What the breaches actually teach us

An ALPHV/BlackCat affiliate used stolen credentials to access a Citrix portal that lacked MFA. They moved laterally for 9 days, exfiltrating 6 TB of data including PHI, SSNs, and medical records for 192.7 million individuals. Ransomware was deployed after the data was already gone. UHG paid $22M in ransom. The affiliate kept the data anyway and re-extorted via RansomHub.

Scattered Spider called the IT help desk, impersonated an employee using LinkedIn research, and got Okta Super Admin + Azure Global Admin in a 10-minute phone call. They set up a rogue identity provider for persistent access, dumped domain credentials, then exfiltrated ~6 TB via Mega.nz and Dropbox before deploying BlackCat ransomware to 100+ ESXi hypervisors.

UNC5537 systematically compromised ~165 Snowflake customer instances using credentials harvested by infostealer malware — some dating back to 2020. No MFA, no credential rotation, no network allow lists. Ticketmaster (560M records), AT&T (109M call logs), Santander, LendingTree, and more. No encryption was deployed in any case.

Cl0p exploited CVE-2023-34362 (SQL injection → RCE) in Progress Software's MOVEit Transfer at mass scale. Evidence shows they tested the exploit for 2 years before deploying it. They used MOVEit's own file transfer functionality to exfiltrate data in ~95% of cases. No lateral movement, no ransomware. Pure smash-and-grab exfiltration at industrial scale.

Same Scattered Spider group that hit MGM, but a week earlier. Social engineering of an outsourced IT vendor — no identity verification procedures. 20-day dwell time. Complete Caesars Rewards loyalty database exfiltrated (65M members, SSNs, driver's licenses). No ransomware deployed. Caesars negotiated from $30M to $15M and paid.

Russian SVR (APT29) password-sprayed a legacy test tenant account that lacked MFA. Used residential proxies to appear legitimate. Pivoted via a legacy OAuth app with excessive permissions to create a Global Admin in the production tenant. Granted themselves full_access_as_app to all mailboxes. Read senior leadership, cybersecurity, and legal team email for 7 weeks. Also accessed source code repositories.

An Okta employee synced work credentials to a personal Google account via Chrome Sync. Attacker compromised the personal account, accessed Okta's support system, downloaded HAR files containing active session tokens, and hijacked sessions of 5 customers including 1Password, BeyondTrust, and Cloudflare. A 14-day investigation gap occurred because file-level access logs used different record IDs than case-level logs.

Chinese MSS-affiliated group compromised 9+ major US telecom providers and orgs in 80+ countries. Accessed CALEA lawful intercept/wiretap systems. Used edge device exploits (Cisco, Ivanti, Palo Alto, Fortinet) and custom in-memory malware. Deployed Linux containers on Cisco routers to process data locally. Call metadata for 1M+ users concentrated in Washington D.C.