This year, cybersecurity made headlines, with several breaches, attacks, and incidents capturing the world’s attention.
But some incidents in particular have had far-reaching consequences, with the potential to reshape industry protections, alter how providers protect customer systems, or prompt security leaders to reevaluate their strategies.
Longer-term trends, such as stricter cybersecurity regulations and the effect of AI on the industry, have also had and will have a significant impact on IT security operations in 2024 and beyond.
Here is a look at the cybersecurity stories of the year, along with perspective on how these happenings are reshaping CISOs’ strategies and tactics in defending the enterprise.
A ransomware attack on Change Healthcare, owned by UnitedHealth Group, caused widespread disruption in February.
Cybercriminals affiliated with the ALPHV/BlackCat ransomware gang broke into Change Healthcare’s systems using leaked credentials for a Citrix portal account that was not protected by multifactor authentication. They siphoned off sensitive data — names, Social Security numbers, diagnoses, treatment plans, and financial data, later estimated to affect up to 112 million people — before deploying ransomware.
The U.S. Department of Health and Human Services (HHS) is investigating whether a health data breach occurred by assessing whether UHG or Change Healthcare violated the healthcare industry’s strict privacy regulations.
Change Healthcare, which operates the largest U.S. clearinghouse for health insurance claims, pulled the plug on its systems in reaction to the attack, which paralyzed much of the U.S. healthcare system for weeks. Thousands of pharmacies and health service providers were affected because electronic bills and medical claims could not be processed.
Patients were forced to pay for many of their medications out of pocket instead of using their co-pays or coupons. The breach threatened many medical providers with insolvency. UnitedHealth Group provided $2 billion in aid to healthcare providers affected by the attack.
The combined costs of accelerated payments and interest-free, fee-free loans to thousands of affected providers, along with incident response efforts, a complete rebuild of Change Healthcare’s systems, and lost revenue, mean the total cost of the breach runs into the billions of dollars.
It later emerged that Change Healthcare paid the equivalent of $22 million in Bitcoin to a cryptocurrency wallet associated with ALPHV in the wake of the attack. That didn’t stop the RansomHub group from attempting to extort UnitedHealth over the release of sensitive information stolen during the breach.
The attack sparked calls, in congressional hearings in April, to impose mandatory cybersecurity standards on healthcare providers. Questions have also been raised about how consolidation is making the healthcare sector more vulnerable to cyberattacks.
Overall, the incident drew global attention to the growing wave of cyberattacks against the healthcare sector, with ransomware considered the core risk to the sector. CISOs in healthcare and other industries have learned several lessons from the fiasco.
A faulty configuration update to CrowdStrike’s Falcon Sensor security software crashed Windows systems running the software in July. The content update to Channel File 291 caused an out-of-bounds memory read in the Windows sensor client, crashing affected Windows PCs and servers and sending them into a boot loop.
An estimated 8.5 million Windows devices were affected.
Even though the faulty update was quickly withdrawn, the resulting outage affected organizations worldwide across multiple sectors, including airlines, banks, broadcasters, and hospitals.
Following the outage, CrowdStrike tightened its update validation processes and improved its quality assurance. The incident highlighted the critical importance of robust and failsafe mechanisms for security software.
In reaction to the outage, Microsoft initiated a process to evaluate whether security vendors need kernel-level access to function effectively. By running in the kernel, security products gain greater visibility and the ability to thwart low-level malware, but the approach means that if something goes wrong, the whole system hits the infamous Blue Screen of Death.
In addition to drawing global attention to software quality issues and kernel-level testing, the incident highlighted CISOs’ and CIOs’ over-reliance on security software, the need to rethink the risk of cloud concentration, and the importance of having a robust business continuity plan, among other strategic issues.
Account hacks involving cloud-based data storage company Snowflake have led to several high-profile data breaches, affecting organizations such as AT&T, Ticketmaster, Neiman Marcus Group, and Advance Auto Parts.
Cybercrime group UNC5537 systematically compromised Snowflake customer instances using stolen customer credentials before exfiltrating sensitive data. This compromised data was used in attempts to extort money from many of its victims or offered for sale through cybercrime forums, according to an investigation by Mandiant, the threat intel division of Google.
