16-31 August 2017 Cyber Attacks Timeline

August’s gone (and the Summer with it, unfortunately)… You are ready to start your usual activities after, hopefully, having recharged your batteries. So why not spend a few minutes scrolling down the second timeline of August (first part here), covering the main cyber attacks that occurred between August 16th and 31st.

Actually, I have not seen such a troubled fortnight in a while; it simply looks like crooks never take any personal time off, and this ended up in a timeline with 60 events.

Unfortunately, the list of mega breaches is growing as well. The victims of this fortnight include the NHS (an affiliate of the Anonymous collective claims to have stolen 1.2 million records), the second-hand electronics retailer CeX (2 million customers affected), and also Instagram, where an API vulnerability allowed the attackers to allegedly steal 6 million records.

And while a misconfigured spambot has leaked a trove of 700 million email addresses, MacEwan University has lost $11.8 million after a classic Business Email Compromise.

This fortnight has also been characterized by the leak of more private photos of other celebrities (the Fappening 2017), including Tiger Woods, Katharine McPhee, Lindsey Vonn, Miley Cyrus, Kristen Stewart, Stella Maxwell and Dakota Johnson, and by the OurMine collective, which was also particularly active. The list of the social media accounts hijacked by them includes HBO and two iconic football teams, Barcelona and Real Madrid (rivals also when hacking is concerned).

The list of operations carried out by state-sponsored actors is pretty long (first spoiler: it includes two old acquaintances, Turla and APT28), and the malware infections do not seem to recede either (second spoiler: LG had to shut down some parts of its network after a WannaCry infection).

