16-30 April 2018 Cyber Attacks Timeline

It’s time to publish the second timeline of April (first timeline here), covering the main cyber attacks that occurred between April 16th and April 30th. As you will soon discover, the decreasing trend unfortunately did not last for long, and this second fortnight again shows a higher number of events (57 vs 42).



New timeline, new mega breach… And the unwelcome prize goes to Careem, Uber’s rival in the Middle East, hit by a cyber attack back in January that compromised the data of 14 million users. Even Ikea is on the spot this fortnight (even if indirectly), given that its affiliate company TaskRabbit was similarly breached.

The crypto frenzy continues, and crooks have been actively exploiting the Drupalgeddon 2 vulnerability (CVE-2018-7600) to inject miners. Actually this was not the only campaign aimed at mining or stealing cryptocurrency: the list also includes Rarog and PyRoMine for cryptojacking, and SquirtDanger plus FacexWorm for stealing. A famous YouTuber, Ian Balina, also lost nearly $2M worth of tokens while streaming.

The list also includes multiple cyber espionage campaigns: the fortnight started with the joint statement by the UK NCSC (National Cyber Security Centre), FBI (Federal Bureau of Investigation) and DHS (Department of Homeland Security) against Grizzly Steppe, a crew of Russian state-sponsored actors, and we have seen operations carried out by the likes of APT-C-32, mAPT and APT10.

Last but not least, Italy was targeted by the hacktivists of AnonPlus, who defaced the website of Il Giornale, a primary Italian newspaper, and that of the City of Bologna.

The list is still long, so feel free to browse it all! And if you want to have an idea of how fragile our electronic identity is in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015, 2016, 2017 and now 2018 (regularly updated… Hopefully!). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheet format.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country |
|---|---|---|---|---|---|---|---|---|
| 1 | 04/04/2018 | ? | Single Individuals | Researchers from Palo Alto Networks reveal the details of Rarog, a previously unseen cryptomining trojan. | Malware | X Individual | CC | >1 |
| 2 | 12/04/2018 | ? | IIS 6.0 Vulnerable servers | Researchers from F5 discover a massive campaign exploiting an old IIS 6.0 vulnerability (CVE-2017-7269) to mine Electroneum. | Vulnerability (CVE-2017-7269) | Y Multiple Industries | CC | >1 |
| 3 | 16/04/2018 | Russian state-sponsored actors (Grizzly Steppe) | Government and private-sector organizations, critical infrastructure providers, and internet service providers (ISPs) | The UK NCSC (National Cyber Security Centre), FBI (Federal Bureau of Investigation) and DHS (Department of Homeland Security) issue a joint Technical Alert about malicious cyber activity carried out by the Russian Government. The attackers use compromised routers to conduct man-in-the-middle attacks. | Man-in-the-Middle using compromised devices | O Public administration and defence, compulsory social security | CE | >1 |
| 4 | 16/04/2018 | APT-C-32 | Middle Eastern Individuals | Researchers from Lookout reveal the details of an espionage campaign using two malware strains, called Desert Scorpion and FrozenCell, to spy on targets in Palestine. The attackers are thought to be linked to Hamas. | Targeted Attack | O Public administration and defence, compulsory social security | CE | >1 |
| 5 | 16/04/2018 | mobile APT (mAPT) | Several targets | Researchers from Lookout reveal a new campaign using a modified version of the infamous ViperRAT hosted in Google Play. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 6 | 16/04/2018 | ? | TaskRabbit | TaskRabbit, a web-based service owned by IKEA that connects freelance handymen with clients in various local US markets, emails customers admitting it suffered a security breach. The company takes down its app and website while investigating the incident and later admits that some personal information might have been compromised. | Unknown | N Administrative and support service activities | CC | US |
| 7 | 16/04/2018 | ? | Android Users | Researchers from Kaspersky Lab reveal the details of Roaming Mantis, an operation where malware authors have hijacked DNS settings on vulnerable routers to redirect users to sites hosting Android malware on clone apps of Google Chrome and Facebook. | DNS Hijacking | X Individual | CC | >1 |
| 8 | 16/04/2018 | ? | Multiple Targets | According to multiple sources, hackers have started to actively exploit the Drupalgeddon 2 Drupal CMS vulnerability CVE-2018-7600 to inject cryptominers. | Vulnerability (CVE-2018-7600) | Y Multiple Industries | CC | >1 |
| 9 | 16/04/2018 | ? | African Embassy in Dublin | Researchers from Lastline reveal that an African ambassador in Dublin was compromised by cyber criminals, with hackers gaining access to the entire nation’s digital data. | Targeted Attack | O Public administration and defence, compulsory social security | CE | N/A |
| 10 | 16/04/2018 | ? | Hong Kong Broadband Network | Hong Kong Broadband Network, the city’s second largest fixed-line residential broadband provider, discovers that an inactive customer database has been accessed without authorization. The personal data of some 380,000 customers, including details for more than 40,000 credit cards, are compromised. | Unknown | J Information and communication | CC | HK |
| 11 | 16/04/2018 | ? | Irvington School District | Partial social security numbers of more than 1,200 employees at Irvington schools are distributed via email to an unknown number of recipients by an unidentified attacker. | Unknown | P Education | CC | US |
| 12 | 17/04/2018 | ? | Chrome Users | Researchers from AdGuard uncover five malicious ad-blocker extensions on the Chrome Web Store that were installed by 20 million Chrome users before Google removed them. | Malware | X Individual | CC | >1 |
| 13 | 17/04/2018 | ? | TheBottle | Researchers from Palo Alto Networks reveal the details of SquirtDanger, a new strain of malware that allows hackers to take screenshots, steal passwords, download files and even steal the contents of cryptocurrency wallets. | Malware | X Individual | CC | >1 |
| 14 | 17/04/2018 | ? | Minecraft users | According to Avast’s Threat Labs, nearly 50,000 Minecraft users have been infected with malware aiming at reformatting hard drives, wiping out backup data from the targeted system and deleting other important files. | Malware | X Individual | CC | >1 |
| 15 | 17/04/2018 | AnoaGhost | insights.london.nhs.uk | An NHS website is defaced. | Defacement | O Public administration and defence, compulsory social security | CC | UK |
| 16 | 18/04/2018 | Gold Galleon | Multiple Maritime Shipping Firms | Researchers from Secureworks discover a previously unidentified "Gold Galleon" threat group, specialized in business email compromise (BEC) and business email spoofing (BES) fraud against maritime shipping firms, trying to steal millions of dollars on an annual basis. | Account Hijacking | H Transportation and storage | CC | >1 |
| 17 | 18/04/2018 | ? | Single Individuals | Security researchers from Radware spot a new information stealer that collects Chrome login data from infected victims, along with session cookies, and appears to be looking for Facebook and Amazon details in particular. The malware is called Stresspaint and has so far infected more than 40,000 users. | Malware | X Individual | CC | >1 |
| 18 | 18/04/2018 | ? | California's Center for Orthopaedic Specialists (COS) | California's Center for Orthopaedic Specialists (COS) discloses that it has been hit by a ransomware attack. The incident impacts the records of approximately 85,000 patients across three facilities in West Hills, Simi Valley and Westlake Village. | Malware | Q Human health and social work activities | CC | US |
| 19 | 18/04/2018 | ? | Ian Balina | Ian Balina, a well-known sponsored YouTube blogger, is hacked while streaming, losing roughly $2 million in tokens. | Account Hijacking | X Individual | CC | US |
| 20 | 18/04/2018 | ? | Sangamo Therapeutics | Sangamo Therapeutics announces a data security incident involving the compromise of a senior executive’s company email account. | Account Hijacking | Q Human health and social work activities | CC | US |
| 21 | 18/04/2018 | ? | Minecraft and Counter-Strike: Global Offensive players | Researchers discover two strains of fake ransomware targeting players of Minecraft and Counter-Strike: Global Offensive (CS:GO). | Malware | X Individual | CC | >1 |
| 22 | 18/04/2018 | ? | Questar | Annual tests in several states are delayed by what appears to be a suspected hack of Questar, a K12 assessment solutions provider. | Unknown | P Education | CC | US |
| 23 | 19/04/2018 | HighTech Brazil Hackteam | Supreme Court of India | The website of the Supreme Court of India is defaced. | Defacement | O Public administration and defence, compulsory social security | CC | IN |
