Enterprise cybersecurity tools, such as routers, firewalls and VPNs, exist to protect corporate networks from intruders and malicious hackers, something that is particularly important in today’s age of widespread remote and hybrid working.
But while pitched as tools that help organizations stay safe from outside threats, many of these products have time and again been found to contain software bugs that allow malicious hackers to compromise the very networks these products were designed to protect.
These bugs have been blamed for an explosion in mass-hacking campaigns in recent years, whereby malicious hackers abuse these often easy-to-exploit security flaws to break into the networks of thousands of organizations and steal sensitive company data.
We’ve put together a brief history of mass-hacks, and will update this article when more inevitably come to light.
One of the first mass-hacks of this decade saw a notorious ransomware crew exploit a vulnerability in Fortra’s GoAnywhere managed file transfer software, a product used by companies to share large files and sensitive datasets over the internet. The prolific Clop ransomware gang exploited the bug to compromise more than 130 organizations and steal the personal data of millions of individuals. The vulnerability was exploited as a zero-day, which means Fortra had no time to fix it before it came under attack. Clop later published data stolen from victim organizations who did not pay the hackers a ransom. Hitachi Energy, security giant Rubrik, and Florida-based health tech organization NationBenefits — which saw the data of more than three million members stolen in the attack — reported intrusions resulting from the buggy software.
May 2023: MOVEit flaws allowed theft of 60 million people’s data
The mass-hack of MOVEit remains one of the largest mass-breaches of all time, with hackers abusing a flaw in another widely used file transfer software, developed by Progress Software, to steal data from several thousand organizations. The attacks were again claimed by the Clop ransomware group, which exploited the MOVEit vulnerability to steal data on more than 60 million individuals, according to cybersecurity company Emsisoft. U.S. government services contracting giant Maximus was the largest victim of the MOVEit breach after confirming that hackers accessed the protected health information of as many as 11 million individuals.
October 2023: Cisco zero-day exposed thousands of routers to takeovers
The mass-hacks continued into the second half of 2023, with hackers exploiting an unpatched zero-day vulnerability in Cisco’s networking software throughout October to compromise tens of thousands of devices that rely on the software, such as enterprise switches, wireless controllers, access points, and industrial routers. The bug granted attackers “full control of the compromised device.” While Cisco didn’t confirm how many customers had been affected by the flaw, Censys, a search engine for internet-connected devices and assets, said it had observed almost 42,000 compromised devices exposed to the internet.
November 2023: Ransomware gang exploits Citrix bug
Citrix NetScaler, which large enterprises and governments use for application delivery and VPN connectivity, became the latest mass-hack target just one month later in November 2023. The bug, known as “CitrixBleed,” allowed the Russia-linked ransomware gang LockBit to extract sensitive information from affected NetScaler systems at big-name firms. Aerospace giant Boeing, law firm Allen & Overy, and the Industrial and Commercial Bank of China were claimed as victims.
January 2024: China hackers exploited Ivanti VPN bugs to breach companies
Ivanti became a name synonymous with mass-hacks after Chinese state-backed hackers began mass-exploiting two critical zero-day vulnerabilities in Ivanti’s corporate Connect Secure VPN appliance. While Ivanti said at the time that only a limited number of customers had been affected, cybersecurity company Volexity found that more than 1,700 Ivanti appliances worldwide were exploited, affecting organizations in the aerospace, banking, defense, and telecoms industries. U.S. government agencies with affected Ivanti systems in operation were ordered to immediately take the systems out of service. Exploitation of these vulnerabilities has since been linked to the China-backed espionage group known as Salt Typhoon, which more recently was found to have hacked into the networks of at least nine U.S. telecommunications companies.
In February 2024, hackers took aim at two “easy-to-exploit” vulnerabilities in ConnectWise ScreenConnect, a popular remote access tool that allows IT and support technicians to remotely provide technical assistance directly on customer systems. Cybersecurity giant Mandiant said at the time that its researchers had “identified mass exploitation” of the two flaws, which were being abused by various threat actors to deploy password stealers, backdoors, and in some cases, ransomware.
Hackers hit Ivanti customers (again) with fresh bugs
Ivanti made headlines again — also in February 2024 — when attackers exploited another vulnerability in its widely used enterprise VPN appliance to mass-hack its customers. The Shadowserver Foundation, a nonprofit organization that scans and monitors the internet for exploitation, told TechCrunch at the time it had observed more than 630 unique IP addresses attempting to exploit the server-side flaw, which allows attackers to gain access to devices and systems ostensibly protected by the vulnerable Ivanti appliances.
November 2024: Palo Alto firewall bugs put thousands of firms at risk
Later in 2024, hackers compromised potentially thousands of organizations by exploiting two zero-day vulnerabilities in software made by cybersecurity giant Palo Alto Networks and used by customers around the world. The vulnerabilities in PAN-OS, the operating system that runs on all of Palo Alto’s next-generation firewalls, allowed attackers to compromise and exfiltrate sensitive data from corporate networks. According to researchers at security firm watchTowr Labs who reverse-engineered Palo Alto’s patches, the flaws resulted from basic mistakes in the development process.
December 2024: Clop compromises Cleo customers
In December 2024, the Clop ransomware gang targeted yet another popular file transfer technology to launch a fresh wave of mass hacks. This time, the gang exploited flaws in tools made by Cleo Software, an Illinois-based maker of enterprise software, to target dozens of the company’s customers. By early January 2025, Clop listed almost 60 Cleo companies that it had allegedly compromised, including U.S. supply chain software giant Blue Yonder and German manufacturing giant Covestro. By the end of January, Clop added another 50 alleged Cleo mass-hack victims to its dark web leak site.
January 2025: New year, new Ivanti bugs under attack
The new year began with Ivanti falling victim to hackers — yet again. The U.S. software giant alerted customers in early January 2025 that hackers were exploiting a new zero-day vulnerability in its enterprise VPN appliance to breach the networks of its corporate customers. Ivanti said that a “limited number” of customers were affected, but declined to say how many. The Shadowserver Foundation says its data shows hundreds of backdoored customer systems.
Fortinet firewall bugs exploited since December
Just days after Ivanti’s latest bug was disclosed, Fortinet confirmed that hackers had separately been exploiting a vulnerability in its firewalls to break into the networks of its corporate and enterprise customers. The flaw, which affects the cybersecurity company’s FortiGate firewalls, had been “mass exploited” as a zero-day bug since at least December 2024, according to security research firms. Fortinet declined to say how many customers were affected, but security research firms investigating the attacks observed intrusions on “tens” of devices.
SonicWall says hackers are remotely hacking customers
January 2025 remained a busy month for hackers exploiting bugs in enterprise security software. SonicWall said in late January that as-yet-unidentified hackers are exploiting a newly discovered vulnerability in one of its enterprise products to break into its customer networks. The vulnerability, which affects SonicWall’s SMA1000 remote access appliance, was discovered by Microsoft’s threat researchers and is “confirmed as being actively exploited in the wild,” according to SonicWall. The company hasn’t said how many of its customers have been affected, or whether it has the technical ability to confirm this, but with more than 2,300 devices exposed to the internet, this bug has the potential to be the latest mass-hack of 2025.