16-31 May 2018 Cyber Attacks Timeline

Here it comes! The second timeline of May is ready (first timeline here), covering the main cyber attacks that occurred between May 16 and May 31 2018 (well… actually there are also some events that happened before, and you will find them as well).

Unfortunately the number of cyber attacks keeps on growing (this month’s list reports 59 events vs 55 in the previous one), and the number of mega breaches with it.



I really do not know where to start from, maybe from Japan, the Land of the Rising Sun, where a hacker suspected to be operating out of China has put on sale the data of around 200 million Japanese users on an underground cybercrime forum, or maybe from Ticketfly, which had the personal information of a staggering 27 million users compromised.

Another interesting trend is that cryptocurrencies are more and more attractive to crooks: not only the individual users (there were some interesting operations this month), but also the cryptocurrencies themselves, which were heavily under attack: Bitcoin Gold (the equivalent of $18 million gone with the wind), Verge (“only” $1.65 million gone), or Taylor (again “only” $1.35 million evaporated) are just three examples of what happened in this fortnight.

And things are not much better as far as Cyber Espionage is concerned: despite the new political climate between the US and North Korea, the latter (along with Russia) continues to be very active in the Cyber Space.

Even this month, the list is quite long, so feel free to browse it all! And if you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015, 2016, 2017 and now 2018 (regularly updated… Hopefully!). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). If useful, you can access the timeline in Google Sheet format.