| 24 | 19/04/2018 | ? | Single Individuals | Researchers from Trend Micro discover a spam campaign delivering the Adwind RAT bundled with the XTRAT and DUNIHI backdoors. | Malware | X Individual | CC | >1 |
| 25 | 19/04/2018 | ? | Single Individuals | Researchers at MalwareHunterTeam discover a new strain of ransomware targeting Brazilian users, called RansSIRIA, which encrypts victims’ files and then states it will donate the ransom to Syrian refugees. | Malware | X Individual | CC | BR |
| 26 | 20/04/2018 | ? | Multiple Targets | Security researchers from antivirus maker Qihoo 360 Core discover a new Internet Explorer 0-day exploited by a state-sponsored threat actor. The vulnerability is called "double kill". | Targeted Attack | Y Multiple Industries | CE | >1 |
| 27 | 20/04/2018 | ? | Multiple Targets | Researchers from Qihoo 360 Netlab and GreyNoise Intelligence discover a botnet made up of servers and smart devices exploiting the severe Drupal CMS vulnerability CVE-2018-7600, also known as Drupalgeddon 2. The botnet is dubbed Muhstik. | Malware | Y Multiple Industries | CC | >1 |
| 28 | 21/04/2018 | ? | Equihash mining pools | Security researchers at 360 Core Security detect a new type of attack targeting some Equihash mining pools. | Vulnerability on Equihash mining pool | Y Multiple Industries | CC | >1 |
| 29 | 21/04/2018 | ? | City of Hamilton | The emails of about 1,100 Hamilton residents have been compromised following a data breach of two waste collection apps, according to the City of Hamilton. | Unknown | O Public administration and defence, compulsory social security | CC | CA |
| 30 | 22/04/2018 | AnonPlus | ilgiornale.it | Hackers from AnonPlus deface ilgiornale.it, one of the main newspapers in Italy, with fake news about Mr. Silvio Berlusconi being in jail. | Defacement | J Information and communication | H | IT |
| 31 | 22/04/2018 | Prosox Shade | Red Bull Website | The Red Bull website is defaced twice in a few hours, probably by exploiting the Drupalgeddon 2 vulnerability. | Defacement | I Accommodation and food service activities | CC | AT |
| 32 | 23/04/2018 | ? | Prince Edward Island (PEI) Government Website | A ransomware attack takes down the Prince Edward Island Government website. | Malware | O Public administration and defence, compulsory social security | CC | CA |
| 33 | 23/04/2018 | Orangeworm | Healthcare organizations in the United States, Europe and Asia | Researchers from Symantec reveal the details of Orangeworm, a threat group targeting healthcare organizations in the United States, Europe and Asia via a custom backdoor dubbed Kwampirs. | Targeted Attack | Q Human health and social work activities | CE | >1 |
| 34 | 23/04/2018 | ? | Careem | Careem, Uber’s main ride-hailing app rival in the Middle East, is hit by a cyber attack that compromises the data of 14 million users. The breach was discovered on January 14. | Unknown | H Transportation and storage | CC | AE |
| 35 | 23/04/2018 | APT10 | Japanese defense companies | According to FireEye, the Chinese group APT10 has targeted Japanese defense companies, possibly to get information on Tokyo’s policy toward resolving the North Korean nuclear impasse. | Targeted Attack | O Public administration and defence, compulsory social security | CE | JP |
| 36 | 23/04/2018 | Hunter butt | Thai Airways Website | The official website of Thai Airways is hacked by a Pakistani with the moniker “Hunter butt”. The hacker uploads a deface page on 23 subdomains. | Defacement | H Transportation and storage | CC | TH |
| 37 | 24/04/2018 | ? | MyEtherWallet.com | A hacker (or group of hackers) hijacks the Amazon DNS servers of MyEtherWallet.com, a web-based Ether wallet service. Users accessing the site are redirected to a fake version of the website. Those who logged in had their wallet private keys stolen, which the attacker used to empty accounts. The total bounty is $152,000. | DNS Hijacking | V Fintech | CC | US |
| 38 | 24/04/2018 | ? | Ukraine's Energy Ministry Website | Unknown hackers use ransomware to take the website of Ukraine's energy ministry offline and encrypt its files. | Malware | O Public administration and defence, compulsory social security | CC | UA |
| 39 | 24/04/2018 | ? | Single Individuals | Researchers from FortiGuard Labs uncover a new Python-based Monero cryptocurrency mining malware, dubbed "PyRoMine", that uses the ETERNALROMANCE exploit to spread. | Malware | X Individual | CC | >1 |
| 40 | 24/04/2018 | ? | Brazilian companies | Researchers from FireEye identify a widespread spam campaign, dubbed Metamorfo, targeting Brazilian companies with the goal of delivering banking Trojans. | Malware | Y Multiple Industries | CC | BR |
