A Brief History of Mass Hacks | Cyber Security Timeline

The Paradox of Enterprise Cybersecurity
Enterprise cybersecurity tools – including essential components like routers, firewalls, and VPNs – are implemented to safeguard corporate networks against unauthorized access and the activities of malicious actors.
This protection is especially critical given the increasing prevalence of remote and hybrid work models.
Vulnerabilities Within Security Systems
Despite being marketed as safeguards against external threats, numerous cybersecurity products have repeatedly demonstrated the presence of software bugs.
These vulnerabilities can be exploited by malicious hackers, potentially compromising the networks the products were intended to defend.
The Rise of Mass-Hacking Campaigns
Such flaws have been directly linked to a significant increase in large-scale mass-hacking campaigns in recent years.
Hackers exploit these often readily available security weaknesses to infiltrate the networks of a vast number of organizations.
The ultimate goal of these intrusions is typically the theft of confidential and sensitive company data.
A Historical Overview of Mass Hacks
Below is a concise timeline detailing notable mass hack incidents.
This article will be continuously updated as new incidents are reported and become known.
January 2023: Security Breaches Affecting 130 Organizations via Fortra File-Transfer Tool
Early 2023 saw a significant wave of cyberattacks targeting organizations using Fortra’s GoAnywhere managed file transfer software. This software is commonly employed by businesses for the secure exchange of large files and confidential data across networks.
A well-known ransomware group, Clop, capitalized on a security flaw within the GoAnywhere platform. This exploitation led to compromises affecting over 130 organizations and the exfiltration of personal information belonging to millions.
Zero-Day Vulnerability Exploitation
The vulnerability was actively exploited as a zero-day threat. This meant that Fortra was unaware of the issue and had no opportunity to implement a patch prior to the attacks commencing.
Following successful intrusions, Clop proceeded to publish data obtained from organizations that refused to comply with ransom demands.
Notable Victims of the Attacks
Several prominent entities reported experiencing breaches as a direct consequence of the software’s vulnerability. These included:
- Hitachi Energy
- Rubrik, a leading cybersecurity firm
- NationBenefits, a Florida-based healthcare technology company, where the data of over three million members was compromised.
The incident underscores the critical importance of robust security measures and prompt vulnerability patching in managed file transfer solutions.
May 2023: Data Breach Affecting 60 Million Individuals Linked to MOVEit Vulnerabilities
A significant data compromise stemming from vulnerabilities within the MOVEit file transfer software continues to be recognized as one of the most extensive mass breaches recorded.
This incident involved unauthorized access facilitated by a flaw in the software, created by Progress Software, impacting numerous organizations and resulting in substantial data theft.
Clop Ransomware Group Claims Responsibility
The Clop ransomware group has asserted responsibility for these attacks.
They exploited a security weakness in MOVEit to acquire data pertaining to over 60 million people, as reported by the cybersecurity firm Emsisoft.
Maximus as a Major Victim
Maximus, a prominent U.S. government services contractor, experienced the most significant impact from the MOVEit breach.
The company confirmed that malicious actors gained access to the protected health information of approximately 11 million individuals.
This breach underscores the critical importance of robust security measures for file transfer software and the potential consequences of software vulnerabilities.
October 2023: Cisco Zero-Day Vulnerability Led to Widespread Router Compromises
Throughout October of 2023, a significant wave of cyberattacks targeted network infrastructure. Hackers actively exploited a previously unknown zero-day vulnerability present within Cisco’s networking software.
This exploitation resulted in the compromise of a substantial number of devices. Affected systems included enterprise switches, wireless controllers, access points, and critical industrial routers.
Successful attacks provided malicious actors with complete administrative control over the affected devices. This level of access represents a severe security risk.
While Cisco did not release specific figures regarding the scope of the breach, independent analysis provided valuable insight. Censys, a leading internet-connected device search engine, reported observing nearly 42,000 devices demonstrably exposed and compromised.
The vulnerability allowed attackers to gain full control of the compromised systems. This highlights the importance of timely security patching and proactive vulnerability management.
November 2023: Citrix Vulnerability Exploited by Ransomware Group
In November 2023, a security flaw in Citrix NetScaler became a widespread target for malicious actors. This application delivery and VPN connectivity solution is commonly utilized by major corporations and governmental organizations.
The vulnerability, dubbed “CitrixBleed,” enabled the LockBit ransomware group – believed to have ties to Russia – to illicitly obtain confidential data from vulnerable NetScaler installations.
Notable Victims of the CitrixBleed Exploit
Several high-profile organizations reported being impacted by this breach. These included prominent entities such as Boeing, a leading aerospace manufacturer.
The international law firm Allen & Overy also confirmed its systems were compromised.
Furthermore, the Industrial and Commercial Bank of China was reportedly among those affected by the exploitation of this critical security flaw.
LockBit asserted responsibility for accessing sensitive information from these and other organizations through the CitrixBleed vulnerability.
