CyberNewsUz
Threat Intelligence Portal
Database of APT campaigns, ransomware attacks and global cyber threats
// LIVE THREAT FEED
Operation MidnightEclipse was a campaign conducted in March and April 2024 that involved initial exploitation of the zero-day vulnerability CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.
ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.
BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.
Indian Critical Infrastructure Intrusions is a sequence of intrusions from 2021 through early 2022 linked to People’s Republic of China (PRC) threat actors, particularly RedEcho and Threat Activity Group 38 (TAG38). The intrusions appear focused on IT system breach in Indian electric utility entities and logistics firms, as well as potentially managed service providers operating within India. Although focused on OT-operating entities, there is no evidence this campaign was able to progress beyond IT breach and information gathering to OT environment access.
RedEcho is a People’s Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. RedEcho overlaps with various other PRC-linked threat groups, such as APT41, and is linked to ShadowPad malware use through shared infrastructure.
Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.
Chinese state-sponsored hackers (Salt Typhoon) breached AT&T, Verizon, T-Mobile for months, accessing lawful-intercept (wiretap) systems and senior government officials' communications.
Faulty CrowdStrike sensor update caused 8.5M Windows systems to BSOD globally. Airlines, hospitals, banks disrupted. $5.4B+ estimated losses.
BlackSuit ransomware crippled CDK Global software used by 15,000+ US auto dealerships. Industry lost ~$1B during weeks-long outage.
KV Botnet Activity consisted of exploitation of primarily “end-of-life” small office-home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. KV Botnet Activity was used by Volt Typhoon to obfuscate connectivity to victims in multiple critical infrastructure segments, including energy and telecommunication companies and entities based on the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster. This botnet was disrupted by US law enforcement entities in early 2024 after periods of activity from October 2022 through January 2024.
Qilin ransomware hit Synnovis pathology lab, disrupting blood transfusions across London NHS hospitals. 10,000+ appointments cancelled.
Black Basta ransomware crippled Ascension Health, one of largest US hospital chains. Staff used paper records for weeks, patient safety at risk.
Threat actors used stolen credentials to access Snowflake cloud accounts of 165+ organizations including Ticketmaster, Santander, and AT&T.
ShinyHunters stole 560M Ticketmaster customer records via Snowflake breach. Data included names, addresses, partial payment cards.
AT&T confirmed data breach exposing 73 million customer records including SSNs, passcodes from 2019 data. Separately, call records of nearly all customers stolen.
Social engineering attack over 2+ years planted backdoor in XZ Utils compression library, nearly compromising SSH authentication on major Linux distros.
ALPHV/BlackCat ransomware group attacked Change Healthcare payment system, disrupting US healthcare for weeks. UnitedHealth paid $22M ransom.
Multiple threat actors exploited zero-days in Ivanti Connect Secure VPN. Thousands of organizations globally compromised, including US CISA itself.
ALPHV ransomware hit LoanDepot mortgage company, exposing 16.9M customer SSNs, financial data. Systems offline for weeks.
Rhysida ransomware crippled British Library systems, leaking 600GB of HR data. Recovery took months and cost £6-7M.
Scattered Spider social-engineered MGM IT helpdesk, deploying ALPHV ransomware. MGM lost $100M+, casino operations halted for days.
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.
North Korean Lazarus Group stole $35M+ from Atomic Wallet users in June 2023; attribution rests on blockchain analysis, and the root cause of the wallet application's compromise was never publicly confirmed.
Cl0p exploited MOVEit Transfer zero-day, stealing data from 2,700+ organizations including US government agencies. 95M+ people affected.
North Korean Lazarus Group compromised the 3CX VoIP software supply chain, targeting crypto and defense firms. First known supply chain attack seeded by a prior supply chain compromise (the trojanized Trading Technologies X_TRADER installer).
Black Basta ransomware hit Capita, UK's largest government IT outsourcer. Multiple NHS trusts, councils and pension funds affected. £25M recovery cost.
LockBit ransomware disrupted UK Royal Mail international shipping for weeks. LockBit demanded $80M ransom. Service restored after 6 weeks.
Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction. Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.
Iranian state hackers (HomeLand Justice) launched destructive attack on Albanian government, wiping systems and leaking data. Albania expelled Iranian diplomats.
POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.