2024 was an eventful year in cybersecurity with many significant attacks that caused extensive disruption – not just in businesses but even across nations. Cybersecurity practitioners were kept busy defending against these attacks but can also gain lessons from such cyberthreat activity, enabling us to counter cyberthreats and resourceful adversaries in 2025 and beyond.
Cyberattacks and Cybersecurity Learnings from 2024
We will discuss what we learnt about cybersecurity in 2024, with takeaways on improving cyber defences. Some of the attacks analysed occurred in 2024; others occurred in previous years but yielded new insight in 2024. All of them give us much to think about when bolstering enterprise cyber defences to prevent the attacks of the future.
1. Lack of MFA Leads to Impact on 100 Million People, $22 Million Ransom, $1.1 Billion in Costs
A ransomware attack on Change Healthcare, part of the UnitedHealth Group, resulted in the leak of personal information of 100 million Americans – the largest ever healthcare data breach – and financially impacted 94% of hospitals, with 60% of hospitals that experienced a cash flow impact reporting revenues were affected by more than $1 million per day. The company paid a ransom of $22 million in Bitcoin, incurred costs of $1.1 billion that could rise to $2.45 billion, and provided more than $9 billion in advances and no-interest loans. Threat actors entered Change Healthcare’s network by compromising a server that lacked Multi-Factor Authentication (MFA), which is standard across UnitedHealth; the group had been in the process of upgrading Change Healthcare’s technology, after its acquisition in 2022, when the attack occurred.
Similarly, a North American fashion chain experienced a data breach that impacted 57 million customers due to a cloud account lacking MFA.
Takeaway
It takes just one device that lacks adequate protection to open the doors to a cyberattack that can wreak havoc across a nation. Cybersecurity audits must be conducted at regular intervals to ensure that every device is secured. Cybersecurity should also form part of an investor’s due diligence when an organisation is acquired; cybersecurity, of both organisations individually and of the combined organisation, must be prioritised when merging the operations of both entities.
MFA is an important layer in cybersecurity that can prevent credential abuse, and should be deployed for both on-premises and cloud-hosted solutions.
2. Server Compromise Begins Within Hours of Vulnerability Information Being Published
A vulnerability in JetBrains TeamCity, which allowed threat actors to gain administrative control over TeamCity servers through an authentication bypass, was exploited within hours of information about the vulnerability being published. The vulnerability was exploited to create administrator accounts on more than 1,400 servers, with up to 300 user accounts created on compromised servers. Any user running a vulnerable version of the software had to proceed on the assumption of compromise and isolate the server from internal and external networks.
Takeaway
This incident illustrates why effective cybersecurity requires immediate action. Patches must be applied as soon as they become available, as threat actors will immediately (within hours, in this case) try to compromise organisations that have not applied the patches. If an unpatched vulnerability is known to exist, mitigation measures must be deployed immediately to prevent exploitation until a patch is released.
3. Social Engineering Campaigns Leverage IT Disruptions
The CrowdStrike outage, which crashed Windows systems, was not a cybersecurity incident, but threat actors leveraged the disruption it caused to launch social engineering attacks: they impersonated support staff through email and phone to sell software scripts that claimed to automate recovery, or distributed malware disguised as recovery tools.
Similarly, threat actors contacted customers of an automobile Dealer Management System vendor after a ransomware attack crippled the vendor’s software and hampered customers’ operations, and tried to gain access to customers’ systems by pretending to represent the vendor.
Takeaway
Social engineering attempts can be devious, and include impersonating legitimate vendor staff to compromise the vendor’s customers whenever a service disruption (which may or may not be cybersecurity related) is encountered. Employees must be trained to verify all unexpected messages from vendors by contacting the vendor directly through known communication channels before performing any action requested by those claiming to represent the vendor.
4. Cyberattack Ends 25-Year Partnership
The UK’s Post Office ceased providing services of MoneyGram, a global money transfer service, following a cyberattack that disrupted MoneyGram’s services for several days. The attack occurred 10 days before a new contract period commenced, and ended a partnership of over 25 years.
Takeaway
Cybersecurity is not just an IT issue. Cyberattacks can significantly impact business results through varied consequences, including cessation of long-standing partnerships. Cybersecurity should, therefore, be considered a business and strategic priority, and proactive investment in cyber defences should be initiated to preserve business relationships and stakeholder value.
5. Cyberattacker Hired as Remote Employee
A cyberattacker faked his personal information and employment history to be hired as a remote IT employee, and used his remote access to log in to the company’s network and download business data. After he was fired for poor performance, the company received samples of stolen data with a six-figure ransom demand.
In a similar instance, a cyberattacker used a valid, stolen identity and an AI-altered photo to get hired as a remote employee and immediately began uploading malware to the corporate system which was identified by the security system. The employer restricted access for all new employees and therefore did not suffer adverse consequences.
Takeaway
Remote work allows organisations to access talent that would otherwise be unavailable to them due to location constraints, but poses new cybersecurity challenges due to difficulties in ensuring the integrity of employee activity. Background verification of new hires is also a challenge in the AI era, as convincing deepfakes are relatively easy to create.
Enterprises must adopt stringent background verification to ensure the legitimacy of new employees. Access restrictions must also be imposed on new employees for an appropriate period of time to ensure that threat actors masquerading as job candidates are unable to launch attacks soon after joining.
6. Organisation Suffers Multiple Attacks Due To Unaddressed Vulnerabilities
Hackers used an exposed GitLab configuration file, which had been vulnerable since 2022, to access source code and download the user database. A second attack occurred in the same month, with attackers exploiting API tokens that had been exposed in the previous attack but had not been rotated or replaced; the threat actors accessed a support platform where the tickets included users’ personal identification documents.
Similarly, the Australian arm of a UK-based food and support services company suffered two data breaches within the same month.
Takeaway
Being successfully attacked once sends a signal to threat actors that the organisation’s cyber defences have gaps that allow entry, and cyberattackers will try to compromise the organisation again. Security audits must be conducted immediately after a cyberattack to quickly identify and address any weaknesses even as other investigations and restoration are in progress, to prevent follow-on attacks.
7. Discussing Incident Response Report with Media Leads to Loss of Legal Professional Privilege
Plaintiffs in a class action lawsuit that followed a cyberattack were granted access to an external forensic investigation report because the CEO had discussed the report’s findings with the media; this lifted the veil of confidentiality, so legal professional privilege no longer applied.
Takeaway
A business’s disaster recovery plan must include a communication and media management strategy. Information that is shared with the public cannot be later considered to be confidential, and legal teams should request cybersecurity investigations to ensure the investigation reports fall under privileged communication.
8. Vulnerability Patched in 2021 is Still Exploited
The US government added an improper access control bug in Apache Flink to its Known Exploited Vulnerabilities (KEV) catalogue, indicating the vulnerability was being actively exploited in 2024. Updated versions of the software that addressed the vulnerability were released in January 2021, signalling that patches are not installed even years after being released.
Similarly, a remote code execution (RCE) flaw in Microsoft COM for Windows that was patched in 2018 was also added to the KEV catalogue in 2024.
Takeaway
Old vulnerabilities are never forgotten by threat actors, and enterprises must conduct vulnerability assessments to ensure that all patches are installed and security gaps are closed. Older machines in storage that are reinstated in operations should be evaluated and have all patches applied before they are connected to enterprise networks.
9. Employee Deletes 180 Virtual Servers, Resulting in SGD 918,000 Cost
An employee who was fired for poor performance used administrator credentials to log in to his former employer’s systems over a year after he was fired, and used scripts to remove 180 virtual servers over a weekend.
In another instance, an airline’s ground handling contractors abused their employee access to alter bookings, steal frequent flyer points, and potentially access passports of almost a thousand customers using a partner booking system.
Takeaway
Any disgruntled employee could turn into an attacker. Securing the enterprise against internal attacks can be challenging as many employees have the technical knowledge to carry out internal attacks; cyberthreats are available for sale and can be weaponised by employees without technical knowledge; and not all cyberattacks require technical knowledge.
In addition to cybersecurity measures, such as deploying endpoint and network security solutions, supervisory controls, such as a maker-checker process, and least privilege access should always be in force to preserve the security of enterprise operations. Access privileges of departing employees should be immediately revoked, and such revocation should be part of the employee exit process.
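As an added illustration of the exit-process control described above (this is not code from the original article), the following Python script reconciles an HR leaver list against a directory export and a sign-in log. It flags accounts that remain enabled after the owner’s last working day, leaver accounts that still hold privileged rights (the ones to revoke first), and sign-ins dated after termination, which is exactly the pattern in the virtual-server deletion case. The record formats, usernames, dates and IP addresses are all constructed for the example.

```python
"""Offboarding reconciliation: added example, not the article's own code.
All records below are constructed; real deployments would export them
from the HR system, the identity directory and the sign-in log."""
from datetime import date

# Constructed HR leaver list: username -> last working day
HR_LEAVERS = {
    "bchen": date(2023, 3, 31),
    "dlee": date(2024, 5, 15),
}

# Constructed directory export: (username, enabled, privileged)
DIRECTORY = [
    ("alice", True, False),
    ("bchen", True, True),      # left in 2023, still enabled and still an admin
    ("dlee", False, False),     # correctly disabled at exit
    ("svc-backup", True, True), # service account, not a leaver
]

# Constructed sign-in events: (username, date, source address)
SIGNINS = [
    ("alice", date(2024, 6, 3), "10.0.0.5"),
    ("bchen", date(2024, 6, 8), "203.0.113.44"),  # over a year after leaving
    ("dlee", date(2024, 5, 10), "10.0.0.9"),       # before last working day: fine
]


def stale_accounts(leavers, directory, as_of):
    """Accounts still enabled although the owner's last working day has passed."""
    return sorted(
        user for user, enabled, _ in directory
        if enabled and user in leavers and leavers[user] < as_of
    )


def privileged_leaver_accounts(leavers, directory):
    """Leaver accounts that remain enabled with privileged rights: revoke first."""
    return sorted(
        user for user, enabled, privileged in directory
        if enabled and privileged and user in leavers
    )


def post_termination_signins(leavers, signins):
    """Sign-ins dated after the owner's last working day (ISO dates for readability)."""
    return [
        (user, when.isoformat(), src)
        for user, when, src in signins
        if user in leavers and when > leavers[user]
    ]


def run_offboarding_audit(as_of=date(2024, 6, 30)):
    """Run all three checks over the constructed data and return the findings."""
    return {
        "stale": stale_accounts(HR_LEAVERS, DIRECTORY, as_of),
        "privileged": privileged_leaver_accounts(HR_LEAVERS, DIRECTORY),
        "post_termination": post_termination_signins(HR_LEAVERS, SIGNINS),
    }


if __name__ == "__main__":
    for finding, items in run_offboarding_audit().items():
        print(f"{finding}: {items}")
```

Scheduling a check like this daily, and treating any non-empty "stale" or "post_termination" result as an incident rather than a housekeeping item, closes the gap between the HR exit process and the identity directory.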
10. Ransomware Attack Caused Death of Cow
A ransomware attack on the computer systems of a dairy farm also impacted the farm’s milking robots. Without access to data from his animals, the farmer did not realise that a calf had died in the womb which eventually resulted in the death of the cow.
Takeaway
The automation of business systems and processes, including robotics and remote monitoring, increases the destructive potential of cyberattacks in ways that decision makers may not anticipate. Businesses should periodically conduct risk assessments, identify how and where they are at risk, and proactively improve cyber defences to ensure that cyberattacks are stopped and life-threatening consequences are avoided.
11. Legitimate URLs Used to Gain Victim’s Trust
Threat actors sent the victim invitations to appear as a guest on a podcast; the invitations required entering passwords to access legitimate podcasts. Once the victim’s trust was gained and they had become conditioned to opening links sent by the attacker, messages delivering intelligence-gathering malware were sent.
Phishing attacks have also used the reCAPTCHA dialogue to gain users’ trust and insert a malicious PowerShell command instruction into the user’s clipboard.
Takeaway
Threat actors may not strike quickly or in obvious ways, and social engineering campaigns may extend over a period of time, slowly gaining the victim’s trust and conditioning them to perform actions at the request of the attacker without being suspicious. In addition to endpoint protection, employees should be trained to be sceptical of all communication and to request that the IT team verify any IT-related activity requested by a third party.
12. Organisation Fined for Cybersecurity Shortfalls Despite Not Being Attacked
A nuclear site in the UK was prosecuted by the nuclear regulator and fined £332,500, along with prosecution costs of £53,253.20, for failing to ensure adequate protection of sensitive nuclear information, and not arranging for annual health checks of its operational technology and information technology systems by an authorised tester. No evidence was discovered of vulnerabilities being exploited due to these failings.
Takeaway
A business does not need to be attacked to invite regulatory action and penalties. Every enterprise should initiate a Governance, Risk, and Compliance (GRC) practice to ensure both internal and external security mandates are complied with, to avoid regulatory scrutiny.
13. Legal Counsel and Theft Protection are more than 50% of Cyberattack Cost
The Columbus Department of Technology, in the USA, budgeted the cost of a cyberattack on the city at $7,000,000: $2,401,052 for system forensics, systems remediation, data mining, data forensics and cyber threat monitoring; $1,000,000 for systems, endpoint and cyber threat monitoring for long-term use by the city; $2,500 for expenses such as hard drives and tools; $1,644,348 for identity theft protection services, including credit and dark web monitoring; $1,952,100 for legal counsel related to the incident response; and $300,000 for legal counsel related to litigation.
Takeaway
Legal counsel and theft protection services ($3,896,448) formed 53.38% of the cost incurred due to the attack, while technical costs such as forensics, cyberthreat monitoring, and hard drives ($3,403,552) amounted to 46.62% of the cost. The cost of legal counsel and theft protection is significant – more than half the cost of the attack. When analysing return on cybersecurity investment, organisations must factor in legal and theft protection costs as expenses that would be saved due to the cybersecurity investment.
14. APT Group Used Multiple Malware to Target Air Gapped Systems
An APT group targeted air-gapped systems in governmental organisations using a range of cyberthreats that included malware which facilitated the transfer of malicious files via USB drives; a modular backdoor for data collection and exfiltration; and a tool to gather and exfiltrate data from compromised devices. The malware targeted different systems in the victim organisation and used the host devices for different purposes such as distributing configuration files, collecting files, and exfiltrating files.
Takeaway
Cyberattacks use multiple methods, and can combine malware, to compromise an organisation. Therefore, effective cyber defences must be capable of stopping such multi-faceted attacks and organisations should invest in multi-layered endpoint protection to prevent attacks that utilise a basket of different malware.
15. Cyberattack Discovered Due to Chatter on the Dark Web
A cyberattack on a ticketing platform occurred in July but the victim became aware of the attack after being alerted by the police in September about chatter on the dark web about the incident. The threat actors had compromised a staging database used for testing to access user data.
Takeaway
As previously discussed, every digital asset must be adequately secured. A staging database used for testing is just as likely to be attacked as a database used for operations. The dark web (and the surface web) should be continuously monitored, either by internal security teams or external specialists, for indications of data leaks and other evidence of compromise.
16. Popup in Free Software used to Distribute Malware
Threat actors distributed malware by compromising an online advertising agency’s server. The agency broadcast ads using free software that displayed popup ads on users’ screens. The popups used Internet Explorer, which is still available through Microsoft Edge via IE mode; a zero-day vulnerability in Internet Explorer was used to create a zero-click attack when the popup loaded an ad from the compromised server.
Takeaway
A browser-based attack can be launched without requiring the victim to use a browser, as browser engines are used for rendering content, and other functionality, by applications that launch such sessions without requiring user action. Internet Explorer continues to be used by the enterprise sector to maintain backwards compatibility for legacy applications. Enterprises can protect themselves by using endpoint security that provides browser security and legacy platform protection.
17. 192 Government Websites Shut Down by Breach of Disaster Recovery Centre
192 government websites in Uttarakhand were shut down due to malware being introduced into the virtual servers of a disaster recovery centre in Bengaluru, from where it spread to the Uttarakhand IT Development Agency’s data centre in Dehradun and crippled the state’s IT infrastructure.
Takeaway
It may be considered ironic that a cyberattack was initiated from a disaster recovery centre, but this incident also highlights the importance of ensuring cybersecurity is maintained both within the organisation and in partner/vendor organisations that digitally integrate with the enterprise as cyberattacks can spread quickly and easily across digital channels. The security of the digital supply chain should be enforced with contractual requirements for cybersecurity measures and periodic cybersecurity assessments.
18. Ransomware Attack Destroys Data on Missing Boy
Information held by Ireland’s child and family agency was lost in a ransomware attack on Ireland’s Health Service Executive (HSE). The data was stored on a device that was not restored following the attack, as the system was based on old technology.
Takeaway
Resilience – the ability to recover from an attack – is an important component of enterprise digital defence. Data that cannot be recovered, or restored from a backup, cannot be considered to be secure as either cybersecurity events or hardware failure are inevitable. All data must be backed up following the 3-2-1 rule (3 copies, 2 types of media, 1 offsite) and restoration of backups must be tested periodically to ensure that backups can be quickly, easily, and reliably restored.
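The restoration test the takeaway calls for can be automated. The following Python script is an added example (not from the original article): it builds a SHA-256 manifest of a source tree at backup time, then checks a restored tree against that manifest, reporting files that are missing, altered, or unexpected. A small helper also evaluates a backup inventory against the 3-2-1 rule. The `restore_drill` function constructs a throwaway source tree in a temporary directory, restores it, deliberately damages the restored copy, and shows how the verification catches both problems; all file names and contents are constructed.

```python
"""Backup manifest and restore verification: added example, not the article's code.
The source tree and the 'restored' copy are constructed in a temp directory."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time.

    Returns (missing, corrupted, unexpected): relative paths absent from the
    restore, present but with a different digest, and present but unknown."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(
        rel for rel in manifest if rel in restored and restored[rel] != manifest[rel]
    )
    return missing, corrupted, unexpected


def meets_3_2_1(copies):
    """copies: list of (media_type, offsite) for each backup copy of a dataset.

    3 copies, on at least 2 media types, with at least 1 held offsite."""
    return (
        len(copies) >= 3
        and len({media for media, _ in copies}) >= 2
        and any(offsite for _, offsite in copies)
    )


def restore_drill():
    """Back up a constructed tree, restore it, damage the restore, verify twice."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes" / "a.txt").write_text("constructed sample file")
        manifest = build_manifest(src)             # recorded at backup time

        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)             # stands in for a real restore
        clean_result = verify_restore(manifest, restored)

        # Simulate silent corruption of one file and loss of another
        (restored / "ledger.csv").write_text("id,amount\n1,999\n")
        (restored / "notes" / "a.txt").unlink()
        damaged_result = verify_restore(manifest, restored)
    return clean_result, damaged_result


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore  :", clean)     # ([], [], [])
    print("damaged restore:", damaged)   # (['notes/a.txt'], ['ledger.csv'], [])
    print("3-2-1 met:", meets_3_2_1([("disk", False), ("tape", False), ("cloud", True)]))
```

Storing the manifest alongside, but separately from, the backup media means a restore drill answers "did we get our data back intact?" rather than only "did the restore job finish?", which is the distinction the unrecoverable device in this incident illustrates.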
19. Brute Force Attack Results in $500,000 Settlement
A plastic surgery provider entered into a $500,000 settlement with a US regulator for potential violations of HIPAA following a ransomware attack that compromised information of over 10,000 individuals. Threat actors accessed the victim’s network through a brute force attack and deployed ransomware in 9 workstations and 2 servers. The victim was unable to restore affected servers from backups and paid a ransom of over $27,000 to obtain decryption keys and regain access to patients’ data.
Takeaway
A brute force attack, where an attacker repeatedly tries variations of credentials until access is obtained, allows threat actors to gain access by guessing, rather than stealing, credentials. This incident indicates that even simple attacks can have severe consequences for the victim organisation. Such attacks can be prevented by limiting the number of unsuccessful login attempts. Enterprises must periodically conduct Vulnerability Assessment and Penetration Testing (VAPT) exercises to identify and mitigate weak login protection and other cybersecurity weaknesses.
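To make the "limit unsuccessful login attempts" control concrete, here is an added Python example (not from the original article) in two parts: an account lockout throttle that denies further attempts once a set number of consecutive failures is reached, and a detector that scans authentication log lines for any source address producing a burst of failures inside a short window, the signal a brute force attempt leaves even when lockout is in place. The log format, thresholds and IP addresses are constructed for the example.

```python
"""Login throttling and brute-force detection: added example, not the article's code.
Policy values and the log format are assumptions for the example."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # assumed policy: lock after 5 consecutive failures
LOCKOUT = timedelta(minutes=15)  # assumed lockout duration


@dataclass
class LoginThrottle:
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=dict)

    def check(self, user, now):
        """Return True if a login attempt for `user` may proceed at time `now`."""
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return False                      # still locked
        if until is not None:                 # lockout has expired: reset
            del self.locked_until[user]
            self.failures[user] = 0
        return True

    def record(self, user, success, now):
        """Update counters after an attempt; lock the account on the Nth failure."""
        if success:
            self.failures[user] = 0
            return
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT


def lockout_demo():
    """Drive the throttle through MAX_FAILURES failures; return allow/deny decisions."""
    throttle = LoginThrottle()
    t0 = datetime(2024, 6, 1, 2, 0, 0)
    decisions = []
    for _ in range(MAX_FAILURES):
        decisions.append(throttle.check("alice", t0))
        throttle.record("alice", False, t0)
    decisions.append(throttle.check("alice", t0 + timedelta(minutes=1)))  # locked
    decisions.append(throttle.check("alice", t0 + LOCKOUT))               # expired
    return decisions


# Constructed authentication log lines (format assumed for the example)
SAMPLE_LOG = """\
2024-06-01T02:00:01 src=203.0.113.7 user=admin result=FAIL
2024-06-01T02:00:03 src=203.0.113.7 user=admin result=FAIL
2024-06-01T02:00:04 src=203.0.113.7 user=administrator result=FAIL
2024-06-01T02:00:06 src=203.0.113.7 user=root result=FAIL
2024-06-01T02:00:09 src=203.0.113.7 user=admin result=FAIL
2024-06-01T02:00:12 src=203.0.113.7 user=admin result=FAIL
2024-06-01T02:10:00 src=198.51.100.9 user=jsmith result=FAIL
2024-06-01T02:10:30 src=198.51.100.9 user=jsmith result=OK
2024-06-01T03:00:00 src=198.51.100.9 user=jsmith result=FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, user, result)."""
    ts, src, user, result = line.split()
    value = lambda kv: kv.split("=", 1)[1]
    return datetime.fromisoformat(ts), value(src), value(user), value(result)


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures inside any sliding `window`."""
    failures = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, _, result = parse_line(line)
        if result == "FAIL":
            failures[src].append(ts)
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                   # slide the window forward
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("lockout decisions:", lockout_demo())          # 5x True, False, True
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))  # ['203.0.113.7']
```

The throttle stops password guessing against a single account; the detector catches the attacker who rotates usernames to stay under the per-account limit, which is why both belong together and why the detector keys on the source rather than the account.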
20. Organisation Attacked through Compromise of Wi-Fi Devices in Nearby Building
Threat actors used credential stuffing to obtain the victim’s passwords to a web service platform, but could not log in due to MFA requirements. The attackers then compromised a Wi-Fi enabled device in a nearby building, from which they compromised a Wi-Fi enabled device in another organisation that was within range of the victim’s Wi-Fi network. The previously compromised credentials allowed access to the victim’s Wi-Fi network without requiring MFA.
Takeaway
Modern organisations have complex digital infrastructure with interconnected elements, and any one of them can lead to a cyberattack if inadequately protected. Cybersecurity is only as strong as the weakest link, and in this instance the Wi-Fi network was the weakest link: it reused credentials that were used for a web service, and was not protected by MFA, allowing the organisation to be compromised from a device in a nearby building even though the attackers themselves were far away. MFA must be implemented for all logins to ensure robust cybersecurity.
It must be noted that MFA can also be compromised if improperly implemented. Cybersecurity assessments, such as VAPT, can be used to ensure that MFA cannot be compromised.
The digitalisation of business operations has increased the emphasis on cybersecurity as the conveniences of digital workflows, such as speed and remote access, can also be used by threat actors against the organisation. The cyberthreat landscape has been further complicated by the use of generative AI which enables the quick creation of convincing messages used to distribute cyberthreats. Contact Us to learn more about how K7’s enterprise cybersecurity products and services can help you secure your organisation in, and beyond, 2025 against the constant increase in cyberattacks.