
7 biggest cybersecurity stories of 2024 – Source: www.csoonline.com


Source: www.csoonline.com – Author: John Leyden

Feature

24 Dec 2024 | 10 mins

Data Breach, Ransomware, Regulation

CrowdStrike, Change Healthcare, rising ransomware threats and cyber regulations — here’s what dominated the headlines this year and how CISOs and cyber pros are adapting.

Cybersecurity headlines were plenty this year, with several breaches, attacks, and mishaps drawing worldwide attention.

But a few incidents in particular had far-reaching consequences, with the potential to reshape industry protections, shake up how vendors secure customers’ systems, or drive security leaders to reassess their strategies.

Longer-term trends such as increased cybersecurity regulations and the impact of AI on the industry also had and will have a significant impact on IT security operations in 2024 and beyond.

Here is a look at the cybersecurity stories of the year, along with perspective on how these happenings are reshaping CISOs’ strategies and tactics in defending the enterprise.

Change Healthcare ransomware attack

A ransomware attack on UnitedHealth Group–owned Change Healthcare caused widespread disruption in February.

Cybercriminals affiliated with the ALPHV/BlackCat ransomware gang broke into Change Healthcare’s systems using leaked credentials to access a Citrix portal account that was not protected by multifactor authentication. They siphoned off sensitive data — names, Social Security numbers, diagnoses, treatment plans, and financial data, later estimated to affect up to 112 million people — before deploying ransomware.

The US Department of Health and Human Services (HHS) is investigating whether a breach of protected health information occurred, as part of assessing whether either UHG or Change Healthcare violated the healthcare sector’s strict privacy regulations.

Change Healthcare — which operates the US’s biggest clearinghouse for medical insurance claims — took its systems offline in response to the attack, which paralyzed large parts of the US healthcare system for weeks. Thousands of pharmacies and healthcare providers experienced disruption because electronic payments and medical claims could not be processed.

Patients were forced to pay for many of their medications out of pocket instead of relying on copays or coupons. The breach threatened many medical providers with insolvency. UnitedHealth Group offered $2 billion in assistance to healthcare providers affected by the attack.

The combined costs of accelerated payments and no-interest, no-fee loans to thousands of affected providers, together with incident response efforts, a complete rebuild of Change Healthcare’s systems, and revenue losses, mean the total cost of the breach is expected to exceed $1 billion.

It later emerged that Change Healthcare paid the equivalent of $22 million in Bitcoin to a cryptocurrency wallet associated with ALPHV in the wake of the attack. That didn’t stop the RansomHub group from attempting to extort UnitedHealth over the release of sensitive information stolen during the breach.

The attack provoked calls to mandate baseline security standards for healthcare providers during Congressional hearings in April. Questions were also raised about how consolidation is making the healthcare sector more vulnerable to cyberattacks.

Even though the faulty update was quickly withdrawn, the resulting outage affected organizations worldwide across multiple sectors, including airlines, banks, broadcasters, and hospitals.

In the wake of the outage, CrowdStrike strengthened its pre-release testing processes and improved quality control. The incident highlighted the critical importance of robust testing and failsafe mechanisms for security software.

In response to the outage, Microsoft began evaluating whether security vendors need kernel-level access to work effectively. By running in the kernel, security software gains greater visibility and the opportunity to thwart low-level malware, but the approach means that if there is a problem in that software, the whole system crashes into the infamous blue screen of death.

In addition to bringing worldwide attention to kernel-level and software testing issues, the incident highlighted for CISOs and CIOs IT’s overdependence on administrative software, the need to reassess cloud concentration risk, and the importance of having a robust business continuity plan, among other key strategic issues.

Widespread Snowflake breaches linked to MFA shortcomings

Account hacks involving cloud-based data warehousing firm Snowflake led to multiple high-profile data breaches, affecting organizations including AT&T, Ticketmaster, Neiman Marcus Group, and Advance Auto Parts.

Cybercrime group UNC5537 systematically compromised Snowflake customer instances using stolen customer credentials before exfiltrating sensitive data. This compromised data was used in attempts to extort money from many of its victims or offered for sale through cybercrime forums, according to an investigation by Mandiant, the threat intel division of Google.

In a regulatory filing, AT&T admitted in July that cybercriminals had stolen the phone and text message metadata of 110 million people. The compromised information included records of calls or texts but not the contents of any text messages or customers’ personally identifiable information. The US telco reportedly paid criminals $377,000 to delete the stolen phone records.

The issue was first uncovered in April after Mandiant tracked a data breach back to a Snowflake instance compromised using credentials previously stolen through infostealer malware. Subsequent work revealed this pattern repeated in multiple cases, many of which could be traced back to historic malware infections dating back to 2020.

Mandiant and Google notified 165 potentially affected organizations. The hacking spree was blamed on compromised credentials for Snowflake customer accounts where multifactor authentication was not enabled, rather than on any breach of Snowflake’s own environment.

LockBit takedown fails to curtail ransomware threats

In other cybercrime-related news, the LockBit ransomware gang was disrupted in a major international police operation in February. Servers and web domains linked to the gang were seized, rogue accounts were closed, and suspects were arrested in Poland and Ukraine as part of Operation Cronos.

Despite the takedown, attacks with LockBit ransomware or variants thereof were later reported, and reports that elements of the group intended to revive their operations began to surface as well. As before, these scams typically involve attempts to extort victims over the threatened release of stolen data alongside demanding payments for decryption keys.

LockBit — a major ransomware-as-a-service operation — made an estimated $90 million from attacking US victims alone between January 2020 and June 2023.

London-based multinational design and engineering company Arup fell victim to a deepfake scam that cost it HK$200 million ($25.6 million). A finance worker at its Hong Kong office was tricked into authorizing the transaction after attending a videoconference call during which fraudsters used deepfake technology to impersonate its UK-based chief financial officer.

Deepfakes are also starting to feature as an element in North Korean fake IT worker scams, in which North Korean operatives pose as legitimate IT professionals in attempts to gain employment at Western firms. If hired, these “remote workers” exploit their insider access to steal sensitive or proprietary information while collecting a salary that is funnelled back to the North Korean regime.

More than 300 businesses are believed to have fallen victim to the fake IT worker scam, which is estimated to have generated millions in revenue for the North Korean government, allowing it to evade international sanctions while funding its weapons programs.

NPD breach fallout

A breach of US background checking firm National Public Data exposed 2.9 billion records covering hundreds of millions of people. The hack took place in December 2023 but only became general knowledge after a 4TB dump of stolen data was posted to a cybercrime forum in July 2024.

The breach exposed the Social Security numbers, names, mailing addresses, emails, and phone numbers of an estimated 170 million people, in the US, UK, and Canada.

In October 2024, National Public Data, which faced several lawsuits in the wake of the breach, filed for bankruptcy.

Regulatory pressures on the rise

The Salt Typhoon cyber-espionage attacks on telecom providers, blamed on China, prompted plans to oblige telecom carriers to tighten up their security.


Original Post url: https://www.csoonline.com/article/3629818/7-biggest-cybersecurity-stories-of-2024.html

Category & Tags: Cloud Security, Data Breach, Endpoint Protection, Generative AI, Healthcare Industry, Ransomware, Regulation, Technology Industry, Vulnerabilities
