16-28 February 2018 Cyber Attacks Timeline

It’s time to publish the second timeline of February, covering the main cyber attacks that occurred between February 16 and February 28 (Part I at this link), a timeline that confirms the growing trend of 2018.

The list is long and rich in interesting events, such as the largest DDoS attack ever recorded (at least so far), targeting GitHub, a record that, I can tell you in advance, did not last long. Or the spree of attacks exploiting the SWIFT messaging system, which is not over: the Russian Central Bank has revealed that unknown hackers stole $6 million worth of roubles from an unnamed bank, and a similar event happened to India’s City Union Bank, where the haul was “only” $2 million.

And while the crypto gold rush continues (even Tesla servers have been abused to mine), new threat actors have emerged (like APT37, AKA ‘The Reaper’) and the old ones have been active as well: I am referring to the infamous APT28, AKA Fancy Bear, AKA Sofacy, etc. The target list of this threat actor is long and includes the German government, foreign ministries in North America and Europe, and multiple targets in the Middle East and Asia.

As usual, if you want to have an idea of how fragile our electronic identity is in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015, 2016, and 2017 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheet format.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country |
|---|---|---|---|---|---|---|---|---|
| 1 | 13/02/2018 | ? | US Taxpayers | The Internal Revenue Service warns taxpayers of a quickly growing scam involving erroneous tax refunds being deposited into their bank accounts. | Account Hijacking | X Individual | CC | US |
| 2 | 13/02/2018 | ? | City of Allentown | The city of Allentown is hit by the Emotet Trojan. The City believes that the cost of remediation is close to $1 million. | Malware | O Public administration and defence, compulsory social security | CC | US |
| 3 | 13/02/2018 | ? | City of Savannah | The city of Savannah is in recovery mode after being hit by a malware attack when a city worker most likely opened a malicious email. | Malware | O Public administration and defence, compulsory social security | CC | US |
| 4 | 14/02/2018 | ? | Poorly secured Linux servers | According to researchers from GoSecure, attackers are launching SSH brute-force attacks on poorly secured Linux servers to deploy a backdoor dubbed Chaos. | Brute-Force | Y Multiple Industries | CC | >1 |
| 5 | 16/02/2018 | ? | Unnamed Russian Bank | The Russian Central Bank reveals that unknown hackers stole 339.5 million roubles ($6 million) from a Russian bank last year in an attack using the SWIFT international payments messaging system. | Unknown | K Financial and insurance activities | CC | RU |
| 6 | 16/02/2018 | ? | Snapchat Users | Details emerge on a phishing attack that occurred in July 2017 and was able to score credentials for 50,000 Snapchat users. | Account Hijacking | X Individual | CC | >1 |
| 7 | 16/02/2018 | rmsrf | Roomsurf | Roomsurf notifies its users of a data breach in which the attacker was able to obtain usernames, phone numbers, and email addresses. | Unknown | I Accommodation and food service activities | CC | US |
| 8 | 16/02/2018 | ? | Davidson County | The Davidson County computers are hit by an unspecified ransomware. | Malware | O Public administration and defence, compulsory social security | CC | US |
| 9 | 16/02/2018 | ? | Jemison Internal Medicine | Jemison Internal Medicine notifies 6,550 patients of a ransomware attack. However, the investigation reveals that the systems had already been compromised. | Malware | Q Human health and social work activities | CC | US |
| 10 | 16/02/2018 | ? | Laufer Group International | Laufer Group International is the victim of a W-2 scam. | Account Hijacking | N Administrative and support service activities | CC | US |
| 11 | 16/02/2018 | ? | White and Bright Family Dental | White and Bright Family Dental notifies patients of a hack that occurred on January 30, 2018. | Unknown | Q Human health and social work activities | CC | US |
| 12 | 17/02/2018 | ? | Mac Users | Researchers from Digita Security warn users about the Coldroot remote access Trojan, which has gone undetected by AV engines for more than a year and targets macOS computers. | Malware | X Individual | CC | >1 |
| 13 | 18/02/2018 | ? | India’s City Union Bank | India’s City Union Bank reveals that cyber criminals were able to hack its systems and transfer nearly $2 million through three unauthorized remittances to lenders overseas via the SWIFT financial platform. | Unknown | K Financial and insurance activities | CC | IN |
| 14 | 18/02/2018 | Flight Sim Labs (FSLabs) | Microsoft Flight Simulator Players | Mod developer Flight Sim Labs (FSLabs) is accused of embedding malware in its flight simulation add-ons to steal pirates' Chrome passwords. | Malware | X Individual | CC | >1 |
