1-15 January 2018 Cyber Attacks Timeline

Let’s open infosec 2018 with the first cyber attacks timeline, covering the main events that occurred between January 1st and January 15th, which brings in a novelty with regard to the taxonomy of the target classes. In order to facilitate the classification, as suggested by some readers, I have decided to adopt the International Standard Industrial Classification, with a small modification to take into account the cases where the targets are multiple, or single individuals.

That being said, let’s have a quick look at the main events (as usual scroll down the list for additional details).

So the beginning of the year confirms that cryptocurrencies are the new gold for criminals: this fortnight has recorded an attack on a crypto wallet (BlackWallet), and the discovery of four botnets/operations aimed at mining cryptocurrencies on the victims’ machines.

The unwelcome 2018 list of mega breaches is opened by Health South-East RHF, the healthcare organization that manages hospitals in Norway’s southeast region, the victim of an attack affecting over 2.9 million individuals.

Despite all the countermeasures, Android malware confirms its momentum (a fake Uber app, some fake security apps, and the first example of a malware written in Kotlin are only a few examples).

Last but not least, the Olympic Games have not started yet, and a campaign targeting them (Operation PowerShell Olympics) has already been uncovered. Meanwhile, APT28 (AKA Fancy Bear, AKA Pawn Storm) continues to be quite active, as does Turla, on the spot again with a new campaign targeting embassies and consulates in East Europe with a fake Flash update.

