Major Cyber Attacks in Review: May 2024

May 2024 saw several major cyber attacks across diverse sectors, including cryptocurrency, cloud services, and online archives.

Notable incidents include the $308 million cryptocurrency heist from DMM Bitcoin, significant data breaches at Snowflake affecting clients like Santander Bank and Ticketmaster, and a DDoS attack on the Internet Archive.

This post examines these incidents, providing an overview of the major cyber attacks of May 2024, and their impact on cybersecurity.

$308 Million Was Stolen from DMM Bitcoin in Major Crypto Heist

On May 31, 2024, Japanese cryptocurrency exchange DMM Bitcoin reported the theft of 4,502.9 Bitcoin (BTC), valued at approximately $308 million. This heist marks the largest cryptocurrency theft of 2024.

The largest cryptocurrency theft so far in the year was targeted at DMM Bitcoin, reported in May 2024.

On the day of the incident, DMM Bitcoin detected unauthorized access to one of its wallets. The company has since implemented security measures and restricted several services to ensure safety while the investigation is ongoing.

Although DMM Bitcoin has not disclosed how the breach occurred, similar thefts typically involve accessing corporate systems or exploiting vulnerabilities in smart contracts or websites. The exchange assured customers that all BTC deposits would be fully guaranteed with support from group companies.

Cryptocurrency intelligence firm Elliptic reported that the stolen Bitcoin has been split into multiple new wallets, likely to evade detection and exchange blocks. If confirmed, this incident ranks as the eighth-largest crypto heist ever.

Snowflake Incident Led to Data Breaches of High-Profile Companies

In May 2024, Snowflake, a prominent cloud-based data storage and analytics provider, faced a significant cybersecurity incident. Unauthorized access to Snowflake’s systems allegedly compromised the sensitive data of high-profile clients, including Santander Bank and Ticketmaster. The breach potentially affects 30 million Santander customers and 560 million Ticketmaster users.

The breach likely started with a compromised machine used by a Snowflake sales engineer, infected with Lumma Stealer malware. The attacker, known as “Whitewarlock,” first appeared on a Russian dark web forum, offering the stolen data for sale.

Following the breach, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging Snowflake users to take immediate action. CISA recommended enabling Multi-Factor Authentication (MFA), reviewing Indicators of Compromise (IoCs), disabling suspicious users, resetting credentials, monitoring executed queries, and analyzing sessions for unusual applications to prevent further unauthorized access.
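The CISA checklist above maps directly onto the telemetry Snowflake exposes through its ACCOUNT_USAGE views. What follows is an added example, not SOCRadar's, CISA's or Snowflake's code: it runs the review steps (successful logins that presented no second factor, logins from an IP not previously seen for that user, sessions opened by a client application outside a per-user baseline, and queries that produced unusually large result sets) over constructed records whose field names follow the LOGIN_HISTORY, SESSIONS and QUERY_HISTORY views, then emits the ALTER USER statements that disable a flagged account and reset its password. The sample rows, the EXPECTED_CLIENTS and KNOWN_IPS allowlists, the two-signal escalation rule and the 1,000,000-row threshold are assumptions made for the demonstration.

```python
"""Triage helpers for Snowflake-style login, session and query records.

Added example (not SOCRadar's, CISA's or Snowflake's code). Field names
mirror Snowflake's ACCOUNT_USAGE views LOGIN_HISTORY, SESSIONS and
QUERY_HISTORY; every row below is constructed for illustration.
"""
from collections import defaultdict

# Constructed rows modeled on ACCOUNT_USAGE.LOGIN_HISTORY
LOGINS = [
    {"user_name": "ANALYST_A", "client_ip": "203.0.113.10",
     "reported_client_type": "SNOWFLAKE_UI",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"user_name": "ETL_SVC", "client_ip": "198.51.100.7",
     "reported_client_type": "PYTHON_DRIVER",
     "second_authentication_factor": None, "is_success": "YES"},
    # Service account logging in from an unfamiliar address with no MFA
    {"user_name": "ETL_SVC", "client_ip": "192.0.2.44",
     "reported_client_type": "OTHER",
     "second_authentication_factor": None, "is_success": "YES"},
    # Failed attempt from the same unfamiliar address; not counted as access
    {"user_name": "ANALYST_A", "client_ip": "192.0.2.44",
     "reported_client_type": "OTHER",
     "second_authentication_factor": None, "is_success": "NO"},
]

# Constructed rows modeled on ACCOUNT_USAGE.SESSIONS
SESSIONS = [
    {"session_id": 1, "user_name": "ANALYST_A", "client_application_id": "Snowflake UI"},
    {"session_id": 2, "user_name": "ETL_SVC", "client_application_id": "PythonConnector 3.6.0"},
    {"session_id": 3, "user_name": "ETL_SVC", "client_application_id": "unknown-cli 0.1"},
    {"session_id": 4, "user_name": "ANALYST_A", "client_application_id": "SnowSQL 1.2.0"},
]

# Constructed rows modeled on ACCOUNT_USAGE.QUERY_HISTORY
QUERIES = [
    {"query_id": "q1", "user_name": "ANALYST_A", "rows_produced": 250,
     "query_text": "SELECT * FROM sales LIMIT 250"},
    {"query_id": "q2", "user_name": "ETL_SVC", "rows_produced": 4_800_000,
     "query_text": "COPY INTO @ext_stage FROM customers"},
]

# Per-user baselines built from normal operation (assumed values)
EXPECTED_CLIENTS = {"ANALYST_A": {"Snowflake UI"}, "ETL_SVC": {"PythonConnector 3.6.0"}}
KNOWN_IPS = {"ANALYST_A": {"203.0.113.10"}, "ETL_SVC": {"198.51.100.7"}}


def users_without_mfa(logins):
    """Users with at least one successful login that presented no second factor."""
    return sorted({r["user_name"] for r in logins
                   if r["is_success"] == "YES" and not r["second_authentication_factor"]})


def logins_from_unknown_ips(logins, known_ips):
    """Successful logins from an IP address never seen before for that user."""
    return [r for r in logins
            if r["is_success"] == "YES"
            and r["client_ip"] not in known_ips.get(r["user_name"], set())]


def unusual_client_sessions(sessions, expected_clients):
    """Sessions opened by a client application outside the user's baseline."""
    return [s for s in sessions
            if s["client_application_id"] not in expected_clients.get(s["user_name"], set())]


def bulk_result_queries(queries, row_threshold=1_000_000):
    """Queries that returned or unloaded an unusually large number of rows."""
    return [q for q in queries if q["rows_produced"] >= row_threshold]


def suspicious_users(logins, sessions, queries, expected_clients, known_ips,
                     row_threshold=1_000_000):
    """Users hit by at least two independent signals (assumed escalation rule).

    A single signal is left for manual review; two or more is treated as a
    probable account compromise. Returns {user: sorted list of signal names}.
    """
    signals = defaultdict(set)
    for r in logins_from_unknown_ips(logins, known_ips):
        signals[r["user_name"]].add("unknown_ip")
    for s in unusual_client_sessions(sessions, expected_clients):
        signals[s["user_name"]].add("unusual_client")
    for q in bulk_result_queries(queries, row_threshold):
        signals[q["user_name"]].add("bulk_result")
    for u in users_without_mfa(logins):
        signals[u].add("no_mfa")
    return {u: sorted(sig) for u, sig in signals.items() if len(sig) >= 2}


def containment_statements(users):
    """ALTER USER statements (Snowflake syntax) to disable each flagged account
    and reset its password; run them from an admin role after review."""
    stmts = []
    for u in sorted(users):
        stmts.append(f"ALTER USER {u} SET DISABLED = TRUE;")
        stmts.append(f"ALTER USER {u} RESET PASSWORD;")
    return stmts


if __name__ == "__main__":
    flagged = suspicious_users(LOGINS, SESSIONS, QUERIES, EXPECTED_CLIENTS, KNOWN_IPS)
    for user, sigs in flagged.items():
        print(user, sigs)
    print("\n".join(containment_statements(flagged)))
```

On the constructed data, ANALYST_A trips only the unusual-client check (a SnowSQL session outside its baseline) and stays a review item, while ETL_SVC accumulates all four signals and is the one account the script would disable. In a real account the baselines would be derived from several weeks of ACCOUNT_USAGE history rather than typed in, and the failed login from the unfamiliar address would itself be worth correlating with the published IoCs.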

For a detailed timeline of events and more information about the Snowflake breach, visit our blog: “Overview of the Snowflake Breach.”

Internet Archive Suffered a Three-Day DDoS Attack

In late May 2024, the Internet Archive website became the target of a Distributed Denial-of-Service (DDoS) attack that disrupted its services for three days. Despite assurances that its collections and web archives remain safe, service has been inconsistent for the online library and its Wayback Machine.

Logo of Internet Archive

An anonymous gang calling itself SN_Blackmeta has claimed responsibility for the DDoS attacks, though their motives remain unclear. The flood of phony network traffic has been “sustained, impactful, targeted, adaptive, and importantly, mean,” as Brewster Kahle, founder and digital librarian of the Archive, has described it.

The Archive, which offers free access to vast digitized materials and hosts the Wayback Machine, is also facing significant legal battles against major US book publishing companies and record labels for alleged copyright infringement.

Sav-Rx Data Breach Exposed 2.8 Million Customers’ Personal Data

On October 8, 2023, Sav-Rx, a prescription management company, experienced a data breach that exposed the personal information of 2.8 million people in the United States. Sav-Rx provides prescription drug management services to employers, unions, and other organizations across the U.S.

Data breach disclosure by Sav-RX

The breach was discovered when Sav-Rx identified an interruption to its computer network. Immediate steps were taken to secure its systems, and third-party cybersecurity experts were engaged. Although its IT systems were restored the next business day, confirming whether personal data was stolen took almost eight months, with the investigation concluding on April 30, 2024.

The investigation revealed in May 2024 that hackers first accessed customer data on October 3, 2023. The exposed data includes full names, dates of birth, Social Security Numbers (SSNs), email addresses, physical addresses, phone numbers, eligibility data, and insurance identification numbers.

Hacker Pleaded Guilty to $37 Million Cryptocurrency Fraud

Chirag Tomar, a 30-year-old Indian national, pleaded guilty to wire fraud conspiracy for stealing over $37 million through a fake Coinbase website.

Hackers stole $37 million in cryptocurrency via a fake Coinbase website.

Tomar and his co-conspirators created a phishing site mimicking the Coinbase Pro platform, tricking users into entering their login credentials and two-factor authentication codes. The scheme involved social engineering tactics, where victims were deceived into allowing remote access to their computers.

Tomar was arrested on December 20, 2023, following an investigation by the U.S. Secret Service and the FBI. From June 2021, the fake website “coinbasepro.com” lured users into sharing sensitive information, leading to unauthorized access to their cryptocurrency wallets.

Once in control of these accounts, Tomar and his associates transferred the funds to their wallets, converting the stolen cryptocurrency into cash and distributing it among themselves.

Cencora Data Breach Impacted Major Pharmaceutical Firms, Exposing Patient Data

A significant data breach at Cencora, formerly known as AmerisourceBergen, has affected some of the world’s largest pharmaceutical companies. The breach, which occurred in February 2024, has led to disclosures of data exposures from major drug firms.

Cencora, a prominent pharmaceutical services provider, reported the breach in a February SEC filing, noting that unauthorized parties accessed and exfiltrated personal data from its information systems. The extent of the breach and its impact on clients were initially undisclosed, and no ransomware groups claimed responsibility.

Cencora’s Form 8-K filing with the SEC

In late May 2024, the California Attorney General’s office published data breach notifications from several affected pharmaceutical firms, revealing the scope of the incident. The breach has impacted companies including Novartis, Bayer, AbbVie, and GlaxoSmithKline, among others.

These notifications confirmed that the exposed data includes full names, addresses, health diagnoses, medications, and prescriptions. Despite the breach, there is no evidence that the stolen data has been publicly disclosed or used fraudulently.

WebTPA Data Breach Impacted 2.5 Million Individuals

The WebTPA Employer Services data breach, disclosed earlier in May 2024, has affected approximately 2.5 million individuals, according to the U.S. Department of Health and Human Services.

WebTPA, a subsidiary of GuideWell Mutual Holding Corporation, provides administrative services to health plans and insurance companies.

The breach, which occurred between April 18 and April 23, 2023, was discovered in late December 2023 when WebTPA detected suspicious activity on its network. WebTPA notified benefit plan providers and insurance companies on March 25, 2024, and sent notices to affected individuals on May 8, 2024.

The exposed data includes full names, contact information, dates of birth, Social Security numbers, and insurance information. Notably, financial account details, credit card numbers, and medical treatment information were not compromised.

Among the impacted are customers from large insurance companies such as The Hartford, Transamerica, and Gerber Life Insurance. WebTPA advises affected individuals to monitor their credit reports and be cautious of potential fraud attempts, recommending a security freeze on credit files to mitigate risks.

Nissan Data Breach Led to Exposure of Over 53,000 Employees’ Information

Nissan North America experienced a significant data breach last year when a threat actor targeted the company’s external VPN and shut down systems in a ransomware attack. The breach, discovered in early November 2023, has recently been found to have exposed the personal data of over 53,000 current and former employees.

In a notification to affected individuals, Nissan explained that the cyberattack was identified on November 7, 2023, and was promptly reported to law enforcement. Immediate actions were taken to investigate, contain, and terminate the threat with the help of external cybersecurity experts.

The investigation revealed that the attacker accessed files on local and network shares containing business information. However, on February 28, 2024, Nissan identified that personal information, including Social Security numbers, was also exposed. The company assured that no financial details were accessed.

Nissan NA had to shut down systems in 2023 due to a ransomware attack.

Nissan is not aware of any misuse of the exposed data but has offered impacted individuals free 24-month credit monitoring and identity theft protection through Experian to mitigate potential risks.

Alleged Russian Threat Actors Defaced Numerous Newspaper Websites from the U.K.

On May 25, 2024, a group claiming to be “first-class Russian hackers” defaced potentially hundreds of local and regional British newspaper websites.

The affected websites belong to the Newsquest Media Group, the second-largest publisher of local newspapers in the UK.

Hackers defaced many UK newspaper websites in May 2024.

The group published a breaking news story titled “PERVOKLASSNIY RUSSIAN HACKERS ATTACK” on the sites, though it did not appear in print. While the incident suggests a breach of a central or shared content management system, there is no concrete evidence that the attackers were actually Russian.

The hack raises concerns about the cybersecurity of local media outlets in the UK, especially with an election expected later this year. The attack reportedly follows a pattern of cyber incidents linked to Russian and Belarusian threat actors, such as the Ghostwriter group, known for publishing false stories to inflame tensions.

Article Link: Major Cyber Attacks in Review: May 2024 - SOCRadar® Cyber Intelligence Inc.