Major Cyber Attacks in Review: December 2024

December 2024 saw a series of significant cyber attacks that targeted multiple industries, from healthcare to telecommunications. Ransomware groups like Black Basta and Cl0P exploited companies to steal sensitive data, while state-sponsored actors such as Salt Typhoon and TraderTraitor carried out cyber espionage, impacting major organizations. Healthcare giants, as well as tech companies, faced major breaches that compromised millions of individuals’ personal information.

It is important to say that while the year 2024 in general was marked by significant cyber incidents, defenders did not remain passive. Law enforcement’s takedowns of criminal activity, such as the recent dismantling of the MATRIX platform, Manson Market, and 27 DDoS-for-hire platforms, were significant developments. However, cybercriminals continue to push forward, targeting organizations and individuals with new tactics and vulnerabilities. As we enter 2025, we reflect on how cyber threats persist, underscoring the need to refine our cybersecurity strategies in the new year.

This December 2024 Major Cyber Attacks blog post will review the latest attacks that shook the landscape in the past year and highlight the importance of evolving defenses as we move into 2025.

Chinese APT Group Exploited BeyondTrust Vulnerabilities in U.S. Treasury Breach

In December 2024, a sophisticated cyber attack attributed to Chinese state-sponsored actors targeted the U.S. Treasury Department, exploiting vulnerabilities in BeyondTrust’s Remote Support platform. The attackers used a stolen API key to gain unauthorized access to systems of the U.S. Treasury, primarily impacting the Office of Foreign Assets Control (OFAC).

The breach was traced to two zero-day vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in BeyondTrust’s service. While CISA confirmed that no other federal agencies were affected, the attack highlights growing risks from compromised third-party services.

This incident, part of a broader trend of Chinese APT attacks, emphasizes stronger cybersecurity defenses, particularly in relation to third-party vendors and remote access tools.

Monitor your supply chain with SOCRadar’s Supply Chain Intelligence

SOCRadar’s Supply Chain Intelligence module identifies vulnerabilities within your supply chain and provides real-time visibility into third-party companies’ exposure status. This approach helps secure operations from both direct attacks and indirect risks from vendors and partners.

North Korean ‘TraderTraitor’ Stole $308 Million from DMM Cryptocurrency Exchange

In May 2024, North Korean cyber actors, identified as TraderTraitor, carried out a significant theft of $308 million from the Japanese cryptocurrency exchange DMM. This attack, recently attributed to the TraderTraitor group (also known as Jade Sleet, UNC4899, and Slow Pisces), involved targeted social engineering aimed at multiple employees at the exchange.

The breach began in late March 2024, when a cyber actor posing as a recruiter contacted an employee at Ginco, a Japanese cryptocurrency wallet software provider. The employee, who had access to Ginco’s wallet management system, was tricked into running a malicious Python script from GitHub, compromising their system.

TraderTraitor threat actors stole $308 million from DMM

By mid-May 2024, TraderTraitor actors leveraged session cookie data to impersonate the compromised employee and gain access to Ginco’s unencrypted communications system. Using this access, they manipulated a transaction request from DMM, leading to the theft of 4,502.9 BTC, valued at $308 million. The stolen funds were moved to wallets controlled by TraderTraitor.

ESA’s Online Store Compromised in Cyberattack, Payment Details Exposed

The European Space Agency (ESA) experienced a cybersecurity breach when its third-party-managed online store was compromised by a malicious script. The attackers used the ESA’s domain with a different top-level domain to redirect users to a counterfeit Stripe payment page, aiming to steal payment card details and other sensitive customer information.

Investigations revealed that the malicious script was designed for data exfiltration, and it raised concerns about the potential risk to ESA employees due to the integration with the agency’s systems.

Despite the persistence of the malicious code in the site’s source code, ESA clarified that the store was managed externally by a third party. The attackers’ use of a fake payment page and the script’s continued presence highlighted the ongoing security risks and the potential long-term impact of the breach.

Protect your organization from phishing attacks with SOCRadar LABS’ free Phishing Radar service. Using AI-driven Digital Risk Protection, Phishing Radar scans millions of domain registrations to identify malicious domains and delivers real-time alerts on suspicious activity, protecting your organization and customers from targeted scams.

Phishing Radar is a part of the free SOC Tools provided on SOCRadar LABS

Chrome Extension Phishing Attacks

In late 2024, a phishing attack targeted Chrome extension developers, compromising the Cyberhaven Chrome extension, among others. The attack affected over 2.6 million users across at least 36 extensions, with Cyberhaven being the first to report the breach. The attackers used malicious OAuth applications to gain control over the extensions, enabling them to steal cookies and access tokens from social media and AI platforms.

The campaign, which began in December 2024, used phishing emails to trick developers into granting permissions, bypassing Multi-Factor Authentication (MFA) and gaining access to Chrome Web Store extensions. The threat actors also targeted Facebook accounts linked to the affected extensions, attempting to bypass two-factor authentication by searching for QR codes related to Facebook’s security protocols.

