1-15 March 2018 Cyber Attacks Timeline

And here we are with the first timeline of March 2018, covering the main cyber attacks that occurred between March 1st and March 15th.

The number of attacks continues to grow: this fortnight saw the largest DDoS attack ever (hitting a staggering 1.7 Tbps) against an unnamed US ISP, and also saw the video games industry in the spotlight with two events targeting NIS America and Fortnite. Massive cryptocurrency-mining operations are another important trend of this beginning of 2018: Dofoil, Combojack, RedisWannaMine (are you familiar with this name?) and an attack on yet another cryptocurrency trader (Binance) are just a few examples of the events recorded in this period (but if you scroll the list you will find many more).

State-sponsored actors were also very active: browse the timeline and you will find multiple operations carried out by the likes of Slingshot, APT15, APT32, MuddyWater, Dragonfly, Hidden Cobra, and the usual suspect APT28 (AKA Fancy Bear).

Last but not least, events characterized by hacktivism confirm their decreasing trend, with the exception of Italy, where the local branch of Anonymous leaked a trove of emails from the Italian Ministry of Education.

As usual, if you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015, 2016, 2017 and now 2018 (regularly updated… Hopefully!). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheet format.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country |
|---|---|---|---|---|---|---|---|---|
| 1 | 01/03/2018 | ? | NIS America | Japanese gaming developer Nippon Ichi Software reveals that its American arm, NIS America, has suffered a major data breach compromising the personal and financial data of online customers. The breach, due to malware implanted in the checkout page, took place sometime between 23 January and 26 February. | Malware | R Arts entertainment and recreation | CC | US |
| 2 | 01/03/2018 | ? | FS-ISAC | The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, reveals that a successful phishing attack on one of its employees was used to launch additional phishing attacks against FS-ISAC members. | Account Hijacking | S Other service activities | CC | US |
| 3 | 01/03/2018 | ? | Hope Hicks | Hope Hicks tells the House Intelligence Committee that one of her email accounts was hacked, according to people who were present for her testimony in the panel's Russia probe. | Account Hijacking | X Individual | CE | US |
| 4 | 01/03/2018 | ? | ASI Constructors, Inc. | ASI Constructors, Inc. reveals that it suffered a phishing attack targeting employees' 2017 W-2 forms. The attack occurred on January 31, 2018. | Account Hijacking | C Manufacturing | CC | US |
| 5 | 01/03/2018 | ? | Greyhealth Group | Greyhealth Group reveals that it suffered a phishing attack compromising the personal information of 683 individuals. | Account Hijacking | Q Human health and social work activities | CC | US |
| 6 | 01/03/2018 | ? | Scottsboro City Board of Education | The Payroll Department of the Scottsboro City Board of Education falls victim to a phishing scam. The attackers requested W-2 information for all employees. | Account Hijacking | P Education | CC | US |
| 7 | 01/03/2018 | ? | Rockdale Independent School District | An email phishing scheme causes several Rockdale ISD employees' taxes to be falsely filed and compromises confidential tax information for all employees. | Account Hijacking | P Education | CC | US |
| 8 | 01/03/2018 | ? | b-tor[.]ru Users | Researchers from Palo Alto Networks discover a Russian BitTorrent site distributing a Monero miner. | Malware | X Individual | CC | RU |
| 9 | 01/03/2018 | ? | Colorado Department of Transportation (CDOT) | For the second time in two weeks, the Colorado Department of Transportation shuts down 2,000 computers after a ransomware infection. | Malware | O Public administration and defence, compulsory social security | CC | US |
| 10 | 01/03/2018 | ? | Primary Health Care | Primary Health Care notifies patients after discovering a hack of employee email accounts. | Account Hijacking | Q Human health and social work activities | CC | US |
| 11 | 02/03/2018 | ? | Android Phone Buyers | Security firm Dr.Web publishes a list of 42 Android phones sold already infected with the Triada banking trojan. | Malware | Y Multiple Industries | CC | >1 |
| 12 | 02/03/2018 | ? | 160 Applebee's Restaurants | RMH Franchise Holdings reveals that PoS systems at the Applebee's network of restaurants were infected with PoS malware. 160 restaurants are affected. The breach was discovered on February 13 and took place between November 23, 2017 and January 2, 2018. | PoS Malware | I Accommodation and food service activities | CC | US |
| 13 | 02/03/2018 | ? | Humanitarian Aid Groups | McAfee uncovers Operation Honeybee, a malicious document campaign targeting humanitarian aid groups, using North Korean political topics as bait. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 14 | 02/03/2018 | ? | St. Peter's Surgery & Endoscopy Center | St. Peter's Surgery & Endoscopy Center reveals that hackers potentially compromised the medical records of about 135,000 patients earlier this year. | Malware | Q Human health and social work activities | CC | US |
| 15 | 04/03/2018 | | Peter Andre and wife Emily MacDonagh | Intimate photos of singer Peter Andre and his wife Emily MacDonagh have reportedly been stolen and published online as part of a new episode of the Fappening saga. | Account Hijacking | X Individual | CC | UK |
| 16 | 05/03/2018 | ? | Unidentified US Service Provider | A few days after GitHub suffered a massive 1.3 Tbps DDoS attack, Arbor Networks unveils the details of a new record DDoS attack that clocked in at 1.7 Tbps. The attack was aimed at a yet-to-be-identified "US service provider." | DDoS | J Information and communication | CC | US |
| 17 | 05/03/2018 | ? | Single Individuals | Researchers from Palo Alto Networks and Proofpoint discover a new malware, dubbed Combojack, that steals cryptocurrency and other electronic funds by surreptitiously modifying wallet or payment information whenever victims copy it to their devices' clipboards. | Malware | X Individual | CC | >1 |
| 18 | 05/03/2018 | ? | Single Individuals | A new report from Kaspersky Lab reveals that one cryptomining gang tracked by researchers over the past six months minted $7 million with the help of 10,000 computers infected with mining malware. | Malware | X Individual | CC | >1 |
| 19 | 05/03/2018 | ? | ABC Bus Companies, Inc. | An employee falls victim to a phishing email and delivers the personal information of ABC employees to the attacker. | Account Hijacking | H Transportation and storage | CC | US |
| 20 | 06/03/2018 | ? | Single Individuals | Researchers from Cisco Talos reveal a surge of campaigns distributing the Gozi ISFB financial malware. | Malware | K Financial and insurance activities | CC | >1 |
| 21 | 06/03/2018 | ? | Flexible Benefit Service Corporation | Flexible Benefit Service Corporation notifies 5,123 individuals of a phishing incident that occurred on February 16. | Account Hijacking | K Financial and insurance activities | CC | US |
| 22 | 07/03/2018 | ? | Binance | A large-scale phishing campaign causes massive unauthorized cryptocurrency sell-off activity for users of Binance, a Chinese cryptocurrency trader. | Account Hijacking | V Fintech | CC | CN |
| 23 | 07/03/2018 | ? | Individuals in Russia, Turkey and Ukraine | Microsoft says it discovered and stopped a large attack that attempted to use variants of the Dofoil (or Smoke Loader) trojan to spread a cryptocurrency miner. In total more than 400,000 instances were recorded: 73 percent hit Russia, with Turkey (18 percent) and Ukraine (4 percent) being the other main targets. The attack was carried out via an update server that replaced a BitTorrent client called MediaGet with a near-identical but backdoored binary. | Malware | X Individual | CC | >1 |
| 24 | 07/03/2018 | ? | Pinelands Regional School District | The Pinelands Regional School District is hit by the Emotet malware. | Malware | P Education | CC | US |
| 25 | 08/03/2018 | ? | Italian Ministry of Education | The Italian branch of the Anonymous collective leaks 26,000 emails of teachers from all school levels, taken from the Italian Ministry of Education. They also leak 200 administrative staff addresses. | Unknown | O Public administration and defence, compulsory social security | H | IT |
| 26 | 08/03/2018 | Hidden Cobra | Several Turkish Financial Institutions | Researchers from McAfee reveal that the reputed state-sponsored North Korean hacking group Hidden Cobra has once again been fingered in a malware attack against financial organizations, this time apparently targeting Turkish institutions in a spear phishing campaign in early March, leveraging CVE-2018-4878. | Targeted Attack | K Financial and insurance activities | CE | TR |
| 27 | 08/03/2018 | ? | Misconfigured Redis servers, and Windows servers vulnerable to the EternalBlue NSA exploit | Researchers from Imperva reveal a new, unusually sophisticated cryptojacking attack attempting to install cryptominers on both database and application servers by targeting misconfigured Redis servers, as well as Windows servers that are susceptible to the EternalBlue NSA exploit. The campaign is dubbed RedisWannaMine. | Malware | Y Multiple Industries | CC | >1 |
| 28 | 08/03/2018 | ? | Dutch women's handball team | According to local reports in the Netherlands, hackers managed to breach the surveillance camera system in a dressing room of a sauna hosting the women's handball team, and posted the recordings on adult websites last December. | Unknown | X Individual | CC | NL |
| 29 | 08/03/2018 | ? | Former Tennessee Gov. Phil Bredesen's Senate campaign | Former Tennessee Gov. Phil Bredesen's Senate campaign tells the FBI in a letter that it fears it was hacked. | Unknown | X Individual | CC | US |
| 30 | 09/03/2018 | Slingshot APT | Targets in the Middle East and Africa | Kaspersky Lab reveals the details of Slingshot, an extremely sophisticated cyber espionage campaign that leveraged malware to spy on international targets for six years. The APT group exploited zero-day vulnerabilities (CVE-2007-5633, CVE-2010-1592, CVE-2009-0824) in routers from the Latvian network hardware provider Mikrotik. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 31 | 09/03/2018 | Turkish Government | Turkish Nationals | Security researchers from Citizen Lab publish a report revealing how deep packet inspection middleboxes are being used either to expose Turkish nationals to nation-state spyware or to redirect Egyptian Internet users to ads and browser cryptocurrency mining. | Malware | X Individual | CE | TR |
| 32 | 09/03/2018 | ? | 14 unnamed countries | ESET researchers reveal that they have discovered a new version of the infamous Hacking Team surveillance tool, dubbed RCS (Remote Control System), active in 14 countries. | Malware | X Individual | CE | >1 |
| 33 | 09/03/2018 | ? | Multiple Industries | Researchers at Kroll Cyber Security reveal the details of a new family of point-of-sale malware, dubbed PinkKite, very tiny in size and potentially devastating for POS endpoints. | PoS Malware | Y Multiple Industries | CC | >1 |
| 34 | 09/03/2018 | APT15 | UK government contractor | Researchers at NCC Group reveal that they have discovered multiple backdoors on a UK government contractor's computer, designed to steal sensitive government and military data. The hack is tied to the China-linked cyber espionage group APT15. According to the researchers, the attackers were able to deploy three backdoors, identified as RoyalCli, RoyalDNS and BS2005. The networks were compromised from May 2016 until late 2017, with over 30 contractor-controlled hosts infected. | Targeted Attack | O Public administration and defence, compulsory social security | CE | UK |
| 35 | 09/03/2018 | APT28 AKA Fancy Bear AKA Sofacy | Far East Targets | Researchers at Kaspersky Lab reveal a new analysis of the infamous APT28 indicating that the group is shifting its interest to Far East targets. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 36 | 09/03/2018 | ? | Single Individuals | Researchers from Proofpoint reveal the details of a remote access tool dubbed FlawedAmmyy, developed using the leaked source code of Ammyy Admin, a legitimate remote desktop software. | Malware | X Individual | CC | >1 |
| 37 | 09/03/2018 | ? | Unpatched Apache Solr Servers | Researchers from the SANS ISC discover a campaign targeting Apache Solr servers that had not received patches for the CVE-2017-12629 vulnerability. The campaign aims to install miners. | Malware | Y Multiple Industries | CC | >1 |
| 38 | 09/03/2018 | $2a$45 | Florida Virtual Learning School (FVLS) | Florida Virtual Learning School notifies 368,000 current and former students after an individual with the moniker $2a$45 uploads the information of 35,000 students to a forum. Leon County Schools is among the affected organizations. | Unknown | P Education | CC | US |
| 39 | 09/03/2018 | [email protected] | JJ Meds | JJ Meds, a medical marijuana delivery service in Canada, goes offline after receiving an extortion demand. | Unknown | G Wholesale and retail trade | CC | CA |
| 40 | 10/03/2018 | ? | National Rifle Association (NRA) | According to a report released by Netlab, three different National Rifle Association (NRA) websites experienced Distributed Denial of Service (DDoS) attacks. | DDoS | S Other service activities | CC | US |
| 41 | 10/03/2018 | ? | Mississippi Valley State University | Mississippi Valley State University's campus was temporarily without internet service this week after university officials said the school was hit by a SamSam ransomware attack. | Malware | P Education | CC | US |
| 42 | 12/03/2018 | MuddyWater AKA TEMP.Zagros | Targets in Turkey, Pakistan and Tajikistan | Researchers from Palo Alto Networks and FireEye reveal that the Iran-linked MuddyWater campaign (AKA TEMP.Zagros) appears to be still active against targets in Turkey, Pakistan and Tajikistan. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 43 | 12/03/2018 | ? | ATI Physical Therapy | ATI Physical Therapy notifies patients of a security incident that appears to have targeted employees' email accounts. | Account Hijacking | Q Human health and social work activities | CC | US |
| 44 | 12/03/2018 | ? | Okaloosa Water and Sewer | Okaloosa Water and Sewer warns its users of a security breach involving external vendors that process electronic credit/debit card payments for water and sewer bills. | Unknown | E Water supply, sewerage, waste management and remediation activities | CC | US |
| 45 | 13/03/2018 | OceanLotus APT aka APT32 aka APT-C-00 | Targets in East Asian countries such as Vietnam, the Philippines, Laos and Cambodia | Researchers from ESET reveal that the suspected Vietnamese APT group OceanLotus has added a new backdoor to its repertoire of malicious tools, one that includes capabilities for file, registry and process manipulation, as well as downloading more malicious files. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 46 | 13/03/2018 | ? | Uyghurs | Researchers from Palo Alto Networks reveal the details of a new Android malware family dubbed "HenBox", targeting the Uyghurs, a minority Turkic ethnic group living in China. | Malware | X Individual | CE | CN |
| 47 | 13/03/2018 | ? | Multiple Targets | Researchers from Imperva identify a new but unusually distributed Monero cryptominer scam campaign hidden in a picture of Scarlett Johansson. | Malware | Y Multiple Industries | CC | >1 |
| 48 | 13/03/2018 | ? | Single Individuals | Researchers from AVAST reveal the details of a campaign in which criminals hosted their cryptominers in forked projects on GitHub. | Malware | X Individual | CC | >1 |
| 49 | 13/03/2018 | ? | Port of Longview | The Port of Longview is hit by a cyber attack that may have affected hundreds of past and current employees and dozens of vendors. | Unknown | H Transportation and storage | CC | US |
| 50 | 13/03/2018 | ? | Gwent Police | Gwent Police is being investigated after failing to inform up to 450 people that hackers may have accessed their confidential reports to the force. | Unknown | O Public administration and defence, compulsory social security | CC | UK |
| 51 | 14/03/2018 | ? | Fortnite | Several news reports surface of the suspected hacking of player accounts of the popular video game Fortnite, with some gamers apparently faced with large credit card charges from fraudulent purchases. | Account Hijacking | R Arts entertainment and recreation | CC | US |
| 52 | 14/03/2018 | ? | Visitors of download.cnet.com | ESET researchers discover three trojanized applications (bitcoin-stealing malware) hosted on download.cnet.com, the 163rd most visited site in the world according to Alexa rankings. The researchers estimate that as of March 13 the attacker had managed to steal the equivalent of $80,000 USD. The malware had been hosted since May 2, 2016 and had been downloaded more than 4,500 times in total. | Malware | X Individual | CC | >1 |
| 53 | 14/03/2018 | ? | Android Users | Researchers from Check Point reveal the details of RottenSys, a massive botnet composed of 5 million Android smartphones, active primarily in China. | Malware | X Individual | CC | CN |
| 54 | 14/03/2018 | ? | Multiple Targets | Researchers from Forcepoint publish a detailed analysis of the Qrypter Remote Access Tool. The analysis reveals that 243 organizations worldwide have been hit by the RAT. | Malware | Y Multiple Industries | CC | >1 |
| 55 | 14/03/2018 | ? | Queensland Transport Department | ABC News reveals that overseas hackers breached the Queensland Transport Department's security network last year, before attempting to steal information from staff members in other sections of government. | Unknown | O Public administration and defence, compulsory social security | CE | AU |
| 56 | 15/03/2018 | Dragonfly | West's energy utilities and other critical infrastructures | The US Department of Homeland Security and the Federal Bureau of Investigation issue an alert warning of ongoing cyber attacks against the West's energy utilities and other critical infrastructures by individuals acting on behalf of the Russian government. The report points the finger at the Dragonfly group. | Targeted Attack | D Electricity gas steam and air conditioning supply | CC | >1 |
| 57 | 15/03/2018 | APT28 AKA Fancy Bear AKA Sofacy | Unnamed European Government | Researchers from Palo Alto Networks reveal a new campaign carried out by the infamous APT28 (AKA Fancy Bear AKA Sofacy) targeting an unnamed European government, exploiting an updated version of DealersChoice, a platform that exploits a Flash vulnerability to stealthily deliver a malicious trojan payload. | Targeted Attack | O Public administration and defence, compulsory social security | CE | N/A |
| 58 | 15/03/2018 | ? | Meghan Markle | The Fappening saga continues with new photo leaks published online. The most recent victim is none other than Meghan Markle, the soon-to-be Mrs. Prince Harry. Some believe ISIS could be involved in the hack, even if no official claim is made. | Account Hijacking | X Individual | CC | UK |
| 59 | 15/03/2018 | ? | Single Individuals in South Korea | Researchers from Symantec reveal the details of a new version of the infamous FakeBank trojan distributed via malicious Android apps in South Korea. | Malware | K Financial and insurance activities | CC | KR |
| 60 | 15/03/2018 | ? | Unnamed Petrochemical Company in Saudi Arabia | The New York Times reveals that back in August, a petrochemical company with a plant in Saudi Arabia was hit by a cyberattack aimed at sabotaging the firm's operations and triggering an explosion. | Targeted Attack | D Electricity gas steam and air conditioning supply | CW | SA |
| 61 | 15/03/2018 | ? | Single Individuals | Security researchers from Kaspersky reveal that the PoS malware Prilex has now evolved into a comprehensive tool suite that lets cybercriminals steal chip and PIN card data and create their own functioning, fraudulent plastic cards. | PoS Malware | X Individual | CC | >1 |
| 62 | 15/03/2018 | ? | Nampa School District | The Nampa School District informs its employees of a potential security issue involving the personally identifiable information of about 3,983 of its current and past employees. | Unknown | P Education | CC | US |
| 63 | 15/03/2018 | ? | Svitzer | The shipping company Svitzer suffers a significant data breach affecting almost half of its Australian employees, after the emails of three employees had been auto-forwarded over the past 11 months. | Account Hijacking | H Transportation and storage | CC | AU |