If you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015, 2016, and 2017 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheet format.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country |
|---|---|---|---|---|---|---|---|---|
| 1 | 01/01/2018 | ? | Faye Brookes | 2018 begins with a new round of Fappening leaks. This time the victim is Faye Brookes, whose explicit video is leaked on several video sharing websites. | Unknown | X Individual | CC | UK |
| 2 | 01/01/2018 | ? | Rockingham County Schools | Rockingham County Schools servers are compromised by the Emotet malware after an employee opens a phishing email. | Malware | P Education | CC | US |
| 3 | 02/01/2018 | Andariel | Unnamed South Korean Company | Bloomberg reveals that a hacking unit called Andariel seized a server at a South Korean company in the summer of 2017 and used it to mine about 70 Monero coins, worth about $25,000 as of Dec. 29. | Unknown | Z Unknown | CC | KR |
| 4 | 02/01/2018 | @0x55Taylor | thefly.com | A hacker using the Twitter handle @0x55Taylor posts some screenshots of a breach affecting all users who registered at thefly.com, a leading digital publisher of real-time financial news, between 2006 and 2015. The leak contains the data of 100,000 individuals, and the credit card details of 27,000 of them. | SQLi? | J Information and communication | CC | US |
| 5 | 03/01/2018 | ? | Uber Users | Symantec researchers discover a new malware strain, dubbed Android.Fakeapp, that sneakily spoofs Uber’s Android app and harvests users’ passwords, allowing attackers to take over users’ accounts. | Malware | X Individual | CC | >1 |
| 6 | 03/01/2018 | ? | Android Users | Researchers from Trend Micro discover 36 apps on Google Play disguised as security tools, but in reality able to secretly harvest user data, track user location, and aggressively push advertisements. | Malware | X Individual | CC | >1 |
| 7 | 03/01/2018 | ? | City of Farmington | The city of Farmington is hit by a variant of the SamSam ransomware. | Malware | Q Human health and social work activities | CC | US |
| 8 | 03/01/2018 | ? | Linux Servers | Researchers at F5 discover a new Linux crypto-miner botnet dubbed PyCryptoMiner spreading over SSH. The Monero miner botnet is based on Python and leverages Pastebin as command and control server when the original C&C isn’t available. | Malware | X Individual | CC | >1 |
| 9 | 03/01/2018 | ? | Bank customers globally | Researchers from security company Quick Heal reveal the details of Android.banker.A9480, an Android banking trojan targeting more than 232 banking apps of financial institutions globally. | Malware | X Individual | CC | >1 |
| 10 | 03/01/2018 | ? | Big Line Holiday | Big Line Holiday, a Hong Kong travel agency, reveals that hackers might have broken into its database a day before and gained possession of some of its customers’ personal information. | Malware | R Arts entertainment and recreation | CC | HK |
| 11 | 04/01/2018 | ? | Ukrainian users | Researchers from Cisco Talos reveal that unknown attackers have compromised the official website of Ukrainian accounting software developer Crystal Finance Millennium to distribute a new variant of the Zeus banking trojan. The compromised website hosts the payload retrieved by a dropper distributed via a spam campaign. | Malware | X Individual | CC | UA |
| 12 | 04/01/2018 | ? | City of Belle Fourche | The city of Belle Fourche is hit by a ransomware attack. | Malware | O Public administration and defence; compulsory social security | CC | US |
| 13 | 04/01/2018 | ? | Goldjoy | Goldjoy, another travel agency in Hong Kong, reveals that unauthorised parties accessed its customer database containing personal information such as names and ID card numbers, passport details and phone numbers, asking for a ransom. | Malware | R Arts entertainment and recreation | CC | HK |
| 14 | 05/01/2018 | ? | Android Users | Security researchers from Check Point uncover LightsOut, a new mobile adware program hidden in 22 fake applications on the Google Play Store. According to the researchers, the apps were downloaded between 1.5 million and 7.5 million times. | Malware | X Individual | CC | >1 |
| 15 | 05/01/2018 | ? | Reddit | Reddit confirms that one of its email providers, Mailgun, has been breached, resulting in the hacks of user profiles and their linked cryptocurrency accounts. | Account Hijacking | J Information and communication | CC | US |
| 16 | 05/01/2018 | ? | Beautyblender | Beautyblender notifies 3,673 individuals that their information might have been compromised after the discovery of malware on its online shop. | Malware | G Wholesale and retail trade; repair of motor vehicles and motorcycles | CC | US |
| 17 | 05/01/2018 | ? | Oklahoma State University Center for Health Sciences (OSUCHS) | Oklahoma State University Center for Health Sciences notifies an undisclosed number of affected patients of unauthorized third-party access that occurred in November 2017. | Unknown | Q Human health and social work activities | CC | US |