| 15 | 19/02/2018 | ? | Blac Chyna | American model and entrepreneur Blac Chyna falls victim to The Fappening, having intimate content posted online. | Account Hijacking | X Individual | CC | US |
| 16 | 20/02/2018 | ? | Tesla | Researchers at security firm RedLock say hackers accessed one of Tesla's Amazon cloud accounts and used it to run currency-mining software. The breach started with a Kubernetes console left exposed. | Account Hijacking | C Manufacturing | CC | US |
| 17 | 20/02/2018 | APT37 AKA Reaper | Multiple Targets | Security firm FireEye reveals the details of a lesser-known North Korean cyberespionage group targeting the Korean Peninsula, Japan, Vietnam and the Middle East in 2017. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 18 | 20/02/2018 | ? | The Colorado Department of Transportation (CDOT) | CDOT is hit with a ransomware attack, attributed to SamSam, which forces the organization to shut down 2,000 computers. | Malware | O Public administration and defence, compulsory social security | CC | US |
| 19 | 20/02/2018 | ? | Los Angeles Times | Troy Mursch, a security researcher at Bad Packets Report, finds cryptojacking code (based on Coinhive) hidden on the Los Angeles Times’ interactive Homicide Report webpage. | Malicious Script Injection | J Information and communication | CC | US |
| 20 | 20/02/2018 | ? | HardwareZone (HWZ) Forum website | The HardwareZone (HWZ) Forum website is hacked and approximately 685,000 user profiles are affected. A senior moderator’s account was compromised by an unidentified hacker and used to access the user profiles since September 2017. | Account Hijacking | J Information and communication | CC | SG |
| 21 | 20/02/2018 | APT28 AKA Fancy Bear | Multiple Targets in the Middle East and Asia | Researchers from Kaspersky Lab publish a new report highlighting a shift in the activities of the infamous APT28 from NATO and Ukraine to the Middle East and Central Asia. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 22 | 21/02/2018 | ? | Facebook Users | Researchers at Avast report a sophisticated campaign in which attackers use Facebook and Facebook Messenger to trick users into installing highly sophisticated Android spyware. The operation is dubbed Tempting Cedar. | Malware | X Individual | CC | >1 |
| 23 | 21/02/2018 | ? | SWIFT | IT security researchers at Comodo Labs discover a new phishing scam targeting the SWIFT financial messaging service. The scam not only aims at stealing banking credentials but also infects victims' computers with the Adwind RAT. | Account Hijacking | K Financial and insurance activities | CC | >1 |
| 24 | 21/02/2018 | Attackers of likely Nigerian origin | Multiple Fortune 500 companies | Researchers from IBM X-Force uncover an active Business Email Compromise campaign targeting multiple Fortune 500 companies. | Account Hijacking | Y Multiple Industries | CC | >1 |
| 25 | 21/02/2018 | ? | IoT and networking equipment | Security researchers from Fortinet spot a new variant of the Mirai malware (dubbed Mirai OMG) that focuses on infecting IoT and networking equipment with the main purpose of turning these devices into a network of proxy servers used to relay malicious traffic. | Malware | Y Multiple Industries | CC | >1 |
| 26 | 21/02/2018 | ? | University of Virginia Health System (uvahealth.com) | The University of Virginia Health System notifies almost 2,000 patients that their health records may have been exposed when an unauthorized third party implanted malware on a staffer's computer, active between May 2015 and December 2016. | Malware | Q Human health and social work activities | CC | US |
| 27 | 21/02/2018 | ? | ASCD | ASCD is the victim of a W-2 scam. | Account Hijacking | Q Human health and social work activities | CC | US |
| 28 | 22/02/2018 | ? | The Los Angeles Philharmonic | The Los Angeles Philharmonic falls victim to a cyberattack that results in the theft of W-2 information for everyone who worked there in 2017. The security breach happened as the result of a "spear phishing" attack. | Account Hijacking | R Arts, entertainment and recreation | CC | US |
| 29 | 22/02/2018 | LulzSecITA | Matteo Salvini Blog | The Italian elections are approaching, so hacktivists from the collective LulzSecITA hack the blog of Matteo Salvini, the leader of the right-wing Italian party "La Lega", and dump 70,000 emails. | Unknown | S Other service activities | H | IT |
| 30 | 22/02/2018 | ? | University of Alaska | Dozens of current and former employees and students of the University of Alaska are unable to access their Alaska.edu accounts. According to the investigation, user passwords were changed by a third party. | Account Hijacking | P Education | CC | US |