As usual, scroll down the whole list for all the events that happened in this fortnight. And if you want to have an idea of how fragile our electronic identity is inside cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015 and 2016 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts), and if useful, you can access the timeline in Google Sheet format.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country |
|---|---|---|---|---|---|---|---|---|
| 1 | 16/08/2017 | OurMine | Several HBO Twitter Accounts | Several HBO Twitter accounts are taken over by the notorious OurMine hacking group, posting #HBOHacked messages and warnings about security. Affected accounts include the main HBO Twitter account, as well as those for TV shows including Game of Thrones and Girls. | Account Hijacking | Industry: Broadcast | CC | US |
| 2 | 16/08/2017 | ? | OSHA (Occupational Safety and Health Administration) | OSHA suspends user access to the Injury Tracking Application (ITA) after the Department of Homeland Security notifies the Department of Labor of a potential compromise of user information. | Unknown | Government | CC | US |
| 3 | 17/08/2017 | Turla | G20 Participants | ProofPoint reveals that Turla appears to be actively targeting G20 participants and those interested in its activities including policymakers, member nations and journalists. The analysis is based on the discovery of a new JavaScript dropper for a backdoor called KopiLuwak that Turla has been known to use. | Targeted Attack | Government | CE | >1 |
| 4 | 17/08/2017 | Anonymous | 22 GOP Senators | Hacktivist collective Anonymous reportedly leaks the private contact details of 22 GOP senators, in the wake of the Charlottesville violence and US President Donald Trump's controversial response to the event, asking for Trump's impeachment. | Unknown | Government | H | US |
| 5 | 17/08/2017 | ? | Android Users | Researchers from Kaspersky Lab discover a new version of the malicious Android banking Trojan Faketoken, targeting users of popular apps for booking taxis and paying traffic tickets. | Malware | Single Individuals | CC | >1 |
| 6 | 18/08/2017 | Anonymous | NHS (via SwiftQueue) | A member of the Anonymous hacking collective claims to have stolen data belonging to 1.2 million patients of the United Kingdom's National Health Service (NHS). The breach affected SwiftQueue, a software provider of dashboard and metrics solutions to healthcare clinics, according to which only 32,000 records were stolen. | Unknown | Healthcare | H | UK |
| 7 | 18/08/2017 | ? | Single Individuals | A second wave of the Locky ransomware variant called IKARUSdilapidated is identified. The source of the ransomware is a botnet of zombie computers able to send 62,000 emails in three days. | Malware | Single Individuals | CC | >1 |
| 8 | 18/08/2017 | ? | Single Individuals | Two new Locky variants are discovered called Diablo6 and Lukitus. This new wave is boosted by the Necurs botnet. | Malware | Single Individuals | CC | >1 |
| 9 | 19/08/2017 | ? | Bittrex | A fake website pretends to be the official site for the Bittrex exchange, but in reality it is a phishing domain stealing not only the login credentials of unsuspecting users but also the money saved in the exchange. | Account Hijacking | Cryptocurrency Exchange | CC | US |
| 10 | 19/08/2017 | ? | Pacific Alliance Medical Center | Pacific Alliance Medical Center notifies 266,123 patients of a ransomware incident that occurred on June 14. | Malware | Healthcare | CC | US |
| 11 | 20/08/2017 | ? | Official Twitter and Facebook PlayStation accounts | The official Twitter and Facebook PlayStation accounts are taken over by the hacking group OurMine. The attackers also claim to have managed to access a PSN database. | Account Hijacking | Industry: Video Games | CC | JP |
| 12 | 21/08/2017 | ? | LG | Global consumer electronics manufacturer LG confirms it had to shut down some parts of its network after systems fell victim to WannaCry ransomware. Ransomware is found on an LG self-service kiosk in South Korea. | Malware | Industry: Consumer Electronics | CC | KR |
| 13 | 21/08/2017 | ? | Sinopec’s Shengli Oilfield | Sinopec’s Shengli Oilfield says it will cut its Internet connection for some of its offices after ransomware attacked 21 of its Internet terminals. | Malware | Industry: Oil and Gas | CC | CN |
| 14 | 21/08/2017 | ? | Enigma Blockchain Project | Another attack exploiting an Initial Coin Offering. As much as $500,000 in ether is stolen from supporters of the Enigma blockchain project following a security compromise. Attackers are able to take control of the project’s website domain, one of the administrator accounts on its Slack channel and its mailing lists. Once in control, the attackers distribute solicitations for an initial coin offering "presale." | Account Hijacking | Cryptocurrency Exchange | CC | US |
| 15 | 21/08/2017 | ? | Single Individuals | Trend Micro reveals the details of CoinMiner, a new malware family (cryptocurrency miner) using the EternalBlue exploit to infect victims and the WMI toolkit as a method to run commands on infected systems. | Malware | Single Individuals | CC | >1 |
| 16 | 21/08/2017 | ? | Android Users | The Lookout Security Intelligence team discovers an advertising SDK called Igexin that has the capability of spying on victims through benign apps by downloading malicious plugins. Over 500 apps available on Google Play used the Igexin ad SDK, and they were downloaded over 100 million times. | Malware | Single Individuals | CC | >1 |
