16-31 January 2018 Cyber Attacks Timeline

It’s time for the second timeline of January 2018, covering the main cyber attacks that occurred between January 16 and January 31 (first timeline here), a timeline that, as you will immediately notice, is unsurprisingly long.

The new gold rush (the crypto currency frenzy) is confirmed as one of the main drivers of this interesting beginning of 2018. This fortnight we have experienced the largest theft of digital coins (so far). The unfortunate protagonist of this event is Coincheck, a Japanese exchange that suffered a staggering $524 million loss as the consequence of a cyber attack.

Scams (not necessarily during Initial Coin Offerings) have been another appealing event for digital crooks during this fortnight, and we had three examples: the users of IOTA (an open-source distributed ledger for IoT applications, $4M worth of losses), the participants in the ICO of the Bee Token Crypto Currency ($1M worth of losses) and finally those in the ICO of Experty (“only” $150,000 worth of losses). The constantly growing occurrence of similar events has led me to add the “fintech” category to the classification taxonomy.

And BTW, the list of attacks involving miners is really too long to enumerate, so I really suggest you read the whole timeline.

Regarding Cyber Espionage, some interesting events include the discovery of Dark Caracal, a massive long-lasting campaign carried out by actors purportedly tied to the Lebanese government, and the discovery of SkyGoFree, a surveillance malware with Italian roots, reminiscent of the Hacking Team creations.

Cyber Criminals were particularly active in the US with an unprecedented Jackpotting campaign against local ATMs, but I would also mention a novel malware targeting electronic pump stations in Russia, intended to force users to pay more for fuel.

Instead, the winds of cyber war were particularly strong in the Netherlands, where the main local banks and a couple of governmental entities were hit by an intense wave of DDoS attacks, a possible retaliation after reports emerged according to which the Dutch intelligence agency AIVD allegedly spied on the Russia-linked hacker group Cozy Bear (also known as APT29) as early as 2014.

But this fortnight the list is really too long, so I repeat my advice to browse it all.