| 18 | 05/01/2018 | @0x55Taylor | Creditseva | After defacing it, @0x55Taylor manages to gain access to Creditseva’s main website server and a copy of the S3 bucket credentials. | Unknown | K Financial and insurance activities | CC | IN |
| 19 | 05/01/2018 | The Dark Overlord | Columbia Falls School District Number 6 | The Columbia Falls School District Number 6 in Montana sends out letters notifying of the breach that followed the attack carried out by The Dark Overlord, which began on September 1st, 2017. | Unknown | P Education | CC | US |
| 20 | 06/01/2018 | ? | Olympic Games in South Korea | Researchers from McAfee uncover a campaign, dubbed Operation PowerShell Olympics, targeting organizations involved with next month's Games in South Korea, with the aim of controlling infected machines. | Targeted Attack | R Arts entertainment and recreation | CE | KR |
| 21 | 06/01/2018 | ? | BlackBerry Mobile Site | The BlackBerry Mobile site is hacked by exploiting a Magento vulnerability. The attackers install a Monero miner using the Coinhive library. | Magento Vulnerability | J Information and communication | CC | CA |
| 22 | 06/01/2018 | ? | Florida's Agency for Health Care Administration (FAHCA) | A phishing attack on an employee at Florida's Agency for Health Care Administration (discovered on November 20, 2017) results in the exposure of sensitive information on 30,000 Medicaid patients. | Account Hijacking | Q Human health and social work activities | CC | US |
| 23 | 07/01/2018 | ? | CVE 2017-10271 Vulnerable Machines | A report published by the SANS Technology Institute reveals that attackers are exploiting a critical Oracle WebLogic flaw (CVE 2017-10271) to inject Monero cryptocurrency miners on victims’ machines. | Malware | X Individual | CC | >1 |
| 24 | 08/01/2018 | ? | Health South-East RHF | Health South-East RHF, a healthcare organization that manages hospitals in Norway's southeast region, announces a security breach. A hacker or hacker group might have stolen healthcare data for more than half of Norway's population (over 2.9 million individuals). | Unknown | Q Human health and social work activities | CC | NO |
| 25 | 08/01/2018 | ? | Single Individuals | AlienVault reveals it has found malware that appears to install code for mining Monero cryptocurrency, sending any mined coins to a server at a North Korean university. | Malware | X Individual | CC | >1 |
| 26 | 08/01/2018 | ? | Onco360 | Onco360 notifies a phishing incident involving an employee’s email account and potentially affecting 53,000 users. | Account Hijacking | Q Human health and social work activities | CC | US |
| 27 | 08/01/2018 | ? | Caremed Specialty Pharmacy | Caremed Specialty Pharmacy is a victim of the same event affecting Onco360. | Account Hijacking | Q Human health and social work activities | CC | US |
| 28 | 09/01/2018 | Turla | Embassies and consulates in East Europe | Researchers from ESET unveil the details of a new operation carried out by the Turla cyber espionage group, targeting embassies and consulates in East Europe using a fake Adobe Flash updater. | Targeted Attack | O Public administration and defence; compulsory social security | CE | >1 |
| 29 | 09/01/2018 | ? | Android Users | Researchers at Trend Micro find in the Google Play Store the first Android malware written in the Kotlin programming language, designed to steal information, carry out ad click fraud, and sign users up to premium SMS services without their permission. | Malware | X Individual | CC | >1 |
| 30 | 09/01/2018 | ? | Single Individuals | Malwarebytes reveals the details of a campaign distributing coin-mining malware via drive-by download attacks from malvertising, exploiting the RIG Exploit Kit. | Malvertising | X Individual | CC | >1 |
| 31 | 10/01/2018 | Pawn Storm AKA Fancy Bear AKA APT28 | International Olympic Committee | APT28 (AKA Pawn Storm AKA Fancy Bear) publishes a set of apparently stolen emails purportedly belonging to officials from the International Olympic Committee, the United States Olympic Committee, and third-party groups associated with the organizations. | Unknown | U Activities of extraterritorial organizations and bodies | CC | N/A |
| 32 | 10/01/2018 | ? | Android Users | Researchers from Symantec discover a fake Telegram (Teligram) app on the Google Play Store that claims to be a new, updated version of the popular encrypted messenger app, but whose real purpose is to distribute malware. | Malware | X Individual | CC | >1 |
| 33 | 10/01/2018 | ? | Russian Bank Customers | Researchers at Trend Micro discover a new mobile malware, dubbed FakeBank, that primarily targets Russian banking customers, taking over victims' SMS capabilities and allowing cybercriminals to intercept text messages that contain bank security codes. | Malware | X Individual | CC | CC |
| 34 | 10/01/2018 | ? | Netflix Users | Netflix users are warned to avoid clicking on any suspicious email links after a phishing scam, which security experts say is designed to steal credit card details, is uncovered by security firm Mailguard. | Account Hijacking | X Individual | CC | >1 |
| 35 | 11/01/2018 | ? | Unpatched Windows and Linux servers | Researchers from Check Point and Certego reveal the details of a new campaign distributing a malware dubbed RubyMiner, turning outdated web servers into Monero miners. | Malware | Y Multiple Industries | CC | >1 |
| 36 | 11/01/2018 | ? | German Users | German authorities warn about phishing emails trying to take advantage of the Spectre and Meltdown vulnerabilities, promising fake patches and distributing the Smoke Loader malware. | Malware | X Individual | CC | DE |
| 37 | 11/01/2018 | ? | Apple Mac users | Patrick Wardle, a security researcher, discovers OSX MaMi, a new, undetectable strain of malware affecting Apple Macs that can hijack a device's DNS settings and steal victims' personal data. | Malware | X Individual | CC | >1 |
| 38 | 11/01/2018 | ? | North Korean defectors | Researchers at McAfee unveil the details of operation Sun Team, a campaign targeting North Korean defectors, along with those who help them, which aims to infect their devices with trojan malware for the purpose of spying on them. | Malware | X Individual | CE | KP |
| 39 | 11/01/2018 | ? | Adams Health Network | Adams Health Network, which runs Adams Memorial Hospital, confirms that a ransomware attack targeted some of its computer servers. | Malware | Q Human health and social work activities | CC | US |
| 40 | 12/01/2018 | Pawn Storm AKA Fancy Bear AKA APT28 | US Senate | Researchers from Trend Micro reveal that the state-sponsored hackers behind APT28 (AKA Pawn Storm AKA Fancy Bear) targeted the US Senate in mid-2017. | Targeted Attack | O Public administration and defence; compulsory social security | CE | US |
| 41 | 12/01/2018 | ? | Hancock Regional Hospital | Hancock Regional Hospital, in the state of Indiana, confirms it is running on pen and paper following a SamSam ransomware attack which hit the day prior. The hospital eventually pays the hackers $55,000 to restore control. | Malware | Q Human health and social work activities | CC | US |
| 42 | 12/01/2018 | ? | Android Users | Researchers from Check Point reveal the details of 'AdultSwine', malware that displays pornographic advertising on Android applications, found in 60 gaming apps on Google Play and downloaded between three and seven million times. | Malware | X Individual | CC | >1 |
| 43 | 13/01/2018 | ? | New Zealand Football | New Zealand Football says it is investigating a potential hack of its official website after a fake news article popped up "announcing" the resignation of its CEO Andy Martin. | Defacement | R Arts entertainment and recreation | CC | NZ |
| 44 | 13/01/2018 | ? | BlackWallet | An unidentified thief reportedly steals more than $400,000 in Stellar lumens after hacking the digital wallet provider BlackWallet. | DNS Hijacking | K Financial and insurance activities | CC | DE |
| 45 | 14/01/2018 | ? | Devices powered by ARC CPUs | Researchers from infosec group Malware Must Die discover a new variant of the Mirai botnet capable of infecting devices powered by ARC CPUs. The botnet is dubbed "Okiru", which means "wake up" in Japanese. | Malware | X Individual | CC | >1 |
| 46 | 14/01/2018 | Ayyıldız Tim | Syed Akbaruddin's Twitter Account @AkbaruddinIndia | The verified Twitter account of Syed Akbaruddin, India's top diplomat to the United Nations, is briefly taken over by suspected Turkish hackers. | Account Hijacking | X Individual | H | IN |
| 47 | 14/01/2018 | Ayyıldız Tim | Borge Brende's Twitter Account @borgebrende | The same hackers also manage to hijack the verified account of Borge Brende, the president of the World Economic Forum and former minister of foreign affairs for Norway. | Account Hijacking | X Individual | H | NO |
| 48 | 15/01/2018 | ? | OnePlus | Chinese smartphone manufacturer OnePlus launches an investigation after a number of customers who used its website to purchase products complain of attempted fraud. A few days later (January 19) the company confirms it has been hacked via a malicious script injected into its website, potentially compromising the payment card details of up to 40,000 customers. | Malicious Script | C Manufacturing | CC | CN |
| 49 | 15/01/2018 | ? | Chrome Users | Security researchers from ICEBRG find four malicious Chrome extensions available in the Chrome store, laced with suspicious code and infecting more than 500,000 users across the globe, including workstations within major organizations. | Malicious Browser Extension | X Individual | CC | >1 |
| 50 | 15/01/2018 | ? | Financial Organizations in Latin America | Researchers from Trend Micro spot a new variant of the KillDisk disk-wiping malware targeting companies in the financial sector in Latin America. | Malware | K Financial and insurance activities | CC | >1 |