| 41 | 24/04/2018 | ? | Americas Cardroom | Poker tournaments are disrupted after a spate of DDoS attacks on Americas Cardroom. | DDoS | R Arts, entertainment and recreation | CC | US |
| 42 | 24/04/2018 | ? | Multiple industries including critical infrastructure, entertainment, finance, health care, and telecommunications | Researchers from McAfee uncover a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. The campaign is dubbed Operation GhostSecret. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 43 | 24/04/2018 | ? | WebLogic Servers | Attackers start to exploit Oracle WebLogic servers for CVE-2018-2628. | Vulnerability (CVE-2018-2628) | Y Multiple Industries | CC | >1 |
| 44 | 25/04/2018 | ? | HPE Users | Threat actors target internet-accessible HPE Integrated Lights-Out 4 (HPE iLO 4) remote management interfaces with ransomware. | Malware | Y Multiple Industries | CC | >1 |
| 45 | 26/04/2018 | ? | Single Individuals | Researchers from Vade Secure reveal the details of a massive phishing campaign targeting more than 550 million email users globally since the first quarter of 2018. | Account Hijacking | X Individual | CC | >1 |
| 46 | 26/04/2018 | ? | Single Individuals | Researchers from Trend Micro discover a new variant of the infamous Necurs botnet using .url files (internet shortcuts) to bypass conventional detection methods. | Malware | X Individual | CC | >1 |
| 47 | 26/04/2018 | The Invincible The Martian | Several targets in India | Researchers from Cisco Talos unveil the details of GravityRAT, a tool with sophisticated anti-evasion techniques used in targeted attacks against India, allegedly coming from Pakistan. | Targeted Attack | O Public administration and defence, compulsory social security | CW | IN |
| 48 | 26/04/2018 | Team Kerala Cyber Warriors | Pakistan | Team Kerala Cyber Warriors, a hacking group based in India, begins to install ransomware on websites based in Pakistan. The ransomware is called KCW Ransomware. | Malware | Y Multiple Industries | CW | PK |
| 49 | 26/04/2018 | ? | Sen. Richard Pan, D-Sacramento | Sen. Richard Pan, D-Sacramento, claims that thieves hacked his email account and stole $46,000 from his re-election campaign in a "sophisticated" scheme earlier this year. | Account Hijacking | X Individual | CC | US |
| 50 | 27/04/2018 | ? | Three banks in Mexico (Grupo Financiero Banorte, Banco del Bajio SA, and Bancomext) | Three banks in Mexico (Grupo Financiero Banorte, Banco del Bajio SA, and Bancomext) are targeted by a cyber attack aimed at penetrating Mexico’s electronic payment system (SPEI). | Unknown | K Financial and insurance activities | CC | MX |
| 51 | 27/04/2018 | ? | Zippy's Restaurants | The Hawaii-based Zippy's Restaurants reports that the point-of-sale systems at 25 of its locations have been compromised, exposing customer data from November 23, 2017, to March 29, 2018. | PoS Malware | I Accommodation and food service activities | CC | US |
| 52 | 27/04/2018 | ? | Highway Sign in Arizona | Someone hacks a highway sign in Arizona and defaces it with 'Hail Hitler' text. | Unknown | H Transportation and storage | CC | US |
| 53 | 27/04/2018 | ? | Leominster Schools District | Leominster Schools District pays a $10,000 Bitcoin ransom following a cyberattack on its systems. | Malware | P Education | CC | US |
| 54 | 27/04/2018 | AnonPlus | City of Bologna | The website of the City of Bologna is defaced by AnonPlus. | Defacement | O Public administration and defence, compulsory social security | H | IT |
| 55 | 27/04/2018 | ? | Scenic Bluffs Community Health Centers | Scenic Bluffs Community Health Centers notifies 2,889 patients of a potential breach of personal patient information after discovering on March 1, 2018, that one staff email account had been hacked on Feb. 28, 2018, by an unauthorized party. | Account Hijacking | Q Human health and social work activities | CC | US |
| 56 | 27/04/2018 | ? | Billings Clinic | Billings Clinic notifies 949 patients of a breach of its email security system that allowed an unknown individual to access patients' information back in February. | Account Hijacking | Q Human health and social work activities | CC | US |
| 57 | 30/04/2018 | ? | Single Individuals | Researchers from Trend Micro reveal the details of FacexWorm, a malicious Chrome extension targeting cryptocurrency trading platforms via Facebook Messenger in order to steal account credentials for Google, MyMonero and Coinhive. | Malware | X Individual | CC | >1 |