| 17 | 21/08/2017 | ? | 22 Malaysian websites | A group of hackers called ExtremeCrew, believed to be linked to Indonesia, claims responsibility for defacing at least 33 Malaysian websites after an embarrassing blunder saw the Indonesian flag printed upside down in the official guidebook for the Southeast Asian Games. | Defacement | >1 | CW | MY |
| 18 | 21/08/2017 | ? | Several Stars including Tiger Woods, Katharine McPhee, Lindsey Vonn, Miley Cyrus, Kristen Stewart, Stella Maxwell and Dakota Johnson | Fappening 2017: private nude photos of various stars emerge, including Tiger Woods, Katharine McPhee, Lindsey Vonn, Miley Cyrus, Kristen Stewart, Stella Maxwell and Dakota Johnson. | Unknown | Single Individuals | CC | >1 |
| 19 | 21/08/2017 | ? | Android Users | Android users are warned to avoid two applications discovered on the Google Play Store, after they were found to be laced with the notorious BankBot Trojan. | Malware | Single Individuals | CC | >1 |
| 20 | 22/08/2017 | APT28 AKA Fancy Bears | Several Football players | APT28 AKA Fancy Bears release documents alleging 'drug use' in football. | Unknown | Single Individuals | CC | >1 |
| 21 | 22/08/2017 | ? | Single Individuals | EasyJet warns Facebook users over an online scam offering free flights. | Account Hijacking | Single Individuals | CC | >1 |
| 22 | 22/08/2017 | ? | Single Individuals | Researchers from FireEye discover a new global malvertising campaign using the Neptune Exploit Kit (AKA Terror) to drop the Monero coin miner. | Malvertising | Single Individuals | CC | >1 |
| 23 | 22/08/2017 | ? | Crystal Finance Millennium | Hackers breach the servers of Crystal Finance Millennium (CFM), another Ukrainian company that makes accounting software for local businesses, sparking fear of a new global cyberattack. | Malware | Industry: Software | CC | UA |
| 24 | 22/08/2017 | ? | Worldwide gamers | Security researchers from ESET discover a new malware, dubbed Joao, targeting gamers around the world. | Malware | Single Individuals | CC | >1 |
| 25 | 23/08/2017 | OurMine | FC Barcelona Twitter and Facebook Accounts | The OurMine collective takes over the official Twitter and Facebook accounts of Barcelona and falsely announces the signing of Angel Di Maria from Paris Saint-Germain. | Account Hijacking | Football Team | CC | ES |
| 26 | 23/08/2017 | ? | Counter-Strike: Global Offensive (CS:GO) players | Sentinel One reveals the details of a campaign targeting Counter-Strike: Global Offensive (CS:GO) players. A malicious version of a cheating tool called vHook installs a Monero miner detected under the name of OSX.Pwnet.A. | Malware | Single Individuals | CC | >1 |
| 27 | 23/08/2017 | ? | HIDS4U | UK firm HIDS4U warns customers to be wary of phishing emails after it came to light that a database of customers was found on a hacked website. | Account Hijacking | Industry: Car Conversion Kits | CC | UK |
| 28 | 23/08/2017 | ? | Multiple Industries | Flashpoint reveals the details of a business email compromise campaign emanating from Western Africa and targeting companies in a wide swathe of industries. | Account Hijacking | Industry: >1 | CC | >1 |
| 29 | 24/08/2017 | North Korea? | Unnamed Bitcoin Exchange in South Korea | The CWIC Cyber Warfare Research Center in South Korea reveals that a domestic exchange for bitcoin has been the target of an attempted hacking. Suspicions point to North Korea. | Unknown | Cryptocurrency Exchange | CW | KR |
| 30 | 24/08/2017 | ? | Single Individuals | Netskope Threat Research Labs detects several samples related to a coin miner malware named Zminer, whose kill chain begins with the delivery of a drive-by executable that downloads payloads from Amazon S3 to the victim’s machine. | Malware | Single Individuals | CC | >1 |
| 31 | 24/08/2017 | ? | Healthcare, education, manufacturing and tech sectors in the US and UK | A new ransomware dubbed Defray is discovered by ProofPoint, going after the healthcare, education, manufacturing and tech sectors in the US and UK. | Malware | >1 | CC | US UK |
| 32 | 24/08/2017 | ? | Facebook Users | Kaspersky Lab reveals the details of a new multi-platform malware/adware spreading via Facebook Messenger. | Malware | Single Individuals | CC | >1 |
| 33 | 24/08/2017 | ? | DreamHost | DreamHost is hit by a powerful and sustained DDoS attack after briefly hosting a new edition of the neo-Nazi website Daily Stormer. | DDoS | Industry: Web Hosting | H | US |
| 34 | 24/08/2017 | ? | 33,000 Entries of Telnet credentials | A list of 33,000 entries of Telnet credentials is discovered, sitting online on Pastebin since June 11. | Unknown | >1 | CC | >1 |
| 35 | 25/08/2017 | ? | NHS Lanarkshire | NHS services in Lanarkshire (Scotland) are hit by a new ransomware campaign. The culprit is identified as a new variant of Bitpaymer ransomware. | Malware | Healthcare | CC | UK |
| 36 | 25/08/2017 | Chinese State-Sponsored Actors (Deputy Dog? AKA APT17) | Multiple Targets | ProofPoint reveals the details of Operation Rat Cook, a targeted email campaign attempting a spear phishing attack using a Game of Thrones lure. The malicious attachment attempts to install a “9002” remote access Trojan (RAT) historically used by state-sponsored actors. | Targeted Attack | >1 | CE | >1 |
| 37 | 25/08/2017 | ? | Loopia | Swedish web hosting provider Loopia reveals that it has been hacked, with the attackers able to access part of the customer database. | Unknown | Industry: Web Hosting | CC | SE |
| 38 | 28/08/2017 | ? | Zazzle | Zazzle sends an email to customers revealing that hackers in June used brute-force techniques to cycle through account usernames and passwords that were stolen from a breach of another unnamed site. | Brute-force | Industry: E-Commerce | CC | US |
