16-30 April 2017 Cyber Attacks Timeline

Here’s the second timeline of April (first part here), covering the main cyber attacks that occurred between 16 and 30 April 2017.

Quite a busy fortnight, this one: once again the infamous APT28 (AKA Fancy Bear) doesn’t really feel like getting some rest. This fortnight the list of its victims includes the Danish Armed Forces, two German think tanks with ties to Chancellor Angela Merkel’s party, the Christian Democratic Union (CDU), and also the newly elected French President Emmanuel Macron.

At the same time, while Google and Facebook have confirmed that they fell victim to an alleged $100m (£77m) scam between 2013 and 2015, a couple of mega breaches have joined the list: Fashion Fantasy Game and, for the second time, R2Games (more than one million accounts compromised this time). Yet another Bitcoin exchange service, Yapizon, has also suffered a massive theft (about 3,800 bitcoins, corresponding to $5M).

Although smaller in size, two other breaches are worth mentioning, as they hit two high-profile targets: HipChat and Chipotle.

Last but not least, another interesting trend is the increasingly common discovery of massive mobile malware infections: this fortnight two similar campaigns have been discovered, MilkyDoor and FalseGuide.

If you want to have an idea of how fragile our electronic identity is in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015 and 2016 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts), and if useful, you can access the timeline in Google Sheet format.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country |
|---|---|---|---|---|---|---|---|---|
| 1 | 10/04/2017 | Janitor | Sierra Tel | The Bricker Bot takes down the Zyxel HN-51 Modem belonging to Sierra Tel, a Californian ISP. | Malware | Industry: ISP | CC | US |
| 2 | 11/04/2017 | ? | eConcordia | Concordia’s online course systems, eConcordia and KnowledgeOne, are hacked; 9000 users are compromised. | Account Hijacking | Education | CC | US |
| 3 | 16/04/2017 | ? | McAfee LinkedIn Page | The LinkedIn page for McAfee is hijacked by a single person or an unknown number of individuals allegedly affiliated with the OurMine collective. | Account Hijacking | Industry: Computer Software | CC | US |
| 4 | 16/04/2017 | ? | Westminster College | Westminster College in Missouri reveals the details of a breach discovered on March 26 after a phishing scam duped a staffer into sending off W-2 statements. | Account Hijacking | Education | CC | US |
| 5 | 18/04/2017 | ? | Northrop Grumman | Northrop Grumman admits one of its internal portals was broken into, exposing employees' sensitive tax records to W-2 scams. | Account Hijacking | Industry: Aerospace and Defense | CC | US |
| 6 | 18/04/2017 | ? | Retina-X, FlexiSpy | Motherboard obtains the data of 130,000 customers of the two mobile surveillance software firms Retina-X and FlexiSpy. | Unknown | Industry: Software | CC | US |
| 7 | 20/04/2017 | ? | Android users | Researchers from Trend Micro discover MilkyDoor, an alleged successor of the infamous malware DressCode. | Malware | Single Individuals | CC | >1 |
| 8 | 20/04/2017 | ? | Fashion Fantasy Game | A 2016 data breach leaves Fashion Fantasy Game, an online game and social network for fashion lovers, with millions of user account credentials being leaked on the web. | Unknown | Social Network | CC | US |
| 9 | 21/04/2017 | APT10 and Tonto team | South Korea | FireEye claims Chinese hackers are trying to break into South Korea's military to halt the deployment of an anti-ballistic weapons system in the country. | Targeted Attack | Military | CW | KP |
| 10 | 21/04/2017 | ? | Atlantic Digestive Specialists | Atlantic Digestive Specialists notify patients of a ransomware incident. | Malware | Healthcare | CC | US |
| 11 | 21/04/2017 | ? | Cleveland Metropolitan School District | Cleveland Metropolitan School District discloses a phishing-related incident. | Account Hijacking | Education | CC | US |
| 12 | 21/04/2017 | ? | Iowa Veterans Home | Iowa Veterans Home warns nearly 3,000 of a data breach after a phishing incident. | Account Hijacking | Government | CC | US |
| 13 | 22/04/2017 | ? | Alison Brie | Fappening 2.0 continues: this time Alison Brie is targeted and has some nude images leaked online. | Unknown | Single Individual | CC | US |