Attack Class codes: CC = Cyber Crime, CE = Cyber Espionage, H = Hacktivism.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country |
|---|---|---|---|---|---|---|---|---|
| 1 | 10/05/2018 | ? | Nuance | Speech recognition software firm Nuance announces the breach of thousands of patient records after a former employee breached its servers and accessed the personal information of 45,000 individuals from several contracted clients between November 20 and December 9 of 2017. | Account Hijacking | M Professional scientific and technical activities | CC | US |
| 2 | 11/05/2018 | ? | Multiple Users | Researchers from Qihoo 360 discover a miner campaign hidden behind a potentially unwanted program dubbed One System Care. | Malware | Y Multiple Industries | CC | >1 |
| 3 | 11/05/2018 | Satori Botnet | Exposed Ethereum Mining Rigs | The operators of the Satori botnet are mass-scanning the Internet for exposed Ethereum mining rigs, according to three sources in the infosec community who have observed the malicious behavior: SANS ISC, Qihoo 360 Netlab, and GreyNoise Intelligence. | Brute-Force | V Fintech | CC | >1 |
| 4 | 15/05/2018 | ? | Multiple Users | Researchers from Qihoo 360 discover a particular miner dubbed IdleBuddyMiner, which asks nicely for permission to mine via a popup. | Malware | Y Multiple Industries | CC | >1 |
| 5 | 16/05/2018 | ? | Securus | A hacker provides Motherboard with 2,800 login details for Securus, a company that buys phone location data from major telecom companies and then sells it to law enforcement. The company confirms the breach a few days later. | Unknown | X Individual | CC | US |
| 6 | 16/05/2018 | ? | Windows Users | Researchers from Qihoo 360 discover a massive malware campaign spreading a new coinminer, which appears to have made roughly 500,000 victims in three days alone. The miner is called WinstarNssmMiner. | Malware | X Individual | CC | >1 |
| 7 | 16/05/2018 | ? | Ethereum Wallets | Researchers from RiskIQ unveil the details of MEWKit, a sophisticated phishing campaign aimed at stealing credentials of Ethereum wallets and, at the same time, performing an automated transfer with the stolen details. | Account Hijacking | X Individual | CC | >1 |
| 8 | 16/05/2018 | ? | ZooPark APT Group | A vigilante hacker claims to have hacked the alleged Iran-linked group behind the ZooPark campaign discovered by Kaspersky earlier this month, and dumps the files purportedly stolen from a server controlled by the attackers. | Unknown | O Public administration and defence, compulsory social security | CC | IR |
| 9 | 16/05/2018 | ? | LifeBridge Health and LifeBridge Potomac Professionals | LifeBridge Health and LifeBridge Potomac Professionals notify patients about a malware incident that occurred back on March 18, 2018. The number of affected patients could be 500,000. | Malware | Q Human health and social work activities | CC | US |
| 10 | 16/05/2018 | ? | Wordpress Websites | A report from security firm Wordfence reveals that hackers have come up with a never-before-seen method of installing backdoored plugins on websites running the open-source WordPress CMS; the new technique relies on using weakly protected WordPress.com accounts and the Jetpack plugin. | Account Hijacking | Y Multiple Industries | CC | >1 |
| 11 | 16/05/2018 | Racoon Hacker | Russian-speaking Telegram users | Researchers from Cisco Talos reveal the details of TeleGrab, a malware harvesting cache and key files from Telegram. | Malware | X Individual | CC | RU |
| 12 | 16/05/2018 | ? | Android Users | Researchers from security company Avast discover 26 apps on the Google Play Store that include adware forcing ads on compromised systems. | Malware | X Individual | CC | >1 |
| 13 | 17/05/2018 | ? | blackphoenixalchemylab.com | blackphoenixalchemylab.com discovers malware inserted into a portion of its checkout page between May 1 and May 16. | Malware | R Arts entertainment and recreation | CC | US |
| 14 | 17/05/2018 | ? | Corporation Service Company (CSC) | Hackers steal the personally identifiable information of 5,678 customers of the Corporation Service Company (CSC), according to a notice the company sent to the California attorney general's office. | Unknown | N Administrative and support service activities | CC | US |
| 15 | 17/05/2018 | ? | Fortnite Players | Researchers at Zscaler’s ThreatLabZ discover malicious apps on Google Play disguised as a mobile version of the popular game Fortnite. | Malware | X Individual | CC | >1 |
| 16 | 17/05/2018 | ? | Vulnerable IoT devices | Researchers from Fortinet discover a new variant of the Mirai botnet dubbed ‘Wicked Mirai’. | Malware | Y Multiple Industries | CC | >1 |
| 17 | 17/05/2018 | ? | Independent Like the North State Group Forum | An online forum designated for California’s First Congressional District debate is hacked by unknown attackers, who take over the live stream to broadcast gay pornography. | Unknown | S Other service activities | CC | US |
