
Executive Summary
The first half of 2024 has been marked by a series of significant cyberattacks and data breaches, affecting a wide range of sectors including healthcare, technology, and critical infrastructure. This report delves into the technical intricacies of these incidents, highlighting the vulnerabilities exploited, the threat actors involved, and the impact on organizations. Our analysis is based on data from the CRN article "10 Major Cyberattacks And Data Breaches In 2024 (So Far)" and other open-source intelligence sources. The report aims to equip Rescana's customers with the knowledge needed to bolster their cybersecurity defenses.
Technical Information
In January 2024, two high-severity, zero-day vulnerabilities were discovered in Ivanti's Connect Secure VPNs. These vulnerabilities were rapidly exploited by threat actors, leading to widespread compromises. The China-linked threat group UNC5221 was identified as a primary actor, suspected of conducting espionage activities. The impact was severe, with victims including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Mitre. CISA responded with an urgent directive to disconnect affected VPNs. Ivanti released patches on January 31, 2024, and organizations are strongly advised to apply these patches immediately and monitor for unusual activity. For more details, refer to Mandiant's report on UNC5221 and CISA's emergency directive.
Another major incident involved the breach of Microsoft executive accounts due to the lack of multifactor authentication (MFA) on a legacy account. The Russia-aligned group Midnight Blizzard, linked to Russia’s SVR, was responsible for this breach, compromising emails of Microsoft’s senior leadership and multiple U.S. federal agencies. To mitigate such risks, it is crucial to implement MFA on all accounts and review access controls. Relevant information can be found in CISA's emergency directive and Microsoft’s security advisory.
Small office/home office (SOHO) routers were also targeted, with exploitation by China-linked Volt Typhoon and Russia's GRU in separate campaigns. These attacks targeted U.S. critical infrastructure providers, forming botnets for potential attacks. Regular firmware updates and network segmentation are recommended as mitigation strategies. The FBI's disruption reports provide further insights.
In the healthcare sector, Change Healthcare fell victim to a ransomware attack by the Blackcat/Alphv group. This attack involved data extortion and disruption of healthcare services, with UnitedHealth paying a $22 million ransom. The data of a substantial proportion of Americans was stolen. Strengthening incident response plans and conducting regular backups are essential mitigation measures. Congressional testimony by UnitedHealth's CEO and claims by the Blackcat/Alphv group offer additional context.
The ConnectWise ScreenConnect tool was compromised through two vulnerabilities, leading to mass exploitation by various threat actors and subsequent ransomware deployment. Managed Service Providers (MSPs) using ScreenConnect were particularly affected. Prompt application of patches and additional preventative measures are advised. Mandiant’s exploitation report and CISA’s advisory provide further details.
A significant software supply chain attack was averted with the discovery of compromised versions of XZ Utils. Malicious code was inserted by a contributor, posing a potentially widespread threat. Verifying software integrity and monitoring for unusual behavior are critical. Microsoft engineer Andres Freund's discovery, along with warnings from Red Hat and CISA, highlights the importance of vigilance.
AT&T experienced a data breach involving personal data from 2019 or earlier, with the data discovered on the dark web. Over 70 million current and former customers were affected. Enhancing data protection measures and conducting regular audits are necessary steps to prevent such breaches. AT&T’s investigation report provides further insights.
The Ascension ransomware attack was initiated by malware downloaded by an employee, leading to data theft and service disruption. Emergency care was diverted, and patient health data was exposed. Employee training and network monitoring are crucial to prevent similar incidents. Ascension’s public statements offer additional information.
Snowflake customers were targeted due to the lack of MFA on customer accounts, resulting in data theft using stolen passwords. Over 100 customers, including major companies, were potentially impacted. Implementing MFA and enforcing strong password policies are essential. Mandiant’s advisory and Snowflake’s security plan provide further guidance.
Finally, CDK Global faced cyberattacks leading to system shutdowns, with potential ransom payments to recover systems. Thousands of car dealerships were disrupted. Strengthening cybersecurity defenses and incident response is imperative. CDK’s customer communications offer further details.
Exploitation in the Wild
The exploitation of the Ivanti VPN vulnerabilities by UNC5221 involved sophisticated techniques aimed at espionage. Indicators of Compromise (IOCs) include unusual VPN access patterns and unauthorized data exfiltration. Midnight Blizzard's breach of Microsoft accounts was characterized by targeted phishing campaigns and exploitation of legacy systems. The SOHO router attacks by Volt Typhoon and GRU involved the creation of botnets, with IOCs including unusual network traffic and unauthorized access attempts. Blackcat/Alphv's ransomware attack on Change Healthcare involved data encryption and extortion, with IOCs including ransomware notes and encrypted files. The exploitation of ConnectWise ScreenConnect vulnerabilities involved unauthorized access and ransomware deployment, with IOCs including unusual remote access patterns and ransomware signatures. The XZ Utils compromise involved malicious code insertion, with IOCs including unexpected software behavior and unauthorized code changes. The AT&T data breach involved data exfiltration, with IOCs including unauthorized access to customer data and data found on the dark web. The Ascension ransomware attack involved malware infection, with IOCs including ransomware notes and encrypted files. The Snowflake customer data theft involved unauthorized access, with IOCs including unusual login attempts and data exfiltration. The CDK Global cyberattacks involved system shutdowns, with IOCs including unauthorized access attempts and system disruptions.
APT Groups Involved in These Incidents
The China-linked threat group UNC5221 was primarily responsible for exploiting the Ivanti VPN vulnerabilities, targeting sectors such as critical infrastructure and government agencies in the United States. Midnight Blizzard, linked to Russia’s SVR, exploited the Microsoft executive accounts breach, targeting U.S. federal agencies and technology companies. Volt Typhoon and GRU, linked to China and Russia respectively, targeted SOHO routers, focusing on U.S. critical infrastructure providers. The Blackcat/Alphv group targeted Change Healthcare, impacting the healthcare sector in the United States. Various threat actors exploited the ConnectWise ScreenConnect vulnerabilities, affecting MSPs globally. The XZ Utils compromise involved a malicious contributor, with potential impacts on software supply chains worldwide. The AT&T data breach involved unknown threat actors, affecting telecommunications customers in the United States. The Ascension ransomware attack involved unknown threat actors, impacting the healthcare sector in the United States. The Snowflake customer data theft involved unknown threat actors, affecting technology companies globally. The CDK Global cyberattacks involved unknown threat actors, impacting the automotive sector in the United States.
Affected Product Versions
The Ivanti VPN vulnerabilities affected Connect Secure VPN versions prior to the January 31, 2024 patch. The Microsoft executive accounts breach involved legacy accounts without MFA. The SOHO router attacks affected various router models from multiple manufacturers. The Change Healthcare ransomware attack affected systems within UnitedHealth. The ConnectWise ScreenConnect vulnerabilities affected versions prior to the latest patch. The XZ Utils compromise affected versions with the malicious code insertion. The AT&T data breach involved data from 2019 or earlier. The Ascension ransomware attack affected systems within Ascension. The Snowflake customer data theft involved accounts without MFA. The CDK Global cyberattacks affected systems within CDK Global.
Workaround and Mitigation
To mitigate the risks associated with the Ivanti VPN vulnerabilities, organizations should apply the patches released on January 31, 2024, and monitor for unusual activity. For the Microsoft executive accounts breach, implementing MFA on all accounts and reviewing access controls are essential. To prevent SOHO router attacks, regular firmware updates and network segmentation are recommended. For the Change Healthcare ransomware attack, strengthening incident response plans and conducting regular backups are crucial. To mitigate the ConnectWise ScreenConnect vulnerabilities, applying patches promptly and employing additional preventative measures are advised. To prevent XZ Utils compromise, verifying software integrity and monitoring for unusual behavior are critical. For the AT&T data breach, enhancing data protection measures and conducting regular audits are necessary. To prevent Ascension ransomware attacks, employee training and network monitoring are crucial. For the Snowflake customer data theft, implementing MFA and enforcing strong password policies are essential. To mitigate CDK Global cyberattacks, strengthening cybersecurity defenses and incident response is imperative.
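The MFA gaps behind the Microsoft executive-account and Snowflake incidents described above reduce to one detectable condition: an account that authenticates with a password alone. The Python below is an added example, not code from the CRN article or from Rescana; it runs over constructed login records (the field layout, user names and IP addresses are assumptions) and flags password-only accounts and first-seen source addresses, the kind of audit the mitigation guidance in this section calls for.

```python
from collections import defaultdict

# Constructed sample login records; the field order mirrors what a SaaS
# login-history view typically exposes (not real Snowflake or Microsoft data):
# (timestamp, user, source_ip, first_factor, second_factor, success)
SAMPLE_LOGINS = [
    ("2024-05-20T08:01:00", "alice", "203.0.113.10", "PASSWORD", "DUO_PUSH", True),
    ("2024-05-20T08:05:00", "svc_legacy", "203.0.113.10", "PASSWORD", None, True),
    ("2024-05-21T02:14:00", "svc_legacy", "198.51.100.7", "PASSWORD", None, True),
    ("2024-05-21T02:15:00", "bob", "198.51.100.7", "PASSWORD", None, False),
    ("2024-05-21T02:16:00", "bob", "198.51.100.7", "PASSWORD", None, True),
    ("2024-05-22T09:00:00", "carol", "203.0.113.44", "OAUTH_ACCESS_TOKEN", None, True),
]

def password_only_users(records):
    """Users who authenticated with a password and never presented a second factor.
    Federated/OAuth-only users are skipped: their MFA is enforced by the IdP."""
    used_password, used_mfa = set(), set()
    for _, user, _, first, second, ok in records:
        if not ok:
            continue
        if first == "PASSWORD":
            used_password.add(user)
        if second is not None:
            used_mfa.add(user)
    return sorted(used_password - used_mfa)

def new_source_logins(records):
    """Successful logins from a source IP the user had not used before.
    Each user's first login seeds the baseline and is not flagged."""
    known = defaultdict(set)
    flagged = []
    for ts, user, ip, _, _, ok in sorted(records, key=lambda r: r[0]):
        if not ok:
            continue
        if known[user] and ip not in known[user]:
            flagged.append((user, ip, ts))
        known[user].add(ip)
    return flagged

def mfa_gap_report(records):
    """Join both signals: password-only accounts that also appeared from a new source."""
    weak = set(password_only_users(records))
    return [hit for hit in new_source_logins(records) if hit[0] in weak]

if __name__ == "__main__":
    for hit in mfa_gap_report(SAMPLE_LOGINS):
        print("review:", hit)
```

Feed the same functions a real login-history export (with MFA enforced on the accounts they flag) and the report shrinks to the federated and MFA-backed logins that remain.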
References
CRN Article: "10 Major Cyberattacks And Data Breaches In 2024 (So Far)" https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far
Mandiant Reports https://www.mandiant.com/resources/reports
CISA Directives https://www.cisa.gov/publications/directives
FBI Disruption Reports https://www.fbi.gov/news/stories/disruption-reports
Microsoft Security Advisories https://www.microsoft.com/security/blog/advisories
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat intelligence and vulnerability management, enabling organizations to proactively identify and mitigate risks. We are here to support you in strengthening your cybersecurity posture and addressing any challenges you may face. If you have any questions about this report or any other issue, please feel free to reach out to us at ops@rescana.com.