The top 5 security events in 2024 and what they mean

The year is almost over. What has happened, what does it mean – and what do we make of it? Jürgen Schmidt from heise security presents his top 5 for 2024.

Display systems at Denver International Airport down after the faulty Crowdstrike update.

The Crowdstrike debacle: Faulty security software paralyzes critical IT systems worldwide – like here at Denver airport.

(Image: CLS Digital Arts/Shutterstock.com)


As the year draws to a close, we take a look back at the security events that shaped 2024 and gained significance beyond the current context.

An analysis by Jürgen Schmidt
A commentary by Jürgen Schmidt

Jürgen Schmidt, aka ju, is head of heise Security and Senior Fellow Security at Heise-Verlag. A physicist by training, he has worked at Heise for over 25 years and is also interested in networks, Linux and open source. He currently focuses primarily on heise Security Pro.

There was this small library with compression functions that was used by countless projects, but whose sole maintainer was suffering from acute burnout. He gladly accepted the help of the supposed helper "Jia Tan", who then used his position as co-maintainer to inject a sophisticated backdoor into the source code that targeted the SSH service. However, it was discovered just in time; the Internet narrowly avoided a worst-case catastrophe.

Why is this important?

Nine months later, we still don't know who was behind this sophisticated campaign – and what they were up to. After all, attackers who are so careful don't lay all their eggs in one nest. I am convinced that there is more to it than that. This incident also highlights the often neglected social component of IT. And finally: billion-dollar corporations and entire countries are apparently relying more and more on unpaid volunteers to sacrifice their free time and be measured against standards that the beneficiaries themselves do not meet.

Back in 2023, suspected Chinese attackers stole a key from Microsoft that enabled access to all Microsoft cloud accounts. A key that was not supposed to exist. A key that actually belonged in an HSM; a key that was not supposed to work. A whole series of avoidable failures, none of which should have happened. This was the conclusion reached by the Cyber Safety Review Board (CSRB) appointed by the Department of Homeland Security and CISA in an investigation report in spring 2024. Its Review of the Summer 2023 Microsoft Exchange Online Intrusion (PDF) set the standard for the investigation of security failures.

Why is this important?

The CSRB did not just pillory Microsoft for individual failures. It systematically dismantled the cloud giant's grandiose security promises with methodical thoroughness. It compared the security precautions taken by Microsoft with those of its main cloud competitors such as Google, AWS and Oracle and came to the conclusion that each of them is significantly better positioned.

This incident was not a case of "shit happens" – it was a systemic failure and the inevitable consequence of systematically broken, cost-cut IT security. And the DHS recognized this as a threat to national security. With its Secure Future Initiative, Microsoft has once again bought itself probation; the next disaster is only a matter of time.

Software that is actually there to protect systems from attacks caused an unprecedented IT outage. A faulty update to the Falcon software from security firm Crowdstrike caused millions of systems to crash and even prevented a clean reboot. Thousands of flights were canceled, particularly in the USA; banks, media and telecommunications companies and hospitals were also affected. The effects were also felt in Germany. The damage was estimated at over 10 billion US dollars.

During the analysis, it emerged that Crowdstrike had slipped up in many places. For example, they had apparently tested the faulty update inadequately before rolling it out and had not tried it out on a single real system beforehand. The update process was not carried out in stages, as is generally the case, but in one fell swoop on all systems. There was also criticism of the way in which the security software is anchored in the system.

Why is this important?

Not a worm, not ransomware and not a sophisticated supply chain attack by a state attacker group, but security software of all things caused the biggest IT outage of the year – perhaps even in history. Unlike Microsoft, Crowdstrike previously enjoyed a good reputation as one of the top security companies. But here, too, the subsequent analysis revealed catastrophic conditions at Crowdstrike, which shamefully neglected the due diligence required for such a critical position.

Security companies such as Ivanti, Fortinet and Palo Alto provided attackers with a never-ending stream of vulnerabilities to compromise their victims' networks this year. Many of these were 0-day or N-day vulnerabilities in firewalls or VPN gateways and could be exploited before a patch was available or shortly after its release. The analyses of the vulnerabilities and the way in which they could be exploited paint a dire picture of the security of these security devices. For example, attackers discovered that they could register a new device with FortiManager without any authentication. At Palo Alto, it was possible to bypass authentication with a simple HTTP header, X-Pan-Authcheck: Off. And the security of Ivanti's Connect Secure could be tricked with a `../..` path-traversal sequence.
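As an added defender-side example (not from the article or from any of the vendors named), the following Python scans constructed access-log lines for the two request patterns the paragraph mentions: a client-supplied X-Pan-Authcheck header and a `../..` path-traversal sequence, including URL-encoded and double-encoded forms. The log format and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real logs). Assumed format:
#   <client-ip> <method> <raw-path> <header1>=<value1>;<header2>=<value2>
SAMPLE_LOG = """\
203.0.113.5 GET /api/status user-agent=Mozilla/5.0
203.0.113.6 GET /api/status X-Pan-Authcheck=Off;user-agent=curl/8.0
203.0.113.7 GET /static/../../private/config.xml user-agent=curl/8.0
203.0.113.8 GET /static/%2e%2e%2f%2e%2e%2fprivate/config.xml user-agent=curl/8.0
203.0.113.9 GET /static/%252e%252e/private/config.xml user-agent=curl/8.0
"""

def parse_line(line):
    """Split one constructed log line into ip, method, path and a header dict.
    Header names are lowercased because HTTP header names are case-insensitive."""
    ip, method, path, raw_headers = line.split(" ", 3)
    headers = {}
    for item in raw_headers.split(";"):
        name, _, value = item.partition("=")
        headers[name.strip().lower()] = value.strip()
    return {"ip": ip, "method": method, "path": path, "headers": headers}

def has_traversal(path):
    """True if any path segment decodes to '..'. Decoding is applied twice so
    that double-encoded sequences (%252e) are caught as well; both '/' and '\\'
    are treated as separators."""
    decoded = unquote(unquote(path))
    return any(seg == ".." for seg in re.split(r"[\\/]", decoded))

def findings(entry):
    """Return the list of rule names a parsed entry triggers (empty if clean)."""
    reasons = []
    # No legitimate client sends the internal auth-check header; flag any value.
    value = entry["headers"].get("x-pan-authcheck")
    if value is not None:
        reasons.append("auth-bypass-header=" + value.lower())
    if has_traversal(entry["path"]):
        reasons.append("path-traversal")
    return reasons

def scan(log_text):
    """Return (ip, path, reasons) for every line that triggers at least one rule."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        entry = parse_line(line)
        reasons = findings(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the four constructed requests from 203.0.113.6 through 203.0.113.9 and leaves the plain status request alone.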

Why is this important?

Appliances are black boxes. Their users essentially have to rely blindly on the manufacturer to exercise the care required for the exposed position of a firewall or VPN endpoint and to follow the basic principles of IT security. However, the gaps show that they are instead selling junk whose internal security would not have been state of the art even ten years ago. Ten years ago, it might still have been possible to get away with "nobody will notice", but with the industrialization of cybercrime and its systematic search for new business opportunities, that is no longer an option.

For over a year now, Chinese attackers have presumably had access to the conversations and text messages of almost all US citizens; they have used this to eavesdrop on incoming US President Donald Trump and his Vice President JD Vance, among others. And it is still going on: Salt Typhoon has burrowed so deeply into the IT infrastructure of US telecommunications providers that even months after its discovery, it is not clear how to get it out again. To protect themselves from this, even the FBI is now advising US citizens to encrypt their calls and messages (even if they would like to have "responsible encryption" – i.e. one to which they are given a key). One rightly wonders why this has not long been standard practice.

Why is this important?

This affair is a declaration of bankruptcy for an entire industry. The US telcos apparently refrained from securing their IT in the way that should be a matter of course for operators of critical infrastructure, and telecommunications is exactly that. And the US authorities turned a blind eye because, for example, the lack of standard encryption of all transported content gives them convenient access themselves. A rigorous stocktaking and subsequent major clean-up is now required.


When analyzing the significance, I'll start with what doesn't appear in this top 5 list. Ransomware, for example. Not because it no longer exists, but because it has become "business as usual". Even major outages or spectacular ransom demands are hardly newsworthy anymore and disappear from the headlines after a few days. Or AI. Although the topic was omnipresent in discussions about security, the reactions to the findings presented never went beyond mild astonishment. Apparently, there is still a lack of solid substance that really makes a difference; let's see how this develops in 2025.

Moreover, the list does not include any incidents in which the attackers' outstanding skills made the seemingly impossible possible. Something like Stuxnet or the blackouts caused by Russian hackers on behalf of the state. The top 5 events did not involve cracking encryption or spectacular breakthroughs in circumventing effective defenses. The xz backdoor came closest. But firstly, there was no big bang and secondly, the problem of underfunded and overburdened open source developers has actually been on the agenda for years.

Instead, four of the five top security incidents document fatal sloppiness on the part of companies that sell us security. This impressively documents the fact that those who earn their money with IT security – and I'm including the telcos in this – too often do not even implement the level of IT security that is generally considered to be the minimum. I'm not talking here about encryption that would withstand attacks by quantum computers, but about the most elementary basics of IT security.

Microsoft, Crowdstrike, Ivanti, Palo Alto, Fortinet and the US telcos – 2024 was the year of the exposed security mess.

No review without a constructive look ahead: this review shows that we don't need rocket science to take a significant step forward in IT security. A solid basis that implements what is generally regarded as sensible basic security would already be a huge step forward.

The problem here is that the security slip-ups that have come to light weren't just oversights that happened because people didn't know any better. These were deficiencies that companies deliberately accepted or even brought about because they could earn more money without security. But fortunately that is changing. The USA has set the Cyber Safety Review Board to work on its telcos and is even discussing more regulatory requirements in this context. The Cyber Resilience Act (CRA) introduces binding EU-wide cyber security requirements for products with digital components. At the same time, the EU has already launched a new product liability law that finally makes manufacturers and providers of IT products liable.

This gives us the tools to tackle these challenges. But not until next year. For now, I wish you a relaxing and restful holiday season. We will certainly read, hear and see each other again in 2025 ...

Perhaps at heise security PRO? After all, it offers free access to heise security webinars and the annual tour. And this text was originally written for the exclusive newsletter on important security topics that all PRO members receive every week. You can find out more here:

(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.