As 2024 draws to a close, the cybersecurity landscape continues to evolve, marked by both familiar adversaries and emerging threats that use newer technologies and improved tactics. Rather than merely cataloguing breaches, we look into the anatomy of significant cyber attacks, the vulnerabilities that led to them, and the relevant controls. We’ve chronicled key developments month by month, offering a comprehensive narrative of the cyber attacks of 2024 that will help you draw lessons.
Whether you are discussing recent cyber attacks, today’s, or those a couple of years from now, you can form your own views based on my observations over the past few years. When you read any attack anatomy, it is likely to fall under one of the NCSC’s ten steps to cyber security. What this shows is that the fundamentals do not change as fast as technologies do, so the groundwork will always hold more truth than any of the layers on top. Compliance may be a business requirement, but cyber security fundamentals done in the right manner give your organisation a solid foundation.
Without much ado, let’s start with the main happenings of this year.
The TA866 threat actor, also known as Asylum Ambuscade, has been known for its intrusion activity since 2020 and launched a significant email campaign distributing emails with OneDrive URLs linked to a malicious payload that is a variant of WasabiSeed and Screenshotter. When users interacted with the OneDrive URL embedded in the PDF, it triggered a chain reaction that began with a JavaScript file and resulted in the execution of the WasabiSeed VBS script, which not only deployed the Screenshotter utility but also established a persistent connection to download additional, undisclosed payloads from the attacker’s infrastructure. The threat actor demonstrated enhanced techniques to evade detection, including using legitimate services and complex encoding methods.
💡Author’s Tip: This campaign highlights the critical importance of implementing and reviewing robust email security controls and ongoing user awareness training, covering even emails that appear to originate from inside the organisation or from legitimate business communications.
CSV Australia was hit by a ransomware attack that affected its internal systems. The attackers got into the records and an audio-visual archive containing sensitive hearing recordings from 2016; the exact technical root cause is unknown. The breach was discovered on 8th Jan 2024, and court recordings from Nov 2023 had been accessed without authorisation.
This is a wake-up call for the entire public sector, including critical functions such as the judicial system, and underlines the need for more security in the public sector.
The LockBit ransomware group executed a ransomware attack against Capital Health, compromising sensitive patient data back in Nov 2023. This attack exposed patients’ protected health information (PHI) and disrupted healthcare operations.
This demands an emphasis on stepping up a holistic security approach such as implementing zero-trust architecture, simpler and more effective approaches such as network segmentation, privileged access management, deploying robust multi-factor authentication, and maintaining comprehensive offline backups. Regular security assessments and tabletop exercises should be conducted to test incident response capabilities.
This Southern England utility provider confirmed its attack after the Russian-speaking Black Basta ransomware threat actor appeared to leak customer information on 22nd January 2024. The company confirmed the breach, admitting that a limited amount of data (5-10% of customers affected) had been published. The small sample of information leaked in the Southern Water cyber attack included:
Scanned copies of passports and driving licenses
HR-related data that includes PII
Corporate car scheme documents
Attack timelines and technical details have never been published online, which is a good step given the critical infrastructure issue. Southern Water issued an updated page with FAQs on the cyber incident.
A crypto drainer-as-a-service gang (CLINKSINK) brute forced Mandiant’s X (Twitter) account. A crypto threat actor group targeted Solana users through compromised websites and malicious browser extensions. ClinkSink attacks stole around $4.4m from 7,000 victims between Dec 2023 and March 2024. 75% of the losses were from the browser extensions.
Google’s Threat Analysis Group (TAG) found the attack pattern where threat actors compromised legitimate websites, injected malicious JavaScript, and created fraudulent browser extensions that manipulated Web3 transactions. They used advanced evasion techniques to hide their activity, including intermediary wallets and multiple drainer services. The malicious extensions were removed after Google intervened and worked with browser vendors, and compromised websites were notified.
💡A learning lesson here is to ensure your marketing teams are updated with relevant processes and procedural training to ensure MFA and browser-based controls are in place.
Snow, a threat actor of that name on X, hijacked Orange Spain’s RIPE account, whose credentials had been exposed by stealer malware, and caused BGP routing disruptions. Snow authenticated into the company’s RIPE account to tamper with the BGP and RPKI configuration.
This infostealer-enabled attack demonstrated how compromised routing infrastructure can lead to traffic hijacking and network disruptions.
There’s no silver bullet. The attack demonstrates the importance of regular checks for infostealer malware. Our top tips against such issues include:
Regular auditing of BGP configurations and PKI infrastructure, including management of devices
Strong authentication through MFA and passkeys
Logging and monitoring controls to identify, respond, and recover from suspicious issues
BO Team, a Ukrainian hacking group officially working with the Ukrainian Ministry of Defence, has claimed responsibility for a massive attack on the Russian Centre for Space Hydrometeorology (Planeta). They deleted 2 petabytes (over 2,000 terabytes) of satellite data from the Planeta servers in their far-eastern division. This is a significant breach of Russia’s satellite service infrastructure. Hacktivists have compromised over 280 servers of the Russian space monitoring organisation.
Pro-Ukraine hackers hit Russian ISP M9Com in revenge for the Kyivstar attack. Unpatched vulnerabilities in perimeter systems and weak passwords gave them initial access to the ISP networks. As ISPs are critical to today’s connectivity, they must be prepared for security incidents.
This shows the importance of having robust network defences through regular vulnerability assessments and patch management and being prepared for politically motivated attacks through threat intelligence and incident response.
Russian state-sponsored hackers (Midnight Blizzard/NOBELIUM) were in Microsoft’s corporate email systems for a month. Here’s what happened:
They did a password spray attack on a legacy non-production test tenant account that didn’t have MFA.
Once in, they used the account’s existing OAuth apps and permissions.
They created more malicious OAuth apps to persist.
Those apps were used to read and exfiltrate emails from specific Microsoft corporate email accounts.
Targets included senior leadership and employees in cybersecurity, legal, and other departments; the attackers were looking for intel on what Microsoft knew about Midnight Blizzard.
Microsoft said threat actors didn’t get into customer environments, production systems, source code, or AI systems.
This incident highlights the need for zero-trust security models, more robust email security with advanced auth, segregated credentials and environments, regular review and update of access privileges, and robust logging and monitoring to detect sophisticated, persistent threats.
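The Midnight Blizzard chain above starts with a password spray against a legacy account with no MFA. This added example (not Microsoft’s or Cyphere’s code) shows the detection logic a defender would run over sign-in logs: a spray is wide and shallow (many accounts, few attempts each from one source), so it is separated from a single-account brute force, and any success from a spraying source is treated as a compromised account. The log lines and their key=value layout are constructed for the example and are not any product’s real format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log lines for this example (not real tenant data). The
# key=value layout is an assumption, not the format of any specific product.
SIGN_IN_LOG = """\
2024-01-12T02:00:05Z user=svc-build ip=203.0.113.7 result=failure mfa=none
2024-01-12T02:01:10Z user=svc-backup ip=203.0.113.7 result=failure mfa=none
2024-01-12T02:02:20Z user=jdoe ip=203.0.113.7 result=failure mfa=none
2024-01-12T02:03:30Z user=asmith ip=203.0.113.7 result=failure mfa=none
2024-01-12T02:04:40Z user=legacy-test-admin ip=203.0.113.7 result=failure mfa=none
2024-01-12T02:05:50Z user=ops-oncall ip=203.0.113.7 result=failure mfa=none
2024-01-12T02:09:00Z user=legacy-test-admin ip=203.0.113.7 result=success mfa=none
2024-01-12T03:00:00Z user=jdoe ip=198.51.100.5 result=failure mfa=none
2024-01-12T03:00:05Z user=jdoe ip=198.51.100.5 result=failure mfa=none
2024-01-12T03:00:10Z user=jdoe ip=198.51.100.5 result=failure mfa=none
2024-01-12T03:00:15Z user=jdoe ip=198.51.100.5 result=failure mfa=none
2024-01-12T09:15:00Z user=asmith ip=192.0.2.10 result=success mfa=app
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_log(text):
    """Turn the log text into a time-ordered list of event dicts."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kv = dict(p.split("=", 1) for p in m.group("kv").split())
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "user": kv["user"],
            "ip": kv["ip"],
            "ok": kv.get("result") == "success",
            "mfa": kv.get("mfa", "none") != "none",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source_ip: summary} for IPs whose failures inside one sliding
    window touch many distinct accounts with only a few attempts each.
    That shape (wide, shallow) is a spray; a brute force against one account
    (narrow, deep) is excluded by max_per_user."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)
    findings = {}
    for ip, fails in failures.items():          # fails are already time-ordered
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            win = fails[start:end + 1]
            per_user = Counter(e["user"] for e in win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                prev = findings.get(ip)
                if prev is None or len(per_user) > prev["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(per_user),
                        "attempts": len(win),
                        "first": win[0]["ts"],
                        "last": win[-1]["ts"],
                    }
    return findings


def successes_from_spray_sources(events, spray_ips):
    """Successful sign-ins from a spraying IP: the accounts to treat as
    compromised. mfa=False here is the pattern described for the test tenant."""
    return [
        {"user": e["user"], "ip": e["ip"], "mfa": e["mfa"]}
        for e in events
        if e["ok"] and e["ip"] in spray_ips
    ]


def accounts_without_mfa(events):
    """Accounts that completed a sign-in with no MFA at all (legacy and test
    tenants tend to show up here)."""
    return {e["user"] for e in events if e["ok"] and not e["mfa"]}


if __name__ == "__main__":
    evts = parse_log(SIGN_IN_LOG)
    sprays = detect_spray(evts)
    for ip, s in sprays.items():
        print(f"spray from {ip}: {s['distinct_users']} accounts, "
              f"{s['attempts']} attempts between {s['first']} and {s['last']}")
    for hit in successes_from_spray_sources(evts, set(sprays)):
        print(f"COMPROMISED: {hit['user']} from {hit['ip']} (mfa={hit['mfa']})")
    print("no-MFA sign-ins:", sorted(accounts_without_mfa(evts)))
```

The thresholds are starting points; tune the window and per-account limit to your tenant’s normal failure rate before alerting on them.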
The NCA ran a major international operation against LockBit, the world’s most dangerous cybercrime group. The operation resulted in an extensive disruption campaign, and one of the group’s key leaders was unmasked and sanctioned through a joint effort between the UK, US, and Australian governments.
The investigation showed the devastating impact of ransomware on the UK’s economy and security, and the group was linked to many attacks. As part of the takedown, 7 Russian cyber criminals associated with the organisation were exposed and sanctioned by UK authorities, showing the international community is working together to tackle cyber threats.
A massive data leak, “MOAB”, exposed 26 billion records, including data from major platforms like Dropbox, LinkedIn, and Twitter. This supermassive leak comprised 12TB of aggregated data from previous breaches combined with newly exposed information, making it the biggest to date.
Leak-lookup claimed to be the holder of the leaked dataset, saying the underlying issue was a firewall misconfiguration that led to the leak. This MOAB contains billions of records combining multiple data breach records across over 3,800 folders.
On February 14, 2024, OpenAI discovered and took down sophisticated state-sponsored AI weaponisation attempts. OpenAI’s broader security research uncovered multiple nation-state threat actors, most notably North Koreans, using AI for malicious cyber operations.
This was a first in the AI cybersecurity space and highlights the need for AI companies to have robust security against state-sponsored threats while balancing AI innovation and security.
Group-IB researchers have found a banking trojan campaign targeting Southeast Asian financial institutions. This is a new approach to bypassing facial recognition security. Cybercriminals are getting smarter at countering advanced authentication.
The campaign, detailed by Group-IB researchers, shows how threat actors deployed Android banking trojans that hijacked users’ facial verification process during legitimate banking sessions. And get this, the malware can manipulate real-time facial recognition systems – a robust security feature. The malware overlays fake banking interfaces while recording and sending the victim’s facial verification data to the attackers. This is a new level of sophistication for financial malware and raises serious questions about biometric authentication as it is today.
NHS Dumfries and Galloway faced a ransomware attack that significantly impacted the trust’s healthcare services.
The threat actor published a ‘proof pack’ to demonstrate the validity of the stolen data of six individual NHS Dumfries and Galloway patients. NHS Trust mentioned that this incident has impacted no operations or critical tasks.
With Cyphere’s expertise across healthcare systems and supply chains, such NHS trusts and healthcare providers must be prepared for cybersecurity incidents. This includes adapting to good security practices such as IT security health checks, penetration testing of critical assets, and cyber security maturity reviews to ensure blind spots are effectively mitigated.
Know more about our healthcare sector cyber security expertise and offerings.
A team of security researchers exposed severe vulnerabilities in dormakaba’s Saflok electronic RFID locks, popularly used in hotels and multi-family housing environments. This was an almost two-year disclosure process: looking at the timelines, contact between the vendor and the security researchers ran from August 2022 to March 2024. It took this long because new solutions needed to be implemented and tested, and third-party integrations, manual updates, upgrades, and other complexities needed to be resolved.
An attacker only needs to read one keycard to attack any door. This could even be an expired keycard (readily available if you have done a social engineering gig or two!).
How do you know if a hotel uses Saflok or is vulnerable?
Just look at encoders that are often visible during check-in. Older-style encoders are likely vulnerable.
CISA (Cybersecurity and Infrastructure Security Agency) has identified active exploitation of two critical Microsoft SharePoint vulnerabilities that pose a severe threat when chained together. The vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, signaling their immediate risk to vulnerable organisations. The first vulnerability (CVE-2023-24955) allows authenticated attackers to perform code injection attacks on SharePoint Server. In contrast, the second flaw (CVE-2023-29357) enables remote attackers to escalate their privileges to the admin level on unpatched systems. These vulnerabilities create a dangerous attack chain that can result in pre-authentication remote code execution.
The UK Product Security and Telecommunications Infrastructure Act came into force, marking a significant milestone in IoT security legislation. This Act will undoubtedly push secure design awareness across manufacturers and the global IoT market.
The technical requirements mandate manufacturers to:
eliminate default passwords,
implement vulnerability disclosure policies,
maintain transparency about security update availability.
The legislation explicitly targets easily guessable passwords like “admin” or “12345” and requires clear security update commitments. This groundbreaking law affects all consumer-connectable products sold in the UK market.
Cyber security lessons for manufacturers to improve their current state include implementing secure-by-design principles in product development, establishing robust vulnerability disclosure programs, and maintaining comprehensive security update mechanisms throughout product lifecycles.
Get in touch with our team to get advice on these areas.
In a first, security researchers examining AI models’ capabilities in cybersecurity exploitation have revealed striking differences between various language models’ abilities to understand and exploit vulnerabilities.
Here’s a snapshot of the technical comparison of the findings:
During this experiment, GPT-4 showed great success, exploiting 13 out of 15 one-day vulnerabilities (87% success rate). By contrast, nine other models, including GPT-3.5 and Meta’s Llama 2 Chat, fell short of expectations, failing to exploit any vulnerabilities. GPT-4 is therefore ahead of other LLMs at understanding and operationalising security advisories.
Autonomous Exploitation: GPT-4 demonstrated the ability to exploit web and non-web vulnerabilities autonomously, even for vulnerabilities published after its knowledge cutoff date of 26th November 2023.
Critical Vulnerability Handling: The study included vulnerabilities categorised as critical severity in CVE descriptions, with GPT-4 successfully understanding and exploiting them based solely on advisory information.
Compared to previous benchmarks, GPT-4 showed significant improvements in security awareness, producing code vulnerable to SQL injection only 5% of the time. This research, conducted by computer scientists from the University of Illinois Urbana-Champaign, demonstrates the significant gap between GPT-4 and other language models.
MITRE was hit with a sophisticated nation-state attack on its infrastructure targeting one of its R&D networks called NERVE (Networked Experimentation, Research, and Virtualization Environment). The investigation found advanced persistent threat (APT) tactics including custom malware and evasion techniques. The attackers knew MITRE’s systems and security controls inside and out.
The vulnerabilities used in this attack were two Ivanti Connect Secure zero-day vulnerabilities that allowed MFA to be bypassed using session hijacking. Then web shells and backdoors were used to add persistence and harvest credentials.
As soon as the incident was detected, MITRE contained the incident, including taking the NERVE environment offline and bringing in third-party DFIR teams to perform an independent analysis alongside internal experts.
To detect such incidents, an organisation must have these capabilities:
Anomaly detection (DS0029) by monitoring VPN traffic for unusual patterns such as spikes.
Behaviour analysis (DS0002, DS0028) looks for deviations in user behaviour, such as unusual login times and accessing unfamiliar resources.
Network segmentation (DS0029) limits lateral movement to a great extent.
Threat intel feeds to identify known malicious IP addresses (DS0029), domains, and file hashes (DS0022).
Deploying adversary engagement resources in your environment, such as canary/deception environment or honey tokens that trigger quality signals and provide insights into threat actor TTPs.
An interesting attack through Github repo comments was found to push malware. This analysis showed that attackers use Github’s infrastructure to host and distribute malware and evade detection. The technique bypassed traditional controls by using trusted domains. For example, a threat actor can upload a malicious binary in an installer repo that pretends to be an updated installer to fix issues. URLs would look like they belong to the company’s repositories, making them way more trustworthy.
You should include advanced URL filtering, repository scanning, and specific detection for Github-based threats.
Get ready to read about the most relevant supply chain attack example of 2024.
The Snowflake incident represents a classic example of a 2024 supply chain attack cascading through major global organisations.
Snowflake Breach Attack Anatomy and MITRE ATT&CK Tactics
Here’s how the attack anatomy unfolded, including MITRE ATT&CK tactics and techniques used by threat actors:
Initial compromise of Snowflake credentials. MITRE techniques include T1078: Valid Accounts, T1199: Trusted Relationship, and T1552: Unsecured Credentials.
Lateral movement through cloud infrastructure to gain further access and escalate privileges. MITRE ATT&CK techniques were T1021: Remote Services, T1548: Abuse Elevation Control Mechanism, T1068: Exploitation for Privilege Escalation, and T1563: Remote Service Session Hijacking.
Access to customer environments via trusted connections as a service provider. MITRE techniques include T1098: Account Manipulation, T1136: Create Account, and T1550: Use Alternate Authentication Material.
Exploitation of third-party contractor access rights led to vast amounts of data access. This included MITRE techniques T1078.004: Valid Accounts (Cloud Accounts), T1562: Impair Defenses, and T1204: User Execution.
Data exfiltration from multiple victim organisations to attacker-controlled systems. MITRE ATT&CK techniques include T1530: Data from Cloud Storage Object, T1567: Exfiltration Over Web Service, and T1059: Command and Scripting Interpreter.
This incident highlights the cascading effect of supply chain attacks, where a single compromise of a primary service provider (Snowflake) led to widespread data breaches across their customer base. This is one of the most significant supply chain breaches, demonstrating how interconnected cloud services can amplify the impact of a single security breach.
💡Lessons learned
The breach highlighted the critical importance of trusted partners who advise you and let you decide, and the need to be aware of the security practices of third-party vendors. Get in touch with us to schedule a free strategy consultation.
Dell disclosed a massive data breach affecting approximately 49 million customers. Technical investigation revealed unauthorised access to customer information databases. The breach exposed the names, physical addresses, and service tag information of the affected Dell customers.
AI platform Hugging Face reported the theft of authentication tokens from its Spaces feature. This incident does not directly relate to AI security but to the hosting systems and underlying data.
Hugging Face revoked the affected tokens and notified their owners via email. Consider switching HF tokens to fine-grained access tokens, the new default setting the company opted for post-breach.
The BBC experienced a security breach affecting employee pension data. No evidence of a ransomware attack was found at the time. This incident affects over 25,000 current and former BBC employees linked to the corporation’s pension scheme.
A severe vulnerability affected Foxit PDF software, allowing potential remote code execution. Check Point Research showed these design flaws could be exploited to execute arbitrary code through specially crafted PDF files. These issues affect multiple software versions. Given the popularity of open-source PDF software, Foxit’s name is right up there.
A security incident occurred at Shared Services Connected Limited (SSCL), a contractor to the UK’s Ministry of Defence (MoD). SSCL became aware of the breach in February but did not report it to the MoD until later.
Threat actors accessed PII that included names, bank details, and, in some cases, addresses and National Insurance numbers. The number of affected personnel was estimated at 270,000 current and former armed forces members. The threat actor behind this breach is suspected to be a Chinese hacking group, although the country has not been officially named.
The MoD launched a full review of the incident and ordered a review of SSCL’s work across the government. The company may face sanctions once the investigation concludes; this was not yet known when writing this blog (Nov 2024).
A critical vulnerability (CVSS 9.6) in GitLab (CVE-2024-5655) enabled attackers to execute CI/CD pipelines as any user. The root cause analysis showed that the flaw stemmed from improper access control validation in GitLab’s pipeline execution framework, allowing privilege escalation through specifically crafted API requests. GitLab has fixed this vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5.
A significant security bug was found in an open-source AI project, Ollama, which serves large language models. This bug (CVE-2024-37032) lets attackers execute arbitrary code by crafting malicious prompts that exploit memory handling bugs in the model’s inference pipeline. The attack vector was crafted inputs that triggered buffer overflows in the model’s text processing components.
The moral of the story is that robust security infrastructure (authentication and authorisation) is needed when deploying models in exposed environments.
The British Library was hit by an attack that took down its digital services. The attack was attributed to the Rhysida ransomware group who claimed responsibility for the attack. The threat actors exploited library infrastructure vulnerabilities leading to service downtime for months and £7-10 million in recovery costs.
The impact went beyond the immediate service disruption: research capabilities and digital archives were affected, and the library had to rebuild everything from scratch.
Lessons Learned
The following is a list of learning lessons shared from the official British Library attack report:
Improve Network Monitoring: Upgrade monitoring tools to ensure every corner of the network is covered, addressing the limitations of older systems.
Engage External Security Experts: Keep external security advisors on hand to boost our ability to respond quickly and analyse incidents effectively.
Implement Multi-Factor Authentication (MFA): Make sure MFA is applied to all internet-facing systems, including those of our suppliers, for an extra layer of security.
Strengthen Intrusion Response: Carry out thorough security reviews at the first hint of intrusion to stop attackers from getting a foothold.
Adopt Network Segmentation: Limit potential damage from attacks by breaking up the network, as older designs can make us more vulnerable.
Regularly Test Business Continuity Plans: Practice comprehensive plans for complete system outages to ensure we’re ready for anything that comes our way.
Maintain a Holistic Cyber Risk Overview: Ensure all IT security risks are shared with senior management for a clear picture of our overall risk landscape.
Manage Technology Lifecycles: Regularly update and replace outdated systems to keep our security and resilience strong.
Prioritise Legacy Technology Remediation: Tackle issues from older technology swiftly and at all levels of the organisation.
Balance Recovery and Security Investments: Understand that quick recovery capabilities are just as important as our security measures.
Enhance Cyber Risk Awareness at Senior Levels: Ensure senior management understands cyber risks to make smart and informed decisions.
Provide Regular Staff Training: Equip all employees with knowledge of cybersecurity basics and emerging threats, tailored to their specific roles.
Support Staff Wellbeing: Include support for staff wellbeing in our cyber incident plans, acknowledging the emotional toll attacks can take.
Review IT Usage Policies: Update guidelines on acceptable IT use to protect personal data and reduce risks tied to personal use of network resources.
Foster Sector Collaboration: Encourage sharing of information and best practices with peers to stay in the loop about cybersecurity threats.
Adhere to Government Standards: Regularly review and audit our cybersecurity policies and controls using maturity reviews, health checks and penetration testing to ensure we meet established standards, like Cyber Essentials Plus certification.
April started with “regreSSHion” (CVE-2024-6387), a critical SSH vulnerability discovered in OpenSSH servers. This marked the first unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH in nearly two decades. The flaw, identified by Qualys Threat Research Unit, affects OpenSSH server versions from 8.5p1 to versions before 9.8p1, specifically impacting glibc-based Linux systems.
A signal handler race condition in the SSH daemon (sshd) could allow attackers to achieve root-level access without authentication. This discovery emphasises the importance of regular security audits, even for well-established and security-focused software like OpenSSH.
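Because the affected range above is defined by OpenSSH version, the first thing a defender wants is a triage pass over an inventory of SSH banners. This added example (not Qualys’s or OpenSSH’s code) parses `ssh -V` output or SSH-2.0 server banners, checks the 8.5p1 to before-9.8p1 range stated above, and also reads `LoginGraceTime` from an sshd_config, since Qualys documented setting it to 0 as an interim mitigation (it disables the alarm path the race depends on, at the cost of easier denial of service). The inventory entries are constructed; distribution builds that backport the fix keep the old version string, so a range hit is a triage signal to confirm against the package changelog, not proof of exposure.

```python
import re

# Affected range as stated above: OpenSSH 8.5p1 up to, but not including, 9.8p1.
AFFECTED_FROM = (8, 5, 1)
FIXED_IN = (9, 8, 1)
DEFAULT_LOGIN_GRACE = 120  # sshd default LoginGraceTime in seconds

# Matches both an SSH-2.0 server banner and the first token of `ssh -V`.
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text):
    """Return (major, minor, portable) from a banner such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5', or None if not OpenSSH."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def in_regresshion_range(version):
    return AFFECTED_FROM <= version < FIXED_IN


def login_grace_time(sshd_config):
    """Effective LoginGraceTime (seconds) from an sshd_config text. sshd uses
    the first value it obtains for a keyword, so the first match wins."""
    units = {"s": 1, "m": 60, "h": 3600}
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            value = parts[1].strip().lower()
            if value[-1] in units:
                return int(value[:-1]) * units[value[-1]]
            return int(value)
    return DEFAULT_LOGIN_GRACE


def triage(banner, sshd_config=""):
    """Classify one host. A version inside the range is 'patch-required'
    unless LoginGraceTime is 0, the interim mitigation noted in the lead-in.
    A range hit on a distribution build still needs the package changelog
    checked, because backported fixes do not change the banner."""
    version = parse_openssh_version(banner)
    if version is None:
        return "not-openssh"
    if not in_regresshion_range(version):
        return "outside-affected-range"
    if login_grace_time(sshd_config) == 0:
        return "affected-version-mitigated"
    return "affected-version-patch-required"


# Constructed inventory for the example: (hostname, banner, sshd_config snippet).
INVENTORY = [
    ("web-01", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5", ""),
    ("db-01", "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3", "LoginGraceTime 0\n"),
    ("jump-01", "SSH-2.0-OpenSSH_9.8p1", ""),
    ("legacy-01", "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3", ""),
    ("iot-01", "SSH-2.0-dropbear_2022.83", ""),
]


def triage_inventory(inventory):
    return {host: triage(banner, cfg) for host, banner, cfg in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:10} {status}")
```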
A significant vulnerability in email filtering systems enabled attackers to bypass SPF, DKIM, and DMARC protections and abused Proofpoint systems to send millions of perfectly spoofed emails purporting to be from Disney, IBM, Nike, Best Buy, and Coca-Cola (Proofpoint customers).
This issue, dubbed ‘echospoofing’, exploited inconsistencies in email header processing between different mail transfer agents (MTAs). This allowed threat actors to craft specially formatted headers that appeared legitimate while containing malicious content. The attack vector involved header manipulation techniques that confused filtering algorithms.
CrowdStrike’s Falcon sensors experienced widespread crashes, causing significant service disruptions. The Falcon Sensor Incident was a global IT outage on 19th July 2024, when a faulty software update for CrowdStrike’s Falcon sensor caused widespread system crashes and affected flights, banks, and international organisations.
What happened?
A routine content update for the Falcon sensor triggered an “out-of-bounds memory read” that caused crashes across Windows hosts.
What was affected?
IT systems across multiple sectors, including healthcare, airlines, and banking services.
What caused the outage?
A mismatch between the number of input fields in the IPC (Inter-Process Communication) Template Type and the actual inputs provided by the sensor code
What did CrowdStrike do?
Patched the conditions that led to the errors, including adding bounds checking on 25th July 2024 and a patch to validate the number of actual inputs on 27th July 2024
What to do if your host crashes?
Reboot the host, put it on a wired network, and boot Windows into Safe Mode or the Windows Recovery Environment.
Critical remote code execution vulnerabilities in ServiceNow platforms have led to exposed databases being sold. Security advisories describe flaws in the platform’s authentication and authorisation mechanisms that allow attackers to bypass access controls via specially crafted API requests. The vulnerabilities give unauthorised access to instance data and remote code execution through compromised workflow automation features.
A massive leak by Cybernews researchers dubbed “RockYou2024” exposed nearly 10 billion passwords online. This compilation included previously leaked credentials and newly exposed passwords, with password-cracking techniques to reveal plaintext versions of hashed passwords. The dataset highlighted continued weaknesses in password storage practices and the cascading effect of multiple breach compilations.
A misconfiguration flaw revealed hundreds of exposed LLM servers leaking sensitive corporate and healthcare data, found across two main categories of open-source software (OSS): vector databases and LLM application builders.
The underlying vulnerabilities stemmed from misconfigured vector databases and improper access controls in LLM automation tools exposing Flowise servers. The exposed data included indexed corporate documents, healthcare records, and other sensitive information. The attack surface involved exposed REST APIs and unsecured vector database endpoints that allowed unauthorised access to training data and model outputs.
A malware campaign linked to North Korean threat actors targeted the NPM ecosystem. Around 48 malicious packages attempting to deploy reverse shells through carefully crafted post-installation scripts were involved. The attack chain involved typosquatting popular package names and utilising obfuscated JavaScript code to establish command-and-control (C2) connections. The malware employed advanced evasion techniques, including multi-stage payload delivery and environment-aware execution. This underscores the need for due diligence when selecting and managing npm packages.
A significant increase in telecommunications infrastructure attacks was observed. Repeated attack patterns in this industry have revealed the targeting of SS7 and Diameter protocols and exploitation of 5G network vulnerabilities. Security researchers have demonstrated advanced capabilities in intercepting communications and exploiting interconnection vulnerabilities between telecom protocols, especially archaic trust-based SS7 architecture. Traditionally, SS7’s architecture was designed when security wasn’t a main design thought, operating largely on a trust-based model. This inherent trust has become a significant vulnerability in modern telecommunications, as the protocol lacks robust authentication and encryption mechanisms.
The attacks highlighted weaknesses in legacy telecommunications infrastructure integration with modern networks. These telco-driven attacks have various attack vectors and associated implications affecting business customers.
A proactive approach would look like this:
Replace SMS and voice channels with push notifications, passwordless sign-ins, emails, and in-app chats, and use mobile apps for authentication (authenticators).
Monitor unit costs and billing so that charges don’t silently add up, and flag bills that are excessive or beyond a set threshold. Other tips include blocking premium-rate number (PRN) deliveries.
Implement defensive measures on bots, toll frauds, and exposed endpoints.
Ransomware attacks have hit Blackpool Trust based in Lancashire, and ten academies (high schools and primary schools) have been impacted. They had to go back to non-IT-based processes. This shows how important it is to protect your digital assets to have safe and secure school environments for staff and pupils.
Critical vulnerabilities were found in Microsoft’s macOS applications. Multiple attack vectors, including privilege escalation and remote code execution, exist in the update mechanism. Attackers can bypass macOS security controls via specially crafted application inputs and exploit the trust relationship between Microsoft applications and the OS.
Fortinet experienced a significant data breach affecting a small number of its customers (as per the company’s statement). A threat actor accessed files stored on Fortinet’s third-party cloud file storage instance. This did not impact the company’s operations or lead to any financial or operational difficulties.
An attack campaign targeted GitHub Actions through typosquatting techniques. Orca’s investigation showed attackers can exploit GitHub actions through several typosquatting techniques:
Action Name Manipulation: Attackers create deceptive variations of legitimate action names, using subtle character alterations and visually similar characters to mislead users.
Organisation Name Impersonation: They mimic trusted entities by crafting similar organisation names, strategically varying uppercase and lowercase letters, and adding subtle characters.
Version and Tag Exploitation: Malicious code is deployed under popular version numbers and tags, exploiting version range specifications in workflow files to appear legitimate.
With poisoned dependencies executing arbitrary code within GitHub Actions runners, it was possible to compromise CI/CD pipelines. This campaign demonstrated advanced supply chain attack techniques targeting development infrastructure.
Effective mitigation of such attacks requires technical safeguards, operational controls and organisational security measures that keep the attack surface small.
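One of the technical safeguards is a policy check over workflow files before they are merged. The following Python script is an added example (not from the original post, Orca’s research or GitHub) that covers the three techniques listed: it flags `uses:` references that are not pinned to a full commit SHA (version and tag exploitation), action names within edit distance of a known action under a trusted owner (action name manipulation), and owners outside an allowlist that resemble a trusted owner (organisation name impersonation). The allowlist, the known-action list and the workflow under review are all constructed for the example, and the 40-hex reference in it is a placeholder rather than a real commit id.

```python
from __future__ import annotations

import re

# Constructed policy for this example (assumption, not GitHub's or Orca's):
# owners the repository is allowed to consume actions from, and the action names
# that lookalike candidates are compared against.
TRUSTED_OWNERS = {"actions", "github", "docker"}
KNOWN_ACTIONS = {"actions/checkout", "actions/setup-node", "actions/upload-artifact"}

# Constructed workflow under review. The 40-hex reference on the setup-node line
# is a placeholder, not a real commit id.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: act1ons/checkout@v4
      - uses: actions/setup-nod@v3
      - uses: someorg/release-tool@main
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_workflow(text: str, trusted_owners=TRUSTED_OWNERS,
                   known_actions=KNOWN_ACTIONS, max_distance: int = 2):
    """Return (line, reference, finding) tuples for every risky `uses:` entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and container images are out of scope here
        target, _, version = ref.partition("@")
        owner, _, rest = target.partition("/")
        repo = rest.split("/")[0]          # owner/repo/subdir -> repo
        owner_l, repo_l = owner.lower(), repo.lower()
        name = f"{owner_l}/{repo_l}"

        # Version and tag exploitation: anything short of a full commit SHA can move.
        if not version:
            findings.append((lineno, ref, "no-version"))
        elif not SHA_RE.match(version):
            findings.append((lineno, ref, "unpinned-ref"))

        if owner_l in trusted_owners:
            # Action name manipulation: near-miss of a known action under a trusted owner.
            if name not in known_actions:
                near = [k for k in known_actions
                        if k.split("/")[0] == owner_l
                        and 0 < levenshtein(k.split("/")[1], repo_l) <= max_distance]
                if near:
                    findings.append((lineno, ref, f"name-lookalike:{near[0]}"))
        else:
            # Organisation name impersonation: an owner outside the allowlist that
            # closely resembles a trusted one is more suspicious than a plain unknown.
            near = [o for o in trusted_owners if levenshtein(o, owner_l) <= max_distance]
            findings.append((lineno, ref,
                             f"owner-lookalike:{near[0]}" if near else "untrusted-owner"))
    return findings


if __name__ == "__main__":
    for finding in check_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

The script deliberately avoids a YAML parser so it runs with the standard library alone; in a real pipeline the same rules would sit behind a pre-merge check, and the pinned line (the only one that produces no finding) shows the state every `uses:` entry should be in.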
On 1st September (reported towards the end of September), TfL (Transport for London) first noticed unusual activity. It later clarified that around 5,000 customers’ data may have been accessed. TfL does not know how long this had been going on; it described the attack as ‘sophisticated’ and ‘aggressive’, and it was still ongoing at the time of reporting (31st October 2024).
Tube and bus services remained unaffected; however, a few other services were unavailable. These included customers being unable to register cards, obtain refunds or process payments through the contactless app and Oyster cards, although payments could still be made on the website. TfL engineers had to shut down some areas such as Jam Cams and Dial-a-Ride bookings.
The NCA has arrested a 17-year-old in connection with this attack.
A new hijacking technique called ‘Revival Hijack’ has been discovered, targeting PyPI and potentially other package repositories. Infosecurity Magazine reported that attackers are exploiting package naming and ownership transfer mechanisms to take control of abandoned packages. The attack methodology is to monitor package repositories for recently expired names and re-register them to distribute malware. It bypasses traditional typosquatting detection by targeting legitimate, previously trusted package names.
Reported this month, a zero-day vulnerability in Fortinet’s FortiManager was found to have been under active attack as far back as June 2024. Further analysis showed the flaw was due to missing authentication for a critical function, allowing unauthenticated attackers to execute arbitrary commands on vulnerable systems. The attack chain exploited the authentication bypass to gain administrative access to FortiManager instances and collect extensive reconnaissance data about managed FortiGate devices. Mandiant’s investigation found threat actors used this vulnerability for mass exploitation, potentially impacting thousands of devices worldwide. The impact was made worse because the vulnerability gives attackers complete visibility into FortiGate firewall configurations and network topology.
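‘Missing authentication for a critical function’ is a design flaw rather than a coding slip, and the usual root cause is that each handler is trusted to check the caller itself. The Python sketch below is an added example, unrelated to FortiManager’s actual code, that shows the class of flaw in generic form: a request dispatcher where one privileged handler forgot its check, beside a hardened dispatcher that authenticates and authorises every route before any handler runs, so a forgotten check cannot happen. The session store, roles and route names are all constructed for the example, and no command is really executed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed session store for the example: token -> (user, role).
SESSIONS = {"tok-admin-1": ("alice", "admin"), "tok-ro-7": ("bob", "readonly")}
ROLE_RANK = {"readonly": 0, "admin": 1}


@dataclass
class Request:
    action: str
    session_token: Optional[str] = None
    params: dict = field(default_factory=dict)


def _session(req: Request):
    return SESSIONS.get(req.session_token)


# --- Before: each handler is responsible for its own authentication check ---
def get_status(req: Request):
    if _session(req) is None:
        return (401, "unauthenticated")
    return (200, {"status": "ok"})


def run_command(req: Request):
    # The check was forgotten here. Nothing is really executed in this example;
    # the returned string stands in for a privileged management operation.
    return (200, f"ran {req.params.get('cmd')}")


VULNERABLE_ROUTES = {"status": get_status, "exec": run_command}


def dispatch_vulnerable(req: Request):
    handler = VULNERABLE_ROUTES.get(req.action)
    if handler is None:
        return (404, "unknown action")
    return handler(req)     # trusts every handler to have checked the caller


# --- After: the dispatcher authenticates and authorises before any handler runs ---
def status_handler(req: Request):
    return (200, {"status": "ok"})


def command_handler(req: Request):
    return (200, f"ran {req.params.get('cmd')}")


# Every route declares the minimum role it needs; a route cannot be added without
# doing so, and no handler is reachable without a valid session.
ROUTES = {"status": (status_handler, "readonly"), "exec": (command_handler, "admin")}


def dispatch_hardened(req: Request):
    entry = ROUTES.get(req.action)
    if entry is None:
        return (404, "unknown action")
    handler, min_role = entry
    sess = _session(req)
    if sess is None:
        return (401, "unauthenticated")
    _user, role = sess
    if ROLE_RANK.get(role, -1) < ROLE_RANK[min_role]:
        return (403, "forbidden")
    return handler(req)


if __name__ == "__main__":
    anonymous = Request("exec", None, {"cmd": "show"})
    print("vulnerable:", dispatch_vulnerable(anonymous))
    print("hardened:  ", dispatch_hardened(anonymous))
```

The same anonymous request is accepted by the first dispatcher and rejected with 401 by the second; the difference is not a better check but where the check lives. Centralising it also makes the missing case detectable in review: a route table entry without a role is a visible defect, whereas a handler that silently omits a check is not.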
Mozilla’s 0Din (0Day Investigative Network) bug bounty programme found significant weaknesses in ChatGPT-4’s security controls. Researchers could bypass the model’s safeguards using hexadecimal encoding and emoji combinations. The methodology demonstrated how carefully crafted inputs could manipulate the model into bypassing content filters and security boundaries. The research exposed critical weaknesses in LLM security implementation, especially input sanitisation and context boundary enforcement.
The Lazarus Group actively exploited a zero-day in Google Chrome. Technical analysis showed exploitation techniques targeting the browser’s JavaScript engine. The attack chain involved specially crafted web pages that triggered memory corruption vulnerabilities, leading to remote code execution. This shows the group’s capability to weaponise the vulnerability for targeted attacks, including custom shellcode and evasion techniques.
The Internet Archive suffered a significant security breach in which authentication tokens were stolen. Analysis of the breach showed attackers exploited weaknesses in the archive’s token management to gain unauthorised access to stored data. The attack methodology was to harvest and exploit authentication tokens, potentially compromising millions of items of archived content and user data. The incident exposed shortcomings in long-term token storage and management practices.
Free, France’s second-largest ISP, confirmed a major cyber attack that resulted in a significant data breach affecting millions of customers. The attack involved unauthorised access to the company’s internal management tool, from which attackers were able to extract customer personal data. Attackers then attempted to sell the stolen data on dark web cybercrime forums. The impact is enormous, given a customer base of over 22.9 million mobile and fixed subscribers.
The company notified the relevant French authorities, ANSSI and CNIL, as soon as the incident occurred. This is the second attack on a French ISP in quick succession, after SFR was hit in September and customer bank details were compromised.
Thompson Coburn disclosed a data breach in which PII and PHI (Protected Health Information) belonging to patients of its client, Presbyterian Healthcare Services (PHS), was accessed or acquired by threat actors. The incident dates back to May 2024, and around 300,000 patients are reported to be affected.
Multiple UK councils were hit by DDoS attacks that took their official websites offline. These councils include Bradford, Eastleigh, Keighley, Salford, Tameside and Trafford; the football club Tottenham Hotspur was also affected.
Be prepared.
There is no one-word magic answer. What works is a holistic approach that ensures your people, process and technical security controls work together.
With today’s technology stack and ongoing developments, organisations regularly adopt cyber security maturity reviews, IT security health checks and stringent penetration testing validations. With a responsible partner, your risk assessment and treatment would improve your overall risk management strategy, enabling the business in the long term rather than ticking a box for compliance or a short-term objective.
A few useful starts:
10 steps to cyber security – An absolute gem to know more about cyber security maturity
IT Security Health Checks and Penetration Testing to identify your risks and how to mitigate them
A holistic cyber security maturity review to know your current state of people, process and tech controls
With solid expertise and an experienced team, Cyphere’s insights into customer work, embedding the business context and remediation plans, go further than traditional security assessments or validation work.
We work with your development or administration teams to ensure they understand the real risks affecting the infrastructure and to remediate the issues by priority (strategically and tactically).
Our work includes CREST penetration testing services, IASME-accredited Cyber Essentials Plus certification, security compliance and security audits, and consultancy work.