| 14 | 22/04/2017 | ? | Yapizon | Yapizon, a South Korean Bitcoin exchange, suffers a massive data breach when hackers steal 3,800 Bitcoin (US$5 million), which is 37% of user funds. | Unknown | Bitcoin Exchange | CC | KR |
| 15 | 23/04/2017 | Zhengquan Zhang | KCG Holdings | The FBI arrests Zhengquan Zhang, a 31-year-old IT engineer, accused of installing malware on his employer's servers to steal proprietary source. | Malware | Industry: Financial Services | CC | US |
| 16 | 23/04/2017 | Ayyildiz Tim | North Mundham Primary in Chichester | Police are investigating after “malicious” messages are left on a school website by Turkish nationalists in an apparent hacking attempt. | Defacement | Education | CC | UK |
| 17 | 24/04/2017 | APT28 AKA Fancy Bear | Danish Armed Forces | Denmark’s security service, Politiets Efterretningstjeneste’s (PET) Centre for Cyber Security, says in its report that Danish armed forces personnel have had their emails hacked over the last two years. The hack has been attributed to 'Fancy Bear'. | Targeted Attack | Military | CE | DK |
| 18 | 24/04/2017 | ? | 7 Southeast Asian Nations | An anti-cybercrime operation by Interpol and investigators from seven southeast Asian nations reveals nearly 9,000 malware-laden servers and hundreds of compromised websites in the ASEAN region. | Malware | >1 | CC | >1 |
| 19 | 24/04/2017 | ? | HipChat | HipChat is hacked over the weekend due to a vulnerability in a third-party library. The incident affects a server in the HipChat Cloud web tier, and for a small number of instances (less than 0.05 percent), there's evidence messages and content in rooms may have been accessed. | Vulnerability in a third-party library | Industry: Software | CC | US |
| 20 | 24/04/2017 | ? | City of Newark | A ransomware attack hits some municipal computers in New Jersey's most populous city, Newark. | Malware | Government | CC | US |
| 21 | 24/04/2017 | ? | Greenway Health | Greenway Health is the victim of a ransomware attack. | Malware | Healthcare | CC | US |
| 22 | 25/04/2017 | ? | Chipotle | Chipotle, the global fast-food chain specialising in Mexican dishes, urges its US customers to check for suspicious activity on their bank statements after "unauthorised" activity on its payment processing systems has led to fears the company has been hacked. | PoS Malware | Industry: Restaurant | CC | US |
| 23 | 25/04/2017 | APT28 AKA Fancy Bear | Two German think tanks with ties to Christian Democratic Union (CDU) and Social Democratic Party (SPD). | Trend Micro reveals that Kremlin-linked Fancy Bear hackers targeted two German think tanks with ties to Angela Merkel's ruling coalition parties Christian Democratic Union (CDU) and Social Democratic Party (SPD). | Targeted Attack | Org: Political Party | CE | DE |
| 24 | 25/04/2017 | APT28 AKA Fancy Bear | Emmanuel Macron | The same report reveals that French presidential candidate Emmanuel Macron was targeted by APT28. | Targeted Attack | Single Individual | CE | FR |
| 25 | 25/04/2017 | ? | R2Games | Online gaming company Reality Squared Games (R2Games) is hacked for the second time in two years and more than one million accounts are compromised. Leaked data includes usernames, passwords, email addresses, IP addresses, and other optional record fields, such as instant messenger IDs, birthday, and Facebook related details (ID, name, access token). | Unknown | Industry: Video Games | CC | CN |
| 26 | 25/04/2017 | ? | Multiple Japanese Businesses | Cybereason discovers ShadowWali, a backdoor used for targeted attacks against Japanese businesses since at least 2015. | Targeted Attack | >1 | CE | JP |
| 27 | 25/04/2017 | ? | Blowout Cards | Blowout Cards issues a security alert to customers, warning that their payment card details may have been compromised after an attacker hacked its website and customers began reporting related card fraud. | Malware | Industry: E-Commerce | CC | US |
| 28 | 25/04/2017 | WauchulaGhost | 250 ISIS Twitter Accounts | WauchulaGhost defaces 250 ISIS Twitter accounts with adult content. | Defacement | Org: Terrorism | H | N/A |
| 29 | 26/04/2017 | ? | Android users | Check Point updates the damage report for the FalseGuide malware with five additional apps found containing the malware, estimating that 2 million Android users have unknowingly downloaded the malware. | Malware | Single Individuals | CC | >1 |
| 30 | 26/04/2017 | OilRig | 120 Israeli Targets | The Israeli Government reveals that it has thwarted a major cyberattack against 120 targets. Israeli sources believe the attack has been launched by the Iran-linked OilRig APT group (aka Helix Kitten, NewsBeef). | Targeted Attack | Government | CC | IL |
| 31 | 26/04/2017 | ? | Ciphr | Customer data from encrypted phone company Ciphr is dumped online. | Unknown | Industry: Mobile HW and SW | CC | US |
| 32 | 26/04/2017 | ? | Virginia Sex Offender and Crimes Against Children Registry (SOR) | A malware infection affecting servers belonging to the Virginia State Police (VSP) shuts down the department's email system, along with its ability to update the Virginia Sex Offender and Crimes Against Children Registry (SOR). | Malware | Law Enforcement | CC | US |
| 33 | 26/04/2017 | ? | Pekin Community High School | A ransomware attack takes down Pekin Community High School. | Malware | Education | CC | US |
| 34 | 27/04/2017 | ? | >1 | Reuters reveals that unknown attackers have been exploiting CVE-2017-0199 against targets in Ukraine and Australia. | Targeted Attack | >1 | CE | UA AU |
| 35 | 27/04/2017 | ? | OSX Users | Check Point reveals the details of OSX/Dok, a new malware affecting all versions of OSX, signed with a valid developer certificate (authenticated by Apple), the first major scale malware to target OSX users via a coordinated email phishing campaign. | Malware | Single Individuals | CC | >1 |
| 36 | 27/04/2017 | ? | NoTrove | RiskIQ reveals that a group known as NoTrove is driving massive amounts of traffic to survey pages, scam sites, and shady software download portals, so much so that one of the domains they used in their campaigns peaked at #517 in Amazon's Alexa traffic ranking. | Malvertising | Single Individuals | CC | >1 |
| 37 | 28/04/2017 | The Dark Overlord | Netflix | TheDarkOverlord leaks upcoming episode of Orange is the New Black after Netflix doesn’t pay extortion demand. The hack happened via a "production vendor". | Unknown | Industry: Entertainment | CC | US |
| 38 | 28/04/2017 | Evaldas Rimasauskas | Google and Facebook | Google and Facebook confirm that they fell victim to an alleged $100m (£77m) scam between 2013 and 2015. | Account Hijacking | Industry: Internet Services | CC | US |
| 39 | 28/04/2017 | ? | 20 UK Banks | Security researchers from IBM Security warn that a strain of banking Trojan, dubbed TrickBot, is escalating attacks against UK banks and financial institutions. The operators of the malware have launched five campaigns in April alone. | Malware | Finance | CC | UK |
| 40 | 28/04/2017 | ? | Diamond Institute for Infertility and Menopause | Diamond Institute for Infertility and Menopause notifies patients of an incident involving their electronic health records server, maintained by an unnamed third party. The incident happened in February. | Unknown | Healthcare | CC | US |
| 41 | 28/04/2017 | Tsar Team | Grozio Chirurgija | Cybercriminals steal personal records and photos of patients from the data system of a Lithuanian plastic surgery clinic and put them up for sale. | OpenCMS Vulnerability | Healthcare | CC | LT |
| 42 | 29/04/2017 | ? | Hill Country Memorial Hospital | Hill Country Memorial Hospital notifies patients after an employee email account is accessed without authorization. | Account Hijacking | Healthcare | CC | US |
| 43 | 29/04/2017 | ? | Greenwood County School District 50 | About 3,300 are affected by a security breach after the school discovers that an unauthorized user logged in to four Greenwood County School District 50 employees’ emails as well as current and former employees’ payroll accounts in January and February. | Account Hijacking | Education | CC | US |
| 44 | 30/04/2017 | ? | Some IBM flash drives | IBM detects that some USB flash drives containing the initialization tool shipped with several IBM Storwize systems contain a file that has been infected with malicious code, and asks users to destroy them. | Malware | Industry: Hardware | CC | US |
| 45 | 30/04/2017 | ? | Unity 3D Forum | OurMine hackers deface the official domain of Unity 3D Forums, leaving a deface page along with a note. | Defacement | Online Forum | CC | US |
