16-30 September 2017 Cyber Attacks Timeline

It’s time to publish the second timeline of September 2017 (first timeline here), covering the main cyber-attacks occurred between September 16th and September 30th (exceptionally including a few incidents that occurred before but I did not include in the previous one).

There have been several remarkable events, probably the most important of which is probably the compromise of the well-known utility CCleaner: what appeared initially as an isolate incident, in reality turned out to be an orchestrated operation targeting hi-tech giants of the likes of Cisco, Samsung and Microsoft. Meanwhile, the list of high-profile victims has been enriched with new entries like the U.S. Securities and Exchange Commission, Deloitte, and Sonic.

And while the operations of a new actor, APT33, have been unmasked, the Electronic Frontier Foundation has revealed the details of “Phish for the Future”, a campaign targeting digital civil liberties activists at Free Press and Fight For the Future.

As usual scroll down the whole list for all the events happened in this fortnight. And if you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015 and 2016 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheet format.

IDDateAuthorTargetDescriptionAttackTarget
Class
Attack
Class
Country
112/09/2017?LitebitHackers gain access to Litebit’s backend and obtain email addresses, hashed passwords, and IBAN information, among other things. No money is stolen in the process, though.UnknownCryptocurrency ExchangeCCNL
212/09/2017?Single IndividualsSecurity researchers at Sophos discover a new RAT called Kedi that uses Gmail to steal data from the targeted computer. The malware is disguised as a Citrix utility.MalwareSingle IndividualsCC>1
313/09/2017?UAE GovernmentA trove of leaking emails belonging to the UAE government reveals an alleged plot to "conquer" Qatar.UnknownGovernmentCCUAE
413/09/2017The Dark OverlordSMART Physical TherapySMART (“Sports Medicine and Rehabilitation Therapy”) Physical Therapy is the n-th victim of The Dark Overlord.UnknownHealthcareCCUS
516/09/2017?The Pirate Bay UsersA cryptocurrency miner appear on The Pirate Bay website, using the computer resources of visitors to mine Monero coins and hence spiking its visitors' CPU.Cryptocurrency MinerSingle IndividualsCC>1
618/09/2017?Multiple CompaniesCisco Talos publishes a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. The analysis reveals that the attack was conceived to target multiple companies including Cisco itself.MalwareIndustries: >1CE>1
718/09/2017The Dark OverlordColumbia Falls and Flathead County School DistrictsThe Dark Overlord sends a threatening ransom note to the Columbia Falls (Montana) school district forcing officials to shutter its schools to ensure the safety of the students.UnknownEducationCCUS
818/09/2017?Multiple TargetsResearchers from Kaspersky reveal the details of a new attack technique leveraging an undocumented Word feature to gather information on users.Targeted Attack>1CC>1
919/09/2017?Single IndividualsResearchers from Barracuda Advanced Technology Group spot a new Locky campaign launching around 20 million fresh attacks in just a day.MalwareSingle IndividualsCC>1
1019/09/2017?Android UsersResearchers from SfyLabs reveal the details of Red Alert 2.0, an Android malware targeting over 60 bank and social media apps on Google Play.MalwareSingle IndividualsCC>1
1119/09/2017?The Irish National Teachers Organisation (INTO)The Irish National Teachers Organisation warns users of its online learning portal that their personal data may have been compromised following the hacking of the website. Around 30,000 users details were potentially compromised by the hack.UnknownOrg: EducationCCIE
1219/09/2017?Google Chrome UsersSafeBrowse, a Chrome browser extension, with over 140,000 users, is found containing a JavaScript Crypto Miner based on Coinhive.MalwareSingle IndividualsCC>1
1320/09/2017APT 33Aviation Firms in the US and Saudi ArabiaFireEye reveals the details of APT33, a group operational since 2013 and focused on the aerospace industry, successfully hacking firms with aviation in the U.S. and Saudi Arabia in the last year. Other targets include Petrochemical firms in South Korea and Saudi Arabia.Targeted AttackIndustry: AviationCCUS UAE
1420/09/2017?U.S. Securities and Exchange CommissionThe U.S Securities and Exchange Commission reveals that its computer system had been hacked last year, giving the attackers private information that could have been exploited for trading. The breach was discovered in August.UnknownGovernmentCCUS
1521/09/2017?Single IndividualsResearchers at MalwareHunterTeam spot a ransomware, called nRansomware, demanding naked photographies instead of Bitcoins.MalwareSingle IndividualsCC>1
1624/09/2017?Arkansas Oral & Facial Surgery CenterArkansas Oral & Facial Surgery Center disclose a ransomware incident that may or may not have resulted in access to protected health information of as many as 128,000 patients.MalwareEducationCCUS
1725/09/2017?DeloitteThe Guardian reveals that Deloitte, one of the world’s “big four” accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients.Targeted AttackIndiustry: Professional ServicesCCUK
1825/09/2017?Android UsersResearchers from Trend Micro reveal the details of ZNIU, the first Android malware to exploit the Dirty Cow (CVE-2016-5195) vulnerability. ZNIU has been detected in more than 40 countries, in about 1,200 and has affected so far more than 5,000 users.MalwareSingle IndividualsCC>1
1925/09/2017?showtime.com showtimeanytime.comTwo Showtime domains are found serving Coinhive, a JavaScript library that mines Monero using the CPU resources of users visiting Showtime's websites. It is not clear if the event is the consegue of a hack or an experiment.MalwareSingle IndividualsCCUS
2026/09/2017?Sonic Drive-InSonic Drive-In, a fast-food chain with nearly 3,600 locations across 45 U.S. states, acknowledges a breach affecting an unknown number of store payment systems.PoS MalwareIndustry: RestaurantCCUS
2126/09/2017?National Football League (NFL)Researchers from MacKeeper discover a misconfigured Elasticsearch database containing the details of 1,133 NFL players. Unfortunately the researchers also show evidence that criminals have been able to access the data.Misconfigured databaseOrg: SportCCUS
2226/09/2017The Dark OverlordAuburn Eye Care AssociatesTheDarkOverlord reveal another hack involving patient data. This time the victim is Auburn Eye Care Associates, despite the original hack dates back in June.UnknownHealthcareCCUS
2327/09/2017Aslan Neferler TimDanish Ministries of Immigration and Foreign AffairsThe Ministry of Immigration and the Ministry of Foreign Affairs of Denmark, are hit by a DDoS attack thought to have come from a Turkish hacker group dubbed Aslan Neferler Tim.DDoSGovernmentHDK
2428/09/2017?Whole Foods MarketWhole Foods Market says payment card information has been stolen from taprooms, restaurants and other venues located within some of its stores.PoS MalwareIndustry: RetailCCUS
2528/09/2017?Unpatched IIS 6.0 serversESET reveals that a malware author (or authors) has made around $63,000 during the past five months by hacking unpatched IIS 6.0 servers and mining Monero using CVE-2017-7269.VulnerabilitySingle IndividualsCC>1
2628/09/2017?Free Press Fight For the FutureThe Electronic Frontier Foundation (EFF) reveals the details of “Phish For The Future,” an advanced persistent spearphishing campaign targeting digital civil liberties activists at Free Press and Fight For the Future discovered between July 7th and August 8th of 2017.Targeted AttackOrg: Non-ProfitCEN/A
2728/09/2017?Single IndividualsResearchers from Malwarebytes spot a campaign abusing native ad and content provider Taboola to serve malvertising,MalvertisingSingle IndividualsCC>1
2828/09/2017?San Ysidro School DistrictMalware infect of the San Ysidro School District, deleting emails and forcing the district to temporarily shut down part of its systems.MalwareEducationCCUS
2928/09/2017?Toms River Police DepartmentThe township of Toms River plans to notify about 3,700 people that their personal information may have been compromised by a data breach inside the police department over the summer.UnknownLaw EnforcementCCUS
3029/09/2017?Saudi Arabia’s General Entertainment Authority (GEA)Saudi Arabia’s General Entertainment Authority (GEA), says that its website had been the target of cyber attacks from outside the kingdom.DDoSGovernmentCCAE
3129/09/2017?IRINN (Indian Registry for Internet Names and Numbers)Researchers from Seqrite’s Cyber Intelligence Labs discover 6000 login credentials up for sale on DarkNet, belonging to Indian ISPs, government departments and private businesses. The researchers identify the origin of the breach from the IRINN.UnknownInternet ServicesCCIN
3229/09/2017?Wordpress UsersA cyber-criminal hides the code for a PHP backdoor inside the source code of a WordPress plugin masquerading as a security tool named "X-WP-SPAM-SHIELD-PRO" The attacker tried to leverage the reputation of a legitimate and highly popular WordPress plugin called "WP-SpamShield Anti-Spam".PHP BackdoorSingle IndividualsCC>1
3330/09/2017?Gianfranco Dell'AlbaThe director of the General Confederation of Italian Industry group in Brussels falls victim of an email scam and transfers 500,000 EUR (590,000 USD) to an unknown bank account.Account HijackingSingle IndividualsCCIT
3430/09/2017?national-lottery.co.ukCamelot reveals that a DDOS attack took down the website of the National Lottery,DDoSIndustry: LotteryCCUK
3530/09/2017?R6DBR6DB, a fan-powered online gaming service that provides statistics for players of Ubisoft's tactical FPS Rainbow Six Siege, is hit by hackers, who wipe its databases and hold the data for ransom.Malicious BotOnline Gaming ServiceCCUS

Leave a Reply

%d bloggers like this: