within 48 hours. On January 31, three weeks after the initial disclosure of the vulnerabilities, Ivanti released its first patch for some versions of the Connect Secure VPN software.
2. Microsoft Executive Account Breach
On January 19, Microsoft announced that its systems were breached by Russian hackers who accessed a “very small proportion” of corporate email accounts. The compromised accounts belonged to senior leadership team members, cybersecurity and legal department employees, and individuals engaged in “other functions.”
The tech giant attributed the attack to a group called “Midnight Blizzard,” which previously conducted a large-scale attack on U.S. IT company SolarWinds in 2020, exposing sensitive information of the U.S. federal government.
According to Microsoft, Midnight Blizzard first accessed the company’s systems through a “password spraying” attack in late November, a strategy where malicious actors use the same password across multiple accounts. However, Microsoft stated that the threat to its systems was not detected until late January. This indicates that the hackers had access to the affected email accounts for up to two months, and the compromised email accounts might not have had 2FA enabled.
Initial investigations by Microsoft suggested that Midnight Blizzard targeted corporate email accounts to gather information about themselves and managed to exfiltrate “some emails and attached documents.” Microsoft stated that this attack was not due to vulnerabilities in Microsoft products or services, and there was no evidence that the threat actors accessed customer environments, production systems, source code, or AI systems.
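The password-spraying pattern described above is hard to see per account (each account sees only one or two failures) but stands out per source. The detector below is an added example, not code from the article or from Microsoft; the log format, field names and IP addresses are constructed for illustration:

```python
"""Password-spray detection over constructed auth log lines (added example,
not from the article or Microsoft). Spraying is the inverse of brute force:
one source tries a few passwords against MANY accounts, so per-account
lockout thresholds never fire; the tell is distinct users per source."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source spraying four accounts, and one ordinary user
# (erin) mistyping her password twice before logging in.
SAMPLE_LOG = """\
2024-11-20T03:01:12Z src=203.0.113.5 user=alice result=FAIL
2024-11-20T03:01:15Z src=203.0.113.5 user=bob result=FAIL
2024-11-20T03:01:19Z src=203.0.113.5 user=carol result=FAIL
2024-11-20T03:01:24Z src=203.0.113.5 user=dave result=SUCCESS
2024-11-20T03:05:00Z src=198.51.100.7 user=erin result=FAIL
2024-11-20T03:05:09Z src=198.51.100.7 user=erin result=FAIL
2024-11-20T03:05:20Z src=198.51.100.7 user=erin result=SUCCESS
"""

def parse_line(line):
    """Split 'ts key=value ...' into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect_spray(log_text, window=timedelta(minutes=30), min_accounts=3):
    """Flag sources whose failures hit >= min_accounts distinct users within
    `window`. Returns {src: {"accounts": [...], "succeeded": [...]}}; the
    'succeeded' accounts are the ones to reset and enforce MFA on first."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            by_src[e["src"]].append(e)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):  # sliding window per source
            in_win = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            failed = {e["user"] for e in in_win if e["result"] == "FAIL"}
            if len(failed) >= min_accounts:
                flagged[src] = {
                    "accounts": sorted({e["user"] for e in in_win}),
                    "succeeded": sorted(e["user"] for e in in_win
                                        if e["result"] == "SUCCESS"),
                }
                break
    return flagged
```

The ordinary user's repeated failures on a single account are not flagged, which is the distinction that per-account lockout rules alone cannot make.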
3. SOHO Router Attacks
In February, the Volt Typhoon group hijacked “hundreds” of small office/home office (SOHO) routers in the U.S., using them to form a botnet to attack critical infrastructure in the country. The FBI indicated that the targets of the Volt Typhoon attacks included key service providers in communications, energy, water, and transportation.
Later that month, the U.S. government dismantled another SOHO router botnet that Russian cyber spies had been using for malware operations. This botnet, originally built with the known “Moobot” malware, was later taken over by the Russian APT group APT28 (also known as Forest Blizzard, Sofacy, and Fancy Bear, and linked to the Russian GRU).
According to the FBI, non-GRU cybercriminals first installed Moobot malware on Ubiquiti EdgeOS routers that were still using publicly known default admin passwords. GRU hackers then used the Moobot malware to install their own custom scripts and files, repurposing the botnet into a global cyber espionage platform.
4. Change Healthcare Ransomware Attack
The Change Healthcare attack was first disclosed on February 22, resulting in large-scale disruptions to the U.S. healthcare system for several weeks. The IT systems were forced offline due to the ransomware attack, causing many pharmacies, hospitals, and other healthcare facilities and offices to be unable to process claims and receive payments.
A Russian cybercriminal organization named Blackcat (also known as Alphv) claimed responsibility for the ransomware attack and stated that it received $22 million in ransom from UnitedHealth after the attack.
Subsequently, another cybercriminal group named RansomHub published data allegedly stolen from Change Healthcare. UnitedHealth reported at the end of April that approximately one-third of Americans’ data might have been stolen in the Change Healthcare attack.
In June, Change Healthcare acknowledged that sensitive patient medical data was exposed in the attack, potentially involving “diagnoses, medications, test results, images, care plans, and treatment options.”
5. ConnectWise ScreenConnect Attack
In February, ConnectWise disclosed two vulnerabilities affecting its ScreenConnect tool, impacting both on-premises and cloud deployments of ScreenConnect by MSPs. Security firm Mandiant subsequently identified various threat actors exploiting these vulnerabilities on a large scale, many of whom deployed ransomware and engaged in multifaceted extortion.
Fortunately, ConnectWise quickly recognized that “any patch delay would increase the risk of exploitation” and took additional preventive measures, releasing patches within a few days of disclosure. CISA also issued a notification stating that if ConnectWise partners and end customers could not upgrade to the latest version during the attack, they should disconnect all local ScreenConnect servers to minimize the impact of the attack.
6. XZ Utils Attack
XZ Utils, a widely used data compression tool and library in Linux distributions, was compromised in March. Red Hat and CISA issued warnings that the two most recent versions of XZ Utils were affected. The vulnerability was initially disclosed by a Microsoft engineer before the compromised software had spread widely.
On March 29, Microsoft PostgreSQL developer Andres Freund emailed OSS-Security about a backdoor found in xz/liblzma, involving a supply chain attack with obfuscated malicious code. Andres discovered the vulnerability after noticing “strange” behavior while installing Debian (a popular Linux distribution), such as longer login times and higher CPU usage.
As revealed by the original maintainers of the XZ Utils project, a code contributor inserted malicious code, ultimately leading to a successful backdoor implant in sshd across numerous Linux distributions, triggering a “nightmarish” software supply chain attack crisis.
7. AT&T Data Breach
In March, AT&T announced it was investigating a potential data breach after discovering personal data of over 70 million current and former customers on the dark web. The telecom giant stated that it identified a data set published on the dark web about two weeks prior containing specific fields of AT&T data. Preliminary analysis suggested that the dataset appeared to originate from 2019 or earlier, affecting about 7.6 million current AT&T account holders and approximately 65.4 million former account holders. The discovered data included personal information such as names, home addresses, phone numbers, and Social Security numbers.
Following the incident, AT&T reset passwords for the affected 7.6 million current users and indicated that it was actively contacting these customers and the 65.4 million former account holders who also suffered a breach.
8. Ascension Ransomware Attack
Ascension, one of the largest healthcare systems in the U.S. with 140 hospitals and operations across 19 states and Washington D.C., revealed in May that it suffered a ransomware attack due to an employee inadvertently downloading malicious software. The attack impacted the MyChart electronic health records system, telephone systems, and systems used for ordering tests, surgeries, and medications, prompting the healthcare giant to take some devices offline to contain the ransomware attack’s impact.
Ascension also suspended some non-emergency elective surgeries, tests, and appointments, and redirected emergency services to other medical units to avoid triage delays. Several federal agencies, including the Department of Health and Human Services and the FBI, were involved in recovery efforts to minimize disruption to patient care.
Although Ascension later confirmed that evidence indicated the threat actors only accessed and stole files from seven of the thousands of servers on its network, the incident underscored the urgent need to enhance healthcare cybersecurity resilience.
9. Snowflake Data Breach
In June, Mandiant researchers reported a large-scale attack on Snowflake customers resulting in “significant” data theft, affecting over 100 known clients, including Ticketmaster, Santander Bank, Pure Storage, Advance Auto Parts, and cybersecurity giant Cylance.
Mandiant researchers noted that a group of hackers exploited credentials obtained through information-stealing malware to carry out large-scale attacks on Snowflake accounts not protected by multi-factor authentication (MFA) and Snowflake customer instances with no access restrictions for untrusted locations. Some of the credentials used by the hackers were several years old.
Snowflake stated in its advisory that it is “developing a plan to require customers to implement advanced security controls, such as multi-factor authentication (MFA) or network policies.”
10. CDK Global Cyberattack
After experiencing two consecutive cyberattacks on June 18 and 19, CDK Global, which provides software for 15,000 dealers, was forced to shut down most of its systems. The cyberattacks had a profound impact on CDK Global’s major clients, including General Motors dealers, Group 1 Automotive, Asbury Automotive Group, AutoNation, Lithia Motors, Penske, Sonic Automotive, and Holman, all of which rely heavily on CDK’s software for managing daily operations from sales transactions to inventory management.
Due to the system shutdown, some dealers began processing orders manually. Other services, such as state inspections, repairs, and parts distribution, also experienced disruptions in certain regions. Reports indicated that CDK planned to pay a ransom reportedly worth tens of millions of dollars to expedite system recovery, but CDK declined to comment on the matter.