1-15 April 2018 Cyber Attacks Timeline

It’s time to publish the first timeline of April, covering the main cyber attacks that occurred between April 1st and April 15th 2018.

We were getting used to a decreasing trend in terms of mega breaches, but unfortunately the first fortnight of April has brought us two unexpected blows. I am obviously referring to the 5 million credit cards compromised by the infamous Carbanak gang at Saks and Lord & Taylor stores, and to the breach affecting [24]7.ai, with consequences for Delta Airlines, Sears, Kmart and Best Buy.

The list continues with four U.S. pipeline companies that saw their EDI system go down as the result of a cyberattack on Latitude Technology, a third-party provider.

The crypto-anarchy continues: 1,000 Magento sites have been hacked and infected with multi-purpose malicious scripts able to steal payment details, redirect visitors to malicious sites and, obviously, mine cryptocurrency illegitimately. I also think we can finally start to talk about minevertising, the unwelcome union between mining and malvertising, since this fortnight has also seen the discovery of a campaign aimed at injecting the widely-used Coinhive code into an ad supplied by the AOL advertising network, in order to mine cryptocurrency. Also, someone has exploited a bug in the Verge cryptocurrency blockchain to mine as if there was no tomorrow.

Last but not least, let’s close the summary with the vigilante hacker who has attacked the networks in a number of countries including Iran and Russia, leaving the image of a U.S. flag on the login pages of network gear vulnerable to CVE-2018-0171, and affecting 200,000 routers and switches across the globe.

