We’ve entered the holiday season and the tail-end/Q4 of 2024, and cybercrime just continues to escalate. And while there may have been no singular headline-stealing breach or event in this period, that’s probably just because we’re so used to them.
By the end of November, we’d become aware of millions more records leaked across industries, from continued fallout of the 2023 MOVEit attacks impacting Amazon, Delta, HP, Lenovo, UBS, and more, to millions more records stolen from financial services, legal, and healthcare providers.
Stunningly effective Chinese telecom cyber attacks also made headlines, with successful hacks giving access to top-level government phone calls and text messages, as well as vast swaths of internet traffic, with Microsoft Azure slammed by hijacked routers.
We’ll check in on some specific cybersecurity vulnerabilities and look at AI cybersecurity risks for this period, considering NHI, invisible text, prompts that eject personal data, and its widespread use in scamming overall.
But before diving into the emerging cyber threats for October and November 2024, catch up on all the roundups for the year to date below:
AI Impacts
The best AI story of the period comes out of the UK, where O2 (mobile arm of Virgin Media) revealed its so-called AI Granny, named “Daisy.” This anti-scam system combines multiple AI models to generate the persona of an elderly caller capable of chatting up scammers for lengthy periods, sharing supposed family stories and a passion for knitting and even dolling out bogus personal data.
Detailed during International Fraud Awareness Week, Daisy has fooled numerous callers, keeping some engaged for as long as 40 minutes. And while she currently can’t take over from other targeted callers, the success of the program promises to see an expansion of such AI tech.
[For a look at other potential AI honeypot uses in cybersecurity, check out this edition of The PTP Report.]
The Non-Human Identities (NHI) cybercrime threat is one of those sneaky cybersecurity threats that often goes unaccounted for. While human access is an obvious area of focus, programmatic or automated access that systems need to access other systems (such as service accounts, API keys, cloud tokens, containers, and more) can be more challenging to monitor.
This NHI access is critical for automation, but it can also be compromised just like human access, opening the door to lateral movement like other forms of breach. And with the surge in AI automation, NHI use is exploding, rapidly getting ahead of monitoring and oversight, not to mention maintaining the sprawling list of credentials.
Some high-profile NHI hacks in news include Snowflake, theft of New York Times source code, HuggingFace platform breach, and the JetBrains GitHub plugin vulnerability. Security Magazine in November reported that nearly 1 in 5 organizations have already suffered security incidents from NHI attacks, be it from lack of credential rotation, insufficient logging and monitoring, or over-privileged accounts.
Speaking of over-privileged, check out this research from the University of California San Diego and Singapore’s Nanyang Technological University on AI prompt injection. Their method tricks chatbots into gathering a user’s personal information and sending it directly on to a hacker.
With a reported 80% success rate from tests on multiple public chatbots, the researchers used prompts of apparent garbage that carried effective meaning to the LLMs.
ArsTechnica reported on another form of prompt injection, invisible text, or “ASCII-smuggling,” to similarly hide messages in prompts that appear invisible to most browsers.
These prompts led Copilot to search a user’s inbox for secrets (sales figures and passwords in the provided cases), retrieve and encode them, and then append the information as non-rendered characters on a provided URL.
In response to the prompt, Copilot instructed the user to click on the link, and if they did, the stolen information was sent on to a target server.
Mistral and Microsoft have both claimed fixes as a result, though Claude continues to read and write hidden instructions with Google Gemini unreliably doing so, as examples.
While prompt injection is a hot area of research, one of the top AI-driven cyber threats remains similar to other top use cases: text output and media generation. AI is being heavily used in cybercrime to improve phishing attacks and scams overall, by breaking down language barriers, creating more personalized messages, improving fake content and fraudulent websites, revising scripts, and creating better fake profiles.
As we reported in our first Cybersec Risk Focus, this has led to a staggering 1,265% increase in phishing attacks overall in 2023.
And reported by the Cybernews, the Global Anti-Scam Alliance (GASA)’s 2024 report put the cost of such scams worldwide beyond $1 trillion for the past year.
Ransomware/Breaches Update
In follow-ups to prior reports, the Justice Department now estimates that 100 million people have been impacted by the UnitedHealth hack, and National Public Data, which filed for bankruptcy, was apparently run by a single individual, on as little as $2500 worth of gear.
American social security numbers are out there at an ever-increasing rate, and if you’re like me, you’ve been notified of several hacks that may have included yours in just the last two months. As we’ve recommended previously, it’s free and easy to freeze (and unfreeze, on need) your credit file at all the major consumer reporting bureaus, which makes sense given how much personal data usable for identity theft is available in the wild.
Other updates for this period:
- More MOVEit fallout: Amazon alone has had nearly 3 million records exposed by this hack. It did not include AWS systems but instead their own employee data. Other companies continuing to be impacted include MetLife, HSBC, Fidelity, Delta Airlines, Charles Schwab, Lenovo, 3M, TIAA, UBS, McDonalds, and more.