In any case, if you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015, 2016, and 2017 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheet format.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country |
|---|---|---|---|---|---|---|---|---|
| 1 | 12/01/2018 | ? | Monticello Central School District | Monticello Central School District warns of a sophisticated e-mail phishing attack that occurred on November 1st, 2017. Potentially 2,598 individuals are affected. | Account Hijacking | P Education | CC | US |
| 2 | 16/01/2018 | Group 123 | Multiple targets mainly in South Korea | Researchers from Cisco Talos reveal the details of the malicious activities of Group 123, a malicious actor linked to North Korea, author of at least six malicious campaigns focused on South Korean targets. | Targeted Attack | Y Multiple Industries | CE | KR |
| 3 | 16/01/2018 | ? | Several Italian Individuals | Researchers from Kaspersky Lab reveal the details of Skygofree, an Android malware, reminiscent of the Hacking Team surveillance malware, targeting some Italian individuals. | Malware | X Individual | CE | IT |
| 4 | 16/01/2018 | Ayyıldız Tim | Eric Bolling (@ericbollingTR) and Greta Van Susteren (@greta) Twitter accounts | Former Fox News hosts Eric Bolling and Greta Van Susteren appear to have their Twitter accounts hijacked by a group of suspected Turkish hackers dubbed Ayyıldız Tim. | Account Hijacking | X Individual | CC | US |
| 5 | 16/01/2018 | ? | Several cryptocurrency exchanges such as Coinlink | According to the security firm Recorded Future, the notorious North Korean hacking outfit Lazarus Group is behind cyberattacks that targeted South Korean cryptocurrency exchanges and users towards the end of 2017. However, Coinlink denies the claims. | Account Hijacking | V Fintech | CC | >1 |
| 6 | 16/01/2018 | ? | Singing River Health System | Unknown attackers try to break into the Singing River Health System’s network. | Unknown | Q Human health and social work activities | CC | US |
| 7 | 17/01/2018 | ? | Bank Customers in the UK, France and Australia | Security researchers at Forcepoint reveal a new, improved version of the financial malware Dridex, targeting victims in the UK, France and Australia and using compromised FTP sites in phishing campaigns. | Malware | K Financial and insurance activities | CC | >1 |
| 8 | 17/01/2018 | ? | Several telecommunications, insurance and financial service firms | Researchers from security firm FireEye reveal a new spam campaign delivering the Zyklon HTTP malware and exploiting three relatively new Microsoft Office vulnerabilities. The attackers are targeting telecommunications, insurance and financial service firms. The malware comes with a variety of features, like password stealing, keylogging, DDoS and crypto mining. | Malware | Y Multiple Industries | CC | >1 |
| 9 | 17/01/2018 | ? | Claymore mining rigs | A new variant of the Satori botnet springs back to life, targeting Claymore mining rigs and replacing the device owner's mining credentials with the attacker's own. | Malware | V Fintech | CC | >1 |
| 10 | 17/01/2018 | ? | Single Individuals | Necurs, the world's largest spam botnet, is back on track, sending millions of spam emails that push an obscure cryptocurrency named Swisscoin, used for a Multi-Level-Marketing (MLM) Ponzi scheme. | Malware | X Individual | CC | >1 |
| 11 | 18/01/2018 | Dark Caracal | Victims inside governments, militaries, utility companies, financial institutions, manufacturing companies and defense contractors in 21 different countries | Security researchers from digital rights organization Electronic Frontier Foundation and security firm Lookout reveal a long-lasting campaign allegedly carried out by attackers tied to the Lebanese government, able to steal hundreds of gigabytes from thousands of victims all over the world. The group is dubbed Dark Caracal. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 12 | 18/01/2018 | ? | Android Users | Google removes 53 apps from the official Play Store because they were spreading a new breed of Android malware named GhostTeam, active since April 2017, that could steal Facebook credentials and push ads to infected phones. | Malware | Y Multiple Industries | CC | >1 |
| 13 | 18/01/2018 | ? | Allscripts | A ransomware attack takes down some of the applications used by Allscripts. | Malware | J Information and communication | CC | US |
| 14 | 18/01/2018 | ? | Questar Assessment | A data breach at the company that develops New York State’s third-through-eighth grade reading and math tests allows an unauthorized user to access information about 52 students. Students in another state are also affected, but the company does not provide further details. | Unknown | J Information and communication | CC | US |
| 15 | 19/01/2018 | ? | IOTA | Malicious websites used to generate password details for the fintech network IOTA (online seed generators) are reportedly to blame for the theft of nearly $4m (£2.9m) from users' digital wallets. | Account Hijacking | V Fintech | CC | >1 |
| 16 | 19/01/2018 | ? | Electronic Gas Stations | Russian authorities identify a distributed malware campaign targeting electronic gas stations using software programs at the pumps. Dozens of gas stations have been attacked, with customers paying more for fuel (around a 3 to 7% increment per gallon). | Malware | D Electricity gas steam and air conditioning supply | CC | RU |
| 17 | 19/01/2018 | ? | Westminster Ingleside King Farm Presbyterian Retirement Communities | Westminster Ingleside King Farm Presbyterian Retirement Communities notifies 5,228 residents of a malware attack that occurred on November 21, 2017. | Malware | P Education | CC | US |
| 18 | 19/01/2018 | ? | Charlotte Housing Authority | 341 employees of the Charlotte Housing Authority have their W-2 forms compromised after scammers sent CHA staffers an e-mail pretending to be from the CEO. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US |
| 19 | 21/01/2018 | ? | Android Users | Security researchers at Russian cybersecurity company Dr.Web discover a dangerous Android malware hidden in several gaming apps on the Play Store, stealing personal data from users by conducting phishing attacks. The malware is dubbed Android.RemoteCode.127.origin and has been downloaded more than 4,000,000 times. | Malware | X Individual | CC | >1 |
| 20 | 22/01/2018 | ? | Fire and Fury Readers | Researchers spot a copy of Michael Wolff’s book Fire and Fury infected with malware. | Malware | X Individual | CC | US |
| 21 | 22/01/2018 | Ayyıldız Tim | David Clarke Jr. Twitter Account | The Turkish Cyber Army hacking group strikes again and hijacks the Twitter account of vocal Donald Trump supporter and ex-Milwaukee County Sheriff David Clarke Jr. | Account Hijacking | X Individual | CC | US |
| 22 | 22/01/2018 | ? | Charissa Thompson | Fox Sports host Charissa Thompson is the latest celebrity whose nude photos are stolen by hackers and then published online as part of The Fappening scandal. | Account Hijacking | X Individual | CC | US |
| 23 | 22/01/2018 | ? | Apache Servers | Researchers from Trend Micro report a significant increase in the use of the Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) vulnerabilities to implant Monero miners. | Apache Struts Vulnerabilities | Y Multiple Industries | CC | >1 |
| 24 | 23/01/2018 | ? | Bell Canada | Police are investigating a new data breach at Bell Canada (the second in eight months), which says hackers have illegally obtained customer information, primarily subscriber names and e-mail addresses of up to 100,000 users. | Unknown | J Information and communication | CC | CA |
| 25 | 23/01/2018 | ? | Metrolinx | Ontario transit agency Metrolinx says it was the target of a cyberattack that originated in North Korea, but no personal information was compromised. | Unknown | H Transportation and storage | CE | CA |
| 26 | 23/01/2018 | ? | 220,000 Malaysian organ donors | Another data breach in Malaysia. A technology forum publishes details of a trove of data which includes the personal information of more than 220,000 organ donors. | Unknown | Q Human health and social work activities | CC | MY |
| 27 | 23/01/2018 | Nexus Zeta | IoT Devices Worldwide | According to a new report by Newsky Security, the author of the infamous Satori IoT botnet has created two new variants of its predecessor Mirai, called Masuta and PureMasuta. | Malware | X Individual | CC | >1 |
| 28 | 23/01/2018 | ? | Turkish Defense Contractors | According to RiskIQ, an unknown actor purporting to be from the tax collection arm of the Turkish government is carrying out spear-phishing campaigns against Turkish defense contractors, using a RAT called Remcos. | Targeted Attack | O Public administration and defence, compulsory social security | CE | TR |
| 29 | 23/01/2018 | ? | Twitter Users | Researchers from Malwarebytes reveal a fresh malware campaign spreading via spamming Twitter accounts. | Malware | X Individual | CC | >1 |
| 30 | 23/01/2018 | ? | National Stores, Inc. | National Stores, Inc. announces that it has been the victim of a malware attack, enabling unauthorized parties to access payment card information. It appears that payment cards used by customers at some National Stores locations between July 16 and December 11, 2017 may be involved. | Malware | G Wholesale and retail trade | CC | US |
| 31 | 23/01/2018 | ? | Unnamed company in Green Bay | Unknown hackers use a known vulnerability to get into a company’s computer system, stealing personal information from human resources files, and then use that to steal what police call “significant amounts” of money from several people. | Undisclosed vulnerability | Z Unknown | CC | US |
| 32 | 24/01/2018 | ? | Single Individuals | Researchers from Sucuri reveal a new campaign targeting more than 2,000 compromised websites, aimed at both mining Monero and stealing user credentials. | Malicious Script Injection | X Individual | CC | >1 |
| 33 | 24/01/2018 | ? | Harris County | Harris County loses almost $900K in a phishing scam. The attack dates back to September 2017. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US |
| 34 | 24/01/2018 | ? | Victims based primarily in Thailand, Vietnam and Egypt | Researchers from Palo Alto Networks discover a malicious URL redirection campaign that infects users with the XMRig Monero cryptocurrency miner. The campaign has already victimized users between 15 and 30 million times. | Malvertising | X Individual | CC | >1 |
| 35 | 24/01/2018 | ? | IoT Devices Worldwide | Bitdefender researchers uncover an emerging IoT botnet that uses advanced communication techniques to exploit victims and build its infrastructure. The bot is dubbed Hide 'N Seek (HNS). | Malware | X Individual | CC | >1 |
| 36 | 24/01/2018 | ? | 5 universities, 23 private companies and several government organizations | Security researchers from Comodo spot a new strain of sophisticated malware, dubbed Lebal, targeting a number of high-profile entities, including five universities, 23 private companies and several government organizations. | Targeted Attack | Y Multiple Industries | CC | >1 |
| 37 | 25/01/2018 | ? | Single Individuals | Researchers from Crowdstrike discover a new strain of malware that uses the National Security Agency's EternalBlue exploit to hijack computers and secretly mine cryptocurrency. The malware is dubbed WannaMine. | Malware | X Individual | CC | >1 |
| 38 | 25/01/2018 | ? | Single Individuals | A new ransomware called MoneroPay is discovered that tries to take advantage of the cryptocurrency craze by spreading itself as a wallet for a fake coin called SpriteCoin. | Malware | X Individual | CC | >1 |
| 39 | 25/01/2018 | OilRig | 8 Middle Eastern government organizations, as well as one financial and one educational institution | Researchers from Palo Alto Networks reveal a new operation of the Iran-linked cyber-espionage group tracked as OilRig, carried out using a backdoor dubbed RGDoor to target Internet Information Services (IIS) Web servers. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 40 | 26/01/2018 | ? | Financial Organizations in Latin America | NCR sends an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States. Sources say the malware behind the attack is Ploutus.D. | Malware | K Financial and insurance activities | CC | US |
| 41 | 26/01/2018 | ? | YouTube Users | YouTube is caught displaying ads that covertly use visitors' CPUs and electricity to generate digital currency on behalf of anonymous attackers. | Malicious Script Injection | X Individual | CC | >1 |
| 42 | 26/01/2018 | ? | Coincheck | Japanese cryptocurrency exchange Coincheck confirms that some $524 million worth of digital coins (a cryptocurrency called NEM) has been stolen, likely making it the largest single hack on an exchange. | Unknown | V Fintech | CC | JP |
| 43 | 26/01/2018 | ? | Users in the Middle East | Security researchers from Palo Alto Networks detect a fresh wave of attacks targeting users in the Middle East. Attackers use Arabic-language documents related to current political events to download and run malware. The campaign is called 'TopHat' and makes use of a malware dubbed 'Scote'. | Targeted Attack | X Individual | CE | >1 |
| 44 | 26/01/2018 | ? | Chrome Users | Trend Micro publishes a list of malicious Chrome extensions making use of a recently discovered technique called the "Session Replay" attack. | Malicious Extension | X Individual | CC | >1 |
| 45 | 26/01/2018 | ? | phpBB | An unknown attacker compromises download links for the phpBB forum software, according to a statement released today by the phpBB development team. | Unknown | J Information and communication | CC | N/A |
| 46 | 27/01/2018 | ? | ABN Amro | ABN Amro is the victim of a sustained DDoS attack. The wave of cyberattacks comes just days after local media reported that Dutch intelligence agency AIVD spied on the Russia-linked hacker group Cozy Bear, also known as APT29, as early as 2014. | DDoS | K Financial and insurance activities | CW | NL |
| 47 | 27/01/2018 | ? | ING | During the same weekend, ING is also targeted. | DDoS | K Financial and insurance activities | CW | NL |
| 48 | 28/01/2018 | ? | Experty | A hacker tricks Experty ICO participants into sending Ethereum funds to the wrong wallet address. He is able to do this by sending emails with a fake pre-ICO sale announcement to Experty users who signed up for notifications. The bounty amounts to $150,000 worth of Ethereum. | Account Hijacking | V Fintech | CC | CH |
| 49 | 28/01/2018 | ? | Ontario Progressive Conservative Party | The Ontario Progressive Conservative Party’s internal database is locked up by a ransomware attack in early November. The incident is only being acknowledged now. | Malware | Q Human health and social work activities | CC | CA |
| 50 | 29/01/2018 | ? | Rabobank | Rabobank is the third of the big Dutch banks to be targeted by a DDoS attack. | DDoS | K Financial and insurance activities | CW | NL |
| 51 | 29/01/2018 | ? | Dutch tax authority | The Dutch Tax Authority is also taken down by a DDoS attack. | DDoS | O Public administration and defence, compulsory social security | CW | NL |
| 52 | 29/01/2018 | ? | DigID | The Dutch official online signature system DigID is also reportedly hit by the same wave of DDoS attacks. | DDoS | O Public administration and defence, compulsory social security | CW | NL |
| 53 | 29/01/2018 | Suspected malicious actor tied to Pakistan | Android Users in India | Security researchers from Trend Micro unveil the details of a cyber espionage campaign targeting Android users in India, using the PoriewSpy and Droid.jack malware. | Malware | X Individual | CE | IN |
| 54 | 29/01/2018 | ? | Ransomware victims | The operators of at least one Tor proxy service are caught replacing Bitcoin addresses on ransomware payment sites, diverting funds meant to pay for ransomware decrypters to the site's operators. In this way the victims are damaged twice. | Tor Traffic Hijacking | X Individual | CC | >1 |
| 55 | 29/01/2018 | ? | Chester County School District | Chester County School District posts on its Facebook page that ransomware hit the district’s servers over the weekend. | Malware | P Education | CC | US |
| 56 | 30/01/2018 | ? | Ukrainian Individuals | Researchers from Palo Alto Networks uncover a two-year-old cyber espionage campaign that has been infecting Ukrainians with either a newly discovered remote access tool called Vermin or the more established Quasar RAT. | Targeted Attack | X Individual | CE | UA |
| 57 | 30/01/2018 | ? | ABN Amro | ABN Amro is targeted by a new DDoS attack. Now the fingers are pointed at Russia. | DDoS | K Financial and insurance activities | CC | RU |
| 58 | 30/01/2018 | ? | ING | During the same wave of DDoS attacks, ING is targeted once again. | DDoS | K Financial and insurance activities | CC | RU |
| 59 | 30/01/2018 | ? | Single Individuals | Security researchers from Malwarebytes uncover a new strain of ransomware called GandCrab that is being distributed through two separate exploit kits: the RIG EK and GrandSoft EK. | Malware | X Individual | CC | >1 |
| 60 | 30/01/2018 | ? | Spartanburg Public Library | The Spartanburg Public Library system is shut down after it is hit with a ransomware attack. | Malware | P Education | CC | RU |
| 61 | 31/01/2018 | ? | More than 526,000 infected Windows hosts | Researchers from Proofpoint reveal the details of the Smominru botnet, a Monero miner active since May 2017 that exploits the EternalBlue (CVE-2017-0144) and EsteemAudit (CVE-2017-0176) vulnerabilities to spread. | Malware | X Individual | CC | >1 |
| 62 | 31/01/2018 | ? | Users participating in the ICO of the Bee Token Crypto Currency | Users who were aiming to buy Bee Tokens during a Token Generation Event (i.e., an initial coin offering) are tricked into sending the money to scammers instead. The attackers steal nearly $1M worth of cryptocurrency. | Account Hijacking | V Fintech | CC | US |
| 63 | 31/01/2018 | ? | GoGet | Car-sharing company GoGet discloses a major data breach seven months after it was first detected in June 2017, as the alleged hacker is arrested by Australian police this week. In an email sent to customers, the firm says its IT team identified "unauthorised activity" on its system on 27 June last year and immediately launched a full internal investigation. | Unknown | H Transportation and storage | CC | AU |
| 64 | 31/01/2018 | ? | Firefox Users | A Firefox extension called Image Previewer is discovered injecting a Monero in-browser miner into Firefox. While we have seen numerous Chrome. | Malicious Extension | X Individual | CC | >1 |
| 65 | 31/01/2018 | North Korea | South Korea | South Korea’s Internet & Security Agency (KISA) warns of a Flash zero-day vulnerability (CVE-2018-4878) reportedly exploited in attacks by North Korea’s hackers. | Targeted Attack | X Individual | CE | KR |