| 18 | 18/05/2018 | Sun Team | North Korean defectors and journalists | Researchers from McAfee discover RedDawn, a new campaign on Google Play targeting North Korean defectors and journalists. | Targeted Attack | X Individual | CE | KR |
| 19 | 18/05/2018 | ? | DrayTek routers | DrayTek, a Taiwan-based manufacturer of broadband CPE devices, announces that hackers are exploiting a zero-day vulnerability to change DNS settings on some of its routers. | DrayTek routers vulnerability | X Individual | CC | >1 |
| 20 | 18/05/2018 | ? | University of Buffalo | University of Buffalo confirms it is investigating and responding to a breach of 2,690 UBITName accounts. | Account Hijacking | P Education | CC | US |
| 21 | 18/05/2018 | ? | Tidal | Jay-Z’s Tidal streaming platform announces it has enlisted an “independent, third party cyber-security firm” to investigate a possible data breach, after reports of inflated subscriber and streaming numbers. | Unknown | R Arts entertainment and recreation | CC | US |
| 22 | 18/05/2018 | ? | Mobile Users | Researchers from Kaspersky reveal a new campaign carried out using the Roaming Mantis mobile trojan, targeting Europe and the Middle East and adding new features, such as a phishing option for iOS devices and crypto-mining capabilities for PCs. | Malware | X Individual | CC | >1 |
| 23 | 18/05/2018 | ? | Shona McGarty | Actress Shona McGarty, who plays Whitney Carter in EastEnders, is the latest celebrity to have intimate pictures leaked on the internet. Apparently her photos were stolen from her iCloud account. | Account Hijacking | X Individual | CC | UK |
| 24 | 18/05/2018 | ? | Bitcoin Gold | An unidentified hacker performs several "double spend" attacks on the infrastructure of the Bitcoin Gold cryptocurrency and manages to amass over $18 million worth of BTG (Bitcoin Gold) coins in the process. | 51% attack | V Fintech | CC | N/A |
| 25 | 19/05/2018 | Two unidentified students | Bloomfield Hills High School | Two students from Bloomfield Hills High School are the main suspects of a recent hack discovered at the school. The two broke into the school's MISTAR Student Information System portal, where they changed grades and attendance records and attempted to refund lunch purchases. | Unknown vulnerability | P Education | CC | US |
| 26 | 20/05/2018 | ? | 200 million Japanese | A hacker suspected to be operating out of China has put on sale the data of around 200 million Japanese users on an underground cybercrime forum, according to a FireEye iSIGHT Intelligence report. The data appears to have been assembled by hacking up to 50 smaller Japanese sites. | Unknown | Y Multiple Industries | CC | JP |
| 27 | 20/05/2019 | ? | Allied Physicians | Allied Physicians reports it was hit with a SamSam ransomware attack earlier this month (May 17). | Malware | Q Human health and social work activities | CC | US |
| 28 | 20/05/2019 | ? | Manuel Delia's Blog | The blog of Manuel Delia, a Maltese journalist and blogger, is the target of a DDoS attack. The attack apparently originates from Ukraine. | DDoS | J Information and communication | CC | MT |
| 29 | 21/05/2019 | ? | Gigabit Passive Optical Network (GPON) routers | Security researchers from Qihoo 360 Netlab discover that the operators behind the TheMoon botnet are now leveraging a zero-day exploit to target GPON routers. | Malware | Y Multiple Industries | CC | >1 |
| 30 | 21/05/2019 | ? | Gigabit Passive Optical Network (GPON) routers | Trend Micro researchers detect a new attack mimicking the Mirai botnet modus operandi, originating from Mexico and targeting Gigabit Passive Optical Network (GPON)-based home routers via two vulnerabilities (CVE-2018-10561 and CVE-2018-10562). | Vulnerabilities (CVE-2018-10561 and CVE-2018-10562) | Y Multiple Industries | CC | >1 |
| 31 | 21/05/2019 | ? | Twitter account of Charlie Lee | The Twitter account of Charlie Lee, the creator of Litecoin, is hacked. | Account Hijacking | X Individual | CC | US |
| 32 | 21/05/2019 | ? | Bombas | Bombas notifies consumers of a breach going back to 2015, when malware in the code of its e-commerce platform was identified and removed on February 9, 2015. | Malware | G Wholesale and retail trade | CC | US |
| 33 | 22/05/2019 | ? | Verge Cryptocurrency | A hacker finds a way around a previous patch in the Verge cryptocurrency source code and takes advantage of the flaw to monopolize mining operations and create Verge coins (XVG) at a rapid pace. He is able to mine over 35 million XVG coins in just a few hours, for a profit of $1.65 million. | 51% attack | V Fintech | CC | N/A |
| 34 | 22/05/2019 | ? | Mac Users | According to researchers at Malwarebytes, many Mac users in the past weeks have been infected with a new strain of Monero miner. The owners of the infected Mac systems noticed that a process named “mshelper” had been consuming a lot of CPU power and draining their batteries. | Malware | X Individual | CC | >1 |