Unfortunately the list is still long, so feel free to browse it all! And if you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015, 2016, 2017 and now 2018 (regularly updated… Hopefully!). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheet format.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country |
|---|---|---|---|---|---|---|---|---|
| 1 | 01/04/2018 | ? | Guardian Pharmacy of Jacksonville | Guardian Pharmacy of Jacksonville notifies 11,521 patients of an email compromise exposing protected health information. | Account Hijacking | Q Human health and social work activities | CC | US |
| 2 | 01/04/2018 | JokerStash AKA Fin7 AKA Carbanak | Hudson's Bay Company | Retailer Hudson's Bay Company discloses that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America. Millions of cards may have been compromised (5 million are already offered for sale). | Unknown | G Wholesale and retail trade | CC | CA |
| 3 | 02/04/2018 | ? | Four U.S. pipeline companies (Oneok Inc, Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, Eastern Shore Natural Gas) | At least four U.S. pipeline companies have seen their electronic systems for communicating with customers shut down, with three confirming it resulted from a cyberattack on Latitude Technology, a third-party provider. It is not clear whether the outage is the result of a ransomware or DDoS attack. | Unknown | D Electricity gas steam and air conditioning supply | CC | US |
| 4 | 02/04/2018 | ? | 1,000 Magento Sites | Security researchers from Flashpoint say they've identified at least 1,000 Magento sites that have been hacked by cybercriminals and infected with malicious scripts that steal payment card details, perform cryptojacking, or redirect visitors to malware distribution sites. | Brute-Force | Y Multiple Industries | CC | >1 |
| 5 | 02/04/2018 | ? | Android Users | Researchers from Trustlook reveal the details of a new strain of Android malware specifically aimed at stealing private conversations on IM applications like Facebook Messenger, Skype, Telegram, Twitter, Viber, and others. | Malware | X Individual | CC | >1 |
| 6 | 02/04/2018 | ? | Government of Sint Maarten | The entire government of Sint Maarten, an independent country within the Kingdom of the Netherlands, is taken down for a week by a cyber attack. | Unknown | O Public administration and defence, compulsory social security | CC | SX |
| 7 | 03/04/2018 | ? | Vadim Lavrusik Twitter and Flipboard accounts | Less than an hour after tweeting about being safe during the active shooting at YouTube's headquarters, the Twitter and Flipboard accounts of Vadim Lavrusik, a product manager at YouTube, are hit by hackers. | Account Hijacking | X Individual | CC | US |
| 8 | 03/04/2018 | Dark-Coder or Th3Falcon | More than a dozen major Israeli websites | In the name of OpIsrael, more than a dozen major Israeli websites, belonging to hospitals, local authorities, the Israeli Opera, the Israel Teachers Union and the IDF Widows and Orphans Organization, are defaced, apparently in response to clashes between the IDF and Gazan protesters the previous weekend. | Defacement | Y Multiple Industries | H | IL |
| 9 | 03/04/2018 | Lazarus AKA Hidden Cobra | Online Casino in Central America | Researchers from ESET reveal that the infamous Lazarus Group, a malicious actor linked to North Korea, has used a new toolset, including the destructive KillDisk, to target the network of an online casino in Central America. | Targeted Attack | R Arts entertainment and recreation | CE | N/A |
| 10 | 04/04/2018 | APT32 AKA OceanLotus | Multiple Targets | Researchers from Trend Micro reveal the details of a new backdoor affecting macOS linked to the OceanLotus threat group. The backdoor is called OSX_OCEANLOTUS.D. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 11 | 04/04/2018 | ? | Single Individuals | Researchers from Trend Micro discover a campaign aimed at injecting the widely-used Coinhive code into an ad supplied by the AOL advertising network, in order to mine cryptocurrency. | Malicious Code Injection | X Individual | CC | >1 |
| 12 | 04/04/2018 | ? | Verge Cryptocurrency | An unknown attacker has exploited a bug in the Verge cryptocurrency network code to mine Verge coins at a very rapid pace. | Unknown | V Fintech | CC | N/A |
| 13 | 04/04/2018 | ? | Facebook Users | Facebook reveals that "malicious actors" took advantage of search tools on its platform, making it possible for them to discover the identities of and collect information on most of its 2 billion users worldwide. | Vulnerability in the Facebook search tool | X Individual | CC | US |
| 14 | 04/04/2018 | ? | Japan Ministry Employees | The Japanese government’s cybersecurity center reveals that the email addresses and passwords of thousands of ministry employees have been leaked and are being sold on the Internet. | Unknown | O Public administration and defence, compulsory social security | CC | JP |
| 15 | 04/04/2018 | ? | Oakton High School | A police investigation reveals that hackers attempted to change grades at Oakton High School, using an attack carried out via a malicious email. | Account Hijacking | P Education | CC | US |
| 16 | 05/04/2018 | ? | [24]7.ai | [24]7.ai, a firm providing online customer support services based on artificial intelligence and machine learning, is breached. As a consequence, other companies using its services suffer a theft of customer payment information. The breach occurred between September 26, 2017 and October 12, 2017. The list of victims includes Sears, Kmart, and Delta Airlines. Even Best Buy is involved. | Unknown | J Information and communication | CC | US |
| 17 | 05/04/2018 | ? | Several Financial Firms | Researchers from Recorded Future reveal the details of the IoTroop botnet, a botnet made up of hijacked internet-connected televisions and web cameras used to target financial firms with DDoS attacks. | DDoS | K Financial and insurance activities | CC | >1 |
| 18 | 05/04/2018 | ? | Multiple Financial Targets | Researchers from Netskope discover a new ATM jackpotting malware dubbed ATMJackpot. The malware seems to have originated from Hong Kong and to be still in development. | Malware | K Financial and insurance activities | CC | >1 |
| 19 | 05/04/2018 | ? | Multiple Targets | Researchers from Fortinet discover a new variant of the Agent Tesla spyware, spreading via weaponized Microsoft Word documents. | Malware | Y Multiple Industries | CC | >1 |
| 20 | 06/04/2018 | Suspected Chinese Hackers | India's Ministry of Defence | The website of India's Ministry of Defence is defaced by suspected Chinese attackers. | Defacement | O Public administration and defence, compulsory social security | CC | IN |
| 21 | 08/04/2018 | ? | Drake Bell | Drake Bell appears to be the most recent victim of hackers as part of another episode of the Fappening saga. | Account Hijacking | X Individual | CC | US |
| 22 | 08/04/2018 | ? | Natalie Cassidy | EastEnders star Natalie Cassidy is the latest celebrity to have her intimate pictures leaked online in yet another evolution of the Fappening 2018 scandal. | Account Hijacking | X Individual | CC | UK |