- Set Forth Inc.—an account administrator and processor for debt relief services—notified 1.5 million people that their personal information (again, including social security numbers) had been stolen in a breach.
- RRCA collection agency suffered a ransomware attack that leaked extensive personal information of more than 100,000 individuals.
- Several big law firms have already been sued for reasons related to data breaches, including: Gunster Yoakley & Stewart, Orrick Herrington & Sutcliffe, and Bryan Cave Leighton Paisner. The latest, from November, is Thompson Coburn.
- In the healthcare arena, Summit Pathology is the latest large-scale victim reported, with records for some 1.8 million people leaked by the Medusa ransomware group, with investigations ongoing.
- OnePoint Patient Care (OPPC) disclosed a breach in October impacting an additional 800,000 people, including medical records, prescriptions, social security numbers, and more.
- Cisco confirmed a breach occurred in October, with a known broker peddling data they claim covers a wide swath of arenas, from GitHub projects to source code to cloud credentials to encryption keys.
There’s been a major shakeup in the world of ransomware-as-a-service, with one of the major players fading away only to be replaced by another.
LockBit, responsible for some 40% of all known ransomware victims in 2022 and 2023, has dropped off after crackdowns this year by global law enforcement. In October, authorities seized critical servers and arrested several members after previously unmasking their leader in May.
The new service leader appears to be RansomHub, which is thought to have ties to BlackCat/ALPHV. Their focus at present has been on manufacturing and healthcare.
Chinese-Sourced Cybercrime Spikes
There’s a long history of Chinese-backed cyberattacks in the US, from the theft of intellectual property to military tech to security clearance files.
Still, the current wave, which includes a stunningly vast penetration of US telecom companies, may be the worst yet. Impacting at least AT&T, Verizon, T Mobile, and Lumen (CenturyLink), it’s enabled hackers to listen in on top government phone calls and read text messages. And it isn’t only limited to government.
It’s believed the hackers penetrated the network security of broadband providers to get to systems used for court-ordered wiretaps. This also gave them access to broad swaths of general internet traffic.
It’s known that data was also exfiltrated from Verizon using reconfigured Cisco routers, which they managed to change without drawing attention.
Similar attacks were carried out by Chinese hackers in South Asia and Africa in 2020.
It’s also known that a botnet of TP-Link routers (used mostly for personal or small business) has been used in brute force attacks, with each only used three or less times a day to avoid drawing attention. As malware can’t write to these devices, rebooting provides an immediate, if potentially short-term, fix.
Microsoft noticed a spike in TP-link botnet attacks hitting their cloud services, rising near the end of October.
The chairman of the Senate Intelligence Committee, Senator Mark Warner of Virginia, gave his take in an interview late last week with The New York Times. With a history in telecom and insight from Congressional hearings, he called these attacks “far and away the most serious telecom hack in our history.”
Even though the attackers have gone dormant, he acknowledged there is much still to learn, with investigations unclear on the full extent of and methodology behind these attacks.
“We’ve not found everywhere they are.”
Conclusion
This ends our coverage of the major cybersecurity news from October and November.
Sadly, it only touches on the events we have room to cover—so stay tuned to The PTP Report’s coming editions with more in-depth reporting on cybersecurity trends and best practices.
And as always, if you are in need of cybersecurity experts, you can always contact PTP for onsite or remote assistance!
References
Summit Pathology: 1.8 Million Individuals Affected by Ransomware Attack, The HIPAA Journal
O2’s AI granny knits tall tales to waste scam callers’ time, The Register
Non-Human Identity Management: Best Practices And Key Considerations, Forbes
NHI Attacks Making Waves: Insights on Latest 5 Incidents, Cloud Security Alliance
Scammers steal over $1 trillion in a year, report reveals, Cybernews
One in five organizations have experienced a NHI security incident, Security Magazine
This Prompt Can Make an AI Chatbot Identify and Extract Personal Details From Your Chats, Wired
Invisible text that AI chatbots understand and humans can’t? Yep, it’s a thing., ArsTechnica
From Amazon to McDonald’s: what do we know about the latest major data leak?, Cybernews
Set Forth, Inc. and Centrex, Inc. Data Breach Alert: Issued by Wolf Haldenstein Adler Freeman & Herz LLP, Morningstar
RRCA Accounts Management Sends Data Breach Letters on Behalf of Health Care Providers, JD Supra
Law firm Thompson Coburn and healthcare client hit with data breach lawsuit, Reuters
OnePoint Patient Care Data Breach Impacts Nearly 800,000 People, Security Week
Cisco investigates breach after stolen data for sale on hacking forum, Bleeping Computer
China’s Hacking Reached Deep Into U.S. Telecoms, The New York Times
RansomHub dethrones LockBit as top ransomware cartel, Cybernews
Reports: China hacked Verizon and AT&T, may have accessed US wiretap systems, ArsTechnica
