16-31 October 2017 Cyber Attacks Timeline

It’s time to publish the second timeline of October, covering the main cyber attacks occurred in the second half of the month (plus a couple that fell out of my radar during the first one). Of course, as always, you can find the first timeline here.

Ukraine continues to be a training field for Cyberwar: the same gang behind NotPetya (or Netya) is believed to be also behind Bad Rabbit, a new ransomware campaign that hit the country (and other ones primarily situated in East Europe) with a modus operandi close to the previous destructive campaign.

Another important event of this fortnight is a breach that dates back to 2013, but whose real extent was never revealed until now. I am talking about Microsoft: some formers employees admitted that the attackers (allegedly belonging to the Wild Neutron gang) that hit the company back then, were able to access an internal database used for tracking bugs.

Let’s move to Malaysia for yet another massive breach where roughly 46.2 million mobile phone numbers belonging to some telcos and mobile virtual network operators have been leaked online.

Another important event is the attack to Appleby, a law firm in Bermuda, that had a list of super rich customers leaked. The political consequences of this attack will last for long.

If we focus on Cyber Espionage, the infamous APT28 (AKA Fancy Bear) is back with two campaigns, one exploiting CVE-2017-11292 and, ironically, a second one exploiting a malicious document in disguise of a flyer relating to the Cyber Conflict U.S. Conference organized by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE).

And while North Korea is allegedly behind the attack against Daewoo Shipbuilding & Marine Engineering, detected in April last year, other noticeable cyber espionage campaigns include BlackOasis, Hacker’s Door (a blast from the past), and Leviathan.

Last but not least the turmoil in Catalonia woke up the Anonymous from their shadow…

As usual scroll down the whole list for all the events happened in this fortnight. And if you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015 and 2016 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheet format.