| 31 | 22/02/2018 | ? | Mobistealth | A hacker breaks into two consumer spyware companies, Mobistealth and Spy Master Pro, and dumps a large cache of data. | Unknown | J Information and communication | CC | US |
| 32 | 22/02/2018 | ? | Spy Master Pro | A hacker breaks into two consumer spyware companies, Mobistealth and Spy Master Pro, and dumps a large cache of data. | Unknown | J Information and communication | CC | US |
| 33 | 22/02/2018 | ? | Curtis Lumber | Curtis Lumber is the victim of a spear phishing attack. | Account Hijacking | G Wholesale and retail trade | CC | US |
| 34 | 22/02/2018 | ? | Punjab National Bank (PNB) | Details of 10,000 credit cards from Punjab National Bank are leaked on the dark web. | Unknown | K Financial and insurance activities | CC | IN |
| 35 | 23/02/2018 | ? | About one dozen Connecticut government agencies | About one dozen Connecticut government agencies are hit with what one published report says is a WannaCry attack that knocks about 160 computers offline. | Malware | O Public administration and defence, compulsory social security | CC | US |
| 36 | 23/02/2018 | OilRig APT | An insurance agency and a financial institution in the Middle East | Researchers from Palo Alto Networks reveal that the Iran-linked OilRig APT group is now using a new Trojan called OopsIE in recent attacks against an insurance agency and a financial institution in the Middle East. | Targeted Attack | K Financial and insurance activities | CE | N/A |
| 37 | 23/02/2018 | ? | Chinese Websites | Researchers from Malwarebytes unveil the details of a drive-by attack targeting Chinese websites and dropping an updated version of the Avzhan DDoS bot. | Malware | Y Multiple Industries | CC | CN |
| 38 | 23/02/2018 | ? | Children’s Aid Society of Oxford County; Family and Children’s Services of Lanark, Leeds and Grenville | Two Ontario children’s aid societies are hit by ransomware. | Malware | Q Human health and social work activities | CC | CA |
| 39 | 24/02/2018 | Anonymous | Matteo Salvini Facebook Page | And after the personal blog, hacktivists from Anonymous also deface Matteo Salvini's blog page. | Defacement | S Other service activities | H | IT |
| 40 | 24/02/2018 | ? | Teesside University | Students at Teesside University are warned about a possible email security breach and urged to reset their university password. | Unknown | P Education | CC | US |
| 41 | 24/02/2018 | ? | Wallace Community College Selma | Personal and financial information of current and former employees of Wallace Community College Selma is leaked through a phishing scam. | Account Hijacking | P Education | CC | US |
| 42 | 24/02/2018 | ? | Single Individuals | According to security researchers from Qihoo 360 Netlab, an advertising network has been hiding in-browser cryptocurrency miners (cryptojacking scripts) in the ads it serves since December 2017. | Malicious Script Injection | X Individual | CC | >1 |
| 43 | 25/02/2018 | ? | Jorgie Porter | English actress and model Jorgie Porter is the latest victim of The Fappening hackers, who manage to steal her intimate pictures and videos and post them online. | Account Hijacking | X Individual | CC | UK |
| 44 | 25/02/2018 | Anonymous | Some Ohio State Websites | In the name of #opUSA, hacktivists from the Anonymous collective take down some Ohio State websites. | DDoS | O Public administration and defence, compulsory social security | H | US |
| 45 | 25/02/2018 | ? | Inland Revenue Department | Thousands of Inland Revenue files are locked up after New Zealand’s tax department becomes the target of a Cryptolocker attack in November. | Malware | O Public administration and defence, compulsory social security | CC | NZ |
| 46 | 26/02/2018 | Deep Panda | Some UK think tanks | Crowdstrike reveals that some UK think tanks specializing in international security were hacked by the China-based group 'Deep Panda' beginning in April 2017. | Targeted Attack | M Professional, scientific and technical activities | CE | UK |
| 47 | 26/02/2018 | ? | Four British Schools | Hackers break into the CCTV systems of at least four British schools and stream footage of pupils live on the internet. | Unknown | P Education | CC | UK |
| 48 | 26/02/2018 | ? | Porsche Japan | The Japanese arm of Porsche says more than 28,000 email addresses have been leaked via a hack. | Unknown | C Manufacturing | CC | JP |
| 49 | 26/02/2018 | ? | Vulnerable Oracle WebLogic Servers | Security researchers from Trend Micro uncover a new campaign in which hackers exploit an Oracle server vulnerability (the Oracle WebLogic WLS-WSAT flaw CVE-2017-10271) to deliver two cryptominers: a 64-bit variant and a 32-bit variant of the XMRig Monero miner. | Malware | Y Multiple Industries | CC | >1 |
| 50 | 26/02/2018 | Hackers with connections to Iran | Unnamed Australian Universities | Australian universities have been targeted by hackers with connections to Iran in recent months, and "a number of investigations" are in progress, according to cybersecurity firm Crowdstrike. | Targeted Attack | P Education | CE | AU |
| 51 | 26/02/2018 | ? | Travel Corporation | Travel Corporation falls victim to a W-2 scam. | Account Hijacking | R Arts, entertainment and recreation | CC | US |
| 52 | 26/02/2018 | ? | U.S. Residents in 20 states | According to federal court documents, Russian hackers operating in Colorado and 15 other states used data-mining viruses to steal thousands of credit card numbers from U.S. residents in 20 states and sold them on the darknet for more than $3.6 million. | Malware | X Individual | CC | US |
| 53 | 27/02/2018 | ? | Android Users | Security firm Wandera reveals the details of RedDrop, a sophisticated strain of mobile malware targeting Android devices that can extract sensitive data and audio recordings, run up premium SMS charges and then try to extort money from victims. | Malware | X Individual | CC | >1 |
| 54 | 27/02/2018 | ? | Single Individuals | Researchers from cybersecurity firm Morphisec reveal the details of a new campaign carried out via spam messages delivering a malicious Word document. The document attempts to exploit an Adobe Flash Player bug (CVE-2018-4878) to let the attackers take control of the infected machines. | Malware | X Individual | CC | >1 |
| 55 | 27/02/2018 | ? | WordPress, Joomla and CodeIgniter websites | Security researchers from SiteLock warn WordPress and Joomla admins of a sneaky new malware strain masquerading as legitimate ionCube files. The malware, dubbed ionCube Malware, creates backdoors on vulnerable websites and has been found on over 800 sites. | Malware | Y Multiple Industries | CC | >1 |
| 56 | 27/02/2018 | ? | Tim Hortons | A computer virus is suspected of crashing cash registers at over 1,000 Tim Hortons coffee and donut fast food restaurants. | Malware | I Accommodation and food service activities | CC | CA |
| 57 | 27/02/2018 | ? | FastHealth | FastHealth reveals that in mid-August 2017 an unauthorized party gained access to its web server and obtained patient data. | Unknown | Q Human health and social work activities | CC | US |
| 58 | 28/02/2018 | ? | Financial Services Information Sharing and Analysis Center (FS-ISAC) | The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, reveals that a successful phishing attack on one of its employees was used to launch additional phishing attacks against FS-ISAC members. | Account Hijacking | U Activities of extraterritorial organizations and bodies | CC | US |
| 59 | 28/02/2018 | APT28 AKA Fancy Bear | Various German government agencies | According to a report issued by the German news agency dpa, malicious actors from APT28 AKA Fancy Bear infiltrated several German government agencies for more than a year. | Targeted Attack | O Public administration and defence, compulsory social security | CE | DE |
| 60 | 28/02/2018 | APT28 AKA Fancy Bear | Undisclosed North American and European foreign ministry agency | And almost at the same time, researchers from Palo Alto Networks reveal that the same attackers from APT28 targeted a North American and European foreign ministry agency. | Targeted Attack | O Public administration and defence, compulsory social security | CE | N/A |
| 61 | 28/02/2018 | ? | GitHub | GitHub survives the largest DDoS attack recorded (so far), reaching a stunning 1.35 terabits/sec by leveraging memcached servers. | DDoS | J Information and communication | CC | US |
| 62 | 28/02/2018 | ? | Undisclosed Brazilian public sector management school | Researchers from Cisco Talos identify two different versions of a RAT, dubbed CannibalRAT, written entirely in Python, impacting users of a Brazilian public sector management school. | Targeted Attack | P Education | CC | BR |
| 63 | 28/02/2018 | Chafer | Entities across the Middle East | Researchers from Symantec reveal the details of an Iranian hacking outfit, dubbed Chafer, previously focused on domestic surveillance, expanding its scope and cyber arsenal to target entities across the Middle East. | Targeted Attack | Y Multiple Industries | CC | >1 |
| 64 | 28/02/2018 | ? | Single Individuals | Researchers from Malwarebytes reveal the details of a malvertising campaign using decoy websites pushing cryptocurrencies to redirect users to the RIG exploit kit. | Malvertising | X Individual | CC | >1 |
| 65 | 28/02/2018 | ? | rTorrent Client users | Researchers from F5 detect an attack actively exploiting the rTorrent client through a previously undisclosed misconfiguration vulnerability in XML-RPC to deploy a Monero (XMR) crypto-miner operation. | Malware | X Individual | CC | >1 |
| 66 | 28/02/2018 | ? | Single Individuals | A bulk breach dump is discovered totaling over 3.4 billion credentials. | Unknown | X Individual | CC | >1 |