January 2024: Chinese Hackers Leveraged Ivanti VPN Flaws for Corporate Breaches
The name Ivanti gained prominence in connection with widespread hacking incidents following the discovery that state-sponsored Chinese hackers were actively exploiting two critical, previously unknown (zero-day) vulnerabilities within Ivanti’s Connect Secure VPN appliance.
Initially, Ivanti indicated a limited scope of impacted customers. However, cybersecurity firm Volexity determined that over 1,700 Ivanti appliances globally had been compromised.
This widespread exploitation impacted organizations across several key sectors, including aerospace, banking, defense, and telecommunications.
Government Response and Affected Sectors
U.S. government agencies operating vulnerable Ivanti systems received directives to immediately disconnect those systems from their networks.
Investigations have connected the exploitation of these vulnerabilities to a China-affiliated espionage group identified as Salt Typhoon.
Recent findings reveal that Salt Typhoon has also successfully infiltrated the networks of at least nine U.S. telecommunications providers.
- Key Takeaway: The Ivanti VPN vulnerabilities presented a significant security risk to a diverse range of organizations.
- Attribution: The attacks are attributed to the Salt Typhoon espionage group, linked to Chinese state actors.
- Impact: Critical infrastructure and sensitive data were potentially compromised across multiple industries.
The incident underscores the importance of rapid vulnerability patching and robust network security measures.
February 2024: ConnectWise Customers Affected by Remote Access Tool Vulnerabilities
During February 2024, a security breach impacted customers of ConnectWise due to exploitable weaknesses within their ScreenConnect remote access software. This tool is widely used by IT professionals to deliver remote technical support directly to client systems.
Vulnerability Details
Cybersecurity firm Mandiant reported observing widespread exploitation of two specific vulnerabilities present in ConnectWise ScreenConnect.
- These flaws were characterized as being relatively simple to exploit.
- Multiple threat actors leveraged these vulnerabilities for malicious purposes.
The exploitation resulted in the deployment of various malicious software.
- Password stealers were used to compromise user credentials.
- Backdoors were installed to maintain persistent access to affected systems.
- In certain instances, ransomware was deployed, encrypting data and demanding payment for its release.
Mandiant’s research indicated a “mass exploitation” campaign was underway, targeting a broad range of users.
Ivanti Customers Targeted by New Exploits
In February 2024, Ivanti experienced another security incident, with attackers leveraging a newly discovered vulnerability. This affected customers utilizing the company’s enterprise VPN appliance.
The exploitation was brought to light by the Shadowserver Foundation, a nonprofit dedicated to internet threat monitoring. They reported observing over 630 distinct IP addresses actively attempting to exploit a server-side flaw.
Details of the Vulnerability
This particular vulnerability grants unauthorized access to devices and systems that were intended to be secured by the affected Ivanti appliances. Attackers were able to bypass security measures.
TechCrunch was informed by the Shadowserver Foundation regarding the scale of the exploitation attempts. The widespread targeting indicates a significant and coordinated attack campaign.
This incident follows previous security concerns surrounding Ivanti products, highlighting ongoing challenges in maintaining robust cybersecurity for enterprise solutions. The company had previously been in the news for similar vulnerabilities.
November 2024: Security Flaws in Palo Alto Firewalls Expose Thousands of Businesses
In late 2024, a significant security incident impacted potentially thousands of organizations globally. This breach stemmed from the exploitation of two previously unknown, or zero-day, vulnerabilities within software developed by leading cybersecurity provider, Palo Alto Networks.
These vulnerabilities were identified within PAN-OS, the operating system powering Palo Alto’s next-generation firewalls. Successful exploitation granted attackers the ability to compromise systems and illicitly extract confidential data from corporate networks.
Root Cause Analysis
Investigations conducted by watchTowr Labs security researchers, involving the detailed analysis of Palo Alto’s security updates, revealed the origin of these flaws. The issues were traced back to fundamental errors made during the software development lifecycle.
The researchers determined that these were not complex exploits, but rather stemmed from basic coding oversights. This suggests a potential weakness in the quality assurance processes employed by Palo Alto Networks.
The compromised firewalls acted as a gateway for attackers, allowing them to bypass established security measures. This highlights the critical importance of robust firewall security and rapid patching of vulnerabilities.
- Impact: Potential compromise of sensitive corporate data.
- Affected Systems: Palo Alto Networks next-generation firewalls running PAN-OS.
- Vulnerability Type: Zero-day vulnerabilities.
Organizations relying on Palo Alto Networks firewalls were strongly advised to apply the available security patches promptly. This action is crucial to mitigate the risk of exploitation and protect valuable data assets.
December 2024: Cleo Customers Affected by Clop
During December 2024, the Clop ransomware group initiated a new series of widespread cyberattacks, focusing on a commonly used file transfer technology. The group successfully exploited vulnerabilities within software developed by Cleo Software, a company based in Illinois specializing in enterprise-level solutions.
