Major Cyber Attacks in Review: November 2024

Summary:

November 2024 witnessed significant cyber attacks across critical sectors, including telecommunications and healthcare, highlighting vulnerabilities and the evolving threat landscape. #CyberAttacks #DataBreach #ThreatLandscape

Key points:

  • High-profile cyber attacks targeted telecommunications, supply chain management, and healthcare sectors.
  • T-Mobile was targeted in a telecom breach linked to the Chinese state-sponsored group Salt Typhoon.
  • Blue Yonder experienced a ransomware attack from the Termite group, disrupting services for major clients.
  • Finastra’s Secure File Transfer Platform was breached, resulting in 400GB of stolen data.
  • A cyber attack compromised the medical records of over 750,000 patients at French hospital Aléo Santé.
  • DemandScience confirmed a breach exposing 122 million business records.
  • Hot Topic suffered a data breach affecting over 54 million customer accounts.
  • New data leaks tied to the MOVEit vulnerability involved major organizations like Amazon and HSBC.
  • Halliburton reported a $35 million financial impact from a cyber attack linked to RansomHub.
  • Nokia clarified that a data leak was due to a third-party vendor’s breach, not its own systems.

MITRE Techniques:

  • Valid Accounts (T1078): Compromised credentials were used to access Finastra’s Secure File Transfer Platform.
  • Ransomware (T1486): Termite ransomware disrupted Blue Yonder’s operations.
  • Data Encrypted for Impact (T1486): Blue Yonder’s data was claimed to be stolen by the Termite group.
  • OS Credential Dumping (T1003): Stolen credentials were exploited in the Aléo Santé breach.
  • Exfiltration Over C2 Channel (T1041): The MOVEit vulnerability led to data leaks involving Amazon and HSBC.

Indicators of Compromise:

  • [stolen data claim] 400GB of data stolen from Finastra’s Secure File Transfer Platform
  • [stolen data claim] 680GB of sensitive information claimed by Termite ransomware from Blue Yonder
  • [threat actor handle] abyss0
  • [threat actor handle] KryptonZambie
  • [threat actor handle] Satanic
  • [ip address] 38.60.146.78

November 2024 brought several high-profile cyber attacks that targeted critical sectors, including telecommunications, supply chain management, and healthcare.

From disruptions at Blue Yonder affecting global supply chains to an emerging wave of MOVEit data leaks involving major companies like Amazon and HSBC, these incidents underscore the risks organizations face in today’s threat landscape.

This article examines the biggest breaches of November 2024 and their implications for industries worldwide.

T-Mobile Was Also Targeted in Latest Telecom Breach Campaign

T-Mobile disclosed that it was among the targets in a series of telecom breaches, which are linked to Salt Typhoon, a Chinese state-sponsored threat group. These attacks, which reportedly compromised several U.S. telecommunications providers, sought access to sensitive information, including private communications and law enforcement requests.

Telecom breach campaign targets T-Mobile systems

The company emphasized that its security measures effectively protected customer data, with no evidence of unauthorized access or data exfiltration. Even so, Salt Typhoon’s recent campaign has reportedly affected at least eight U.S. telecom firms, including major providers like AT&T, Verizon, and Lumen.

To address these risks, government authorities across the U.S., Australia, Canada, and New Zealand issued joint guidance outlining defense strategies against PRC-affiliated threat actors’ techniques.

Ransomware Attack Disrupted Blue Yonder and Affected Major Clients

In November 2024, Blue Yonder, a leading supply chain management solutions provider, suffered a ransomware attack attributed to the emerging Termite ransomware group. The attack disrupted services for several high-profile clients, including the UK grocery chains Morrisons and Sainsbury’s and the US-based Starbucks, highlighting vulnerabilities in third-party supply chain platforms.

Blue Yonder confirmed the intrusion on November 21, disclosing that its managed services hosting environment had been targeted. Subsequent updates detailed ongoing recovery efforts and defensive measures. By December 1, the company had restored several customer systems, but on December 6, it acknowledged Termite’s claims of data theft involving 680GB of sensitive information.

Termite ransomware listed Blue Yonder as a victim on its data leak site

The incident impacted operations globally. Morrisons reverted to manual processes for warehouse management, while Starbucks shifted to manual payroll systems for employees. French manufacturer BIC faced shipping delays, emphasizing the interdependence of enterprises on supply chain platforms.

