1-15 November 2017 Cyber Attacks Timeline

I know I am a little late: Christmas is getting close, 2017 is quickly coming to an end, and I must catch up with the timelines. So, let me start with the first timeline of November, covering the main cyber attacks that occurred in the first half of this month.

And if you scroll down the whole list, you will realise that this period is quite long, and includes some entries that have enriched the yearly list of mega breaches. I am referring to the likes of Hetzner, Verticalscope, and Forever 21, which were victims of cyber attacks in this period.

State-sponsored attackers were also quite active in this period. Fancy Bear (AKA APT28) never sleeps: it found new ways to target the journalists of Bellingcat, and exploited the fear of the NYC terror attack to launch a new campaign.

Other alleged state sponsored actors active in this period include the KeyBoy gang, APT32 AKA OceanLotus, Sowbug, MuddyWater and also Hidden Cobra, a North Korean Group for which the US Government has issued an alert.

Last but not least, this period has also seen a rise in events driven by hacktivism: Anonymous claimed to have infiltrated the emails of several government employees and to have taken down 12 neo-Nazi websites, Team System DZ defaced 800 school websites across the US, and an unknown attacker hijacked a North Korean radio station to broadcast “The Final Countdown”.

As usual, scroll down the whole list for all the events that happened in this fortnight. And if you want an idea of how fragile our electronic identity is in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015 and 2016 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheet format.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country |
|---|---|---|---|---|---|---|---|---|
| 1 | 01/11/2017 | ? | Hetzner | A key database operated by large South African data centre operator and website hosting service provider Hetzner is compromised, and the company advises clients to change their passwords immediately. Compromised data includes customer and bank account details. | SQLi | Industry: Web Hosting | CC | ZA |
| 2 | 01/11/2017 | ? | Customers of TD, Desjardins, RBC, Scotia Bank, Banque Nationale | Security researchers at Deep Instinct discover a comeback of the sophisticated banking trojan CoreBot to target online banking customers via phishing emails. The modified variant of the malware is distributed via malicious spam emails with Microsoft Office documents attached. | Malware | Finance | CC | CA |
| 3 | 01/11/2017 | ? | The Trump Organization | Security researchers discover evidence that hackers were able to register at least 250 shadow domains under the umbrella of the Trump Organization. These subdomains are associated with Russian IP addresses and appear to have ties to possible malware campaigns. The subdomains have been active since 2013. | Account Hijacking | Industry: Conglomerate | CC | US |
| 4 | 01/11/2017 | ? | Russian banks, Malaysian and Armenian organizations | Researchers from Kaspersky Lab discover a new targeted attack against financial institutions using a Trojan by the name of Silence. Russian banks and Malaysian and Armenian organizations are infected. | Targeted Attack | Finance | CC | RU MY AM |
| 5 | 01/11/2017 | ? | University of Fraser Valley (UFV) | An unknown attacker (or group of attackers) breaches the network of University of Fraser Valley (UFV) and threatens to dump student information unless university top brass pay 30,000 CAD (23,000 USD). | Unknown | Education | CC | CA |
| 6 | 01/11/2017 | ? | Ethereum-mining farms | Researchers from Bitdefender spot a wave of attacks against open SSH connections of EthOS, the operating system of Ethereum-mining farms, in an attempt to hijack the funds by replacing the user’s wallet with their own. | Account Hijacking | Ethereum-mining farms | CC | >1 |
