
The biggest cybersecurity and cyberattack stories of 2024


2024 was a big year for cybersecurity, with significant cyberattacks, data breaches, new threat groups emerging, and, of course, zero-day vulnerabilities.

Some stories, though, were more impactful or popular with our 31 million readers than others.

Below are fourteen of what BleepingComputer believes are the most impactful cybersecurity stories of 2024, with a summary of each. These stories are in no particular order.

14. Internet Archive hacked

On October 9, the Internet Archive was hit by two different attacks at once—a data breach where the site's user data for 33 million users was stolen and a DDoS attack by an alleged pro-Palestinian group named SN_BlackMeta.

While both attacks occurred over the same period, they were conducted by different threat actors. 

JavaScript alert on Internet Archive warning about the breach (Source: BleepingComputer)

The threat actors who breached Internet Archive told BleepingComputer that they could do so through an exposed GitLab configuration file containing an authentication token, allowing them to download the Internet Archive source code.

This source code contained additional credentials and authentication tokens, including the credentials to Internet Archive's database management system. This allowed the threat actor to download the organization's user database, further source code, and modify the site.
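The chain described above started with an authentication token sitting in a configuration file. The scanner below is an added example, not Internet Archive's or BleepingComputer's code, of the kind of check a pre-commit hook or CI job runs so that a token never ships inside a committed config. The sample config is constructed for this example, its token values are fake, and the key and value patterns are illustrative rather than a complete rule set (the `glpat-` prefix is the one GitLab uses for personal access tokens).

```python
"""Scan configuration text for credential-looking values.

Added example: a minimal secret scanner for config files. It flags lines
whose key name suggests a secret and whose value is not a placeholder, and
lines whose value has the shape of a machine-issued token.
"""
import re
from typing import NamedTuple

# Assignments whose key name suggests a secret (illustrative list, not exhaustive).
SENSITIVE_KEYS = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(token|secret|password|passwd|api_key|private_key)"
    r"[A-Za-z0-9_.-]*)\s*[:=]\s*['\"]?(?P<value>[^'\"\s#]+)",
    re.IGNORECASE,
)

# Value shapes that look like real credentials regardless of the key name.
VALUE_SHAPES = [
    ("gitlab-pat", re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b")),   # GitLab PAT prefix
    ("hex-secret", re.compile(r"\b[0-9a-f]{32,}\b")),             # long hex run
]

# Values a scanner should ignore because they are obviously not live secrets.
PLACEHOLDERS = ("changeme", "xxx", "<redacted>", "${")


class Finding(NamedTuple):
    line_no: int
    kind: str
    key: str
    snippet: str


def looks_like_placeholder(value: str) -> bool:
    v = value.lower()
    return any(p in v for p in PLACEHOLDERS)


def scan_config(text: str) -> list[Finding]:
    """Return one Finding per line that appears to contain a live credential."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SENSITIVE_KEYS.match(line)
        if m and not looks_like_placeholder(m.group("value")):
            findings.append(Finding(n, "sensitive-key", m.group("key"), stripped[:60]))
            continue  # one finding per line is enough
        for kind, pat in VALUE_SHAPES:
            if pat.search(line):
                findings.append(Finding(n, kind, "", stripped[:60]))
                break
    return findings


# Constructed sample config for this example; the token values are fake.
SAMPLE_CONFIG = """\
# constructed sample CI config
image: python:3.12
variables:
  DEPLOY_TOKEN: glpat-FAKEtokenvalue0123456789ab   # must never be committed
  DB_PASSWORD: changeme                            # placeholder, ignored
  api_key = "0123456789abcdef0123456789abcdef"
"""


def demo() -> list[Finding]:
    return scan_config(SAMPLE_CONFIG)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.line_no}: {f.kind} {f.key} -> {f.snippet}")
```

Run it over a repository's config files before commit; the placeholder check keeps `changeme`-style defaults out of the results, and the value-shape rules catch tokens assigned to innocuous key names.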

13. Bad CrowdStrike update crashed 8.5 million Windows devices

On July 19th, 2024, a faulty CrowdStrike Falcon update was pushed out to Windows PCs in the early morning, causing the cybersecurity software's kernel driver to crash the operating system. 

This bug caused significant global disruptions, impacting approximately 8.5 million Windows systems whose owners found their devices had crashed, with no easy way back into the operating system to remove the faulty update other than booting into safe mode.

The bug stemmed from a flaw in CrowdStrike's content validation process, which failed to detect a defective update. This faulty update triggered a series of system crashes, including endless reboot loops that affected both Windows devices and Windows 365 Cloud PCs.

As CrowdStrike is used by many organizations, it quickly caused widespread disruption, impacting financial firms, airlines, and hospitals worldwide who suddenly found their Windows devices and applications were unavailable.

Microsoft released a Windows repair tool to help remove the problematic CrowdStrike driver and restore affected systems. Despite this tool, many organizations faced a lengthy recovery process as each device would need to be manually fixed.

Things got worse when the threat actors started getting into the game.

Cybercriminals distributed fake CrowdStrike repair tools and manuals that pushed malware, including the new Daolpu infostealer. These phishing campaigns targeted organizations attempting to recover from the outage, further prolonging the disruption.

Fake CrowdStrike fix pushing info-stealing malware (Source: BleepingComputer)

Investors soon filed a lawsuit against CrowdStrike, accusing it of negligence in its quality assurance processes and failing to prevent the release of the defective update.

Microsoft also announced that it would be looking into changing its kernel driver handling policies in response to the incident and encouraged antivirus vendors to limit their use of kernel drivers to prevent these types of crashes.

12. Kaspersky banned in the US—software automatically replaced with UltraAV

In June, the Biden administration announced an upcoming ban of Kaspersky antivirus software, giving customers until September 29, 2024, to find alternative security software.

The ban not only involved the sale of Kaspersky software in the US, but also prevented the company from delivering antivirus and security updates to customers.

A month later, Kaspersky began shutting down its operations in the US, telling BleepingComputer that the Biden administration's decisions have made operations "no longer viable."

Kaspersky decided to sell its US customer base to Point Wild (previously Pango) and emailed customers in early September that they would receive a free upgrade to the UltraAV software.

On September 19, Kaspersky users suddenly found their Kaspersky products removed and UltraAV force-installed on their computers whether they wanted it or not.

While in-app notices and emails were sent about the migration, many users either missed them or were unaware, making many customers furious that the software was installed on their devices without permission.

11. Russian state-sponsored hackers breached Microsoft's corporate email

In January, Microsoft disclosed that Russian state-sponsored threat actors breached their corporate email servers in November 2023 to steal email from their leadership, cybersecurity, and legal teams.

Some of these emails contained information about the hacking group itself, allowing the threat actors to learn what Microsoft knew about them.

The hacking group, known as Midnight Blizzard (aka Nobelium, or APT29) is believed to be a state-backed cyberespionage group tied to the Russian Foreign Intelligence Service (SVR).

Microsoft later disclosed that the threat actors conducted a password-spray attack that allowed access to a legacy non-production test tenant account.

This test tenant account also had access to an OAuth application with elevated privileges in Microsoft's corporate environment, allowing the hackers to steal data from corporate mailboxes.
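The initial access described above was a password spray: a few common passwords tried across many accounts, which looks nothing like a brute force against one account. The detector below is an added example, not Microsoft's detection logic or BleepingComputer's code, that flags a source with many distinct usernames and few failures per user inside a time window, and then lists any account that later logged in successfully from that source, which is what an analyst would want to see for a legacy test account. The log format and lines are constructed for this example; the thresholds are assumptions to be tuned per environment.

```python
"""Flag password-spray patterns in authentication logs.

Added example. Spray signature: one source, many distinct accounts,
at most a couple of failures per account, within a short window.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_line(line: str) -> Event:
    """Parse a constructed line: '<ISO timestamp> <OK|FAIL> user=<name> src=<ip>'."""
    ts, result, user_kv, src_kv = line.split()
    return Event(
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        result == "OK",
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


class SprayAlert(NamedTuple):
    src: str
    distinct_users: int
    failures: int
    successes_after: list[str]  # accounts that logged in from this source after the spray began


def detect_spray(lines, window=timedelta(minutes=10), min_users=8, max_per_user=2):
    """One SprayAlert per source whose failures in some sliding window touch at
    least `min_users` distinct accounts with no more than `max_per_user`
    failures each. The widest qualifying window per source is reported."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e.ok]
        best = None          # (distinct_users, failures, window_start)
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1   # slide the window forward
            counts = Counter(e.user for e in fails[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if best is None or len(counts) > best[0]:
                    best = (len(counts), end - start + 1, fails[start].ts)
        if best:
            later_ok = sorted({e.user for e in evs if e.ok and e.ts >= best[2]})
            alerts.append(SprayAlert(src, best[0], best[1], later_ok))
    return alerts


# Constructed log: a spray from 203.0.113.10 that finally opens a legacy test
# account, one user mistyping a password three times, and one normal login.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z FAIL user=alice src=203.0.113.10
2024-01-12T03:00:04Z FAIL user=bob src=203.0.113.10
2024-01-12T03:00:07Z FAIL user=carol src=203.0.113.10
2024-01-12T03:00:10Z FAIL user=dave src=203.0.113.10
2024-01-12T03:00:13Z FAIL user=erin src=203.0.113.10
2024-01-12T03:00:16Z FAIL user=frank src=203.0.113.10
2024-01-12T03:00:19Z FAIL user=grace src=203.0.113.10
2024-01-12T03:00:22Z FAIL user=heidi src=203.0.113.10
2024-01-12T03:00:25Z FAIL user=ivan src=203.0.113.10
2024-01-12T03:00:28Z FAIL user=judy src=203.0.113.10
2024-01-12T03:05:00Z OK user=legacy-test src=203.0.113.10
2024-01-12T03:01:00Z FAIL user=carol src=198.51.100.7
2024-01-12T03:01:05Z FAIL user=carol src=198.51.100.7
2024-01-12T03:01:10Z FAIL user=carol src=198.51.100.7
2024-01-12T03:01:20Z OK user=carol src=198.51.100.7
2024-01-12T03:02:00Z OK user=dave src=192.0.2.5
"""


def demo() -> list[SprayAlert]:
    return detect_spray(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in demo():
        print(a)
```

The repeated failures for `carol` from 198.51.100.7 are not reported, because one account with several attempts is a lockout or brute-force signal rather than a spray; the alert for 203.0.113.10 carries the `legacy-test` success so that the account can be disabled and its OAuth grants reviewed.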

The hackers breached Microsoft again in March 2024 using information found in the stolen emails, allowing them to steal source code repositories.

It kept getting worse, with CISA confirming in April that emails between US federal agencies and Microsoft were also stolen in the attack. These emails contained information that let the hackers gain access to some customer's systems.

10. National Public Data breach exposed your Social Security Number

In August, almost 2.7 billion records of personal information for people in the United States were leaked on a hacking forum, exposing names, social security numbers, all known physical addresses, and possible aliases.

The data was stolen from National Public Data, a company that collects and sells access to personal data for use in background checks, to obtain criminal records, and for private investigators.

Have I Been Pwned's Troy Hunt analyzed the breach and determined it contained 134 million unique email addresses, making this a monstrous data breach.

The threat actors behind the breach attempted to sell it for $3.5 million, but it was eventually leaked for free on a hacking forum.

9. Attacks on edge networking devices run rampant

This year, we continued to see attacks targeting edge networking devices from various manufacturers, including Fortinet, TP-Link, Ivanti, and Cisco. 

These types of devices are valuable targets as they are meant to be exposed to the Internet, and once breached, allow threat actors to pivot into the internal network.

There are too many stories to summarize, so here is a list of the interesting ones:

  • Chinese hackers breached 20,000 FortiGate systems worldwide
  • CISA cautions against using hacked Ivanti VPN gateways even after factory resets
  • The Pacific Rim attacks: US sanctions Chinese firm for hacking firewalls in ransomware attacks
  • Chinese hackers use Quad7 botnet to steal credentials
  • Cisco warns of NX-OS zero-day exploitation to deploy custom malware

It has gotten so bad that the US is considering banning China-made TP-Link routers over cybersecurity concerns.

8. CDK Global ransomware attack takes down the car dealership industry

Car dealership software-as-a-service provider CDK Global suffered a Black Suit ransomware attack, causing the company to shut down its systems and leaving clients unable to operate their business normally.

CDK Global provides clients in the auto industry with a SaaS platform that handles all aspects of a car dealership's operation, including CRM, financing, payroll, support and service, inventory, and back-office operations.

As many of the car dealerships in the US utilize the platform, the outage led to widespread disruption, preventing dealers from tracking and ordering car parts, conducting new sales, and offering financing.

7. The Snowflake data theft attacks

In May, threat actors began selling data that they claimed was stolen from customers of the Snowflake cloud data platform.

After the attacks were investigated, it was determined that the threat actors didn't breach Snowflake itself but rather used compromised credentials to log in to customers' Snowflake accounts.

These credentials are believed to have been stolen through information-stealing malware.

Once they logged into the account, they were able to export the databases and use them to extort companies into paying a ransom for the data not to be publicly released.

AT&T disclosed in July that call logs of 109 million customers were exposed during the incident and that the data was accessed from an online database on the company's Snowflake account.

Ticketmaster was also impacted, with the threat actors claiming to have stolen the data of 560 million customers.

Threat actors claiming to sell Ticketmaster data (Source: BleepingComputer)

Data breaches linked to these attacks, which started in April 2024, have affected hundreds of millions of individuals using the services of AT&T, Ticketmaster, Santander, Pure Storage, Advance Auto Parts, Los Angeles Unified, QuoteWizard/LendingTree, and Neiman Marcus.

In November, the US Department of Justice unsealed an indictment against two people, Connor Riley Moucka and John Erin Binns, who are accused of being behind the attacks.

The threat actors allegedly extorted $2.5 million as part of these attacks, with Wired reporting that AT&T paid $370,000 for the hackers to delete stolen call records.

6. The North Korean IT Worker scheme

This year, we saw an uptick in North Korean IT workers trying to get jobs in the US and other countries to perform cyberespionage and generate revenue for their country's operations.

In May, the Department of Justice charged five individuals, a US citizen woman, a Ukrainian man, and three foreign nationals, for their involvement in helping North Korean IT workers infiltrate US job markets to generate revenue for North Korea's nuclear weapons program.

In July, email security firm KnowBe4 mistakenly hired a North Korean hacker as their Principal Software Engineer, who attempted to install information-stealing malware on the network.

In August, the Justice Department arrested a Nashville man charged with helping North Korean IT workers obtain remote work at companies across the United States and operating a laptop farm they used to pose as U.S.-based individuals.

Both Mandiant and SecureWorks later released reports on the North Korean IT Worker threat, sharing their tactics and how companies can protect themselves.

5. The UnitedHealth Change HealthCare ransomware attack

In February, UnitedHealth subsidiary Change Healthcare suffered a massive ransomware attack that caused massive disruption to the US healthcare industry.

The outages prevented doctors and pharmacies from filing claims and prevented pharmacies from accepting discount prescription cards, causing patients to pay full price for medications.

The attack was ultimately linked to the BlackCat ransomware gang, aka ALPHV, who used stolen credentials to breach the company's Citrix remote access service, which did not have multi-factor authentication enabled.

During the attack, the threat actors stole 6 TB of data and ultimately encrypted computers on the network, causing the company to shut down IT systems to prevent the spread of the attack.

The UnitedHealth Group admitted to paying a ransom demand to receive a decryptor and for the threat actors to delete the stolen data. The ransom payment was allegedly $22 million, according to the BlackCat ransomware affiliate who conducted the attack.

The BlackCat ransomware operation was under immense pressure from law enforcement after the Change Healthcare attacks, causing them to shut down.

After UnitedHealth paid an alleged $20 million ransom, the ransomware operation performed an exit scam, stealing all of the money and not sharing any with the affiliate who conducted the attack.

Affiliate stating BlackCat performed an exit scam (Source: BleepingComputer)

Unfortunately, the affiliate claimed to still have Change Healthcare's data, which they used to extort the healthcare company again, this time using RansomHub's extortion site.

Ultimately, the data disappeared from the extortion site, likely indicating that another ransom was paid.

In October, UnitedHealth confirmed that over 100 million people had their personal and healthcare data stolen, marking this as the largest healthcare data breach in recent years.

4. LockBit disrupted

On February 19, authorities took down LockBit's infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel.

This disruption was part of an international law enforcement operation called Operation Cronos.

Law enforcement seizure message on LockBit's servers (Source: BleepingComputer)

Five days later, LockBit relaunched with new infrastructure and threatened to focus more of its attacks on the government sector.

However, the ransomware gang was never able to return to its previous prominence, with its affiliates moving to other ransomware operations.

Over the past year, law enforcement has continued to target LockBit, identifying and charging seven LockBit ransomware members.

Among those charged is the primary operator of the ransomware operation, who the Department of Justice claims is a Russian national named Dmitry Yuryevich Khoroshev, aka 'LockBitSupp' and 'putinkrab'.

LockBit recently began testing a new encryptor called LockBit 4, which does not appear to be much different than its previous version.

3. Windows 11 Recall: A privacy nightmare?

Microsoft's new AI-powered Windows 11 Recall feature has sparked a lot of concern among the cybersecurity community, with many thinking that it is a massive privacy risk and a new attack vector that threat actors can exploit to steal data.

After receiving tremendous backlash, Microsoft delayed the release of the software to improve its security, making Recall opt-in and requiring users to confirm they are in front of their PC via Windows Hello before they can use it.

Microsoft continued to delay its release while adding features such as automatic filtering of sensitive content, letting users exclude specific apps, websites, or in-private browsing sessions, and making the feature removable if needed.

However, after releasing the software to Windows Insiders for testing, it was discovered that Windows 11 Recall did not properly filter sensitive information, like credit cards.

Microsoft said it continues to refine the product as new issues are discovered.

2. The 2024 Telecom attacks

A Chinese state-sponsored hacking group known as "Salt Typhoon" is linked to a series of cyberattacks targeting telecommunications firms globally.

These breaches compromised at least nine major telecom providers, including AT&T, Verizon, and T-Mobile.

The group reportedly focused on infiltrating telecom infrastructure to steal text messages, phone call information, and voicemails from targeted people. The threat actors also targeted the wiretapping platforms used by the US government, raising serious national security concerns. 

A White House briefing revealed that Salt Typhoon's operations also impacted telecommunications providers in dozens of countries.

In the US, these attacks prompted concerns about weaknesses in telecom infrastructure and the security of government surveillance platforms. 

US lawmakers, including Senator Ron Wyden, have proposed legislation to address vulnerabilities in the nation's telecom infrastructure. The proposed bill aims to establish stricter cybersecurity standards and oversight for telecom providers to prevent similar attacks in the future.

The US government reportedly plans to ban China Telecom's last active US operations in response to the telecom hacks.

1. The rise of Infostealers

Information-stealing malware ran rampant this year, used in many different campaigns to steal infected users' browser information, cookies, saved credentials, credit cards, and cryptocurrency wallets.

While infostealers have been around for many years, they have been particularly prominent with threat actors using them in a wide range of campaigns.

These stolen credentials are then used to breach corporate networks, bank accounts, cryptocurrency exchanges, and email accounts.

The number of stories surrounding infostealers is too long to summarize, so instead, here are a few of the ways infostealers were used this year:

  • Hacker hijacks Orange Spain RIPE account to cause BGP havoc
  • Global infostealer malware operation targets crypto users, gamers
  • Windows vulnerability abused braille "spaces" in zero-day attacks
  • Malicious ads push Lumma infostealer via fake CAPTCHA pages
  • Clever 'GitHub Scanner' campaign abusing repos to push malware
  • Cybercriminals pose as "helpful" Stack Overflow users to push malware

Unfortunately, for those who become infected with an infostealer, it can lead to devastating financial losses as threat actors steal cryptocurrency and access victims' bank accounts. 

The best way to prevent these types of attacks is to enable two-factor authentication with an authenticator app on all accounts that offer the protection. With 2FA enabled, even if a threat actor has your credentials, they won't be able to log in without the code generated by your authenticator.
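To make the last paragraph concrete, the block below is an added example (not BleepingComputer's code) of the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate, wired into a login check that refuses a correct password on its own. The user record, password, salt and clock values are constructed for the example; the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the published table.

```python
"""TOTP (RFC 6238) generation and a login check that requires it.

Added example. hotp() is RFC 4226 HMAC-SHA1 truncation; totp() feeds it the
30-second time-step counter; verify_totp() accepts one step of clock skew.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a given counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code for Unix time `at` (RFC 6238, 30-second steps)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the code for the current step or +/- `skew` steps (clock drift).
    Comparison is constant-time so timing does not leak which digits matched."""
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, at // step + k, digits), code):
            return True
    return False


# Constructed user store. The salt is fixed here only so the example is
# reproducible; a real store generates a random salt per user (os.urandom).
_SALT = b"constructed-salt-for-example"
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test-vector secret, not a real one


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": {"pw": _pw_hash("correct horse"), "totp": TOTP_SECRET}}


def login(user: str, password: str, code: str, at: int) -> bool:
    """True only when both the password and the current TOTP code are right.
    A stolen password alone (code empty or stale) is rejected."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password)):
        return False
    return verify_totp(rec["totp"], code, at)


if __name__ == "__main__":
    now = int(time.time())
    print("current code for alice:", totp(TOTP_SECRET, now))
    print("password only:", login("alice", "correct horse", "", now))
    print("password + code:", login("alice", "correct horse", totp(TOTP_SECRET, now), now))
```

The codes for the test-vector secret match the RFC 6238 table (for example `287082` at T=59 with six digits), and `login` shows the property the paragraph describes: the leaked password is necessary but not sufficient.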