Learn the details of this incident on SOCRadar blog:

Termite Ransomware Attack on Blue Yonder: What You Need to Know

Finastra Data Breach: 400GB Stolen from Secure File Transfer Platform

Finastra, a prominent financial software provider, is investigating a breach of its Secure File Transfer Platform (SFTP), detected on November 7, 2024. Attackers used compromised credentials to access the system, but preliminary findings show no lateral movement or tampering with customer files. The SFTP platform was not the company’s default file-sharing solution.

On November 8, a threat actor named “abyss0” claimed responsibility on BreachForums, advertising 400GB of stolen data, including configuration files and database backups, linked to major banking clients. Earlier, SOCRadar’s Dark Web News flagged a related access sale post by the same actor, offering the data for $20,000, later reduced to $10,000. The actor’s online presence has since vanished, leaving the data’s fate unclear.

Data breach post about Finastra (Source: SOCRadar Dark Web News)

Finastra has isolated the affected platform, implemented a secure alternative, and is notifying impacted customers while providing Indicators of Compromise (IOCs).

Mitigating Threats with SOCRadar’s Dark Web Monitoring

Finastra’s breach underscores the importance of proactive monitoring to mitigate risks posed by stolen credentials and data leaks. SOCRadar’s Dark Web Monitoring module equips organizations to:

  • Detect leaked data early: Identify exposed credentials and sensitive files before they are exploited.
  • Track threat actor chatter: Monitor discussions and posts linked to your organization.
  • Respond rapidly: Receive real-time alerts to emerging threats.

SOCRadar’s Dark Web Monitoring module page

By leveraging actionable intelligence, SOCRadar enables businesses to safeguard against breaches like this. Stay ahead of cyber threats with SOCRadar’s Dark Web Monitoring and protect your organization’s digital footprint.

French Hospital Data Breach Exposes Over 750,000 Patient Records

A cyber attack compromised the medical records of 758,912 patients after a threat actor named “nears” exploited a privileged MediBoard account belonging to French hospital Aléo Santé.

Over 750,000 patients’ data was compromised (Source: SOCRadar Dark Web News)

MediBoard, an Electronic Patient Record (EPR) solution by Softway Medical Group, serves multiple healthcare facilities in France. Softway Medical clarified that its software was not directly responsible; instead, the breach stemmed from stolen credentials used by the hospital.

The stolen data included patients’ full names, dates of birth, addresses, contact details, physician information, prescriptions, and health card histories.

The threat actor claimed having access to multiple French hospitals through MediBoard (Source: SOCRadar Dark Web News)

In the same post, the threat actor began selling access to MediBoard accounts for several hospitals, including Clinique Jean d’Arc and Hôpital Privé de Thiais, claiming that 1.5 million patient records may be accessible. While no buyers have been confirmed, the data remains at risk of being leaked.

Softway Medical emphasized that the affected health data was hosted by the hospital, not by them, and confirmed no software vulnerabilities were exploited.

DemandScience Data Breach Exposed 122 Million Business Records

A dataset containing the business contact details of 122 million individuals, circulating since February 2024, has been confirmed as stolen from DemandScience, a B2B demand generation platform.

In February 2024, the threat actor ‘KryptonZambie’ began selling 132.8 million records on BreachForums, claiming they originated from an exposed system associated with DemandScience (by Pure Incubation).

Short details of the DemandScience breach (Source: HIBP)

The dataset includes full names, email addresses, phone numbers, job titles, physical addresses, and social media links – valuable information for targeted marketing campaigns.

Initially, DemandScience denied a breach, but by August 2024, the data was leaked for just a few dollars. Security researcher Troy Hunt verified its authenticity in November 2024, linking the records to a decommissioned system inactive for two years.

Hot Topic Data Breach Exposed Over 50 Million Records

Hot Topic, a well-known retail brand, suffered a data breach exposing sensitive customer information from over 54 million accounts.

The leaked data included email addresses, phone numbers, physical addresses, purchase histories, and weakly encrypted credit card details. The breach also affected its associated brands, Box Lunch and Torrid.

Hot Topic / Box Lunch data breach post (Source: SOCRadar Dark Web News)

On October 21, 2024, a threat actor identified as “Satanic” claimed responsibility for the breach on BreachForums. Initially demanding $20,000, the actor later reduced the price to $4,000. Security experts confirmed that the database, approximately 730GB in size, contains unique records with a significant portion of the email addresses not previously found in past breaches.