This exploitation allowed Clop to target a significant number of Cleo’s clientele. By early January 2025, the ransomware gang claimed to have compromised nearly 60 companies utilizing Cleo’s products.
Among the organizations allegedly impacted were prominent entities such as Blue Yonder, a major U.S. provider of supply chain software, and Covestro, a leading German manufacturing firm. Further disclosures followed, with Clop adding an additional 50 potential victims to its dark web leak site by the end of January.
Details of the Cleo Software Breach
The attacks leveraged weaknesses in Cleo’s file transfer tools, enabling unauthorized access to sensitive data. This incident highlights the ongoing risk posed by ransomware groups to organizations relying on third-party software.
Clop’s tactics involved exploiting these vulnerabilities to gain access to customer systems and subsequently exfiltrate data, threatening its release unless a ransom was paid. The scale of the breach underscores the importance of robust security measures and proactive vulnerability management.
The listing of affected companies on Clop’s dark web leak site served as public confirmation of the data compromise, putting pressure on the victims to negotiate with the attackers.
January 2025: Emerging Threats and Ivanti Vulnerabilities
The start of the new year saw Ivanti targeted by malicious actors, marking another security incident for the company. In early January 2025, the U.S.-based software developer informed its clientele of a newly discovered zero-day vulnerability present within its enterprise VPN appliance.
This flaw was actively being exploited by hackers to compromise the networks of Ivanti’s business customers. While Ivanti reported a “limited number” of affected organizations, the exact scope remains undisclosed.
Evidence of Widespread Exploitation
However, data collected by the Shadowserver Foundation suggests a considerably larger impact. Their findings indicate that hundreds of customer systems had been compromised and backdoored as a result of the vulnerability.
The exploitation of this zero-day represents a significant security challenge for organizations relying on Ivanti’s VPN solutions. It underscores the ongoing need for proactive security measures and rapid vulnerability patching.
- Zero-day vulnerability: A flaw in software unknown to the vendor and for which no patch exists.
- Enterprise VPN appliance: A hardware or software solution used to provide secure remote access to a corporate network.
The incident highlights the critical importance of maintaining robust cybersecurity defenses, particularly for systems handling sensitive data and providing network access. Continuous monitoring and threat intelligence are essential for mitigating risks.
Fortinet Firewall Vulnerabilities Exploited for Months
Following the recent disclosure of vulnerabilities affecting Ivanti products, Fortinet has acknowledged that its firewalls have been the target of ongoing exploitation. Hackers have been leveraging a security flaw within Fortinet’s FortiGate firewalls to gain unauthorized access to the networks of businesses and larger organizations.
Security research teams indicate this vulnerability has been actively exploited since at least December 2024, operating as a zero-day exploit. This means the flaw was actively used before a patch was available.
Details of the Exploitation
Fortinet has not released specific numbers regarding the scope of the compromise. However, investigations by security researchers have revealed intrusions impacting a significant number of devices – estimated to be in the “tens”.
The exploited flaw resides within the FortiGate firewall product line. This has allowed attackers to bypass security measures and potentially access sensitive data or disrupt network operations.
The ongoing nature of this exploitation underscores the critical importance of proactive security measures and timely patching of vulnerabilities. Organizations utilizing Fortinet firewalls are urged to review security advisories and implement recommended mitigations.
- The vulnerability has been exploited since December 2024.
- The exploitation is considered a zero-day attack.
- Impacted devices are estimated to be in the “tens”.
Further analysis and updates will be provided as more information becomes available from Fortinet and the security research community.
SonicWall Reports Active Exploitation of Customer Systems by Hackers
January 2025 has seen continued malicious activity, with hackers actively targeting vulnerabilities in enterprise-level security solutions. SonicWall has recently announced that attackers are leveraging a recently identified flaw within one of its products to gain unauthorized access to customer networks.
This vulnerability impacts SonicWall’s SMA1000 remote access appliance. Microsoft’s threat intelligence team initially discovered the issue and has confirmed its active exploitation.
Details of the Vulnerability
SonicWall has stated that the vulnerability is currently being exploited in real-world attacks. The company has not yet disclosed the precise number of affected customers.
Furthermore, SonicWall has indicated that determining the full extent of compromised systems remains a technical challenge. However, with over 2,300 devices publicly accessible online, the potential for widespread compromise is significant. This situation could evolve into another large-scale hacking incident in 2025.
- Affected Product: SonicWall SMA1000 remote access appliance.
- Discovery: Identified by Microsoft threat researchers.
- Exploitation Status: Confirmed as actively exploited.
- Potential Impact: Over 2,300 exposed devices.
The ongoing exploitation underscores the critical importance of promptly applying security updates and maintaining robust network security practices. Organizations utilizing the SMA1000 appliance are urged to review SonicWall’s security advisories and implement recommended mitigation strategies.