Welcome to Picus Security's annual Cyber Threat Intelligence Roundup!
The year 2024 witnessed an unprecedented surge in cyberattacks, as nation-state actors from China, Russia, and Iran executed highly sophisticated campaigns targeting critical infrastructure across the globe. These operations showcased the use of advanced tactics, including zero-day exploits, stealthy malware, and living-off-the-land (LOTL) techniques, often blending multiple methods to maximize their impact.
In this blog, we delve into the most significant cyber incidents of the year, analyze their implications, and highlight key takeaways to bolster your organization's defenses.
The Major Cyber Breaches of 2024 & Lessons Learned
Salt Typhoon Exposes the Cost of Neglected Patching for Nine Telecommunications Giants
Picture a fortress with strong walls but gates left wide open—and a "Do Not Enter" sign for good measure. Salt Typhoon, a Chinese state-sponsored hacking group, didn’t need a second invitation. Exploiting well-documented vulnerabilities, they breached nine U.S. telecommunications giants, including AT&T, Verizon, T-Mobile, and Lumen Technologies, siphoning off sensitive communications data and geolocation information as if it were left on the table [1].
The vulnerabilities exploited (CVE-2023-46805, CVE-2024-21887, CVE-2023-48788, CVE-2022-3236, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) are well-documented in CISA's Known Exploited Vulnerabilities (KEV) Catalog. The concerning aspect is that patches for these vulnerabilities have been available for a significant period, yet some systems remain unpatched, leaving them exposed to exploitation.
The takeaway? Neglecting patches is like handing over your house keys to strangers and hoping for the best. Proactive patch management, robust security frameworks, and continuous assessments aren’t optional—they’re fundamental to keeping adversaries at bay.
U.S. Treasury Confirms Salt Typhoon Cyberattack; China Denies Allegations
In December 2024, the U.S. Department of the Treasury experienced a significant cyberattack attributed to the Salt Typhoon group. The attackers exploited critical vulnerabilities in BeyondTrust’s remote support software (CVE-2024-12356 and CVE-2024-12686) to gain unauthorized access to workstations and unclassified documents. These vulnerabilities, which enabled command injection and unauthorized system control, made BeyondTrust a high-value target.
BeyondTrust first detected suspicious activity on December 2 and confirmed the breach by December 8. In response, the company swiftly revoked compromised API keys and released patches to address the exploited vulnerabilities. On December 19, the Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities catalog, setting a remediation deadline of December 27 [2].
This incident underscores the reality that even the most secure organizations remain vulnerable, particularly through third-party solutions. It highlights the importance of adopting a proactive approach to cybersecurity by establishing strong security baselines, continuously monitoring for vulnerabilities, and enforcing best practices to minimize risk. While no system is impervious, taking these steps can significantly reduce the likelihood and impact of such breaches.
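Both the telecom intrusions above and the BeyondTrust case turn on the same gap: the exploited CVEs were already listed in CISA's KEV catalog with a remediation due date, yet systems stayed unpatched. As an added example (not from the original post or from Picus), the following Python snippet cross-references a scanner's list of unpatched CVEs per host against a KEV-format feed and reports how far past the KEV due date each exposure is. The feed excerpt and host inventory are constructed; apart from the BeyondTrust dates quoted above, the dates are illustrative placeholders rather than the catalog's real values.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names match the
# real feed; the BeyondTrust dates are the ones given in the write-up above, the
# other dates are illustrative placeholders, not the catalog's actual values.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
     "dateAdded": "2024-12-19", "dueDate": "2024-12-27"},
    {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
]})

# Constructed scanner output: CVEs still unpatched on each asset (hostnames invented).
INVENTORY = {
    "edge-vpn-01": ["CVE-2023-46805", "CVE-2024-21887"],
    "exch-01": ["CVE-2021-26855"],
    "jump-01": ["CVE-2024-12356"],
}

def load_kev(feed_json):
    """Index a KEV-format feed by CVE id so each lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def overdue_exposures(inventory, kev, today_iso):
    """(host, cve, days_past_due) for every unpatched CVE whose KEV due date has
    passed, longest-overdue first. CVEs absent from KEV carry no KEV deadline and
    are left to the ordinary patch cycle, so they are skipped here."""
    today = date.fromisoformat(today_iso)
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            late = (today - date.fromisoformat(entry["dueDate"])).days
            if late > 0:  # a due date of today is not yet a miss
                rows.append((host, cve, late))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for host, cve, late in overdue_exposures(INVENTORY, load_kev(KEV_FEED), "2024-12-30"):
        print(f"{host:12} {cve:16} {late:5d} days past KEV due date")
```

Feeding it the real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and real scanner output turns the "patches were available for years" observation into a per-host list that can be tracked to closure.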
Change Healthcare Breach: When the Digital Skeleton Key Finds Its Match
Imagine storing treasure in a high-tech vault but leaving the key under the mat. That’s essentially what happened to Change Healthcare, where a vulnerability in a Citrix remote access portal—lacking multi-factor authentication (MFA)—served as the perfect skeleton key for the ALPHV/BlackCat ransomware group [3]. Once inside, the attackers roamed freely, exfiltrated sensitive data, and locked the company out of its own systems with ransomware.
The impact? Over 100 million individuals had their personal data—health insurance details, medical records, and Social Security numbers—exposed. Essential services across 80% of U.S. hospitals and 60% of pharmacies ground to a halt, all while Change Healthcare paid a staggering $22 million ransom to regain access.
The analogy here is clear: cybersecurity without foundational measures like MFA is like investing in an indestructible safe but using a toy lock to secure it. Hackers thrive on these small oversights, turning minor gaps into major catastrophes.
The lesson? In a world where cyberattacks are the new frontier, organizations must think beyond patching holes—they need to rethink the entire door. MFA, proactive monitoring, and incident response are no longer just tools—they’re the armor every digital treasure needs. Because in cybersecurity, the smallest crack is all it takes to let chaos in.
The National Public Data Breach: Lessons from a Digital Catastrophe
In April 2024, the National Public Data Breach exposed sensitive information belonging to nearly 2.9 billion individuals, including Social Security numbers and phone numbers. Much like a massive ship ignoring warnings of an iceberg ahead, National Public Data relied heavily on centralized systems without sufficient safeguards, creating a single point of failure. The cybercriminal group USDoD exploited this vulnerability, gaining unauthorized access in late 2023 and going undetected for months [4]. By April, they had listed the stolen database on the dark web for $3.5 million, leaving millions vulnerable to identity theft and fraud.
The breach underscores the risks of centralized data storage. While centralization offers convenience, it also concentrates risk, making it a prime target for attackers. Organizations must consider decentralizing sensitive data or adopting zero-trust architectures to limit exposure. Equally important is the need for robust detection and response systems. National Public Data’s delayed discovery of the breach highlights the importance of constant monitoring and frequent security audits to identify and address threats early.
Transparency also emerged as a critical factor. National Public Data delayed notifying the public until months after the breach was discovered, leaving affected individuals unaware and unprepared. Organizations should establish clear protocols for swift disclosure, ensuring stakeholders can take timely steps to mitigate potential harm.
Iranian, Chinese, Russian: The Most Active Malware Operations of 2024
Iranian Tickler Backdoor: A Persistent Threat Over a Decade
In August 2024, cybersecurity researchers uncovered that Peach Sandstorm (also known as APT33), an Iranian state-sponsored hacking group, had been clandestinely operating for over a decade, targeting critical infrastructure sectors, including the space industry. Their latest tool, a multistage backdoor malware dubbed "Tickler," facilitated remote access and persistence within victim networks. Initial compromises were achieved through password spraying and social engineering tactics.
Lesson Learned: Even the most secure sectors can fall prey to prolonged cyber-espionage. Organizations must adopt a proactive cybersecurity posture, regularly updating defenses and educating personnel to recognize and thwart social engineering attacks.
Chinese GhostSpider Backdoor & KV Botnets: A Salty Two-Year Streak
September 2024 brought to light a two-year cyber-espionage campaign by the Chinese APT group Salt Typhoon (also known as Earth Estries, Ghost Emperor, Famous Sparrow, or UNC2286). They infiltrated multiple U.S. telecommunications providers, including Verizon, Lumen Technologies, T-Mobile, and AT&T, employing the modular GhostSpider backdoor. This sophisticated malware featured a "heartbeat" command for periodic communication, ensuring persistent access.
Chinese actors such as Volt Typhoon and Salt Typhoon also used a mix of malware in their operations. Volt Typhoon relied on the KV botnet, which hijacks small office/home office routers to launch DDoS attacks and steal data.
Lesson Learned: The telecommunications sector remains a prime target for state-sponsored cyber threats. Patch management, advanced intrusion detection systems and regular security audits are essential to detect and mitigate such sophisticated attacks.
Russian Malware: ROOTSAW, WINELOADER and GooseEgg
Russian cyber-espionage group APT29 employed advanced malware in its campaigns, notably the ROOTSAW (also known as EnvyScout) malware dropper and a new variant named WINELOADER. ROOTSAW delivered obfuscated JavaScript to download encrypted payloads, while WINELOADER utilized DLL sideloading for stealth and modular functionalities. These tools marked a departure from older loaders like DONUT and DAVESHELL, introducing unique command-and-control mechanisms.
Another Russian state-sponsored group, Forest Blizzard (also known as APT28), deployed new malware named GooseEgg for credential theft.
Lesson Learned: The continuous evolution of malware by threat actors like APT29 and APT28 underscores the necessity for organizations to stay abreast of emerging threats. Regularly updating security protocols and investing in threat intelligence are crucial steps in defending against such advanced persistent threats.
Rise of Living off the Land Techniques Among Threat Actors
In 2024, several advanced persistent threat (APT) groups increasingly turned to Living off the Land (LOTL) techniques, using legitimate system tools to carry out malicious activity while avoiding detection. These methods let threat actors blend into normal system operations, making their activity harder to identify and mitigate. Below are some prominent groups employing LOTL strategies:
Volt Typhoon: This Chinese state-sponsored group has targeted U.S. critical infrastructure sectors, including communications, energy, and transportation systems. They gain initial access by exploiting vulnerabilities in public-facing network appliances such as routers and VPNs. Once inside, they use LOTL techniques, leveraging built-in Windows tools like PowerShell and Windows Management Instrumentation (WMI) to conduct reconnaissance, move laterally, and maintain persistence without deploying traditional malware. This approach allows them to blend with normal system activities, making detection challenging.
GruesomeLarch (APT28/Fancy Bear): A Russian APT group, GruesomeLarch has developed novel attack methods that exploit nearby Wi-Fi networks for covert access. Alongside a zero-day privilege escalation exploit, it relied primarily on LOTL techniques, executing commands with legitimate system tools to gain and extend unauthorized access [5]. This strategy lets the group operate stealthily without deploying detectable malware.
BianLian Extortion Group: Known for extortion-based attacks, BianLian targets U.S. critical infrastructure sectors. True to its name, which translates to "the art of changing faces," the group demonstrates adaptability by leveraging LOTL techniques for reconnaissance and lateral movement. By using legitimate system tools, BianLian gathers information and infiltrates networks, maintaining a low profile to evade detection.
To counter these tactics, security professionals should enhance monitoring and logging to capture detailed system activities and adopt application whitelisting to restrict unauthorized tool use. Implementing a Zero Trust Architecture minimizes internal exploitation risks, while regular security assessments and network segmentation help uncover vulnerabilities and limit lateral movement. Educating staff on LOTL threats strengthens human defenses, and deploying advanced behavioral detection tools enables identification of subtle anomalies. These measures collectively improve resilience against LOTL attacks, fortifying an organization’s overall cybersecurity posture.
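To make the monitoring advice concrete, here is an added Python example (not from the original post or from Picus) that applies two detections a defender would write for the PowerShell and WMI tradecraft described above to constructed Sysmon-style process-creation events: a shell spawned by WmiPrvSE.exe, and PowerShell launched with an encoded or hidden-window command line, with the encoded script decoded so an analyst sees what actually ran. The event records, paths and hostnames are constructed sample data, not real telemetry.

```python
import base64
import re

# Constructed Sysmon Event ID 1 style process-creation records, not real telemetry
# (Security event 4688 with command-line auditing enabled carries the same fields).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"Image": PS, "ParentImage": WMI,   # -enc takes base64 of UTF-16LE script text
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + base64.b64encode("Get-Date".encode("utf-16-le")).decode()},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": WMI,
     "CommandLine": "cmd.exe /c hostname"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENC_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand script, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event):
    """Rule hits for one process-creation event; an empty list means no rule fired."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd, findings = event["CommandLine"], []
    # WmiPrvSE.exe spawning a shell is the footprint of command execution over WMI
    if parent == "wmiprvse.exe" and image in SHELLS:
        findings.append("wmi-spawned-shell")
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:  # surface the real script, not the base64 blob
            findings.append("encoded-powershell:" + decoded)
        if HIDDEN_RE.search(cmd):
            findings.append("hidden-window")
    return findings

def scan(events):
    """Map of event index -> findings for every event that tripped at least one rule."""
    return {i: f for i, e in enumerate(events) if (f := analyze(e))}
```

The first event (a scheduled script started from Explorer) produces no finding, which is the point of pairing parent-process context with command-line inspection: PowerShell itself is normal, PowerShell started by the WMI provider host with a hidden window and an encoded payload is not.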
References
[1] J. Lyons, “More telcos confirm China Salt Typhoon security breaches as White House weighs in,” The Register, Dec. 30, 2024. Available: https://www.theregister.com/2024/12/30/att_verizon_confirm_salt_typhoon_breach/. [Accessed: Jan. 03, 2025]
[2] The Hacker News, “CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List,” The Hacker News, Dec. 20, 2024. Available: https://thehackernews.com/2024/12/cisa-adds-critical-flaw-in-beyondtrust.html. [Accessed: Jan. 03, 2025]
[3] HIPAA Journal, “Change Healthcare responding to cyberattack.” Available: https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/
[4] A. Zilber, “National Public Data admits hackers stole Social Security numbers in massive breach reportedly affecting nearly all Americans,” New York Post, Aug. 19, 2024. Available: https://nypost.com/2024/08/19/business/national-public-data-admits-hackers-stole-social-security-numbers/. [Accessed: Jan. 03, 2025]
[5] S. Adair, “The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access,” Volexity, Nov. 22, 2024. Available: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/. [Accessed: Jan. 03, 2025]