November 2024: Recent Cyber Attacks, Data Breaches, Ransomware Attacks

Date: 2 December 2024


November 2024 has yet again been a sobering reminder that no organisation—regardless of size, industry, or prominence—is immune to cybercrime. From the Housing Authority of the City of Los Angeles (HACLA) to global giants like Amazon and Cisco, attackers have targeted organisations across sectors, including education, technology, gaming, and financial services. High-profile breaches at institutions such as Southeast Technological University (SETU), International Game Technology (IGT), and Finastra highlight the evolving sophistication of cyber threats.

  1. Ransomware Attacks in November 2024
  2. Data Breaches in November 2024
  3. Cyber Attacks in November 2024
  4. New Malware and Ransomware Discovered
  5. Vulnerabilities Discovered and Patches Released 
  6. Advisories issued, reports, analysis etc. in November 2024

The incidents detailed in the tables below underline the critical importance for organisations to elevate cybersecurity to a top priority in the upcoming year.

In an era where cyber threats are becoming increasingly sophisticated and pervasive, it is essential to be proactive rather than reactive. This means developing and implementing comprehensive Cyber Incident Response Plans that are not only robust but also regularly updated to address new and emerging threats.

Additionally, engaging in Cyber Tabletop Exercises can provide invaluable insights by simulating real-world scenarios, allowing your team to practise incident response strategies in a controlled environment. These exercises help identify potential weaknesses in current plans and allow you to improve coordination among team members. Conducting regular staff training is also crucial, as human error remains one of the most significant vulnerabilities in cybersecurity. By educating employees on the latest threats and best practices, you can significantly reduce the risk of breaches. Ultimately, these proactive measures can make a substantial difference in safeguarding your critical systems, protecting sensitive data, and preserving the reputations of organisations in the face of potential cyber attacks.


Ransomware Attacks in November 2024

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| November 01, 2024 | The Housing Authority of the City of Los Angeles (HACLA) | Los Angeles housing agency confirms another cyber attack after 2023 ransomware incident | Cactus ransomware | The Housing Authority of the City of Los Angeles (HACLA) said it was dealing with a cyber attack following claims of data theft made by a ransomware gang. The statement came after the Cactus ransomware gang claimed it stole 861 GB of data that included personal information, backups, financial documents and more. | The Housing Authority of the City of Los Angeles (HACLA) ransomware attack |
| November 01, 2024 | AEP, a German pharmaceutical wholesaler | Ransomware attack hits German pharmaceutical wholesaler, disrupts medicine supplies | Unknown | AEP, a German pharmaceutical wholesaler based in Bavaria, said it was hit by a ransomware attack that could disrupt the supply of medicine to thousands of pharmacies. In a statement on the AEP website, the company described the cyber attack as “targeted and criminal” and said it resulted in the partial encryption of AEP’s IT systems. | Source: The Record |
| November 03, 2024 | City of Columbus, Ohio | Ohio's capital says July ransomware attack leaked info of 500,000 | Rhysida ransomware | A ransomware attack on the city of Columbus, Ohio that stirred up a high-profile lawsuit this summer exposed the information of more than 500,000 current and former residents, according to data breach filings made on Friday. At the time, the attack was claimed by the Rhysida ransomware group, which said it stole 6.5 terabytes of information from the city’s systems and declared that the stash contained emergency services data, access to city cameras and more. | Source: The Record |
| November 03, 2024 | Schneider Electric | Schneider Electric says hackers accessed internal project execution tracking platform | HellCat ransomware | Schneider Electric confirmed that it is investigating a cyber attack following reports of a breach. The HellCat ransomware gang took credit for the attack, claiming it accessed Schneider Electric’s Atlassian Jira system and stole about 40GB of project data and user information; the gang threatened to leak the information if a $125,000 ransom was not paid. | Source: The Record |
| November 06, 2024 | Memorial Hospital and Manor in the town of Bainbridge | Georgia hospital unable to access record system after ransomware attack | Embargo ransomware | A ransomware attack on Memorial Hospital and Manor in southwest Georgia knocked out access to the electronic health record system. The attack was claimed by the Embargo ransomware gang, which is trying to extort a ransom from the hospital by threatening to leak 1.15 terabytes of purportedly stolen data by November 8. | Source: The Record |
| November 08, 2024 | Newpark Resources | Texas-based oilfield supplier faces disruptions following ransomware attack | Unknown | In a regulatory filing, Newpark Resources said it discovered the ransomware attack on October 29 and that it affected internal information systems. It said the incident has caused disruptions and limitation of access to certain of the Company’s information systems and business applications supporting aspects of the Company’s operations and corporate functions, including financial and operating reporting systems. | Source: The Record |
| November 13, 2024 | Wisconsin city of Sheboygan | Wisconsin city of Sheboygan says ransom demanded after cyber attack | Unknown | Since late October, the city of more than 50,000 has been dealing with technology outages. On Sunday the city provided an update, confirming that hackers gained “unauthorised access” to the city’s network. The city said: “We have reported this incident to law enforcement, and while we have received a request for payment of a ransom, we are cooperating fully with law enforcement and incorporating their guidance into our response.” | Source: The Record |
| November 25, 2024 | Blue Yonder | Retailers struggle after ransomware attack on supply chain tech provider Blue Yonder | Unknown | A major technology provider for hundreds of large retailers, Blue Yonder is struggling to recover from a ransomware attack. The company warned customers that the “Blue Yonder team is working around the clock to respond to this incident and continues to make progress.” Its customers range from supermarket chains like Morrisons to consumer goods companies like Amway, Anheuser-Busch, Dole and Gap. Other customers include Microsoft, Ford, Lenovo, Mitsubishi and Nestle. | Source: The Record |
| November 26, 2024 | BIC, Starbucks, Morrisons | BIC, Starbucks, Morrisons continue recovery after Blue Yonder ransomware attack | Unknown | Several major companies are in the process of recovering after a ransomware attack on a third-party technology provider impacted several systems ahead of the Thanksgiving holiday. Starbucks spokesperson Abigail Covington told Recorded Future News that the attack on Blue Yonder disrupted a back-end Starbucks process that manages how employees view and manage their schedules and see the number of hours people worked. Sainsbury’s UK said its services have been restored since it was impacted by the ransomware attack. Another large U.K. supermarket chain, Morrisons, explained that the attack impacted the company’s warehouse management systems for fresh foods and produce. Food manufacturing giant Dole and Oxford University Press declined to comment. | Source: The Record |
| November 27, 2024 | The city of Hoboken | Hoboken closes city hall, local courts after pre-Thanksgiving ransomware attack | Unknown | The city of Hoboken shut down its government offices after an early morning ransomware attack caused widespread issues. Officials published several messages on city websites and social media around 10 a.m. EST warning local residents that the attack will cause a range of outages and service shutdowns ahead of the Thanksgiving holiday. | Source: The Record |
| November 27, 2024 | Texas city, Minneapolis agency | RansomHub gang says it broke into networks of Texas city, Minneapolis agency | RansomHub gang | Ransomware attacks on two municipal governments have been claimed by a notorious cybercriminal operation responsible for dozens of high-profile incidents in 2024. The RansomHub operation took credit for damaging attacks on the city of Coppell, Texas, and the Minneapolis Park and Recreation Board. | Source: The Record |


 

Data Breaches in November 2024

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| November 01, 2024 | France’s Ministry of Labor and Employment | Young people’s data feared stolen in cyber attack on French government contractor | Unknown | France’s Ministry of Labor and Employment announced on Thursday that it discovered a cyber attack suspected to have impacted the data of young people it was helping get into employment. | Source: The Record |
| November 04, 2024 | Cisco | Cisco notifies ‘limited set’ of customers after hacker accessed non-public files | IntelBroker | Cisco said it has notified a limited set of customers about files that were accessed by a hacker during an incident announced in October. | Source: The Record |
| November 04, 2024 | Nokia | Nokia investigates breach after hacker claims to steal source code | IntelBroker | "Nokia is aware of reports that an unauthorised actor has alleged to have gained access to certain third-party contractor data and possibly data of Nokia," the company told BleepingComputer. "Nokia takes this allegation seriously and we are investigating. To date, our investigation has found no evidence that any of our systems or data are being impacted. We continue to closely monitor the situation." The statement came after a threat actor known as IntelBroker claimed to be selling Nokia source code that was stolen after they breached a third-party vendor's server. | Source: Bleeping Computer |
| November 05, 2024 | SelectBlinds | SelectBlinds says 200,000 customers impacted after hackers embed malware on site | Unknown | More than 200,000 people who shopped for blinds or window dressing this year had their credit card information and other data stolen after hackers placed malware on SelectBlinds’s website. In addition to login information, the company learned that hackers likely obtained names, emails, shipping and billing addresses, phone numbers and payment card numbers alongside expiration dates and security/CVV codes. | Source: The Record |
| November 11, 2024 | Amazon | Amazon confirms employee data breach after vendor hack | Nam3L3ss, a BreachForums name | Amazon confirmed a data breach involving employee information after data allegedly stolen during the May 2023 MOVEit attacks was leaked on a hacking forum. The threat actor behind this data leak, known as Nam3L3ss, published over 2.8 million lines of Amazon employee data, including names, contact information, building locations, email addresses, and more. Amazon spokesperson Adam Montgomery confirmed Nam3L3ss' claims, adding that this data was stolen from systems belonging to a third-party service provider. | Amazon Data Breach |
| November 11, 2024 | Hot Topic, Box Lunch, and Torrid | HIBP notifies 57 million people of Hot Topic data breach | Satanic, a BreachForums name | Have I Been Pwned warns that an alleged data breach exposed the personal information of 56,904,909 accounts for Hot Topic, Box Lunch, and Torrid customers. According to HIBP, the exposed details include full names, email addresses, dates of birth, phone numbers, physical addresses, purchase history, and partial credit card data for Hot Topic, Box Lunch, and Torrid customers. | Source: Bleeping Computer |
| November 11, 2024 | US govt officials | US govt officials’ communications compromised in recent telecom hack | A Chinese hacking group tracked as Salt Typhoon (aka Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286) | CISA and the FBI confirmed that Chinese hackers compromised the "private communications" of a "limited number" of government officials after breaching multiple U.S. broadband providers. The attackers also stole other information from the companies' compromised systems, including information related to customer call records and law enforcement requests. | Source: Bleeping Computer |
| November 14, 2024 | Hungary’s defence procurement agency (VBÜ) | Hungary confirms hack of defence procurement agency | INC ransomware | Hungarian officials confirmed to local media that the country’s defence procurement agency (VBÜ) was attacked by an international group of hackers. The cybercrime group known as INC Ransomware claimed access to the agency's data and posted sample screenshots on its dark web portal. | Source: The Record |
| November 16, 2024 | T-Mobile | T-Mobile confirms it was hacked in recent wave of telecom breaches | Chinese state-sponsored threat actors known as Salt Typhoon (allegedly mentioned) | T-Mobile confirmed it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests. | Source: Bleeping Computer |
| November 18, 2024 | US space tech company Maxar | US space tech giant Maxar discloses employee data breach | “post”, a BreachForums name | Hackers breached U.S. satellite maker Maxar Space Systems and accessed personal data belonging to its employees, the company said in a notification to impacted individuals. | Source: Bleeping Computer |
| November 19, 2024 | Ford | Ford rejects breach allegations, says customer data not impacted | EnergyWeaponUser and IntelBroker, BreachForums names | Ford investigated allegations that it suffered a data breach after a threat actor claimed to leak 44,000 customer records on a hacking forum. The leak was announced by threat actor 'EnergyWeaponUser,' also implicating the hacker 'IntelBroker,' who supposedly took part in the November 2024 breach. The threat actors leaked on BreachForums 44,000 Ford customer records containing customer information, including full names, physical locations, purchase details, dealer information, and record timestamps. | Source: Bleeping Computer |
| November 19, 2024 | Fintech Giant Finastra | Fintech Giant Finastra Investigating Data Breach | Abyss0, a BreachForums name | The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has supposedly learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company. | Finastra data breach |
| November 19, 2024 | MediBoard by Software Medical Group | Cyber attack at French hospital exposes health data of 750,000 patients | A threat actor using the nickname 'nears' (previously near2tlg) on BreachForums | A data breach at an unnamed French hospital exposed the medical records of 750,000 patients after a threat actor gained access to its electronic patient record system. A threat actor using the nickname 'nears' (previously near2tlg) claimed to have attacked multiple healthcare facilities in France, alleging that they have access to the patient records of over 1,500,000 people. The hacker claimed they breached MediBoard by Software Medical Group, a company offering Electronic Patient Record (EPR) solutions across Europe. | Source: Bleeping Computer |
| November 22, 2024 | An unnamed US company | Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' | APT28 (Fancy Bear/Forest Blizzard/Sofacy) | Russian state hackers APT28 (Fancy Bear/Forest Blizzard/Sofacy) breached a U.S. company through its enterprise WiFi network while being thousands of miles away, by leveraging a novel technique called the "nearest neighbor attack." The threat actor pivoted to the target after first compromising an organisation in a nearby building within WiFi range. The attack was discovered on February 4, 2022, when cybersecurity company Volexity detected a server compromise at a customer site in Washington, DC that was doing Ukrainian-related work. | Source: Bleeping Computer |



Cyber Attacks in November 2024

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| November 01, 2024 | The San Joaquin County Superior Court | California court suffering from tech outages after cyber attack | Unknown | The San Joaquin County Superior Court said nearly all of its digital services have been knocked offline due to a cyber attack. The attack knocked out all of the court’s phone and fax services, websites containing juror reporting instructions, the e-filing platform, credit card payment processing and more. Some jurors scheduled for this week were excused. | Source: The Record |
| November 03, 2024 | Irish technology university | Cyber attack disrupts classes at Irish technology university | Unknown | The South East Technological University (SETU) in Ireland has announced experiencing a cybersecurity incident targeting its IT systems. In a statement on SETU’s website, students were advised that classes at its Waterford campuses would be postponed. | Source: The Record |
| November 07, 2024 | Washington’s courts in the counties of Thurston, Monroe, Renton, Puyallup, Bainbridge, King, Pierce, Whatcom, and Lewis | Outages impact Washington state courts after ‘unauthorised activity’ detected on network | Unknown | The Washington State Administrative Office of the Courts (AOC) warned state residents that it “recently identified unauthorised activity on the Washington Courts network.” The outages have affected courts in the counties of Thurston, Monroe, Renton, Puyallup, Bainbridge, King, Pierce, Whatcom, and Lewis as well as municipal courts in several cities. | Source: The Record |
| November 11, 2024 | Hyp’s CreditGuard product | Cyber attack causes credit card readers to malfunction in Israel | Unknown | Devices used across Israel to read credit cards malfunctioned due to a suspected cyber attack that disrupted the communications services underpinning them. Customers at supermarkets and gas stations were reportedly unable to make payments due to the incident, which reports suggest lasted around an hour. The report said the cause was a distributed denial-of-service (DDoS) attack that targeted the payment gateway company Hyp’s CreditGuard product. | Source: The Record |
| November 18, 2024 | iLearningEngines | AI company tells SEC that $250,000 stolen in cyber attack | Unknown | An artificial intelligence company, iLearningEngines, said a hacker breached its network and stole a $250,000 wire payment in an incident likely to have a material impact on the firm’s bottom line. | Source: The Record |
| November 20, 2024 | BlueSky | BlueSky hit with crypto scams as it crosses 20 million users | Unknown | As many more users are flocking to BlueSky from social media platforms like X/Twitter, so are threat actors. BleepingComputer has apparently spotted cryptocurrency scams popping up on BlueSky just as the decentralized microblogging service surpassed 20 million users. | Source: Bleeping Computer |
| November 22, 2024 | International Game Technology (IGT) | Gambling and lottery giant disrupted by cyber attack; working to bring systems back online | Unknown | One of the largest gambling companies in the U.S., International Game Technology (IGT), said a cyber attack caused massive disruptions to its operations, forcing it to take some systems offline. | Source: The Record |
| November 26, 2024 | Wirral University Teaching Hospital NHS Foundation Trust | British hospital group declares ‘major incident’ following cyber attack | Unknown | A statement on the website for Wirral University Teaching Hospital NHS Foundation Trust says: “A major incident has been declared at the Trust for cyber security reasons.” The nature of the incident has not been disclosed. Outpatient appointments have been cancelled, and patients are being asked not to attend the hospital unless they have a “genuine emergency.” A staff member at the Trust told local newspaper the Liverpool Echo: “Everything is down. Everything is done electronically so there’s no access to records, results or anything so we are having to do everything manually, which is really difficult. The damage is huge.” | Wirral University Teaching Hospital NHS Foundation Trust cyber attack |



New Ransomware/Malware Discovered in November 2024

| New Ransomware/Malware | Summary |
|---|---|
| Interlock | A relatively new ransomware operation named Interlock attacks organisations worldwide, taking the unusual approach of creating an encryptor to target FreeBSD servers. |
| Pigmy Goat | The UK's National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named "Pigmy Goat" created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors. |
| BlueNoroff’s Hidden Risk | North Korean threat actor BlueNoroff has been targeting crypto-related businesses with a new multi-stage malware for macOS systems. Researchers are calling the campaign Hidden Risk and say that it lures victims with emails that share fake news about the latest activity in the cryptocurrency sector. |
| A new ransomware family, 'Ymir' | A new ransomware family called 'Ymir' has been spotted in the wild, encrypting systems that were previously compromised by the RustyStealer infostealer malware. |
| New version of KV-Botnet malware | The Chinese state-sponsored hacking group Volt Typhoon has begun to rebuild its "KV-Botnet" malware botnet after it was disrupted by law enforcement in January. |
| New Glove Stealer malware | The new Glove Stealer malware can bypass Google Chrome's Application-Bound (App-Bound) encryption to steal browser cookies. |
| Ghost Tap malware | Cybercriminals have devised a novel method to cash out from stolen credit card details linked to mobile payment systems such as Apple Pay and Google Pay, dubbed 'Ghost Tap,' which relays NFC card data to money mules worldwide. |
| WolfsBane malware | A new Linux backdoor called 'WolfsBane' has been discovered, believed to be a port of Windows malware used by the Chinese 'Gelsemium' hacking group. |

Sources for the above table: BleepingComputer & The Record


Vulnerabilities/Patches Discovered in November 2024

| Date | CVE / Advisory ID | Summary |
|---|---|---|
| November 05, 2024 | CVE-2024-43047 and CVE-2024-43093 | Google fixed two actively exploited Android zero-day flaws as part of its November security updates, addressing a total of 51 vulnerabilities. |
| November 07, 2024 | CVE-2024-5910 | CISA warned that attackers are exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS. |
| November 08, 2024 | CVE-2024-8355, CVE-2024-8359, CVE-2024-8360, CVE-2024-8358, CVE-2024-8357, CVE-2024-8356 | Attackers could exploit several vulnerabilities in the Mazda Connect infotainment unit, present in multiple car models including Mazda 3 (2014-2021), to execute arbitrary code with root permission. |
| November 08 and 13, 2024 | CVE-2024-10914 | More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit. Attackers now target this critical severity vulnerability, which affects multiple models of end-of-life D-Link network-attached storage (NAS) devices. |
| November 08, 2024 | CVE-2024-40711 | After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware. |
| November 13, 2024 | CVE-2024-43451 | Suspected Russian hackers were caught exploiting a recently patched Windows vulnerability as a zero-day in ongoing attacks targeting Ukrainian entities. |
| November 14, 2024 | CVE-2024-9463, CVE-2024-9465 | CISA warned that two more critical security vulnerabilities in Palo Alto Networks' Expedition migration tool are now actively exploited in the wild. |
| November 15, 2024 | PAN-SA-2024-0015 | Palo Alto Networks is warning that a critical zero-day vulnerability in Next-Generation Firewalls (NGFW) management interfaces, currently tracked as 'PAN-SA-2024-0015,' is actively being exploited in attacks. |
| November 15, 2024 | CVE-2024-11120 | A malware botnet is exploiting a zero-day vulnerability in end-of-life GeoVision devices to compromise and recruit them for likely DDoS or cryptomining attacks. |
| November 17, 2024 | CVE-2024-10924 | A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin 'Really Simple Security' (formerly 'Really Simple SSL'), including both free and Pro versions. |
| November 18, 2024 | CVE-2024-38812, CVE-2024-38813 | Broadcom warned that attackers are now exploiting two VMware vCenter Server vulnerabilities, one of which is a critical remote code execution flaw. |
| November 18, 2024 | CVE-2024-0012, CVE-2024-9474 | Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW). |
| November 19, 2024 | CVE-2024-21287 | Oracle has fixed an unauthenticated file disclosure flaw in Oracle Agile Product Lifecycle Management (PLM) tracked as CVE-2024-21287, which was actively exploited as a zero-day to download files. |
| November 19, 2024 | CVE-2024-1212, CVE-2024-0012 and CVE-2024-9474 | The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three new flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a critical OS command injection impacting Progress Kemp LoadMaster. |
| November 19, 2024 | CVE-2024-44308, CVE-2024-44309 | Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems. |

Sources: BleepingComputer and The Record


Warnings/Advisories/Reports/Analysis

| News Type | Summary |
|---|---|
| Warning | LastPass has warned about an ongoing campaign where scammers were writing reviews for its Chrome extension to promote a fake customer support phone number. This phone number was part of a much larger campaign to trick callers into giving scammers remote access to their computers. |
| Report | Russia is behind the latest election disinformation video: Russian actors “manufactured” a bogus viral video that showed Haitians illegally voting several times in the state of Georgia. |
| Report | Canadian authorities have arrested a man suspected of having stolen the data of hundreds of millions of people after targeting over 165 organisations, all of them customers of cloud storage company Snowflake. |
| Report | The Canadian government has ordered the dissolution of TikTok Technology Canada following a multi-step review that provided information and evidence of the social media company posing a national risk. |
| Report | Pro-Russia hacker groups have ramped up attacks on South Korean organisations following Seoul’s decision to send observers to Ukraine after North Korean troops joined Russian forces on the frontlines. The South Korean president’s office said the country’s cyber agencies have detected an increase in Russia-linked attacks, primarily targeting civilian and government websites. |
| Warning | The cybersecurity agencies of the Five Eyes intelligence alliance (the U.S., U.K., Australia, Canada and New Zealand) issued a warning that hackers were increasingly exploiting zero-day vulnerabilities to access their targets’ networks. |
| Report | A malicious Python package named 'fabrice' has been present in the Python Package Index (PyPI) since 2021, stealing Amazon Web Services credentials from unsuspecting developers. |
| Report | As the winter season kicks in, scammers are not missing the chance to target senior British residents with bogus "winter heating allowance" and "cost of living support" scam texts. The scam campaign is opportunistic given the UK government's recent controversial stance on cutting winter fuel payments from approximately 10 million pensioners across Britain. |
| Report | Hackers are targeting Windows machines using the ZIP file concatenation technique to deliver malicious payloads in compressed archives without security solutions detecting them. The technique exploits the different ways ZIP parsers and archive managers handle concatenated ZIP files. |
| Report | In a report, Halliburton has revealed that an August ransomware attack has led to $35 million in losses after the breach caused the company to shut down IT systems and disconnect customers. |
| Report | In April 2022, about four months after Kazakhstan’s government violently cracked down on nationwide protests, cybersecurity researchers discovered that authorities in the country were deploying spyware on smartphones to eavesdrop on citizens. The tool wasn’t developed by Kazakhstan, nor was it purchased from Israel or other countries typically associated with spyware. Instead, researchers linked it to RCS Labs, a relatively unknown Italian firm that has been operating since 1992. |
| Report | North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID. |
| Report | U.S. law enforcement agencies confirmed previous reports that hackers connected to the People's Republic of China (PRC) breached the systems of commercial telecommunications infrastructure in order to steal the call record data of prominent politicians. |
| Report | The business contact information for 122 million people circulating since February 2024 is now confirmed to have been stolen from a B2B demand generation platform. The data comes from DemandScience (formerly Pure Incubation), a B2B demand generation company that aggregates data. |
| Report | A financially motivated Chinese threat actor dubbed "SilkSpecter" is using 4,695 fake online stores to steal the payment card details of online shoppers in the U.S. and Europe. |
| Warning | Switzerland’s Federal Office for Cybersecurity (OFCS) issued a warning about “fake letters” from the country’s meteorological agency being used to spread malware. The postal letters, dated 12 November, claim to be offering people in the country a new weather app developed by the agency, MeteoSwiss; however, they contain a QR code redirecting people to a malicious application developed by fraudsters. |
| Report | Delhi police have arrested a suspect allegedly linked to the theft of at least $230 million worth of cryptocurrency from the India-based platform WazirX earlier this year. |
| Report | Akira, a ransomware-as-a-service gang with a growing profile in the cybercrime underworld, has published a record number of new victims to its darknet leak site in a single day, with 35 published as of writing, and more apparently still being added. |
| Report | Meta has taken down more than 2 million accounts this year connected to pig butchering scams conducted from Southeast Asia and the United Arab Emirates, the company said. |
| Report | A threat actor known as Mysterious Elephant has been observed targeting Pakistani entities in a new espionage campaign. |
| Report | A 2020 report detailing the hack of a Canadian medical testing company was released after a court ruled it could be made public, ending a four-year battle during which the company sought to keep the details of the investigation secret. |

Sources: BleepingComputer and The Record
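The ZIP concatenation report in the table above turns on one detail: a ZIP file is located by its End of Central Directory (EOCD) record, and a blob made of two archives glued together carries two of them, so a parser that trusts the first sees one set of members while a parser that trusts the last (Python's zipfile, for instance) sees the other. The following is an added example, not code from the original post or from any of the tools the report names; it is a small defensive scanner that validates every EOCD candidate in a file, splits the blob into its constituent archives, and reports which members a single-EOCD parser would miss. The sample archives are constructed in memory so the script runs offline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
LFH_SIG = b"PK\x03\x04"    # Local file header signature (start of an archive)
EOCD_FMT = "<4sHHHHIIH"    # fixed 22-byte EOCD layout; last field is comment length
EOCD_LEN = struct.calcsize(EOCD_FMT)


def _eocd_end(data: bytes, pos: int) -> int:
    """Absolute offset just past the EOCD record (and its comment) at pos."""
    comment_len = struct.unpack_from(EOCD_FMT, data, pos)[-1]
    return pos + EOCD_LEN + comment_len


def find_eocd_records(data: bytes) -> list[int]:
    """Offsets of every EOCD record that genuinely closes an archive.

    The signature bytes can also occur inside compressed data, so a candidate
    is accepted only if its record ends exactly at end-of-file or is followed
    immediately by another local file header (i.e. another appended archive).
    A well-formed single archive yields one offset; a concatenated one yields
    one offset per glued-on archive.
    """
    found = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            end = _eocd_end(data, pos)
            if end == len(data) or data[end:end + 4] == LFH_SIG:
                found.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return found


def split_concatenated_zip(data: bytes) -> list[bytes]:
    """Split the blob into stand-alone archives at each validated EOCD boundary."""
    segments, start = [], 0
    for pos in find_eocd_records(data):
        end = _eocd_end(data, pos)
        segments.append(data[start:end])
        start = end
    return segments


def inspect(data: bytes) -> dict:
    """Compare what Python's zipfile (a last-EOCD parser) lists against the
    members of every embedded archive, so hidden members are surfaced."""
    per_archive = []
    for seg in split_concatenated_zip(data):
        try:
            per_archive.append(zipfile.ZipFile(io.BytesIO(seg)).namelist())
        except zipfile.BadZipFile:
            per_archive.append(None)   # boundary found but segment unparsable
    try:
        visible = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        visible = None
    return {
        "archive_count": len(per_archive),
        "concatenated": len(per_archive) > 1,
        "visible_to_zipfile": visible,
        "all_members": per_archive,
    }


def make_zip(name: str, content: bytes) -> bytes:
    """Build a single-member archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a benign-looking archive with a second archive appended,
# mimicking the structure the report describes (contents are placeholders).
SAMPLE_BLOB = make_zip("readme.txt", b"nothing to see here") + \
              make_zip("hidden.txt", b"placeholder second-archive content")

if __name__ == "__main__":
    print(inspect(SAMPLE_BLOB))
```

On the constructed sample, `inspect` reports two archives and shows that zipfile lists only `hidden.txt`, the member of the last archive, while the first archive's `readme.txt` is invisible to it; a tool that honours the first EOCD would show the opposite. A mail gateway or sandbox can use `find_eocd_records` returning more than one offset as a simple flag for archives that deserve full extraction of every segment rather than a single listing.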