The attack was linked to a stealer malware infection that compromised login credentials for third-party services.

Latest MOVEit Data Leaks by ‘Nam3L3ss’ Threat Actor

A new wave of data leaks tied to the MOVEit vulnerability (CVE-2023-34362) has surfaced, this time attributed to a new threat actor, Nam3L3ss. Like the Cl0p ransomware group’s exploits last year, Nam3L3ss targeted prominent organizations, including Amazon and HSBC, releasing sensitive employee data through a Dark Web forum.

The leaked datasets for Amazon and HSBC contain employee directories with contact information, job titles, and internal organizational details. Researchers verified these breaches by cross-referencing email addresses with public profiles and other sources.

The threat actor Nam3L3ss has since leaked employee and patient data from multiple organizations, attributing the source of these breaches to MOVEit. However, they deny any affiliation with ransomware groups, describing themselves as observers rather than hackers.

A manifesto posted by the threat actor behind the recent MOVEit leaks

For detailed insights into this recent activity, check out our blog post: MOVEit Data Leak Reveals Employee Data from Amazon, HSBC, and More.

Halliburton’s August Cyberattack Led to $35 Million in Charges

Halliburton reported a $35 million financial impact from a cyber attack in August, which, together with Gulf storms, reduced earnings by 2 cents per share. The attack delayed billing and collections, temporarily affecting free cash flow, though the company expects to recover.

The oil services provider confirmed the attack was linked to RansomHub, a prominent ransomware group flagged by the FBI and CISA earlier this year. Systems were taken offline during the response, and data theft was reported.

To learn about RansomHub’s tactics and operations, visit SOCRadar’s Dark Web Profile

CFO Eric Carre noted that the incident did not materially impact the company’s financial condition, although a related SAP S4 implementation project has been delayed by 3 to 6 months, with costs increasing by $20–30 million.

Nokia Data Leak Traced to Third-Party Vendor Breach

Nokia has confirmed that recent claims of a data breach stem from a third-party vendor’s security incident, not its own systems. This clarification follows the release of leaked source code on a Dark Web hacker forum by the threat actor known as IntelBroker, who claimed to have obtained the data through a poorly secured SonarQube server.

Nokia data breach post (Source: SOCRadar Dark Web News)

IntelBroker initially tried to sell the stolen data, which allegedly included SSH keys, RSA keys, and other sensitive credentials. After Nokia denied the breach, the hacker leaked the information, alleging it contained critical elements of the company’s operations. However, Nokia’s investigation revealed that the leaked source code belonged to a third-party-developed application, built exclusively for a Nokia client’s network.

Nokia emphasized that the breach posed no risk to its systems or customer data, stating, “Our customers are in no way impacted, including their data and networks.”

Protect Your Organization from Data Breaches Using Dark Web Insights

Cyber threats are evolving rapidly, and staying ahead of malicious activities is essential for organizations. SOCRadar’s Dark Web Monitoring module provides actionable insights, enabling businesses to detect and respond to emerging threats.

Furthermore, SOCRadar’s Dark Web News provides users with the ability to monitor the latest discussions across Deep Web and Dark Web forums, including hacker activity on platforms like Telegram. This feature ensures organizations stay informed about emerging threats and can proactively address potential risks before they escalate.

SOCRadar’s Dark Web News

By offering real-time visibility into underground forums and illicit marketplaces, SOCRadar XTI helps organizations identify exposed data, act swiftly on critical alerts, and mitigate risks before they escalate into major incidents.

Beyond individual defense strategies, global law enforcement efforts are also making strides in combating cybercrime. Recently, INTERPOL’s Operation HAECHI-V resulted in over 5,500 arrests tied to financial crimes and the seizure of more than $400 million in assets. This operation, spanning 40 countries, underscores the importance of international collaboration to dismantle criminal networks.

Law enforcement’s success doesn’t stop there. Notable recent takedowns also include the shutdown of Matrix, a sophisticated encrypted messaging service exploited by cybercriminals, and the dismantling of the Manson Market, an online fraud platform. Learn more about these impactful operations and their implications for cybersecurity on SOCRadar blog:


Full Research: https://socradar.io/major-cyber-attacks-in-review-november-2024/