| 39 | 28/08/2017 | ? | Indian and Pakistani Entities | Symantec reveals that it has identified a sustained cyber spying campaign, likely state-sponsored, against Indian and Pakistani entities involved in regional security issues. The espionage campaign dates back to October 2016. | Targeted Attack | Government | CE | IN PK |
| 40 | 28/08/2017 | ? | US Citizens | The Internal Revenue Service (IRS) warns US citizens of a new phishing scheme that poses as official IRS communications in the hope that victims access a link, download a file, and get infected with ransomware. | Malware | Single Individuals | CC | US |
| 41 | 28/08/2017 | ? | Selena Gomez Instagram account | The Instagram hack begins… Selena Gomez’s Instagram account is hacked and posts several nude photos of Justin Bieber. | Account Hijacking | Single Individuals | CC | US |
| 42 | 28/08/2017 | ? | South Korean Android users | Security researchers from McAfee reveal the details of a new Android banking Trojan dubbed MoqHao, targeting South Korean users via SMS phishing messages. | Malware | Single Individuals | CC | KR |
| 43 | 28/08/2017 | OurMine | Real Madrid Twitter Account | Real Madrid’s official Twitter account is hacked, with a post announcing the signing of rival Lionel Messi appearing on their feed. | Account Hijacking | Football Team | CC | ES |
| 44 | 28/08/2017 | ? | Medical Oncology Hematology Consultants | Medical Oncology Hematology Consultants reports a ransomware attack that affected 19,203 patients. | Malware | Healthcare | CC | US |
| 45 | 29/08/2017 | ? | CeX | Second-hand electronics dealership CeX notifies 2 million customers that their personal information may have been compromised by hackers. | Unknown | Industry: Retail | CC | UK |
| 46 | 29/08/2017 | ? | Swiss Individuals | The Reporting and Analysis Centre for Information Assurance (MELANI) says that around 21,000 passwords and personal details used to access online services have been stolen and could be used illegally. | Unknown | Single Individuals | CC | CH |
| 47 | 29/08/2017 | ? | Coinbase users | Researchers from Forcepoint discover a new Trickbot variant able to monitor Coinbase exchange sites. | Malware | Single Individuals | CC | >1 |
| 48 | 30/08/2017 | ? | Single Individuals | More than 700 million email addresses, as well as a number of passwords, leak publicly thanks to a misconfigured spambot, in one of the largest data breaches ever. | Unknown | Single Individuals | CC | >1 |
| 49 | 30/08/2017 | Turla | Embassies and Consulates in Europe | Researchers from ESET uncover Gazer, a new malware tool used by the infamous threat actor Turla to spy on embassies and consulates in Europe. | Targeted Attack | Government | CE | >1 |
| 50 | 30/08/2017 | ? | Central German state of Saxony-Anhalt | Internet and telephone networks at the regional parliament in the central German state of Saxony-Anhalt are offline after a ransomware attack. | Malware | Government | CC | DE |
| 51 | 30/08/2017 | ? | CMS Users | Sucuri detects a massive online scanning campaign that's searching for websites that use the Adminer database management script. | Adminer vulnerability | >1 | CC | >1 |
| 52 | 30/08/2017 | ? | Single Individuals | Security researcher MalwareBreakdown releases the analysis of a new attack performed when a user visits a compromised site and is asked to install the Roboto Condensed font. The fake font pack is used to install malware. | Malware | Single Individuals | CC | >1 |
| 53 | 30/08/2017 | ? | dms[.]nwcg[.]gov | Ankit Anubhav of NewSky Security discovers a U.S. government website hosting a malicious JavaScript downloader, leading victims to installations of Cerber ransomware. | Malware | Government | CC | US |
| 54 | 30/08/2017 | ? | Kaleida Health | Kaleida Health notifies (once again) 2,800 patients of a new phishing attack. | Account Hijacking | Healthcare | CC | US |
| 55 | 31/08/2017 | ? | MacEwan University | MacEwan University staffers are tricked into transferring $11.8 million into scammers’ bank accounts. The majority of the money, $11.4 million, has been traced to bank accounts in Montreal and Hong Kong. | Account Hijacking | Education | CC | CA |
| 56 | 31/08/2017 | ? | Instagram | Instagram reveals that one or more hackers have been stealing celebrities' e-mail addresses, phone numbers, and other personal information by exploiting a bug. A database, Doxagram, is published online immediately after with the attacker claiming to have stolen 6 million records. Few | Instagram API Vulnerability | Social Network | CC | US |
| 57 | 31/08/2017 | China? | Vietnam? | Security company FireEye reveals to Reuters that cyber spies working for or on behalf of China’s government have broadened attacks against official and corporate targets in Vietnam at a time of raised tension over the South China Sea. | Targeted Attack | Government | CW | VN |
| 58 | 31/08/2017 | ? | WikiLeaks | WikiLeaks’ website appears to have been hacked by the OurMine collective. | DNS Hijacking | Org: Non-Profit | CC | INT |
| 59 | 31/08/2017 | ? | Free Online File Converter | An anonymous researcher reveals that the server hosting dozens of free-to-use online file conversion websites, including combinepdf.com, imagetopdf.com, jpg2pdf.com, pdftoimage.com, pdfcompressor.com, and wordtojpeg.com, has been hacked several times in the past year. | ImageMagick Vulnerability | Online Services | CC | FR |
| 60 | 31/08/2017 | ? | Single Individuals | Researchers at Malwarebytes uncover a campaign which is harnessing RIG on hacked websites in order to distribute the Princess/PrincessLocker ransomware. | Malware | Single Individuals | CC | >1 |
