Malware Breach Report

The report details ten significant malware breaches and ransomware incidents up to June 2024, including attacks on SolarWinds, Colonial Pipeline, and Equifax, highlighting their nature, impacts, and aftermaths. Common patterns observed include supply-chain vulnerabilities and the rise of ransomware as a service. Recommendations for organizations include adopting zero-trust principles, improving patch management, and enhancing identity protections.

Prepared by: Muhammad Shoaib Khan

Organization: ITSOLERA PVT LTD / SOC Internship Program

Date: 2025-09-16

Executive Summary
This report summarizes ten major malware breaches and ransomware incidents known up to
June 2024, describing the nature of each attack, the companies affected, observed impacts, and
the aftermath. Because live web access was not available while preparing this document,
references are described in general terms and should be updated with current sources before
submission.

Table of Contents
1. SolarWinds (2020)

2. Colonial Pipeline (2021)

3. Kaseya / REvil (2021)

4. Microsoft Exchange / Hafnium (2021)

5. MOVEit / Cl0p (2023)

6. MGM Resorts (2023)

7. Okta (2022) - Third-party incident impacting many customers

8. T-Mobile (2021 / 2023 incidents)

9. Equifax (2017)

10. Change Healthcare (BlackCat) (2024)

Conclusion and Recommendations

References (placeholders — update with live sources)

SolarWinds — Dec 2020

Attack type: Supply chain (trojanized software/remote access)

Summary: Attackers inserted malicious code into SolarWinds' Orion network monitoring software updates, creating a backdoor (SUNBURST) that allowed broad access to customer environments.

Impact: Compromise of many government and enterprise customers, data exfiltration, significant national-security and supply-chain implications, long remediation efforts.

Aftermath / Response: Widespread incident response, heightened supply-chain security emphasis, audits, and accelerated adoption of software integrity checks and zero-trust practices.

Colonial Pipeline — May 2021

Attack type: Ransomware (DarkSide)

Summary: Ransomware attack against a major U.S. fuel pipeline operator, leading to operational disruption and temporary shutdown of fuel deliveries.

Impact: Operational shutdown of pipeline operations for days, fuel shortages in some regions, economic and public concern.

Aftermath / Response: The company reportedly paid the ransom; increased regulatory scrutiny, emphasis on critical infrastructure security and backups, and ICS-focused defenses.

Kaseya (REvil) — July 2021

Attack type: Ransomware via software supply chain (managed service provider / VSA exploit)

Summary: Attackers exploited Kaseya's VSA software to deploy ransomware to many downstream MSP customers and their clients in a large-scale supply-chain compromise.

Impact: Hundreds of businesses affected across many countries; significant operational disruption for managed clients.

Aftermath / Response: Highlighted MSP risk, pushed companies to review third-party and vendor risk, and accelerated patching and change-control requirements.

Microsoft Exchange (Hafnium) — Mar 2021

Attack type: Server-side remote code execution (zero-day exploits)

Summary: A group known as Hafnium exploited zero-day vulnerabilities in Exchange Server (ProxyLogon, ProxyShell) to gain persistent access and exfiltrate emails and data.

Impact: Mass compromises of on-premises Exchange servers, large-scale data theft, and follow-up incident responses.

Aftermath / Response: Urgent patches and mitigations were released; organisations scrambled to apply patches and scan for indicators of compromise.

MOVEit / Cl0p — 2023

Attack type: Exploitation of file transfer software (zero-day / SQLi-like vulnerability) leading to data theft

Summary: The Cl0p ransomware group exploited a vulnerability in MOVEit Transfer (a managed file transfer product) to exfiltrate customer data from many organisations globally.

Impact: Thousands of organizations and millions of records exposed, regulatory investigations, and large remediation costs.

Aftermath / Response: Patch deployment by Progress Software, notification obligations, and numerous legal and remediation costs for affected organizations.

MGM Resorts — 2023

Attack type: Ransomware / data leak

Summary: Ransomware attack disrupted casino operations and exposed some customer/employee data.

Impact: Operational disruption for hotel and casino services, data exposure concerns, investigation and cleanup costs.

Aftermath / Response: Incident highlighted hospitality sector vulnerabilities and encouraged stronger segmentation and backup practices.

Okta-related incident — 2022

Attack type: Third-party compromise affecting identity providers

Summary: An incident involving a third-party vendor and leaked access tokens impacted Okta customers, raising concerns about identity provider risks and token handling.

Impact: Potential exposure of identity sessions and elevated risk for downstream services relying on Okta for authentication.

Aftermath / Response: Increased scrutiny of the identity-provider supply chain, enhanced monitoring, and token rotation best practices.

T-Mobile — 2021 (and additional incidents reported later)

Attack type: Data breach exposing customer personal data

Summary: Attackers accessed customer account information and personal data via vulnerabilities or stolen credentials, leading to massive data leak events.

Impact: Millions of customer records exposed, regulatory fines and customer remediation efforts.

Aftermath / Response: Improved fraud detection, customer notification, and ongoing pressure to strengthen data protection.

Equifax — 2017

Attack type: Data breach via web application vulnerability (Apache Struts)

Summary: Attackers exploited an unpatched Apache Struts vulnerability to access Equifax systems and exfiltrate highly sensitive consumer credit data.

Impact: Personal data of ~147 million people exposed, long-term identity theft risks, large settlements and reputational damage.

Aftermath / Response: Major regulatory fines, lawsuits, and reforms to corporate security accountability and patch management.

Change Healthcare (BlackCat) — Feb 2024

Attack type: Ransomware (BlackCat/ALPHV)

Summary: Ransomware attack impacted Change Healthcare's operations and disrupted downstream healthcare billing and claims processing for many providers across the U.S.

Impact: Operational outages in healthcare claims processing, delays in payments, significant recovery and remediation effort.

Aftermath / Response: Demonstrated critical risks in healthcare IT supply chains and the systemic effects of service provider outages.

Common Patterns Observed

Across these incidents we observe several common patterns:
- Supply-chain vulnerabilities (trojanized updates, MSP or vendor compromise).
- Ransomware as a service and commoditization of extortion tactics.
- Delays or failures in patching critical systems.
- Heavy reliance on third-party services, which amplifies downstream impact.
- Insufficient segmentation and inadequate backup/restore readiness.

Recommendations
- Adopt zero-trust principles and enforce least-privilege access.
- Harden supply-chain security: verify software authenticity, use reproducible builds and strong code-signing.
- Improve patch management and vulnerability scanning cadence.
- Segment critical systems and create immutable, offline backups.
- Implement strong identity protections: multi-factor authentication, token rotation, and short-lived credentials.
- Use EDR, network detection (NDR), and SIEM correlation to detect lateral movement quickly.
- Run regular tabletop incident response exercises and maintain tested playbooks.

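
One concrete form of the "verify software authenticity" recommendation, as an added example that is not part of the original report: the vendor signs a release manifest (version plus artifact SHA-256) with an Ed25519 release key, and the customer's update gate refuses any artifact whose manifest signature or hash does not check out, which is the control a trojanized update of the SolarWinds kind would have to defeat. The key pair, the `vendor-agent` artifact bytes, and the `SignRelease`/`VerifyUpdate` functions are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest binds a release version to the SHA-256 of its artifact. The vendor signs
// these bytes, so an attacker who swaps the artifact cannot also "fix" the hash.
type Manifest struct {
	Version string
	SHA256  string
}

func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.SHA256 + "\n") }

func digest(a []byte) string { s := sha256.Sum256(a); return hex.EncodeToString(s[:]) }

// SignRelease is the vendor-side step: hash the artifact, sign the manifest with the release key.
func SignRelease(priv ed25519.PrivateKey, version string, artifact []byte) (Manifest, []byte) {
	m := Manifest{Version: version, SHA256: digest(artifact)}
	return m, ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the customer-side gate run before installing; failing either check discards the update.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, artifact []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: reject update")
	}
	if digest(artifact) != m.SHA256 {
		return errors.New("artifact hash differs from signed manifest: reject update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key pair; production keys belong in an HSM/KMS
	genuine := []byte("vendor-agent 1.0 (constructed sample artifact)")
	m, sig := SignRelease(priv, "1.0", genuine)
	fmt.Println("genuine update:     ", VerifyUpdate(pub, m, sig, genuine))
	trojan := append(append([]byte{}, genuine...), " + injected code"...) // trojanized build, same manifest
	fmt.Println("trojanized artifact:", VerifyUpdate(pub, m, sig, trojan))
	forged := Manifest{Version: "1.0", SHA256: digest(trojan)} // attacker rewrites the hash but cannot sign
	fmt.Println("forged manifest:    ", VerifyUpdate(pub, forged, sig, trojan))
}
```

The public key must reach the customer out of band (pinned in the installer or fetched from a separately verified channel); if it is served next to the update, a compromised distribution server can replace both.
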
Conclusion
The landscape of malware and ransomware incidents continues to evolve rapidly. Defensive
priorities should include supply-chain hardening, rapid patching, stronger identity controls, and
resilient recovery strategies. Organisations should plan for systemic impacts when key providers
are affected.

References and Notes

This report was prepared without live web access. The incidents included are well-documented
historical breaches known up to June 2024. Before final submission, update the References
section with direct links to primary sources (security advisories, vendor reports, reputable media
such as KrebsOnSecurity, BleepingComputer, Reuters, and official company statements). If you
want, I can update this file later with live citations once web access is available.