In a regulatory filing, AT&T admitted in July that cybercriminals had stolen the phone and text message metadata of 110 million people. The compromised information included records of calls or texts but not the contents of any text messages or customers’ personally identifiable information. The US telco reportedly paid the criminals $377,000 to delete the stolen phone records.
The issue was first discovered in April after Mandiant traced a data breach to Snowflake credentials that had previously been compromised and stolen via data-stealing malware. Subsequent work found that this pattern was repeated in several cases, many of which could be traced to old malware infections dating back to 2020.
Mandiant and Google have notified 165 potentially affected organizations. The hacking wave was blamed on compromised credentials for Snowflake customer accounts on which multi-factor authentication was not enabled, rather than on any breach of Snowflake’s own environment.
In response, Snowflake published detection and hardening guidance for its customers.
Two suspects – Connor Riley Moucka of Kitchener, Ont., and John Binns, an American in Turkey – were indicted by US prosecutors in October for their alleged involvement in the Snowflake data breaches.
The widespread attacks underscored why cloud security has become a top CISO priority and highlighted that, in today’s enterprises, the use of MFA is not yet where it should be, with new MFA mandates from vendors like Microsoft and AWS now in sight.
Separately, the LockBit ransomware gang was dismantled in a major international police operation in February. Servers and domain names connected to the gang were seized, associated accounts were closed, and suspects were arrested in Poland and Ukraine as part of Operation Cronos.
Despite the takedown, attacks using LockBit ransomware or variants of it were subsequently reported, and reports also began to emerge that elements of the organization intended to restart their operations. As before, those attacks typically involve extorting victims by threatening to release stolen data, as well as demanding payment for decryption keys.
LockBit — a major ransomware-as-a-service operation — made an estimated $90 million from attacking US victims alone between January 2020 and June 2023.
Once again, despite significant law enforcement activity, ransomware continues to get faster, smarter, and nastier, with new groups emerging after takedowns and companies forced to add new chapters to their ransomware playbooks and debate whether they should pay extortion demands.
The year was marked by an acceleration in the use of artificial intelligence for malicious purposes.
Attackers can use AI to evolve and refine their techniques, making ransomware and phishing attacks more effective. For example, AI technologies can be misused to generate fake audio and video files, known as deepfakes.
Arup, the London-based multinational design and engineering company, was the victim of a deepfake scam that cost it HK$200 million ($25.6 million). A finance employee in its Hong Kong office was tricked into authorizing the transaction after attending a video conference in which fraudsters used deepfake technology to impersonate the company’s UK-based finance director.
Deepfakes are also starting to feature as an element in North Korean fake IT worker scams, in which North Korean operatives pose as legitimate IT professionals in attempts to gain employment at Western firms. If hired, these “remote workers” exploit their insider access to steal sensitive or proprietary information while collecting a salary that is funnelled back to the North Korean regime.
More than three hundred companies are believed to have fallen victim to this scheme, which generated millions of dollars in revenue for the North Korean government, allowing it to evade international sanctions while funding its weapons programs.
A breach of U.S. background-screening company National Public Data exposed 2.9 billion records containing the data of hundreds of millions of people. The attack took place in December 2023, but only became public knowledge after 4TB of stolen data was offered for sale on a cybercrime forum in July 2024.
The breach exposed the Social Security numbers, names, mailing addresses, emails, and phone numbers of an estimated 170 million people, in the US, UK, and Canada.
In October 2024, National Public Data, which suffered several lawsuits following the breach, filed for bankruptcy.
Salt Typhoon’s cyber espionage attacks on telecom providers, attributed to China, have led to plans to require telecom operators to strengthen their security.
Stricter cybersecurity was also planned in Europe with the extension of the EU’s Network and Information Security Directive. NIS2 covers more industries and sectors, introducing stricter cybersecurity risk management and incident reporting measures.
The U.S. Securities and Exchange Commission’s (SEC) revised breach disclosure rules have placed greater responsibility on CISOs, specifically those of publicly traded companies. Security executives face personal liability for cybersecurity failures or misleading disclosures.
Increasing regulatory complexity and personal liability are just a few of the factors that create a difficult balancing act for CISOs (and contribute to growing CISO job dissatisfaction and attrition) as they carry the key takeaways of 2024 forward into the new year.