| 7 | 02/11/2017 | ? | Verticalscope | For the second time since June 2016, hackers compromise Verticalscope.com, a Canadian company that manages hundreds of popular Web discussion forums totaling more than 45 million user accounts, and sell the stolen accounts on the black market. | Web Shell | Online Services | CC | CA |
| 8 | 02/11/2017 | ? | Single Individuals | Researchers from Cisco Talos reveal that the actors behind the Zeus Panda trojan are exploiting Search Engine Optimization (SEO) poisoning techniques to spread their malware. | Malware | Single Individuals | CC | >1 |
| 9 | 02/11/2017 | KeyBoy | Unnamed Western Organizations | Researchers from PwC reveal that the Chinese threat actor dubbed KeyBoy is back in business with a new cyber espionage campaign against several Western organizations. | Targeted Attack | >1 | CE | >1 |
| 10 | 02/11/2017 | APT28 | Bellingcat | Researchers from ThreatConnect unveil the latest campaign of APT28 (AKA Fancy Bear) targeting Bellingcat journalists via a targeted phishing campaign aimed at stealing their Gmail passwords. | Targeted Attack | Org: Journalism | CE | UK |
| 11 | 02/11/2017 | Akincila | The Times of Israel and Asia Times websites | The Times of Israel and Asia Times websites are hijacked and defaced by suspected Turkish hackers, who post messages in favor of Palestine on the 100th anniversary of the Balfour Declaration. | Defacement | News | H | IL |
| 12 | 03/11/2017 | ? | Android users | More than one million people are tricked into downloading yet another malicious Android app disguised as a WhatsApp update. | Malware | Single Individuals | CC | >1 |
| 13 | 03/11/2017 | ? | Customers of large Austrian banks | Researchers from Proofpoint reveal the details of a new campaign using the Marcher trojan to target customers of large Austrian banks. | Malware | Finance | CC | AT |
| 14 | 03/11/2017 | ? | Netflix Users | Researchers from Mailguard reveal the details of a phishing campaign targeting Netflix users. | Account Hijacking | Single Individuals | CC | >1 |
| 15 | 04/11/2017 | ? | Crunchyroll.com | Crunchyroll.com is the victim of a DNS hijacking attack: visitors are redirected to a malicious website designed to infect them with malware. | DNS Hijacking | Industry: Entertainment | CC | US |
| 16 | 04/11/2017 | ? | NIC Asia Bank | NIC Asia Bank, based in Kathmandu, suffers a hack of its computer networks, which abused the SWIFT financial messaging system to help steal approximately $4.4m (£3.3m). After multiple investigations, most of the stolen funds have been recovered, with roughly $580,000 yet to be located by authorities. | Malware | Finance | CC | NP |
| 17 | 05/11/2017 | ? | Paige | A new file containing more x-rated photos of WWE Diva Paige is leaked online. Although it is unclear who is behind the leak this time, it can be confirmed that the leaked content belongs to Paige. | Unknown | Single Individuals | CC | UK |
| 18 | 05/11/2017 | ? | Maria Kanellis | Another WWE Diva has her private photos leaked. This time the victim is Maria Kanellis. | Unknown | Single Individuals | CC | US |
| 19 | 05/11/2017 | ? | Joseann 'JoJo' Offerman | Joseann 'JoJo' Offerman is the third WWE Diva to suffer a nude photo leak. | Unknown | Single Individuals | CC | US |
| 20 | 06/11/2017 | ? | Sia | Australian singer Sia, having heard that her nude photos might be leaked, pre-empts the “fappening” by posting a personal naked photo herself. | Unknown | Single Individuals | CC | AU |
| 21 | 06/11/2017 | ? | Electroneum | UK cryptocurrency startup Electroneum is the victim of a DDoS attack immediately after raising $40m (£30m). | DDoS | Cryptocurrency Exchange | CC | UK |
| 22 | 06/11/2017 | Team System Dz | SchoolDesk | Hackers from Team System Dz deface hundreds of websites across the US to post pro-ISIS messages, images of Saddam Hussein and a recruitment video. SchoolDesk, the Atlanta, Georgia-based web hosting company servicing these sites, confirms the attack. | Defacement | Education | H | US |
| 23 | 06/11/2017 | APT32 AKA OceanLotus | Multiple Websites in Asian Countries | Security researchers from Volexity reveal that hackers from APT32 managed to compromise more than 100 websites in multiple Asian countries, implanting malware and maintaining persistence. | Malware | >1 | CE | >1 |
| 24 | 06/11/2017 | ? | Single Individuals | Microsoft warns users about the rise of two well-known malware strains: Qakbot and Emotet. | Malware | Single Individuals | CC | >1 |
| 25 | 07/11/2017 | APT28 | Multiple Targets | Researchers at McAfee reveal that they have been tracking a new spear-phishing campaign from the Russia-linked hacker team APT28, exploiting the Microsoft DDE feature and leveraging the New York terror attack. | Targeted Attack | >1 | CE | >1 |
| 26 | 07/11/2017 | Sowbug | Organizations in South America and Southeast Asia | Researchers from Symantec identify a previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. | Targeted Attack | >1 | CE | >1 |
| 27 | 08/11/2017 | Team System Dz | Prince Albert Police homepage | Hackers from Team System Dz deface the Prince Albert Police homepage and leave the message "I love Islamic State". | Defacement | Law Enforcement | H | CA |
| 28 | 08/11/2017 | Joseph Willner | Brokerage Accounts | The Department of Justice files an indictment against Joseph Willner, 42, of Ambler, Pennsylvania, accusing the day trader of hacking into brokerage accounts at various financial companies and placing unauthorized trades between September 2014 and May 2017. The attacker and his partners stole $700,000. | Account Hijacking | Single Individuals | CC | US |
| 29 | 08/11/2017 | ? | Single Individuals | Researchers at Avira Virus Lab detect a new strain of the Locky ransomware spreading through malicious attachments disguised as legitimate documents from productivity applications like Microsoft Word and LibreOffice. | Malware | Single Individuals | CC | >1 |
| 30 | 08/11/2017 | ? | City of Spring Hill, Tennessee | The City of Spring Hill, Tennessee is hit by a ransomware attack. The attackers demand a $250,000 ransom. | Malware | Government | CC | US |
| 31 | 08/11/2017 | ? | Android users | Researchers from security firm RiskIQ detect BankBot, a trojan available in the Google Play market disguised as a cryptocurrency market application. | Malware | Single Individuals | CC | >1 |
| 32 | 08/11/2017 | ? | Single Individuals | An unknown attacker uploads a version of the Reaper botnet IP Scanner infected with a backdoor. | Malware | Single Individuals | CC | >1 |
| 33 | 09/11/2017 | ? | North Korean radio station on 6400 kHz | A North Korean radio station is reportedly hijacked by an unknown hacker to play the 1980s hit song "The Final Countdown". The short-wave station on 6400 kHz is known to be used by Pyongyang to transmit secret codes. | Unknown | Radio Station | H | KP |
| 34 | 09/11/2017 | ? | Android users | Researchers from Trend Micro discover two malicious apps in the Google Play Store, downloaded by more than 500,000 users. The apps are the first example of exploitation of the vulnerability CVE-2017-0752. The malware is dubbed ToastAmigo. | Malware | Single Individuals | CC | >1 |
| 35 | 09/11/2017 | ? | German Users | A new ransomware strain called Ordinypt is currently targeting victims in Germany, but instead of encrypting users' documents, the ransomware overwrites files with random data. | Malware | Single Individuals | CC | DE |
| 36 | 10/11/2017 | ? | Parity | A startup called Cappasity claims that the bug that triggered a $280m Ethereum wallet freeze was a deliberate hack. | Vulnerability in Parity Code | Single Individuals | CC | >1 |
| 37 | 10/11/2017 | ? | Entities perceived by the Chinese Government as dangerous | Researchers from Palo Alto Networks' Unit 42 discover a new malware family dubbed Reaver, linked to the SunOrcal malware and targeting entities perceived by the Chinese Government as dangerous. | Targeted Attack | >1 | CE | >1 |
| 38 | 10/11/2017 | ? | Mix Megapol | A private radio station in Sweden, Mix Megapol, suffers a cyber attack when someone hacks its transmission to play a pro-ISIS song for 30 minutes. | Unknown | Radio Station | H | SE |