IDDateAuthorTargetDescriptionAttackTarget
Class
Attack
Class
Country
103/10/2017?Multiple TargetsSANS Internet Storm Center (ISC) handler Xavier Mertens spots a new attack, exploiting CVE-2017-8759 to install a Remote Administration Tool.Malware>1CC>1
204/10/2017The Dark OverlordAustin Manual Therapy AssociatesThe Dark Overlord claims to have hacked Austin Manual Therapy Associates and leaks a sample data.UnknownHealthcareCCUS
310/10/2017?Rivermend HealthRivermend Health notifies 1,300 patients who had information in an employee’s email account that was compromised earlier in July.Account HijackingHealthcareCCUS
416/10/2017?BithumbLocal news publications and leading media outlets in South Korea reported that Bithumb, the world’s largest cryptocurrency exchange by trading volume, suffered a security breach that affected 30,000 users on the trading platform.UnknownCryptocurrency ExchangeCCKR
516/10/2017BlackOasisMultiple TargetsKaspersky Lab reveal the details of BlackOasis, a malicious actor leveraging CVE-2017-11292.Targeted Attack>1CE>1
616/10/2017LeviathanTargets in Defense and GovernmentProofpoint researchers reveals the details of Leviathan, an espionage actor active since 2014, targeting organizations and high-value targets in defense and government.Targeted AttackIndustry: Defense Contractor GovernmentCE>1
716/10/2017?Catholic United FinancialAn unknown attacker accesses nearly 130K accounts at Catholic United Financial. The attack happened on September 6th.UnknownOrg: Non-ProfitCCUS
817/10/2017Wild NeutronMicrosoftAccording to five former employees, Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago.Targeted AttackIndustry: SoftwareCEUS
917/10/2017Hacker's DoorMultiple TargetsResearchers from security outfit Cylance discover a Remote Access Tool, resurfacing a decade later its original discovery.Targeted Attack>1CE>1
1017/10/2017?Chase Brexton Health CareChase Brexton Health Care notifies 16,562 patients after four employees fell for a phishing attack. The phishing emails were sent on August 2 and 3, and by August 4, the attackers had re-routed employees’ paychecks.Account HijackingHealthcareCCUS
1117/10/2017?Single IndividualsMinerva Labs reveal the details of WaterMiner, a new evasive cryptocurrency mining campaign distributed via modified video games on Russian forum.MalwareSingle IndividualsCC>1
1217/10/2017?Chase Brexton Health CareChase Brexton Health Care notifies 16,562 patients after four employees fell for a phishing attack, earlier in August, re-routing employees’ paychecks.Account HijackingHealthcareCCUS
1318/10/2017?Android UsersResearchers from Symantec discover some malicious Minecraft-based Android apps in the Google Play store infected with Sockbot (and downloaded as many as 2.6 million time).MalwareSingle IndividualsCC>1
1418/10/2017APT28Several Government EntitiesResearchers from ProofPoint reveal the details of a new campaign carried on by the infamous APT28 AKA Fancy Bear, exploiting a recently patched Adobe Flash vulnerability, CVE-2017-11292.Targeted AttackGovernmentCE>1
1518/10/2017?Griffin Funeral HomeA sick hack: hackers take over the email account of Griffin Funeral Home, and send email scams to the company's customers, asking for money.Account HijackingFuneral HomeCCUS
1618/10/2017?Wordpress UsersWordfence warns of a significant spike in SSH private key scanning activity.SSH ScanningSingle IndividualsCC>1
1719/10/2017?Malaysian telcos and mobile virtual network operatorsRoughly 46.2 million mobile phone numbers from Malaysian telcos and mobile virtual network operators (MVNO) have been leaked online.UnknownIndustry: Mobile TelcoCCMY
1819/10/2017?Domino's PizzaDomino's Australia investigates a potential breach of its computer systems after a number of customers received personalised spam emails from the pizza company. The company claims the breach happened to a "secondary supplier".UnknownIndustry: RestaurantsCCAU
1919/10/2017?Users of Elmedia PlayerThe servers of Eltima are compromised to distribute the Proton OSX Remote Access Tool via a fake update of the Elmedia Player.tiny_mce JavaScript library vulnerabilitySingle IndividualsCC>1
2019/10/2017?Unsecure IoT devicesResearchers from Check Point and Qihoo 360 Netlab reveal the details of a new IoT botnet dubbed Reaper or iot_reaper, targeting million of organizations worldwide (even if some subsequent estimates tend to reduce the size of the botnet).Multiple VulnerabilitiesIoT DevicesCC>1
2120/10/2017DragonFly 2.0US Energy and other critical infrastructure sectorsThe US Department of Home Security and the Federal Bureau of Investigation issue the warning TA17-293A, for advanced persistent threat activity targeting energy and other critical infrastructure sectors.Targeted AttackIndustry: EnergyCEUS
2220/10/2017?FirstHealthThe network of FirstHealth is hit by WannaCry and forced to suspend the operations.MalwareHealthcareCCUS
2321/10/2017AnonymousSeveral Spanish government websitesIn name of #OpCatalunya the Anonymous take down several Spanish government websites including Spain's Ministry of Public Works and Transport, and the Institutional Court.DDoSGovernmentHES
2421/10/2017?Czech Statistical Office (CSU)Two websites run by the Czech Statistical Office (CSU) are taken offline after a DDoS attack tries to disrupt reporting of the country’s parliamentary elections.DDoSGovernmentCCCZ
2522/10/2017APT28Attendees of the NATO's Cyber Conflict U.S. conference.Cisco Talos discovers a new malicious campaign from the well known actor Group APT28 AKA Fancy Bear carried on via a deceptive flyer relating to the Cyber Conflict U.S. Conference organized by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE).Targeted AttackSingle IndividualsCE>1
2623/10/2017?Poloniex UsersUsers of the popular cryptocurrency exchange Poloniex are the target of two credential-stealing apps, discovered on Google Play disguised as legitimate Poloniex mobile apps.MalwareSingle IndividualsCC>1
2723/10/2017?Coinhive.comThe DNS records for coinhive.com are manipulated to redirect requests for the coinhive.min.js to a third party server hosting a modified version of the JavaScript file with a hardcoded site key and letting the attacker "steal" hashes from users.DNS HijackingOrg: Software LibraryCCN/A
