In late January, a cybersecurity researcher, working with Cybernews, made a stunning find: 12 terabytes of carefully compiled stolen personal information, in a database containing 26 billion records.
Dubbed MOAB (Mother of All Breaches), this international collection of exposed, reindexed records (some of them duplicates, fortunately) combines personal information from prior breaches with many records believed to be new. It draws on a startling array of sources, including Chinese IM app Tencent QQ (1.4 billion records), Weibo (504 million), MySpace (360 million), X/Twitter (281 million), LinkedIn (251 million), Adobe (153 million), and Canva (143 million), as well as records from government bodies in the US, Brazil, Germany, Turkey, and elsewhere.
MOAB is by far the largest such find to date, dwarfing prior compilations such as the 2021 Compilation of Many Breaches (COMB), which was considered shocking at the time at (just) 3.2 billion records.
MOAB also makes it likely that 2024 will see a surge in credential stuffing attacks, in which username and password pairs leaked from one site are replayed, at scale and with automated tooling, against the logins of countless other sites, succeeding wherever a user has reused the same password.
Protecting against this form of attack is easy in theory: never reuse a password across sites, change any password promptly after a breach (current NIST guidance in SP 800-63B no longer recommends changing passwords on a fixed schedule, only when there is evidence of compromise), and turn on multi-factor authentication wherever it is offered. In practice, with hundreds of logins scattered across devices and a seemingly constant stream of breach notifications, it is hard for users, let alone businesses, to keep up, and a password manager is the only realistic way to keep unique passwords manageable.
This is why we’re launching a new edition of the PTP Report, called the CyberSecurity Roundup, where we report on the major cybersecurity events of the month. Like our Emerging AI report, it will be bi-monthly, covering events since our last roundup.
We hope to keep you informed on the key events, so you can be as proactive as possible in keeping yourselves, and your organizations, protected against myriad emerging cyberthreats.
[Check out our 2023 Cybersecurity roundup, which focuses on one key event for each month of the prior year.]
January
The Trello Breach
We open 2024 with a January incident involving Atlassian's Trello, in which account data for roughly 15 million users (usernames, full names, email addresses, and other profile information) was put up for sale on the dark web.
Trello maintains that this was not a traditional breach of its databases but a scrape of data its public API already returned. Email addresses themselves were not publicly exposed; instead, the attacker reportedly took a large list of email addresses already in their possession and queried the Trello API with each one, harvesting the profile data returned for every address that matched an account.
This incident shows how an API that lets callers look up accounts by email without authentication or meaningful rate limiting turns a stale list of addresses into fresh, linked profile data. Such enumeration is cheap to automate (with or without AI assistance), and it is the volume and the missing access control, not any cleverness in the requests, that made the scrape possible.
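One way an API can resist this kind of scrape is to require a credential before answering any lookup and to meter lookups per credential. The following is an added example (our own illustrative Python, not Trello's or Atlassian's code; the member directory, API-token table and limits are hypothetical and constructed for the example) that wraps a lookup-by-email handler with a token-bucket rate limiter. Unauthenticated callers get the same 401 whether or not the address matches an account, so the endpoint cannot be used to confirm which addresses are registered, and authenticated callers are capped at a budget that makes working through a list of millions of addresses impractical.

```python
"""Added example: an enumeration-resistant member lookup with a token-bucket
rate limiter. Illustrative code only; the member records, API tokens and
limits below are constructed for the example."""
import time

# Constructed sample data (hypothetical), keyed by lower-cased email.
MEMBERS = {
    "alice@example.com": {"username": "alice", "full_name": "Alice Example"},
    "bob@example.com": {"username": "bob", "full_name": "Bob Example"},
}
# Hypothetical API token -> application id. A real service would store hashes.
API_TOKENS = {"tok-app1-secret": "app-1"}


class TokenBucket:
    """Classic token bucket: `capacity` requests available at once, refilled at
    `refill_per_sec`. `clock` is injectable so tests can freeze time."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class MemberApi:
    """Lookup-by-email endpoint that (1) authenticates before touching any
    data and (2) meters lookups per API token."""

    def __init__(self, capacity=20, refill_per_sec=0.1, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self._buckets = {}

    def lookup_by_email(self, email, api_token=None):
        # 1. Authentication first. The response for an unauthenticated caller
        #    is identical whether or not the address is registered, so the
        #    endpoint cannot serve as an unauthenticated existence oracle.
        app_id = API_TOKENS.get(api_token)
        if app_id is None:
            return 401, {"error": "unauthorized"}
        # 2. Per-token budget. At 0.1 req/s after the initial burst, a list of
        #    millions of addresses takes months to work through, not hours.
        bucket = self._buckets.setdefault(
            app_id, TokenBucket(self.capacity, self.refill_per_sec, self.clock))
        if not bucket.allow():
            return 429, {"error": "rate limited"}
        member = MEMBERS.get(email.strip().lower())
        if member is None:
            return 404, {"error": "not found"}
        # Return only the fields the caller needs; never echo the email back.
        return 200, {"username": member["username"],
                     "full_name": member["full_name"]}


def scrape(api, emails, api_token):
    """Simulates an attacker working through a list of addresses; returns a
    count of HTTP status codes seen."""
    counts = {}
    for e in emails:
        status, _ = api.lookup_by_email(e, api_token)
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    # Frozen clock and no refill so the burst budget is the whole budget.
    api = MemberApi(capacity=5, refill_per_sec=0, clock=lambda: 0.0)
    targets = ["alice@example.com", "bob@example.com"] + [
        f"user{i}@example.com" for i in range(8)]
    print("unauthenticated:", scrape(api, targets, None))
    print("authenticated:  ", scrape(api, targets, "tok-app1-secret"))
```

Authenticated lookups still distinguish 200 from 404, which is unavoidable for a feature whose purpose is to find members; the control is that each lookup is attributed to a key that can be throttled and revoked, rather than being free to anyone on the internet.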
Indian Telecom
Dwarfing the Trello scrape in size, a database holding information on 750 million Indians, roughly 85% of the country's population, was discovered in January by cybersecurity firm CloudSEK. This database was also offered on the dark web and includes names, mobile phone numbers, addresses, and Aadhaar details (the 12-digit identity number issued by UIDAI).
The data spans India's major telecom providers and has kicked off internal investigations that are still ongoing. The list has been offered by multiple sellers, one of whom claims the details were obtained through law-enforcement channels.
Some of the data may have been aggregated from earlier breaches, such as the October 2023 breach of the Indian Council of Medical Research (ICMR), which affected 815 million Indians.
[Check out IT and Telecommunication: Rethinking Transformation Strategies for insight from our CEO on the challenges the telco industry is facing as it works to stay abreast of technological innovations and demands.]
MOAB
January’s discovery of the so-called Mother of All Breaches (MOAB) resembles the Indian telecom breach in that when and how its 26 billion carefully compiled records were gathered remains largely unknown. As discussed in our lead-in, the dataset spans a startling number of sites, and it was found only because the instance hosting it had been left exposed to the internet, reportedly after a firewall misconfiguration.
Worse than our prior two January examples, MOAB contains passwords, sensitive financial data, and even medical records. Compiled and indexed as it is, it is effectively cybercrime's own big-data set: an attacker can join records across sources to build fuller profiles of individual targets, and tooling (AI-assisted or not) makes that cheap to do at scale. While many of the records are old, researchers believe others are new, pointing to breaches that have not yet been disclosed.
AI
In late January, Anthropic became the latest of the major AI providers to suffer a data leak, though this one reportedly involved an old-fashioned security event: a contractor emailing a file of customer information to a third party.
Also in January, NIST (the National Institute of Standards and Technology) published a report (NIST AI 100-2, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations) identifying four major classes of attack that manipulate the behavior of AI systems:
- Evasion: manipulating an input at inference time so that a deployed model misclassifies it or otherwise misbehaves. One example is altering road signs so that an autonomous vehicle misreads them. (Another is provided below.)
- Poisoning: corrupting the training data, for example by seeding conversation logs with profanity so that a chatbot learns to treat it as acceptable parlance. Because the model has learned from the bad data, the damage persists until it is retrained on clean data.
- Privacy: attacks during deployment aimed at learning sensitive information about the model or its training data, for example by asking a chatbot a bevy of legitimate questions and using the answers to reverse-engineer the model and find its weak spots.
- Abuse: like poisoning, this inserts incorrect information into otherwise legitimate sources the AI draws on (a web page, an online document), causing it to ingest and act on mistakes as facts or otherwise steering its behavior; unlike poisoning, it targets the sources a deployed system consults rather than the training set itself.
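To make the poisoning class concrete, here is an added example (our own illustrative Python, not code from NIST or any vendor) in which a tiny Naive Bayes spam filter is trained on constructed messages, then retrained after an attacker has slipped a handful of "ham"-labelled messages containing spam vocabulary into the training set. The targeted message flips from spam to ham while other messages are classified exactly as before, which is what makes a targeted poisoning hard to notice from aggregate accuracy alone.

```python
"""Added example: targeted training-data poisoning of a Naive Bayes spam filter.
All messages below are constructed for the example."""
import math
from collections import Counter


def tokenize(text):
    return text.lower().split()


class NaiveBayes:
    """Multinomial Naive Bayes with Laplace (add-one) smoothing, pure Python."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = Counter()
        self.vocab = set()

    def train(self, examples):
        for text, label in examples:
            self.doc_counts[label] += 1
            for w in tokenize(text):
                self.word_counts[label][w] += 1
                self.vocab.add(w)
        return self

    def log_prob(self, text, label):
        # log P(label) + sum of log P(word | label); smoothing keeps a word
        # unseen for one class from zeroing that class out entirely.
        lp = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        n_words = sum(self.word_counts[label].values())
        for w in tokenize(text):
            lp += math.log((self.word_counts[label][w] + 1)
                           / (n_words + len(self.vocab)))
        return lp

    def classify(self, text):
        return max(("spam", "ham"), key=lambda lbl: self.log_prob(text, lbl))


# Constructed clean training set.
CLEAN_TRAINING = [
    ("win free prize now", "spam"),
    ("free money click now", "spam"),
    ("claim your free prize", "spam"),
    ("click here for free cash", "spam"),
    ("urgent prize waiting click", "spam"),
    ("meeting moved to tuesday", "ham"),
    ("please review the attached report", "ham"),
    ("lunch at noon tomorrow", "ham"),
    ("see notes from the call", "ham"),
    ("project update for the team", "ham"),
]

# The attacker's goal: make THIS message pass as ham.
TARGET = "free prize click now"

# Poisoned samples: spam vocabulary mislabelled as ham. In practice these
# arrive through whatever feeds the training set (user "not spam" reports,
# scraped corpora, a compromised labelling pipeline).
POISON = [
    ("click now for your free prize", "ham"),
    ("free prize click now", "ham"),
    ("now click free prize newsletter", "ham"),
    ("your free prize now click", "ham"),
    ("free prize click now thanks", "ham"),
    ("reminder free prize click now", "ham"),
]


def classify_before_and_after(message):
    """Classify `message` with a model trained on clean data and with one
    trained on clean + poisoned data; returns (before, after)."""
    clean = NaiveBayes().train(CLEAN_TRAINING)
    poisoned = NaiveBayes().train(CLEAN_TRAINING + POISON)
    return clean.classify(message), poisoned.classify(message)


if __name__ == "__main__":
    for msg in (TARGET, "urgent prize waiting click", "meeting moved to tuesday"):
        before, after = classify_before_and_after(msg)
        print(f"{msg!r}: before={before} after={after}")
```

Six poisoned messages out of sixteen are enough to flip the target here because the attacker controls exactly the tokens the target contains; a spam message with different vocabulary ("urgent prize waiting click") and a normal ham message are still classified correctly after the poisoning, so a simple accuracy check on a held-out set would not reveal it.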
As first reported by Wired, researchers at Cornell Tech (with collaborators at the Technion and Intuit) also demonstrated a concerning new threat in early 2024: an AI worm, which they named Morris II, that targets generative AI applications such as email assistants. In a process akin to SQL injection (where SQL is embedded in a text input field, tricking a database into running code it was never meant to), the team crafted what they call an “adversarial self-replicating prompt.” When an assistant backed by ChatGPT (GPT-4) or Gemini Pro processed an email containing it, the model both carried out the embedded instructions (such as exfiltrating data or sending spam) and reproduced the prompt in its reply, so that it spread to further recipients. They were also able to trigger the behavior with the prompt embedded in an image. The researchers classify this as indirect prompt injection; like the evasion attacks above, it manipulates the model's input rather than its training data.
International Subterfuge
Cyberattacks are increasingly used as weapons between nations, in what amounts to a cyber cold war. We’ve seen numerous such events already in 2024, including:
- China hacker network: In January, FBI Director Christopher Wray told Congress that hackers working for the Chinese government (the group Microsoft tracks as Volt Typhoon) are positioning themselves inside US critical infrastructure such as water treatment plants, oil and gas pipelines, and transportation hubs. The same month, the US and its allies disrupted the KV Botnet, a Chinese espionage network running on hundreds of compromised small-office and home-office routers, and in early February, leaked documents from the Chinese contractor I-Soon showed this state-funded hacking ecosystem targeting other Asian nations, including Vietnam, at scale.
- Microsoft and Hewlett Packard Enterprise hacked by Russian intelligence: Newly tightened SEC rules require public companies to report material intrusions promptly, as discussed in this PTP Report article, and may well have nudged the prompt January disclosures from Microsoft and HPE that Russia’s foreign intelligence service, via the group tracked as Midnight Blizzard (also known as Cozy Bear or APT29), had gained access to their systems and read sensitive emails. In Microsoft’s case, the intrusion began with a password spray against a legacy, non-production test tenant account that lacked multi-factor authentication; the attackers then abused a legacy OAuth application with elevated access to reach corporate mailboxes. US government statements in response included the US National Security Agency recommending that customers audit their logs, limit user and application privileges, and review recent account activity.
Note that as of March 15, Microsoft still had not fully closed this breach, which is far more serious than initially believed: Microsoft’s March update confirmed that the group had used information found in the stolen emails to gain access to some of its source code repositories and internal systems, and the exposed material could include cryptographic secrets, authentication keys, and more.
- Russia’s Center for Space Hydrometeorology (Planeta) hit by Ukraine: a late January attack on Planeta, the Russian organization that processes satellite data, reportedly destroyed 2 petabytes of data and 280 servers. A Ukrainian group, the BO Team, claimed responsibility, and the losses to Russia are estimated at $10 million.
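Credential stuffing against the MOAB data (see the MOAB section above) and the password spray that opened the Microsoft intrusion look alike in authentication logs: one source fans out across many distinct accounts with a very low success rate. The following is an added example, our own Python rather than anything from Microsoft, HPE or the sources cited on this page, that scores sample log lines (constructed, in a hypothetical format, using RFC 5737 test addresses) and flags such sources together with the accounts that did succeed from them, which are the first to reset and review.

```python
"""Added example: flag password-spray / credential-stuffing patterns in
authentication logs. The log lines, their format and the addresses (RFC 5737
documentation ranges) are constructed for this example."""
import re
from collections import defaultdict

# Hypothetical log format: ISO timestamp, source address, username, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: one source walks through eight accounts and lands one,
# a normal user mistypes once, an unrelated login succeeds, and one line is junk.
SAMPLE_LOG = """\
2024-01-12T03:14:01Z src=203.0.113.9 user=alice result=FAIL
2024-01-12T03:14:02Z src=203.0.113.9 user=bob result=FAIL
2024-01-12T03:14:03Z src=203.0.113.9 user=carol result=FAIL
2024-01-12T03:14:04Z src=203.0.113.9 user=dave result=FAIL
2024-01-12T03:14:05Z src=203.0.113.9 user=erin result=FAIL
2024-01-12T03:14:06Z src=203.0.113.9 user=frank result=FAIL
2024-01-12T03:14:07Z src=203.0.113.9 user=grace result=FAIL
2024-01-12T03:14:08Z src=203.0.113.9 user=heidi result=FAIL
2024-01-12T03:14:09Z src=203.0.113.9 user=bob result=OK
2024-01-12T08:02:11Z src=198.51.100.7 user=alice result=OK
2024-01-12T08:30:40Z src=198.51.100.7 user=alice result=FAIL
2024-01-12T08:30:52Z src=198.51.100.7 user=alice result=OK
2024-01-12T09:15:00Z src=192.0.2.44 user=carol result=OK
this line is garbage and is skipped
"""


def parse(lines):
    """Yield parsed events; unparseable lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(lines, min_users=5, max_success_rate=0.2):
    """Return one alert per source that authenticated against at least
    `min_users` distinct accounts with a success rate at or below
    `max_success_rate`. A spray (one password, many users) and credential
    stuffing (leaked pairs, many users) are indistinguishable here, since the
    log carries no password data; the fan-out plus the low hit rate is the tell."""
    per_src = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(), "hits": []})
    for ev in parse(lines):
        s = per_src[ev["src"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "OK":
            s["ok"] += 1
            s["hits"].append(ev["user"])
    alerts = []
    for src in sorted(per_src):
        s = per_src[src]
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            alerts.append({
                "src": src,
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(rate, 3),
                # Accounts that DID succeed from a spraying source are the ones
                # to reset first: a reused or sprayed password worked there.
                "compromised_candidates": sorted(set(s["hits"])),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The thresholds are deliberately crude; in production you would evaluate them per time window, key on a combination of source address, ASN and user agent (stuffing tools rotate IPs through proxies), and feed the `compromised_candidates` list into forced password resets and session revocation rather than just an alert.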
February
Bank of America
In early February, Bank of America was in the news when it disclosed an attack from late last year on a third-party provider, Infosys McCamish Systems (IMS). A LockBit ransomware operation reportedly stole data on around 57,000 customers, including Social Security numbers, addresses, and more. While the delay in notifying those affected is certainly troubling, the bank offered the impacted customers free third-party identity protection services; the incident is estimated to have cost around $30 million.
The episode shows that an organization's exposure is not limited to its own defenses: it extends to every partner in the increasingly broad and varied networks that form its supply chain, any of whom may hold its customers' data.
Zero Day, Month Two
Just two months into the new year, Apple and Google were already patching zero-day flaws. As discussed in this PTP roundup, a zero-day is a flaw the vendor did not know about and that is already being exploited in the wild (that is, by malicious actors) by the time it is discovered, hence the vendor has had “zero days” to fix it.
Apple’s iOS 17.3 release and its associated updates fixed a WebKit flaw that allowed arbitrary code execution when processing malicious web content, and which Apple said may have been exploited, while Google’s January Android Security Bulletin fixed several potentially serious issues, including one that could allow an attacker to escalate privileges without any user interaction.
As always, staying current with patches is a critical step in the fight against cybercrime. Once a patch ships, attackers can compare the patched and unpatched code (a technique known as patch diffing) and read the vendor’s advisory to locate the fixed bug, then target anyone who has not yet applied the update.
Healthcare
Unfortunately, cyberattacks in the healthcare sector doubled in 2023, with 1 in 3 Americans affected by a healthcare-related data breach last year alone.
And in February 2024 the problems escalated, with a ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary, by ALPHV/BlackCat, the gang also blamed for last year’s casino attacks on MGM and Caesars. The attack paralyzed claims and billing services, which remained down into March, and pushed many medical providers close to closure in the fallout.
Healthcare as a sector is heavily targeted, in part because its large number of practices (of varying sizes) are tightly interconnected through shared clearinghouses and vendors, so that one compromised hub disrupts many. And despite a massive, long-planned, international law-enforcement operation to break up the major ransomware players LockBit and ALPHV, the ransomware attacks continue.
Of this specific attack, Rick Pollack, president and CEO of the American Hospital Association said in a statement that it was “the most significant and consequential incident of its kind against the U.S. health care system in history.”
March
American Express
While the attack on UnitedHealth struck a subsidiary it had recently acquired, AmEx (American Express Co.), like Bank of America above, is facing fallout from a breach at a third-party provider used by its merchants. While details are still forthcoming, AmEx notified customers in March that the breach exposed current and prior customers’ names and card account numbers, and potentially expiration dates and more.
Whatever the state of its own security, AmEx still bears the repercussions of its partners’ security, as with supply-chain vulnerabilities across industries.
Conclusion
2024 may be only three months old, but already there is too much to cover from the world of cybercrime, one reason cybersecurity workers are in high demand. [For help with your cybersecurity, contact PTP to hire onsite or remote consultants!]
This article covers some of the more noteworthy cybersecurity events to kick off this new year (January–March).
Look for the next installment of this roundup in the final week of May.