| 39 | 11/11/2017 | Anonymous | Italian Government | The Anonymous collective publishes some internal documents stolen from the email accounts of several government employees. | Account Hijacking | Government | H | IT |
| 40 | 13/11/2017 | ? | McAfee ClickProtect | Security firm McAfee blocks access to the website of its McAfee ClickProtect service after reports suggested the site was used to distribute the Emotet malware. | Malware | Industry: Software | CC | US |
| 41 | 13/11/2017 | ? | Single Individuals | Malware researchers at IBM X-Force discover a new strain of banking malware dubbed IcedID, which has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. | Malware | Single Individuals | CC | >1 |
| 42 | 14/11/2017 | Hidden Cobra | Aerospace, telecommunications and financial industries | The U.S. government issues a technical alert about Hidden Cobra, a wave of cyber attacks sponsored by the North Korean government that have targeted the aerospace, telecommunications and financial industries since 2016. Attackers are using a type of malware known as “FALLCHILL” to gain entry to computer systems and compromise network systems. | Targeted Attack | Industry: >1 | CE | >1 |
| 43 | 14/11/2017 | ? | Forever 21 | Fashion retailer Forever 21 discloses a breach due to unauthorized access to data from payment cards used at certain of its stores. | PoS Malware | Industry: Fashion | CC | US |
| 44 | 14/11/2017 | ? | Android users | Researchers from McAfee reveal that up to 17.4 million Android users have downloaded a Trojan dubbed Grabos, found in 144 separate mobile applications. | Malware | Single Individuals | CC | >1 |
| 45 | 14/11/2017 | Anonymous | 12 neo-Nazi sites | The hacktivist collective Anonymous claims responsibility for taking down over a dozen neo-Nazi sites in retaliation for recent ongoing events in the US. These attacks are part of the ongoing #OpDomesticTerrorism campaign. | Defacement | Org: Politics | H | >1 |
| 46 | 14/11/2017 | ? | Jewson | Builders merchant Jewson notifies 1,659 customers that their private information could have been exposed in a breach that occurred late this summer. The breach happened after malicious code was implanted in the Jewson Direct website. | Malware | Industry: Building Materials | CC | UK |
| 47 | 14/11/2017 | MuddyWater | Middle Eastern nations | Researchers from Palo Alto Networks' Unit 42 reveal the details of MuddyWater, a campaign carried out by a politically motivated actor targeting Middle Eastern nations. | Targeted Attack | >1 | CE | >1 |
| 48 | 15/11/2017 | Russian Bot | Single Individuals | The Times reveals that a network of 150,000 fake Twitter accounts posted more than 45,000 messages about Brexit in 48 hours during last year’s referendum in an apparently co-ordinated attempt to sow discord. | Fake Twitter Accounts | Single Individuals | CW | UK |
| 49 | 15/11/2017 | ? | J. Sterling Morton school district | An in-development, home-made ransomware named J. Sterling Ransomware is discovered. This ransomware strain targets the high school students of the J. Sterling Morton school district in Cicero, Illinois by pretending to be a student survey. | Malware | Education | CC | US |
| 50 | 15/11/2017 | ? | Android users | Researchers from ESET discover a multi-stage Android malware, tracked as Android/TrojanDropper.Agent.BKY, available for download in the official Google Play store in eight malicious apps. | Malware | Single Individuals | CC | >1 |
| 51 | 15/11/2017 | ? | Small and Medium Businesses | Researchers from Sophos reveal the details of a wave of attacks targeting medium-sized businesses and exploiting RDP to install ransomware. | RDP Brute Force | >1 | CC | >1 |

Attack Class legend: CC = Cyber Crime, CE = Cyber Espionage, CW = Cyber Warfare, H = Hacktivism. ">1" in the Target Class or Country column means multiple sectors or countries were affected.
