How did we weather the cyber storm in 2024?

If you ask National Public Data (NPD), Stoli Group’s U.S. Operations, Gotham Restaurant chain, and potentially others, they may tell you it was the worst year for the business since their inception. This is because they all filed Chapter 11 bankruptcy following a data breach. If you read about these companies, you’ll find they were all suffering financial difficulties prior to the breach, but the breach certainly hastened the decision to file.

The costs of a breach, including forensics investigators, fines, lawsuits, and penalties, on top of the ordinary cost of doing business, would leave most businesses struggling to return to business as usual, if not closing shop permanently.

After researching data breaches, trends, and root causes, I decided to write a post about how we can better secure our organization in 2025, inspired by some of the most prominent data breaches of 2024.

Let’s start with the U.S. Treasury. I’m not referring to the downstream breach resulting from the SolarWinds catastrophe in 2020. I’m referring to the breach first detected on December 8th and disclosed in late December of 2024.

What can we learn from these breaches?

U.S. Department of the Treasury, Reported December 30, 2024
Again, the Treasury fell victim due to its relationship with a third party. As we see more and more third-party breaches leading to downstream compromise, more stringent cybersecurity assessments, closer monitoring, and due diligence language in contracts should be seriously considered.

The threat actors gained access by using a stolen API key, which gave them access to the third party’s remote support SaaS platform. Least privilege, API key encryption, and key rotation may have prevented this breach.

Unfortunately, the attack was allegedly linked to a well-funded, very sophisticated group referred to as Salt Typhoon, a nation-state threat actor group sponsored by the Chinese government, “allegedly”—I have to say that. Yes, this is the same group linked to recent major telecom company data breaches (Verizon, AT&T, T-Mobile) and seven others.

National Public Data (NPD), Reported August 16, 2024
Have you had a background check performed on you? If so, your data may have been stolen during this massive breach and data exfiltration attack affecting Canada, the United States, and the United Kingdom. An estimated 2.9 billion records containing highly sensitive personal data were compromised.

This April 2024 attack was executed by the hacker group USDoD, which openly confirmed its identity. Don’t worry—the head honcho was arrested in Brazil as part of Brazil’s Federal Police initiative, “Operation Data Breach.”

While the technical details have yet to be released, based on the actors’ normal TTPs, it is suspected that the breach was a result of unpatched vulnerabilities, phishing/smishing, or weak access controls. Regardless, prioritizing patch management is critical. Vulnerabilities with known exploits, and especially those being actively exploited, should be first in line for patching.

Snowflake Inc., June 2024
This cloud-based data warehousing company suffered a breach, which began in April 2024, affecting over 100 customers and leading to unauthorized access and exfiltration of huge amounts of sensitive data.

Scattered Spider appears to have targeted Snowflake, obtaining login credentials through infostealer malware. Scattered Spider is well known for being English-speaking and very competent at the art of social engineering via phishing and vishing and is credited with the breaches of Western Digital, MGM Resorts, and Caesars Entertainment, to name a few.

Unfortunately, with this attack, the threat actors were able to steal credentials and gain access. Well-trained employees and help desk personnel, along with frequent password rotation or passwordless solutions, encryption, and strong multi-factor authentication practices, may have dissuaded the attacker from spinning its web and forced it to move elsewhere.

Ticketmaster/Live Nation, April – May 2024, Publicly Disclosed May 15, 2024
Huh, I’m beginning to see a pattern here. Guess who the third party was involved with this downstream breach? You got it—Snowflake. You may be thinking that since Scattered Spider was responsible for the breach of Snowflake, they were also responsible for the Ticketmaster breach. Wrong. ShinyHunters stole Ticketmaster data from Snowflake.

1.3GB of data was offered in a one-time sale for $500,000, according to a Dark Web post. Oh, the complex web we weave!

ShinyHunters obtained credentials by way of information-stealing malware and a remote access trojan against a fourth party, EPAM Systems. They accessed unencrypted credentials used by an employee to access EPAM Systems’ customers, which were then used to infiltrate the Snowflake account owned by Ticketmaster.

Here again, even if I give you my username and password, you won’t be able to log in without my MFA token—preferably not an SMS message. SIM swapping is a common tactic used by Scattered Spider, LAPSUS$ Group, and REvil, to name a few.

AT&T, March, April, and July of 2024
Wow, talk about having a target on your back. AT&T suffered multiple breaches in 2024, most likely the work of Scattered Spider and Salt Typhoon. I won’t discuss all the incidents because that’s not the intent of this post.

I’m beginning to sound like a broken record. Yet again, it’s all about training and MFA. Yes, this was a downstream attack fueled by the Snowflake breach.

Change Healthcare, February 21, 2024
Ransomware attack… I shudder just thinking about one of the companies I vCISO for getting attacked by ALPHV/BlackCat, which is exactly what happened to Change Healthcare in February of this year (or last year, if you’re reading this tomorrow). It turns out this was the largest known data breach of protected health information in history.

Over 100 million personal health records were stolen in the double extortion attack, where the attackers exfiltrated the data prior to encrypting it and then demanded a ransom. A $22 million ransom was demanded, and some was paid, according to word on the street.

The HIPAA Journal reports that in the nine months ending on September 30, 2024, Change’s parent firm, United Health Group, had incurred $1.521 billion in direct breach response costs and $2.457 billion in total cyberattack impacts (KrebsOnSecurity).

This was another case of the lack of MFA. It was later determined that the attackers gained access using stolen or purchased (access broker) credentials for a Citrix portal.

Key Takeaways

  • It appears we must continue the discussions around Multi-Factor Authentication (MFA). Yes, there are ways around it, but without it, you are surely looking for trouble.
  • Why aren’t we patching critical vulnerabilities? No matter how big you are, identify and scan your crown jewels, scan your perimeter, and prioritize patching based on exploitable vulnerabilities and vulnerabilities currently being exploited, and if you find zero days, implement compensating controls.
  • Apparently, we need to come up with a better, more secure way to validate users. We all have smartphones. Why not FaceTime or a Zoom call to validate users? We could have them send a picture of their driver’s license. It sure beats losing your job or being responsible for a catastrophic data breach.
  • Third-party data breaches have become a prominent vector for cyber-attack, which is why we need to rethink our strategy: more comprehensive risk assessments, regular monitoring, and adequate cybersecurity due-diligence language in contracts.
  • APIs have always been discussed as being an attack vector.  Now, we’re seeing more and more activity where attackers are leveraging poorly secured keys to access sensitive data.

Keep your API keys out of your source code. Store them strongly encrypted and decrypt them only at runtime. Use an API Gateway for an additional layer of security.
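To make that advice concrete, here is an added example (not from the original post or any tool it mentions) in Python: a small scan that flags string literals hardcoded into source under credential-looking names, and a loader that takes the key from the environment, where a secrets manager would inject it, and refuses keys older than a rotation policy. The variable names SUPPORT_API_KEY and SUPPORT_API_KEY_ISSUED, the 90-day policy, and the sample source are all constructed for the example.

```python
import math
import os
import re
from datetime import datetime, timedelta, timezone
# A string literal assigned to a variable whose name hints at a credential.
CRED_ASSIGN = re.compile(
    r'(?i)\b([a-z_]*(?:api[_-]?key|secret|token|password)[a-z_]*)'
    r'\s*[=:]\s*["\']([^"\']{16,})["\']'
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above dictionary words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_hardcoded_keys(source: str, min_entropy: float = 3.5):
    """Return (line_no, variable, value) for each literal that looks like a live key."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        for m in CRED_ASSIGN.finditer(line):
            name, value = m.group(1), m.group(2)
            # Template placeholders and plain words are not keys; skip them.
            if value.startswith("${") or shannon_entropy(value) < min_entropy:
                continue
            hits.append((no, name, value))
    return hits

def key_is_stale(issued_iso: str, now_iso: str, max_age_days: int = 90) -> bool:
    """True when the key is older than the rotation policy allows."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(issued_iso)
    return age > timedelta(days=max_age_days)

def load_api_key(env=None, now_iso=None, max_age_days: int = 90) -> str:
    """Read the key injected at runtime by the secrets manager and refuse stale keys."""
    env = os.environ if env is None else env
    now_iso = now_iso or datetime.now(timezone.utc).isoformat()
    key = env.get("SUPPORT_API_KEY")
    if not key:
        raise RuntimeError("SUPPORT_API_KEY not set; inject it at runtime, never in code")
    issued = env.get("SUPPORT_API_KEY_ISSUED", "1970-01-01T00:00:00+00:00")
    if key_is_stale(issued, now_iso, max_age_days):
        raise RuntimeError("SUPPORT_API_KEY is past its rotation deadline; rotate it")
    return key

# Constructed sample source, not real credentials.
SAMPLE_SOURCE = """\
SUPPORT_API_KEY = "A7k9Qz2LmX4pV8bR"     # hardcoded literal: flagged
db_password = "changemechangeme"          # low entropy: ignored
api_key = "${SUPPORT_API_KEY}"            # template placeholder: ignored
token = os.environ["SUPPORT_API_KEY"]     # runtime lookup: not a literal
"""
```

Running `find_hardcoded_keys` over a repository in a pre-commit hook catches the literal before it is ever committed; `load_api_key` fails closed when the key is missing or overdue for rotation.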

There are so many lessons to be learned from these breaches. One of them is the fact that we can never let our guard down. We must be diligent and informed and have our eyes wide open.

Happy New Year, my friends!

By: Brett Price – Lead Cybersecurity Consultant – C|CISO, CISSP, CISM, CISA

Brett is the Leader of AccessIT's Virtual CISO program and holds the following industry-recognized certifications: C|CISO, CISSP, CISM, CISA. Brett's cybersecurity journey spans over two decades in the mid to large enterprise space, where he seamlessly transitioned from systems administrator and network architect roles into esteemed cybersecurity leadership positions. His tenure in the IT and cybersecurity realms has equipped him with not only technical acumen but has molded him into a strategic visionary. Through his deep-rooted understanding of business risk and governance frameworks such as NIST CSF, NIST 800-53, NIST 800-30/37, ISO/IEC 27001/27005, COBIT, and CISv8, Brett has sculpted cybersecurity narratives for enterprises, always placing an emphasis on confidentiality, integrity, and assurance.