A recent wave of phishing attacks targeted Chrome extension developers

The breach’s extensive impact, with compromised extensions like VPNCity and Internxt VPN, highlights the growing threat to browser extensions.

Ascension Healthcare Data Breach Exposed Nearly 5.6 Million Patients and Employees

Ascension released a notification regarding a cyber attack from May 2024, during which 5.6 million patients’ and employees’ personal and health data was stolen.

The breach occurred after an employee unknowingly downloaded a malicious file. It was attributed to the Black Basta ransomware group; the group’s growing focus on healthcare made them the prime suspect in the attack.

The stolen data included medical records, insurance information, and personal identifiers. The attack disrupted Ascension’s MyChart system, forcing the healthcare provider to pause some services and rely on paper-based tracking.

SOCRadar’s Dark Web Monitoring module can help you uncover and mitigate cyber threats before they escalate. Monitor hidden forums and marketplaces to identify compromised data and track emerging threats.

SOCRadar’s Dark Web Monitoring

Salt Typhoon Targeted Numerous U.S. Telecoms

The Salt Typhoon hacking group, a Chinese state-sponsored APT, resumed operations after two years of no activity, targeting major U.S. telecommunications companies, including Verizon, AT&T, T-Mobile, and Lumen Technologies. The group, known for its cyber espionage activities, exploited vulnerabilities in telecom networks to gather intelligence, exfiltrate data, and conduct espionage, focusing on sensitive communication data.

SOCRadar Threat Actor Card for Salt Typhoon tactics

By December 2024, the U.S. government confirmed that a ninth telecom company had been compromised, with officials noting the growing sophistication of Salt Typhoon’s tactics.

The telecommunications industry is critical, because such breaches not only jeopardize sensitive communications but also pose a broader threat to national interests. To learn more about the impact of these attacks on the telecom industry, visit SOCRadar’s article: Major Cyber Attacks Targeting the Telecommunication Industry (2023-2024).

Texas Tech University Data Breach Exposed 1.4 Million Personal, Medical, and Financial Records

Texas Tech University notified over 1.4 million individuals that their personal and health information had been compromised in a ransomware attack targeting its Health Sciences Center and Health Sciences Center El Paso.

1.4 million records were exposed in the Texas Tech University breach (Source)

The breach occurred between September 17 and 29, 2024, disrupting systems and leading to the theft of sensitive data, including names, addresses, Social Security numbers (SSNs), health insurance details, and medical information. The Interlock ransomware group claimed responsibility for the attack, which involved the exfiltration of approximately 2.5 terabytes of data, including medical records and SQL databases.

Texas Tech University provided affected individuals with free credit monitoring services and filed breach reports with the U.S. Department of Health and Human Services. Despite Interlock’s claim, other ransomware groups were also reported to have targeted the institution.

ConnectOnCall Hit by Data Breach: Over 900,000 Patients’ Personal and Health Information Exposed

In May 2024, Phreesia, a healthcare SaaS company, disclosed a data breach involving its newly acquired subsidiary, ConnectOnCall. The breach, which occurred between February 16 and May 12, 2024, exposed personal and health information of 914,138 patients. The breach affected a telehealth platform and after-hours call service that facilitates patient-provider communication.

ConnectOnCall breach exposed over 900,000 patients’ information

The unauthorized access involved provider-patient communications, including names, phone numbers, medical record numbers, health conditions, treatments, prescriptions, and in some cases, Social Security numbers (SSNs). Upon discovering the breach, Phreesia took ConnectOnCall offline and engaged federal law enforcement and cybersecurity specialists to assess the damage – the company has also confirmed that no other services were affected.

Cl0P Ransomware Group Targets Cleo Vulnerabilities in Latest Exploitation Campaign

In December 2024, Cl0P ransomware claimed that it exploited vulnerabilities in Cleo’s file transfer software, gaining Remote Code Execution (RCE) and exfiltrating sensitive data from products like Cleo Harmony, VLTrader, and LexiCom. The exploitation was initially linked to the Termite ransomware group, but Cl0P later claimed responsibility, targeting at least 66 organizations.

The breaches affected numerous Cleo hosts, including businesses in the retail, logistics, and healthcare sectors. Attackers utilized the flaws to bypass security, steal confidential data, and deploy backdoors, with reports indicating the theft of patient information and financial data.

Blue Yonder, one of the affected organizations, denied any connection to the Cleo vulnerability, though it was the only company publicly named by Cl0P in their data leak. The vulnerability exploitation highlights the growing risk to supply chain platforms and emphasizes the importance of patching and securing file transfer systems.

Reduce your organization’s risk with SOCRadar’s Vulnerability Intelligence and Attack Surface Management (ASM) modules. Continuously monitor your digital footprint and identify vulnerabilities across your entire attack surface, from internal systems to third-party providers.

SOCRadar’s Vulnerability Intelligence

SOCRadar provides real-time insights on exploitable vulnerabilities, enabling your security team to prioritize and patch weaknesses before they are exploited. With ASM, gain full visibility into your digital assets and proactively manage your exposure to cyber threats. Enhance your cybersecurity posture with SOCRadar’s integrated approach to risk management.