2823/10/2017The Dark OverlordLondon Bridge Plastic Surgery (LBPS)The Dark Overlord hackers break into London Bridge Plastic Surgery, a high profile, London-based plastic surgeon, and steal photos, including in-progress genitalia and breast enhancement.UnknownHealthcareCCUK
2923/10/2017?Single IndividualsSANS Internet Storm Center (ISC) handler Brad Duncan spots a new phising campaign, originated by the Necurs botnet, using Microsoft Dynamic Data Exchange (DDE), to distribute the Locky ransomware.MalwareSingle IndividualsCC>1
3024/10/2017?UkraineUkraine is targeted by a new destructive ransomware dubbed Bad Rabbit, allegedly distributed via a fake Flash Player update delivered via a drive-by-download. The sites redirecting to BadRabbit are a variety of sites that are based in Russia, Bulgaria, and Turkey.Malware>1CWUA
3124/10/2017?ApplebyAppleby, a Bermuda law firm, admits to have been hacked, prompting fears of a Panama Papers-style exposé into the tax affairs of the super rich.UnknownLaw FirmHPA
3224/10/2017?Dell TechnologiesKrebsOnSecurity reveals that a web site set up by PC maker Dell Inc. to help customers recover from malicious software (DellBackupandRecoveryCloudStorage.com) may have been hijacked for a few weeks this summer.DNS HijackingIndustry: Hardware and SoftwareCCUS
3324/10/2017Mat AKA @0xScriptsBasetools.wsA hacker dubbed Mat AKA @0xScripts breaches Basetools.ws, an underground forum and demands a $50K ransom to avoid sharing stolen data with law enforcement.UnknownUnderground ForumCCN/A
3425/10/2017?Amazon Web Services of Aviva and GemaltoAccording to the security group RedLock, a group of hackers managed to breach Amazon Web Services belonging to two companies on the Amazon Cloud: Aviva and Gemalto. The breach was due to poor password policy and aimed to use the resources to mine cryptocurrency.Account HijackingIndustry: Financial Services Industry: ElectronicsCCUK NL
3525/10/2017Cru3ltyTarte CosmeticsTarte Cosmetics exposes nearly two million customers' personal data to the public via two unsecured MongoDB databases. Unfortunately the gang Cru3lty get hold of the data, demanding 0.2 Bitcoins for recovering the database once the data has been deleted or encrypted.Account HijackingIndustry: CosmeticsCCUS
3625/10/2017?Android UsersResearchers from Syf Labs discover LokiBot, an Android malware, able to steal over $1.5m in Bitcoins from the victims.MalwareSingle IndividualsCC>1
3725/10/2017?Iran UsersThe Iran Computer Emergency Response Team Coordination Center (Iran CERTCC) issues a security alert about a ransomware distribution campaign currently active in the country, distributing the Tyrant ransomware.MalwareSingle IndividualsCCIR
3825/10/2017?Single IndividualsZscaler researchers warn users of a new malvertising campaign redirecting users to the Terror Exploit Kit.MalvertisingSingle IndividualsCC>1
3926/10/2017?Users of Myethereumwallet.comA new Ethereum phishing campaign is discovered, targeting users of the online Ethereum wallet website Myethereumwallet.com. Hackers make away with over $15,000 in just two hours.Account HijackingSingle IndividualsCC>1
4026/10/2017?Customers of Japanese BanksResearchers from IBM X-Force reveal the details of Ursnif (AKA Gozi), a campaign against customers of Japanese Banks.MalwareFinanceCCJP
4126/10/2017n3tr1x str0ngblog.jquery.comTwo hackers going by the online handle of “n3tr1x” and “str0ng” deface the official blog (blog.jquery.com) of jQuery.DefacementOrg: Software LibraryCCUS
4227/10/2017?T-Mobile UsersT-Mobile warns customers targeted by hackers trying to take control of their SIM cards, exploiting a vulnerability on its website.Account HijackingSingle IndividualsCCUS
4327/10/2017?Android UsersResearchers from Symantec uncover a new wave of new Ramnit-infected apps in the Google Play store: 92 distinct apps with a total of 250,000 downloads between them.MalwareSingle IndividualsCC>1
4427/10/2017?Midland CountyThe Midland County District Attorney warns residents after their third-party payment system is hacked.UnknownGovernmentCCUS
4527/10/2017?Catholic CharitiesThe personal information of about 4,600 past and present clients and several employees of Catholic Charities may have been exposed after a computer server in the Glens Falls office was hacked as early as 2015.UnknownOrg: CharityCCUS
4630/10/2017?Android UsersResearchers from Trend Micro discover two new malware strains – dubbed JsMiner and CpuMiner – in at least three apps on Google's Play Store.MalwareSingle IndividualsCC>1
4730/10/2017?Facebook UsersResearchers from security firm F-Secure uncover a phishing campaign spreading via Facebook Messenger and targeting users across Europe including Germany, Sweden and Finland.Account HijackingSingle IndividualsCC>1
4830/10/2017Gaza CybergangSeveral entities in MENAResearchers from Kaspersky Lab reveal a new spike of activity by the infamous Gaza Cybergang exploiting CVE 2017-0199 and targeting government entities and oil and gas targetsin MENA.Targeted AttackGovernment Industry: Oil and GasH>1
4930/10/2017The Dark OverlordLine 204Line 204, a Hollywood film and television production and rental company, reveals that hackers from The Dark Overlord collective have stolen its client database. The breach probably happened in September 2017.UnknownIndustry: EntertainmentCCUS
5031/10/2017?Single IndividualsKaspersky Lab reveal the details of CryptoShuffler, a malware aimed to hijack bitcoin wallets.MalwareSingle IndividualsCC>1
5131/10/2017North KoreaDaewoo Shipbuilding & Marine Engineering Co LtdNorth Korea is suspected to have stolen South Korean warship blueprints after hacking into Daewoo Shipbuilding & Marine Engineering Co Ltd’s database in April last year.Targeted AttackIndustry: ShipbuildingCEKR
5231/10/2017?Japanese CompaniesResearchers from Cyberseason reveal the details of a long-lasting campaign against Japanese companies using the ransomware/wiper ONI.MalwareIndustry: >1CCJP

Leave a Reply

%d bloggers like this: