Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

Over recent months, the United States has faced a surge in cyber attacks, with ransomware incidents rising sharply from June to October 2024. Prominent groups, including Play, RansomHub, Lockbit, Qilin, and Meow, have targeted sectors such as Business Services, Manufacturing, IT, and Healthcare, compromising over 800 organizations. Major attacks included a breach of the City of Columbus by Rhysida ransomware and data leaks impacting Virginia’s Department of Elections and Healthcare.gov. Additionally, China’s "Salt Typhoon" espionage campaign is aggressively targeting U.S. ISPs, further complicating the cyber threat landscape. Hacktivist groups advocating pro-Russian and pro-Palestinian positions have also increased their attacks, affecting government entities and critical infrastructure. This report highlights the need for enhanced security protocols, regular audits, and public awareness initiatives to mitigate the growing cyber risks. Key recommendations include implementing multi-factor authentication, frequent employee training, and advanced threat monitoring to safeguard the nation's critical infrastructure and public trust.

CloudSEK TRIAD
October 10, 2024
Green Alert
Last update posted on October 10, 2024

Overview

Over the past few months, we have closely monitored the evolving landscape of cyber threats and attacks targeting the United States. Our findings indicate a significant surge in ransomware incidents from June to October 2024, impacting over 800 victims across various sectors, with a notable concentration in Business Services and Manufacturing. The Play ransomware group has emerged as the most active threat actor during this period, alongside other notable groups such as RansomHub, Lockbit, Qilin, and Meow. These groups have primarily targeted critical infrastructure, capitalizing on existing vulnerabilities to execute their attacks.

Significant incidents, such as the Rhysida ransomware attack on the City of Columbus, resulted in the compromise of sensitive data, underscoring the urgent need for enhanced security measures. Furthermore, several high-profile data breaches have affected key institutions, including TIDE, Virginia's Department of Elections, and Healthcare.gov, with threat actors selling sensitive personal information and RDP access on underground forums. We have also included the top initial attack vectors (IAVs) used by these threat actors, which include phishing emails and the exploitation of software vulnerabilities, enabling unauthorized access to critical systems.

In addition to these attacks, our report highlights China's espionage campaign, dubbed "Salt Typhoon," which is targeting the U.S. Internet Service Providers (ISPs). We also observed hacktivist activities from various groups advocating pro-Palestinian and pro-Russian positions, further complicating the cyber threat landscape.

The effects of these cyber threats extend beyond immediate financial losses, impacting public trust and the resilience of critical infrastructure across all sectors. Continuous monitoring and analysis of threat actor tactics are essential for organizations to stay ahead of potential attacks. By understanding these patterns, businesses can implement proactive measures to enhance their defenses and protect sensitive information. Investing in cybersecurity is crucial not only for safeguarding assets but also for maintaining the stability of the broader economy.

Recent Cyber Attacks on the United States

Ransomware:

In the United States, ransomware attacks have had a significant impact across various sectors, with over 800 victims reported from June to now. Numerous ransomware groups are behind these attacks, with the Play ransomware group being the most prominent. These cyberattacks have affected a wide range of industries, causing major disruptions and financial losses.

The charts below provide statistics that illustrate the sectors impacted by ransomware in the United States over the past five months. You'll also find data on the active ransomware groups during this period and monthly statistics on ransomware attacks.


In the past five months, ransomware attacks have significantly impacted various industries across the United States. The most affected sectors include:

Industry affected | Number of attacks
Business Services | 152
Manufacturing | 121
IT & Technology | 87
Healthcare & Pharma | 84
Construction | 57
Education | 44
Non-Profit | 40
Government | 31
Transport & Logistics | 30
Engineering | 25

In addition to these, several other sectors have also been affected, including Retail, Finance & Banking, Real Estate, FMCG, Hospitality, Energy, Oil & Gas, Agriculture, Media, Entertainment & Marketing, Environmental Services, Food & Beverage, Communication, Insurance, Automobile, Telecommunications, Legal, E-commerce, and Export/Import. This highlights the widespread nature of ransomware threats across multiple industries.

Ransomware industry specific June-October 2024 statistics

Top 5 active ransomware groups targeting the United States in last 5 months:

Ransomware Group | Description
Play | Play ransomware, also known as PlayCrypt, is a cybercriminal group recognized for its double-extortion tactics. In the past five months, it has emerged as the most active ransomware group in the United States, targeting approximately 106 organizations. The sectors most affected by Play ransomware include Business Services, Manufacturing, Construction, Hospitality, and Transport & Logistics, among others.
RansomHub | RansomHub is known for targeting critical infrastructure and has been observed exploiting known vulnerabilities. As the second most active ransomware group in the United States over the past five months, it has attacked approximately 89 organizations. The sectors most affected by RansomHub include Business Services, Manufacturing, IT & Technology, Healthcare & Pharma, and Transport & Logistics, among others.
Lockbit | Lockbit is a notorious ransomware group recognized for its aggressive and widespread attacks across various industries. Utilizing advanced encryption techniques, they demand substantial ransoms from their victims. In the last five months, Lockbit has targeted approximately 44 organizations in the United States, affecting a diverse range of sectors, including Healthcare & Pharma, Finance & Banking, IT & Technology, Manufacturing, Business Services, and others.
Qilin | Qilin, the fourth most active ransomware group in the United States, has targeted 42 organizations over the past five months. Known for exploiting vulnerabilities and using phishing and spear-phishing emails, Qilin gains access to credentials and spreads laterally within networks. The group has affected sectors such as Business Services, Healthcare & Pharma, IT & Technology, Non-Profit, and Finance & Banking, among others.
Meow | Meow, the fifth most active ransomware group in the United States, has targeted 40 organizations over the past five months. Based on the latest data, the top five industries affected by Meow ransomware are Business Services, Healthcare & Pharma, Manufacturing, IT & Technology, and Environmental Services, among others.

Most active ransomware groups in the United States June-October 2024 statistics

In the past five months, ransomware attacks in the United States increased from 175 in June 2024 to 214 in July, peaked at 217 in August, and then decreased to 199 in September, with 66 attacks reported so far in October 2024.

Monthly statistics on number of ransomware attacks 

City of Columbus Targeted by Rhysida Ransomware

On July 31, 2024, Rhysida ransomware listed the City of Columbus, Ohio, as a victim on their leak site. The group exfiltrated 6.5TB of data, which included internal employee logins and passwords, a complete dump of servers housing emergency services applications, and access to city video camera feeds. Rhysida claimed that 55% of the stolen data was sold, while the remaining 45% was uploaded to their leak site for free and was not part of the sale. The attack on the City of Columbus poses significant risks, including potential exposure of sensitive employee information, disruption of emergency services, and compromised security of city surveillance systems.

Rhysida’s post on their leak site

Data Breaches:

This section highlights recent significant data breaches affecting the United States, focusing on the compromised databases of key institutions and the sale of sensitive personal information. These incidents underscore the serious risks linked to unauthorized access to personal and financial data, which can lead to identity theft, financial fraud, and operational disruptions. In addition to the breaches listed below, numerous other incidents have been reported on underground forums, impacting both large and small organizations across various sectors in the United States.

TIDE NATO Data Leak:

On July 7, 2024, a threat actor known as "natohub" posted on an underground forum, claiming to have obtained a significant data leak from TIDE (Think-Tank for Information Decision and Execution Superiority), a NATO-affiliated organization. The leak reportedly includes 643 CSV files containing sensitive information such as user data, user groups, physical and virtual servers, and event logs. A large portion of the data pertains to users from the United States.

Threat actor’s post on TIDE NATO

Data posted by the threat actor includes records belonging to users from the United States

Virginia Department of Elections Database Leaked on Underground Forum:

A reputed threat actor known as IntelBroker has leaked a database belonging to the Virginia Department of Elections. The database contains sensitive information such as voter names, addresses, and party affiliations.

Virginia Department of Elections Database posted on an Underground forum

Healthcare.gov Database posted on Underground Forum:

A threat actor known as HealthDontCare was seen posting a healthcare.gov database. The actor claims to have exploited several vulnerabilities to gain access to the data and is offering the database for free as the threat actor wasn’t paid an extortion fee. The database includes Personally Identifiable Information (PII) of users, such as names, addresses, phone numbers, and email addresses.

Threat actor’s post on healthcare.gov

Classified Federal Bureau of Investigation (FBI) data posted on a forum:

A reputed threat actor known as komi posted on the underground forum, claiming to have hacked the Federal Bureau of Investigation (FBI) and obtained sensitive user data.

Threat actor’s post on FBI

Leaked Data of National Security Agency:

On July 8, 2024, a threat actor known as Gostingr posted on an underground forum, claiming to possess 1.4 GB of sensitive data belonging to the National Security Agency (NSA) of the United States. The data includes full names, email addresses, office numbers, personal cell numbers, and classified information. Gostingr claims to have obtained the data by breaching Acuity Inc., a company that works directly with the US Government and its allies.

Threat actor’s post on NSA

Florida Department of State data breach:

A threat actor known as HikkI-Chan has posted on the underground forum, offering to sell a massive database allegedly belonging to the Florida Department of State (FDOS). The database is claimed to contain over 17 million unique email addresses and Personally Identifiable Information (PII) of approximately 5 million individuals. The data includes full names, IDs, addresses, phone numbers, and more. Additionally, the database reportedly contains information on 83,211 organizations associated with the FDOS, including legal names, DBA names, phone numbers, work titles, work emails, cities, and other details. 

Threat actor’s post on Florida Department of State 

ADT Internal Documents Leaked on an Underground Forum: 

On July 8, 2024, a threat actor known as Abu_Al_Sahrif leaked internal documents belonging to ADT, an American security company, on an underground forum. The leaked data includes over 2400 files related to ADT technical support and its clients. The same threat actor claimed to possess a collection of internal documents belonging to Leidos, a US-based information technology company. The dates of both the leaks range from 2020 to 2023.

Threat actor’s post on ADT

Threat actor’s post on Leidos

Sale of credit cards from USA:

A user named Staffyyyy on a dark web forum posted about selling credit cards of USA citizens obtained through sniffing. The data includes highly sensitive details such as CardNumber, CardExp, CardCvv, CardHolder information (first and last name, address, city, region, zip code, country), CardHolderIP, email, phone number, Social Security Number (SSN), password, and company details. We have observed other threat actors selling similar data across underground forums and marketplaces, often using the stolen credit cards for fraudulent transactions, identity theft, and unauthorized purchases.

Sale of credit cards and PII data on underground forum 

Sale of RDP Access to US-based organizations posted on an Underground Forum: 

Several threat actors on underground forums have been observed selling RDP (Remote Desktop Protocol) access to various U.S.-based companies across multiple sectors. These actors claim to have compromised local admin accounts or multiple hosts within organizations and typically offer this access in exchange for payment.

Sale of RDP access on Underground forums 

Top Initial Attack Vectors (IAVs) Exploited by Threat Actors:

In recent months, threat actors have been observed exploiting various vulnerabilities and misconfigurations to gain unauthorized access to systems. Below are some of the most common initial attack vectors:

Initial Attack Vector | Description
Exploiting Misconfigured Cloud Resources | Misconfigurations in cloud-based repositories such as GitHub, Bitbucket, and AWS S3 buckets are common targets, allowing attackers to steal sensitive code and data.
Compromising Active Directory | Attackers frequently target Active Directory (AD) environments to escalate privileges and access sensitive systems across enterprise networks.
Misconfigured Databases and Servers | Publicly exposed or misconfigured databases (e.g., MySQL) and servers (e.g., SMB, Apache Solr) give attackers easy access to sensitive data or remote control capabilities without needing credentials.
Exploiting Stealer Logs and Pastebin Scraping | Threat actors utilize stealer logs, which contain leaked credentials, to infiltrate systems. They also scrape Pastebin for leaked code, credentials, or other sensitive information that can be used to gain unauthorized access.
Brute-forcing Passwords | Weak or default passwords are often brute-forced, allowing attackers to access critical systems.
Exploiting Web Application Vulnerabilities | Vulnerabilities in web applications, such as SQL injection or remote code execution, are often exploited to gain initial access.
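As an added example that is not part of the CloudSEK report, the detection logic a defender might run over Windows Security logon events to spot the brute-forcing pattern in the table above, and the case where guessing ends in a successful RDP session of the kind later sold as "RDP access" in the breaches section; the event records, IP addresses and account names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive, i.e. an RDP session

# Constructed sample records in the shape (timestamp, event_id, account, source_ip,
# logon_type). They are made up for this example and are not data from the report.
SAMPLE_EVENTS = [
    # Burst of failures against the local admin account over RDP, then a success:
    # the trace a brute-forced account later offered for sale as "RDP access" leaves.
    ("2024-10-01T02:00:01", 4625, "Administrator", "203.0.113.7", 10),
    ("2024-10-01T02:00:02", 4625, "administrator", "203.0.113.7", 10),
    ("2024-10-01T02:00:04", 4625, "administrator", "203.0.113.7", 10),
    ("2024-10-01T02:00:05", 4625, "administrator", "203.0.113.7", 10),
    ("2024-10-01T02:00:07", 4625, "administrator", "203.0.113.7", 10),
    ("2024-10-01T02:00:09", 4625, "administrator", "203.0.113.7", 10),
    ("2024-10-01T02:00:12", 4624, "administrator", "203.0.113.7", 10),
    # A user mistyping a password twice: below threshold, not flagged.
    ("2024-10-01T08:15:00", 4625, "jsmith", "198.51.100.20", 10),
    ("2024-10-01T08:15:30", 4625, "jsmith", "198.51.100.20", 10),
    ("2024-10-01T08:16:10", 4624, "jsmith", "198.51.100.20", 10),
    # Slow failures two minutes apart: never five inside one 5-minute window.
    ("2024-10-01T09:00:00", 4625, "svc_backup", "192.0.2.55", 3),
    ("2024-10-01T09:02:00", 4625, "svc_backup", "192.0.2.55", 3),
    ("2024-10-01T09:04:00", 4625, "svc_backup", "192.0.2.55", 3),
    ("2024-10-01T09:06:00", 4625, "svc_backup", "192.0.2.55", 3),
    ("2024-10-01T09:08:00", 4625, "svc_backup", "192.0.2.55", 3),
    # Rapid network-logon (SMB) guessing with no success: flagged, lower severity.
    ("2024-10-01T11:30:00", 4625, "guest", "192.0.2.99", 3),
    ("2024-10-01T11:30:01", 4625, "guest", "192.0.2.99", 3),
    ("2024-10-01T11:30:02", 4625, "guest", "192.0.2.99", 3),
    ("2024-10-01T11:30:03", 4625, "guest", "192.0.2.99", 3),
    ("2024-10-01T11:30:04", 4625, "guest", "192.0.2.99", 3),
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return findings keyed by (source_ip, account).

    A pair is flagged once it accumulates `threshold` failed logons inside a
    sliding `window`; afterwards every further failure is counted and the first
    successful logon from the same source to the same account is recorded, since
    that is the moment guessing turned into access.
    """
    ordered = sorted(
        ((datetime.fromisoformat(ts), eid, acct.lower(), ip, ltype)
         for ts, eid, acct, ip, ltype in events),
        key=lambda e: e[0],
    )
    recent = defaultdict(list)  # (ip, account) -> failure timestamps inside window
    findings = {}
    for ts, eid, acct, ip, ltype in ordered:
        key = (ip, acct)
        if eid == FAILED_LOGON:
            bucket = recent[key]
            bucket.append(ts)
            while bucket and ts - bucket[0] > window:   # expire old failures
                bucket.pop(0)
            if key in findings:
                findings[key]["failures"] += 1
            elif len(bucket) >= threshold:
                findings[key] = {
                    "failures": len(bucket),
                    "first_seen": bucket[0],
                    "rdp": ltype == RDP_LOGON_TYPE,
                    "success_after": None,
                }
        elif eid == SUCCESS_LOGON and key in findings:
            if findings[key]["success_after"] is None:
                findings[key]["success_after"] = ts
    return findings


def severity(finding):
    """Rank a finding: guessing that ended in a remote-desktop session is worst."""
    if finding["success_after"] is not None:
        return "critical" if finding["rdp"] else "high"
    return "medium"


def report(events):
    """One summary line per finding, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    lines = []
    for (ip, acct), f in detect_bruteforce(events).items():
        outcome = ("logon succeeded at %s" % f["success_after"].isoformat()
                   if f["success_after"] else "no success seen")
        lines.append((rank[severity(f)], "%s %s %s: %d failures since %s, %s"
                      % (severity(f).upper(), ip, acct, f["failures"],
                         f["first_seen"].isoformat(), outcome)))
    return [text for _, text in sorted(lines)]


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

A flagged pair whose success came over RDP is the one to treat as a live intrusion rather than noise: the account should be reset and the session history reviewed, not just the source blocked.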

China's Espionage Campaign "Salt Typhoon" Targeting U.S. ISPs: 

Salt Typhoon, possibly a Chinese government-backed APT group distinct from APT41, is suspected of engaging in espionage campaigns targeting U.S. ISPs, using sophisticated tactics similar to other Chinese state-sponsored cyber activities.
The motivation behind China's Salt Typhoon campaign involves espionage to access sensitive data on ISP networks, pre-positioning for potential cyber disruptions during conflicts (especially concerning Taiwan), and gathering intelligence on U.S. critical infrastructure and cyber defense vulnerabilities for future exploitation.

The primary focus is U.S.-based ISPs using Versa Networks software, with potential secondary impacts on government agencies, military contractors, and critical infrastructure users of these ISPs. The group exploits zero-day vulnerabilities in ISP network management software, maintains persistent access using backdoors, and moves laterally through compromised systems to high-value targets.

Hacktivist Activities: 

Hacktivist groups such as ᴛᴇɴɢᴋᴏʀᴀᴋᴄʏʙᴇʀᴄʀᴇᴡ Official, Anonymous Egypt, CyberArmy of Russia, Alixsec, UserSec, and Dark Storm Team, along with their allies, have been actively targeting the United States. Many of these groups advocate pro-Palestinian and pro-Russian positions and have conducted a range of cyber operations, including DDoS attacks, website defacement, and leaking databases they claim belong to their targets. These hacktivist groups primarily focus on government entities and organizations with ties to Russia and Israel but do not limit their attacks to specific sectors, instead targeting various industries across the board.

Hacktivist groups targeting entities from the United States

Impact on the United States:

  • Identity Theft and Financial Fraud: Compromised databases can lead to unauthorized access to sensitive personal information, resulting in identity theft and financial fraud.
  • Operational Disruption: Cyber attacks, especially DDoS and ransomware, can disrupt operations of critical infrastructure and services, impacting both businesses and government agencies.
  • Data Breaches: Leaked databases and sensitive information can undermine public trust in organizations and government entities, leading to reputational damage.
  • National Security Risks: Espionage activities targeting government and defense-related organizations can lead to the theft of sensitive information, jeopardizing national security.
  • Increased Cybersecurity Costs: Organizations may face increased costs to enhance their cybersecurity measures in response to growing threats.
  • Economic Impact: Disruptions caused by cyber incidents can result in significant economic losses for affected organizations and industries.

Recommendations:

  • Enhanced Security Protocols: Implement robust security measures, such as multi-factor authentication and encryption, to protect sensitive data.
  • Regular Security Audits: Conduct frequent audits and vulnerability assessments to identify and address security weaknesses in systems and networks.
  • Employee Training: Provide cybersecurity awareness training to employees to recognize phishing attempts and other social engineering attacks.
  • Incident Response Plans: Develop and regularly update incident response plans to ensure quick and effective responses to potential breaches or attacks.
  • Collaboration with Cybersecurity Agencies: Engage with federal and local cybersecurity agencies, like CISA, for guidance on threat intelligence and best practices.
  • Monitoring and Threat Detection: Utilize advanced monitoring tools to detect unusual activities in networks and respond promptly to potential threats.
  • Public Awareness Campaigns: Educate the public on the risks of cyber threats and promote safe online practices to mitigate the impact of identity theft and fraud.

Indicators of Compromise (IoCs)

SHA256
86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498
d5c2f87033a5baeeb1b5b681f2c4a156ff1c05ccd1bfdaf6eae019fc4d5320ee
3e6317229d122073f57264d6f69ae3e145decad3666ddad8173c942e80588e69

Author

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division

Predict Cyber threats against your organization

Related Posts

Exposing the Exploitation: How CVE-2024-23897 Led to the Compromise of Github Repos via Jenkins LFI Vulnerability

This blog details how CVE-2024-23897, a Local File Inclusion (LFI) vulnerability in Jenkins, was exploited to breach Github repositories. Attackers accessed sensitive files, decrypted credentials, and used them to infiltrate private repositories. The article underscores the need for timely patching, strong authentication, and regular security audits to mitigate such threats.

Telegram Bots Masquerade as Digital Wallet Brands to push Referral Reward Scams to Indonesian Customers

In Indonesia, scammers are using Telegram bots to impersonate digital wallet brands, promoting fake referral reward schemes. These scams deceive users into sharing their account details, leading to significant financial losses. Discover the full details and protective measures in CloudSEK's comprehensive blog report.

Cybersecurity Threat Advisory: Recent Attacks Targeting Indian BFSI Sector

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Adversary Intelligence
Breach
Data leaks
Emerging Threats
Hacktivism
Malware
Ransomware
Phishing
Threat Actor Group
Threat Intelligence
Vulnerability Intelligence

12

min read

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

Over recent months, the United States has faced a surge in cyber attacks, with ransomware incidents rising sharply from June to October 2024. Prominent groups, including Play, RansomHub, Lockbit, Qilin, and Meow, have targeted sectors such as Business Services, Manufacturing, IT, and Healthcare, compromising over 800 organizations. Major attacks included a breach of the City of Columbus by Rhysida ransomware and data leaks impacting Virginia’s Department of Elections and Healthcare.gov. Additionally, China’s "Salt Typhoon" espionage campaign is aggressively targeting U.S. ISPs, further complicating the cyber threat landscape. Hacktivist groups advocating pro-Russian and pro-Palestinian positions have also increased their attacks, affecting government entities and critical infrastructure. This report highlights the need for enhanced security protocols, regular audits, and public awareness initiatives to mitigate the growing cyber risks. Key recommendations include implementing multi-factor authentication, frequent employee training, and advanced threat monitoring to safeguard the nation's critical infrastructure and public trust.

Authors
CloudSEK TRIAD
CloudSEK Threat Research and Information Analytics Division
Co-Authors
No items found.

Overview

Over the past few months, we have closely monitored the evolving landscape of cyber threats and attacks targeting the United States. Our findings indicate a significant surge in ransomware incidents from June to October 2024, impacting over 800 victims across various sectors, with a notable concentration in Business Services and Manufacturing. The Play ransomware group has emerged as the most active threat actor during this period, alongside other notable groups such as RansomHub, Lockbit, Qilin, and Meow. These groups have primarily targeted critical infrastructure, capitalizing on existing vulnerabilities to execute their attacks.

Significant incidents, such as the Rhysida ransomware attack on the City of Columbus, resulted in the compromise of sensitive data, underscoring the urgent need for enhanced security measures. Furthermore, several high-profile data breaches have affected key institutions, including TIDE, Virginia's Department of Elections, and Healthcare.gov, with threat actors selling sensitive personal information and RDP access on underground forums. We have also included the top initial attack vectors (IAVs) used by these threat actors, which include phishing emails and the exploitation of software vulnerabilities, enabling unauthorized access to critical systems.

In addition to these attacks, our report highlights China's espionage campaign, dubbed "Salt Typhoon," which is targeting the U.S. Internet Service Providers (ISPs). We also observed hacktivist activities from various groups advocating pro-Palestinian and pro-Russian positions, further complicating the cyber threat landscape.

The effects of these cyber threats extend beyond immediate financial losses, impacting public trust and the resilience of critical infrastructure across all sectors. Continuous monitoring and analysis of threat actor tactics are essential for organizations to stay ahead of potential attacks. By understanding these patterns, businesses can implement proactive measures to enhance their defenses and protect sensitive information. Investing in cybersecurity is crucial not only for safeguarding assets but also for maintaining the stability of the broader economy.

Recent Cyber Attacks on the United States

Ransomware:

In the United States, ransomware attacks have had a significant impact across various sectors, with over 800 victims reported from June to now. Numerous ransomware groups are behind these attacks, with the Play ransomware group being the most prominent. These cyberattacks have affected a wide range of industries, causing major disruptions and financial losses.

The charts below provide statistics that illustrate the sectors impacted by ransomware in the United States over the past five months. You'll also find data on the active ransomware groups during this period and monthly statistics on ransomware attacks.


In the past five months, ransomware attacks have significantly impacted various industries across the United States. The most affected sectors include:

Industry affectedNumber of attacks
Business Services152
Manufacturing121
IT & Technology87
Healthcare & Pharma84
Construction57
Education44
Non-Profit40
Government31
Transport & Logistics30
Engineering25

In addition to these, several other sectors have also been affected, including Retail, Finance & Banking, Real Estate, FMCG, Hospitality, Energy, Oil & Gas, Agriculture, Media, Entertainment & Marketing, Environmental Services, Food & Beverage, Communication, Insurance, Automobile, Telecommunications, Legal, E-commerce, and Export/Import. This highlights the widespread nature of ransomware threats across multiple industries.

Ransomware industry specific June-October 2024 statistics

Top 5 active ransomware groups targeting the United States in last 5 months:

Ransomware GroupDescription
PlayPlay ransomware, also known as PlayCrypt, is a cybercriminal group recognized for its double-extortion tactics. In the past five months, it has emerged as the most active ransomware group in the United States, targeting approximately 106 organizations. The sectors most affected by Play ransomware include Business Services, Manufacturing, Construction, Hospitality, and Transport & Logistics, among others.
RansomHubRansomhub is famous for targeting critical infrastructure and has been observed exploiting known vulnerabilities. As the second most active ransomware group in the United States over the past five months, it has attacked approximately 89 organizations. The sectors most affected by Ransomhub include Business Services, Manufacturing, IT & Technology, Healthcare & Pharma, and Transport & Logistics, among others.
LockbitLockbit is a notorious ransomware group recognized for its aggressive and widespread attacks across various industries. Utilizing advanced encryption techniques, they demand substantial ransoms from their victims. In the last five months, Lockbit has targeted approximately 44 organizations in the United States, affecting a diverse range of sectors, including Healthcare & Pharma, Finance & Banking, IT & Technology, Manufacturing, Business Services, and others.
QuilinQilin, the fourth most active ransomware group in the United States, has targeted 42 organizations over the past five months. Known for exploiting vulnerabilities and using phishing and spear-phishing emails, Qilin gains access to credentials and spreads laterally within networks. The group has affected sectors such as Business Services, Healthcare & Pharma, IT & Technology, Non-Profit, and Finance & Banking, among others.
MeowMeow, the fifth most active ransomware group in the United States, has targeted 40 organizations over the past five months. Based on the latest data, the top five affected industries by Meow ransomware are Business Services, Healthcare & Pharma, Manufacturing, IT & Technology, and Environmental Services, among others

Most active ransomware groups in the United States June-October 2024 statistics

In the past five months, ransomware attacks in the United States increased from 175 in June 2024 to 214 in July, peaked at 217 in August, and then decreased to 199 in September, with 66 attacks reported so far in October 2024.

Monthly statistics on number of ransomware attacks 

City of Columbus Targeted by Rhysida Ransomware

On July 31, 2024, Rhysida ransomware listed the City of Columbus, Ohio, as a victim on their leak site. The group exfiltrated 6.5TB of data, which included internal employee logins and passwords, a complete dump of servers housing emergency services applications, and access to city video camera feeds. Rhysida claimed that 55% of the stolen data was sold, while the remaining 45% was uploaded to their leak site for free and was not part of the sale. The attack on the City of Columbus poses significant risks, including potential exposure of sensitive employee information, disruption of emergency services, and compromised security of city surveillance systems.

 Rhysida’s post on their leak site 

Data Breaches:

This section highlights recent significant data breaches affecting the United States, focusing on the compromised databases of key institutions and the sale of sensitive personal information. These incidents underscore the serious risks linked to unauthorized access to personal and financial data, which can lead to identity theft, financial fraud, and operational disruptions. In addition to the breaches listed below, numerous other incidents have been reported on underground forums, impacting both large and small organizations across various sectors in the United States.

TIDE NATO Data Leak:

On July 7, 2024, a threat actor known as "natohub" posted on an underground forum, claiming to have obtained a significant data leak from TIDE (Think-Tank for Information Decision and Execution Superiority), a NATO-affiliated organization. The leak reportedly includes 643 CSV files containing sensitive information such as user data, user groups, physical and virtual servers, and event logs. A large portion of the data pertains to users from the United States.

Threat actor’s post on TIDE NATO

Data posted by the threat actor contains data belonging to users from United States

Virginia Department of Elections Database Leaked on Underground Forum:

A reputed threat actor known as IntelBroker has leaked a database belonging to the Virginia Department of Elections. The database contains sensitive information such as voter names, addresses, and party affiliations.

Virginia Department of Elections Database posted on an Underground forum

Healthcare.gov Database posted on Underground Forum:

A threat actor known as HealthDontCare was seen posting a healthcare.gov database. The actor claims to have exploited several vulnerabilities to gain access to the data and is offering the database for free as the threat actor wasn’t paid an extortion fee. The database includes Personally Identifiable Information (PII) of users, such as names, addresses, phone numbers, and email addresses.

Threat actor’s post on healthcare.gov

Classified Federal Bureau of Investigation (FBI) data posted on a forum:

A reputed threat actor known as komi posted on the underground forum, claiming to have hacked the Federal Bureau of Investigation (FBI) and obtained sensitive user data.

Threat actor’s post on FBI

Leaked Data of National Security Agency:

On July 8, 2024, A threat actor known as Gostingr posted on an underground forum, claiming to possess 1.4 GB of sensitive data belonging to the National Security Agency (NSA) of the United States. The data includes full names, email addresses, office numbers, personal cell numbers, and classified information. Gostingr claims to have obtained the data by breaching into Acuity Inc., a company that works directly with the US Government and its allies.

Threat actor’s post on NSA

Florida Department of State data breach:

A threat actor known as HikkI-Chan has posted on the underground forum, offering to sell a massive database allegedly belonging to the Florida Department of State (FDOS). The database is claimed to contain over 17 million unique email addresses and Personally Identifiable Information (PII) of approximately 5 million individuals. The data includes full names, IDs, addresses, phone numbers, and more. Additionally, the database reportedly contains information on 83,211 organizations associated with the FDOS, including legal names, DBA names, phone numbers, work titles, work emails, cities, and other details. 

Threat actor’s post on Florida Department of State 

ADT Internal Documents Leaked on an Underground Forum: 

On July 8, 2024, a threat actor known as Abu_Al_Sahrif leaked internal documents belonging to ADT, an American security company, on an underground forum. The leaked data includes over 2,400 files related to ADT technical support and its clients. The same threat actor claimed to possess a collection of internal documents belonging to Leidos, a US-based information technology company. The documents in both leaks are dated between 2020 and 2023.

Threat actor’s post on ADT

Threat actor’s post on Leidos

Sale of credit cards from USA:

A user named Staffyyyy on a dark web forum advertised credit card records of US citizens obtained through "sniffing" (carding slang for capturing card data as it is entered, typically with a skimmer injected into a checkout page). The records include highly sensitive fields such as CardNumber, CardExp, CardCvv, cardholder information (first and last name, address, city, region, zip code, country), CardHolderIP, email, phone number, Social Security Number (SSN), password, and company details. We have observed other threat actors selling similar data across underground forums and marketplaces; the stolen cards are typically used for fraudulent transactions, identity theft, and unauthorized purchases.

Sale of credit cards and PII data on underground forum 

Sale of RDP Access to US-based organizations posted on an Underground Forum: 

Several threat actors on underground forums have been observed selling RDP (Remote Desktop Protocol) access to U.S.-based companies across multiple sectors. These actors claim to have compromised local administrator accounts or multiple hosts within the organizations and typically offer the access in exchange for payment.

Sale of RDP access on Underground forums 
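A foothold of this kind is very often obtained by guessing passwords on an RDP service exposed to the internet (see "Brute-forcing Passwords" in the attack-vector list below), so the first detection worth having is a failure-burst rule on Windows logon events. The following is an added example, not code from the report or from CloudSEK: it runs a sliding-window check over constructed Windows Security event records, where Event ID 4625 is a failed logon, 4624 a successful one, and LogonType 10 marks RDP (RemoteInteractive). The threshold and window are illustrative choices, not vendor defaults.

```python
"""Sliding-window detection of RDP brute force / password spraying and of a
successful logon that follows a failure burst. Input records are constructed
for this example in the shape of Windows Security log fields
(TimeCreated, EventID, TargetUserName, IpAddress, LogonType); a real pipeline
would parse them from EVTX/XML or a SIEM export."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (all values invented for the demonstration).
SAMPLE_EVENTS = [
    ("2024-07-08T02:00:01", 4625, "administrator", "203.0.113.45", 10),
    ("2024-07-08T02:00:09", 4625, "admin",         "203.0.113.45", 10),
    ("2024-07-08T02:00:17", 4625, "backup",        "203.0.113.45", 10),
    ("2024-07-08T02:00:25", 4625, "jsmith",        "203.0.113.45", 10),
    ("2024-07-08T02:00:33", 4625, "jsmith",        "203.0.113.45", 10),
    ("2024-07-08T02:00:41", 4625, "jsmith",        "203.0.113.45", 10),
    ("2024-07-08T02:01:40", 4624, "jsmith",        "203.0.113.45", 10),  # success after burst
    ("2024-07-08T02:02:00", 4624, "svc-backup",    "10.0.0.12",    3),   # network logon, not RDP
    ("2024-07-08T09:15:00", 4625, "jdoe",          "198.51.100.7", 10),  # single typo, benign
    ("2024-07-08T09:15:20", 4624, "jdoe",          "198.51.100.7", 10),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding
    window, and record whether a successful RDP logon from the same IP landed
    while the burst was still inside the window. That second case (success
    after burst) is what turns an access-broker listing into a real foothold,
    so it should page rather than merely log. Returns alert dicts sorted by IP."""
    failures = defaultdict(deque)   # source_ip -> deque[(timestamp, username)]
    alerts = {}
    for ts_str, event_id, user, ip, logon_type in sorted(events, key=lambda e: e[0]):
        if logon_type != 10:        # 10 = RemoteInteractive (RDP); other types are out of scope here
            continue
        ts = datetime.fromisoformat(ts_str)
        q = failures[ip]
        while q and ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if event_id == 4625:
            q.append((ts, user))
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"source_ip": ip, "failures": 0,
                                               "accounts": set(), "success_user": None})
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"].update(u for _, u in q)
        elif event_id == 4624 and ip in alerts and len(q) >= threshold:
            alerts[ip]["success_user"] = user   # burst still in window: likely compromised account
    for alert in alerts.values():
        alert["accounts"] = sorted(alert["accounts"])
    return sorted(alerts.values(), key=lambda a: a["source_ip"])


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The single failed attempt from 198.51.100.7 never reaches the threshold and produces nothing; the burst from 203.0.113.45 is reported once, with the accounts it tried and the account that finally logged in. A production rule would add the failure sub-status (0xC000006A wrong password versus 0xC0000064 unknown user) to separate spraying of valid accounts from blind enumeration.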

Top Initial Attack Vectors (IAVs) Exploited by Threat Actors:

In recent months, threat actors have been observed exploiting various vulnerabilities and misconfigurations to gain unauthorized access to systems. Below are some of the most common initial attack vectors:

  • Exploiting Misconfigured Cloud Resources: Misconfigurations in cloud-based repositories and storage such as GitHub, Bitbucket, and AWS S3 buckets are common targets, allowing attackers to steal sensitive code and data.
  • Compromising Active Directory: Attackers frequently target Active Directory (AD) environments to escalate privileges and access sensitive systems across enterprise networks.
  • Misconfigured Databases and Servers: Publicly exposed or misconfigured databases (e.g., MySQL) and services (e.g., SMB, Apache Solr) give attackers access to sensitive data or remote control capabilities without needing credentials.
  • Exploiting Stealer Logs and Pastebin Scraping: Threat actors use infostealer logs, which contain harvested credentials, to log in to systems. They also scrape Pastebin for leaked code, credentials, or other sensitive information that can be used to gain unauthorized access.
  • Brute-forcing Passwords: Weak or default passwords are brute-forced, allowing attackers to access critical systems.
  • Exploiting Web Application Vulnerabilities: Vulnerabilities in web applications, such as SQL injection or remote code execution, are exploited to gain initial access.
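The first vector in the list is the easiest to check for before it is exploited. As an added example, not taken from the report, the Python below audits an S3 bucket policy document and the bucket's Public Access Block flags offline for grants to anonymous principals. Both policy documents are constructed; the bucket name, account ID, and role name in them are placeholders. The "LooksScoped" statement shows the trap the audit is written for: a Condition is present, but an aws:SourceIp of 0.0.0.0/0 scopes nothing.

```python
"""Offline audit of an S3 bucket policy and Public Access Block configuration.
Policy documents and all identifiers below are constructed for this example."""
import json

# Weak: a "private" artifact bucket that is in fact world-readable twice over.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-build-artifacts",
                      "arn:aws:s3:::example-build-artifacts/*"]},
        {"Sid": "LooksScoped", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-build-artifacts/*",
         # a Condition exists, but 0.0.0.0/0 matches every source address
         "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}},
    ],
}

# Hardened: read access limited to one CI role, cleartext transport denied.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CiRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-deploy"},  # placeholder account/role
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-build-artifacts",
                      "arn:aws:s3:::example-build-artifacts/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-build-artifacts",
                      "arn:aws:s3:::example-build-artifacts/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _condition_is_open(condition):
    """Recognise the common 'scoped' condition that scopes nothing at all."""
    for operator, pairs in condition.items():
        if operator.lower() == "ipaddress":
            for key, values in pairs.items():
                if key.lower() == "aws:sourceip" and any(
                        v in ("0.0.0.0/0", "::/0") for v in _as_list(values)):
                    return True
    return False


def find_anonymous_grants(policy):
    """Return one finding per Allow statement granted to an anonymous principal.
    Severity is 'public' when there is no Condition or the Condition is open,
    and 'review-condition' when a Condition exists that a human must judge
    (e.g. aws:PrincipalOrgID or aws:SourceVpce can legitimately scope "*")."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue   # Deny statements with Principal "*" are guardrails, not exposure
        condition = stmt.get("Condition") or {}
        severity = "public" if not condition or _condition_is_open(condition) else "review-condition"
        findings.append({"sid": stmt.get("Sid", "<no Sid>"), "severity": severity,
                         "actions": _as_list(stmt.get("Action", []))})
    return findings


def public_access_block_gaps(config):
    """Return the Public Access Block flags that are not set to True; all four
    must be on for the bucket to be shielded from a later policy/ACL mistake."""
    return [flag for flag in PAB_FLAGS if not config.get(flag, False)]


if __name__ == "__main__":
    print(find_anonymous_grants(WEAK_POLICY))      # two 'public' findings
    print(find_anonymous_grants(HARDENED_POLICY))  # []
    print(public_access_block_gaps({"BlockPublicAcls": True}))
```

In practice the policy document comes from `aws s3api get-bucket-policy` and the flags from `aws s3api get-public-access-block`; keeping the check offline means it can also run in CI against policy-as-code before the bucket exists. The Public Access Block check matters as much as the policy check: with all four flags on, a public grant added later by mistake is refused at write time.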

China's Espionage Campaign "Salt Typhoon" Targeting U.S. ISPs: 

Salt Typhoon, assessed to be a Chinese state-backed APT group distinct from APT41, is suspected of running espionage campaigns against U.S. ISPs, using tradecraft similar to that of other Chinese state-sponsored operations.
The likely motivations are espionage against data held on ISP networks, pre-positioning for disruptive operations during a future conflict (notably over Taiwan), and reconnaissance of U.S. critical infrastructure and of gaps in its cyber defenses for later exploitation.

The primary targets are reported to be U.S.-based ISPs running Versa Networks software, with secondary exposure for the government agencies, military contractors, and critical infrastructure operators that depend on those ISPs. The group is reported to exploit zero-day vulnerabilities in ISP network management software, maintain persistence through backdoors, and move laterally from compromised systems toward high-value targets. ISPs running the affected software should confirm that the management plane is not reachable from the internet and review it for unexpected accounts and binaries, since an espionage actor with a backdoor on that plane has a vantage point over every downstream customer.

Hacktivist Activities: 

Hacktivist groups such as ᴛᴇɴɢᴋᴏʀᴀᴋᴄʏʙᴇʀᴄʀᴇᴡ Official, Anonymous Egypt, CyberArmy of Russia, Alixsec, UserSec, and Dark Storm Team, along with their allies, have been actively targeting the United States. Many of these groups advocate pro-Palestinian and pro-Russian positions and have conducted a range of operations, including DDoS attacks, website defacements, and the release of databases they claim belong to their targets. These groups primarily focus on government entities and organizations with ties to Russia and Israel, but they do not limit themselves to particular sectors and have hit targets across a range of industries.

Hacktivists groups targeting entities from United States 

Impact on the United States:

  • Identity Theft and Financial Fraud: Compromised databases can lead to unauthorized access to sensitive personal information, resulting in identity theft and financial fraud.
  • Operational Disruption: Cyber attacks, especially DDoS and ransomware, can disrupt operations of critical infrastructure and services, impacting both businesses and government agencies.
  • Data Breaches: Leaked databases and sensitive information can undermine public trust in organizations and government entities, leading to reputational damage.
  • National Security Risks: Espionage activities targeting government and defense-related organizations can lead to the theft of sensitive information, jeopardizing national security.
  • Increased Cybersecurity Costs: Organizations may face increased costs to enhance their cybersecurity measures in response to growing threats.

  • Economic Impact: Disruptions caused by cyber incidents can result in significant economic losses for affected organizations and industries.

Recommendations:

  • Enhanced Security Protocols: Implement robust security measures, such as multi-factor authentication on every remote-access path (RDP, VPN, cloud consoles) and encryption of data in transit and at rest, to protect sensitive data.
  • Regular Security Audits: Conduct frequent audits and vulnerability assessments, including checks for internet-exposed databases, file shares, and cloud storage, to identify and address security weaknesses in systems and networks.
  • Employee Training: Provide cybersecurity awareness training to employees to recognize phishing attempts and other social engineering attacks.
  • Incident Response Plans: Develop and regularly update incident response plans to ensure quick and effective responses to potential breaches or attacks.
  • Collaboration with Cybersecurity Agencies: Engage with federal and local cybersecurity agencies, like CISA, for guidance on threat intelligence and best practices.
  • Monitoring and Threat Detection: Utilize advanced monitoring tools to detect unusual activities in networks and respond promptly to potential threats.
  • Public Awareness Campaigns: Educate the public on the risks of cyber threats and promote safe online practices to mitigate the impact of identity theft and fraud.

Indicators of Compromise (IoCs)

SHA256
86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498
d5c2f87033a5baeeb1b5b681f2c4a156ff1c05ccd1bfdaf6eae019fc4d5320ee
3e6317229d122073f57264d6f69ae3e145decad3666ddad8173c942e80588e69
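How indicators like these are used on a host, as an added example that is not part of the report: a Python sweep that hashes every regular file under a directory tree and reports matches against the indicator set. The report's three SHA-256 values are the default set; the files that demo() creates are constructed for the demonstration and their hashes are added to the set at run time so the sweep has something to find.

```python
"""Sweep a directory tree for files whose SHA-256 matches a set of indicators.
REPORT_IOCS holds the three hashes listed in this report; everything demo()
writes to disk is constructed sample data."""
import hashlib
import os
import tempfile
from pathlib import Path

REPORT_IOCS = {
    "86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498",
    "d5c2f87033a5baeeb1b5b681f2c4a156ff1c05ccd1bfdaf6eae019fc4d5320ee",
    "3e6317229d122073f57264d6f69ae3e145decad3666ddad8173c942e80588e69",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs=REPORT_IOCS):
    """Return [(path, sha256)] for every regular file under root whose hash is in iocs.
    Symlinks are skipped (they would be hashed via their target and could loop),
    and unreadable files are skipped rather than aborting the sweep, because a
    locked or permission-denied file is normal on a live host."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or not path.is_file():
                    continue
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((str(path), digest))
    return hits


def demo():
    """Build a throwaway tree with one 'suspect' file and one benign file, add the
    suspect file's hash to the report's set, and return the names that matched."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "suspect.bin"
        suspect.write_bytes(b"constructed sample payload\n")       # constructed content
        (Path(tmp) / "notes.txt").write_text("nothing to see here\n")
        hits = scan_tree(tmp, REPORT_IOCS | {sha256_file(suspect)})
        return sorted(Path(p).name for p, _ in hits)


if __name__ == "__main__":
    print(demo())   # ['suspect.bin']
```

A hash match is a high-confidence but narrow signal: recompiling or padding the sample changes the digest, so treat a hit as confirmation of a known sample rather than the absence of hits as a clean bill of health.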