| 23 | 09/04/2018 | JHT | Cisco switches around the world | The Iranian IT Ministry reveals that hackers have attacked networks in a number of countries, including data centers in Iran, where they left the image of a U.S. flag on screens along with a warning: “Don’t mess with our elections”. The attack, exploiting CVE-2018-0171, affected 200,000 routers and switches across the world in a widespread attack, including 3,500 switches in Iran. | IOS Vulnerability | Y Multiple Industries | H | >1 |
| 24 | 09/04/2018 | ? | Armed Forces Recreation Center Edelweiss Lodge and Resort | The Armed Forces Recreation Center Edelweiss Lodge and Resort investigates a data breach that left some guests open to identity theft. At least 18 guests, primarily soldiers and retirees, who stayed at the resort between November 2017 and February 2018 reported that their credit cards were misused after their stays. | PoS Malware | I Accommodation and food service activities | CC | DE |
| 25 | 09/04/2018 | ? | Sodexo Filmology | Sodexo, a food services and facilities management company, notifies a number of customers that it was the victim of a targeted attack on its cinema vouchers platform Sodexo Filmology. | Targeted Attack | R Arts entertainment and recreation | CC | UK |
| 26 | 09/04/2018 | ? | Telco companies in Brazil, Colombia and other Latin American countries | Researchers from Flashpoint observe a spike of activity in Telegram messaging channels being used to exchange HTTP injectors. HTTP injectors can be used to obtain free mobile internet access. | HTTP Injectors | J Information and communication | CC | >1 |
| 27 | 10/04/2018 | ? | Vulnerable CMS Systems | Security researchers at Malwarebytes report having uncovered evidence of a sophisticated campaign of thousands of compromised websites running vulnerable CMSs, abused to distribute malware to visiting users via fake updates. The campaign is called FakeUpdates and is used to distribute the ZeusVM variant Chthonic banking malware or a NetSupport Remote Access Tool. | Malicious Code Injection into vulnerable CMSs | X Individual | CC | >1 |
| 28 | 10/04/2018 | Kuroi’SH and Prosox | Vevo YouTube Account | Two hackers manage to deface several popular YouTube music videos, changing titles and thumbnail images. The list of victims includes the most-viewed YouTube video of all time, “Despacito”. The two claim to have done it for Palestine. | Defacement | R Arts entertainment and recreation | H | US |
| 29 | 10/04/2018 | ? | Single Individuals | Researchers from Barracuda reveal the details of a recent spate of attacks using phishing, social engineering, exploits, and obfuscation to spread the Quant Loader trojan, capable of distributing ransomware and password stealers. The attack uses files with a “.url” extension claiming to be billing documents that actually lead to remote script files, using a variation of CVE-2016-3353. | Malware | X Individual | CC | >1 |
| 30 | 10/04/2018 | ? | Victoria Independent School District | Victoria Independent School District notifies employees that some email accounts were inappropriately accessed between July and October 2017. Some of the emails in those accounts contained employees’ personal information. | Account Hijacking | P Education | CC | US |
| 31 | 11/04/2018 | ? | Great Western Railway | Great Western Railway resets more than a million customer accounts after discovering hackers had successfully breached a small percentage of them. According to the operator, about 1,000 of its passengers' details have been exposed. | Credential Stuffing | X Individual | CC | UK |
| 32 | 12/04/2018 | UK | Islamic State | The director of the intelligence agency GCHQ, Jeremy Fleming, reveals that the UK has conducted a "major offensive cyber-campaign" against the Islamic State group. | DDoS | S Other service activities | CW | N/A |
| 33 | 12/04/2018 | ? | Governments and high-level officials in the Middle East and North Africa (MENA) | Kaspersky Lab details a large-scale nation-state backed malware campaign called Operation Parliament that is targeting governments and high-level officials in the Middle East and North Africa (MENA) region, and more specifically Palestine. | Targeted Attack | O Public administration and defence, compulsory social security | CE | PS |
| 34 | 12/04/2018 | ? | Single Individuals | Researchers from Menlo Security reveal the details of a new multi-stage campaign using malicious attachments to infect the endpoint with content hosted on a remote host (and exploiting CVE-2017-8570 to drop the executable on the endpoint). The campaign is used to deliver the Formbook malware. | Malware | X Individual | CC | >1 |
| 35 | 12/04/2018 | ? | Sucuri | The California-based website security provider Sucuri suffers a series of massive DDoS attacks causing service outages in Western Europe, South America and parts of the Eastern United States. | DDoS | M Professional scientific and technical activities | CC | US |
| 36 | 13/04/2018 | ? | Diagnostic Radiology & Imaging | Diagnostic Radiology & Imaging notifies 800 patients of a phishing incident that occurred in November 2017. | Account Hijacking | Q Human health and social work activities | CC | US |
| 37 | 13/04/2018 | ? | Vulnerable Drupal CMS Systems | After the publication of PoC code, attackers start to exploit the Drupalgeddon2 vulnerability (CVE-2018-7600). | Vulnerability (CVE-2018-7600) | Y Multiple Industries | CC | >1 |
| 38 | 13/04/2018 | ? | Vulnerable routers | Security researchers at Akamai discover a proxy botnet composed of more than 65,000 routers exposed to the Internet via the Universal Plug and Play (UPnP) protocol. | UPnP Vulnerability | Y Multiple Industries | CC | >1 |
| 39 | 13/04/2018 | ? | Inogen | Inogen, a California-based medical device manufacturer, reports that 30,000 former and current customers may have had their personal information exposed when a company employee's email account was compromised sometime between Jan. 2, 2018, and Mar. 14, 2018. | Account Hijacking | C Manufacturing | CC | US |
| 40 | 13/04/2018 | ? | Mise En Place Restaurant Services | Mise En Place Restaurant Services announces that it was subject to a ransomware attack, which may have potentially exposed some information of clients and individuals. | Malware | I Accommodation and food service activities | CC | US |
| 41 | 14/04/2018 | ? | Texas Health Resources | Texas Health Resources reveals that an unauthorized party may have gained access to patient information back in October 2017 by compromising some of the organization's email accounts. The breach was discovered in January and might impact 4,000 users. | Account Hijacking | Q Human health and social work activities | CC | US |
| 42 | 15/04/2018 | ? | UnityPoint Health | UnityPoint Health notifies patients of a phishing attack that occurred between November 1, 2017 and February 7, 2018. | Account Hijacking | Q Human health and social work activities | CC | US |