| 35 | 23/05/2018 | State sponsored attackers (Russia?) | 500,000 organizations worldwide | Researchers from Cisco Talos unveil the details of VPNFilter, a massive campaign active since 2016 and carried out by nation-state hackers, infecting at least 500,000 victims in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment, as well as QNAP NAS devices. An update of June 6 reveals new capabilities, such as the ability to perform MITM attacks, and other vulnerable devices (ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE). | Malware | Y Multiple Industries | CE | >1 |
| 36 | 23/05/2018 | ? | University of Vermont | University of Vermont officials say they have no reason to believe the personal information of 37,000 current and former faculty, staff and students fell into the wrong hands following an intrusion into the school’s computer systems. | Unknown | P Education | CC | US |
| 37 | 24/05/2018 | Trisis, AKA Xenotime, AKA HatMan | Multiple Targets | Security researchers from CyberX reveal that the threat actor behind the Triton malware (aka Trisis, Xenotime, and HatMan) is now targeting organizations worldwide and their safety systems. | Targeted Attack | Y Multiple Industries | CE | >1 |
| 38 | 24/05/2018 | ? | Android Users | Avast reveals a list of 140 Android devices whose firmware is infected with a malware called Cosiloon. | Malware | X Individual | CC | >1 |
| 39 | 24/05/2018 | ? | Screens at the Mashhad airport in Iran | Hackers deface the screens at the Mashhad airport in Iran to protest against the Government and the military’s activities in the Middle East. | Defacement | H Transportation and storage | H | IR |
| 40 | 24/05/2018 | ? | Associates in Psychiatry and Psychology | Associates in Psychiatry and Psychology notifies 6,546 patients and the U.S. Department of Health and Human Services (HHS) of a ransomware incident that occurred in March. | Malware | Q Human health and social work activities | CC | US |
| 41 | 25/05/2018 | ? | Oxnard City | Oxnard city officials are contacted by a bank representative about fraudulent purchases being made with the cards people used to pay their utility bills. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US |
| 42 | 25/05/2018 | ? | American Family Life Assurance Company of Columbus (Aflac) | American Family Life Assurance Company of Columbus (Aflac) issues a press release concerning the breach of independent contractor sales agents’ email accounts. The breach occurred between Jan. 17 and April 2 and has reportedly affected some clients’ personal information. | Unknown | K Financial and insurance activities | CC | US |
| 43 | 25/05/2018 | ? | Aultman Health Foundation | About 42,600 patients tied to AultWorks Occupational Medicine, Aultman Hospital, and some Aultman physician offices may have had personal health and identification information stolen in a data breach after unknown and unauthorized individuals gained access to certain email accounts in February and March. | Unknown | Q Human health and social work activities | CC | US |
| 44 | 26/05/2018 | ? | Afghan diplomats in Pakistan | Afghan diplomats in Pakistan are warned that they are believed to be victims of "government-backed" digital attacks trying to steal their email passwords. | Targeted Attack | O Public administration and defence, compulsory social security | CE | AF |
| 45 | 26/05/2018 | ? | Arlo | Arlo advises its customers to change their passwords after credential-stuffing attempts are detected. | Brute-Force | C Manufacturing | CC | US |
| 46 | 27/05/2018 | ? | Goliath and Goliath | Comedy and entertainment agency Goliath and Goliath suffers a loss of more than 300,000 ZAR (about 22,000 USD) in what appears to be a phishing scam. | Account Hijacking | R Arts entertainment and recreation | CC | ZA |
| 47 | 28/05/2018 | ? | Bank of Montreal | Bank of Montreal, the country's fourth-largest bank, announces it has been contacted by fraudsters claiming to have stolen personal and financial information of a limited number of the bank's customers. According to the bank, less than 50,000 customers are affected by the incident. | Unknown | K Financial and insurance activities | CC | CA |
| 48 | 28/05/2018 | ? | Canadian Imperial Bank of Commerce (CIBC) | The Canadian Imperial Bank of Commerce (CIBC), the country's fifth-largest bank, is also affected by the same incident; it believes that 40,000 users of its subsidiary Simplii Financial could be affected. | Unknown | K Financial and insurance activities | CC | CA |
| 49 | 28/05/2018 | ? | Taylor Cryptocurrency | The creators of the Taylor cryptocurrency trading app claim that an unidentified hacker has stolen around $1.35 million worth of Ether from the company's wallets. | Account Hijacking | V Fintech | CC | EE |
| 50 | 28/05/2018 | Cobalt AKA Carbanak | Several Russian Banks | Group-IB reveals that, despite the alleged arrest of its leader, the Cobalt (AKA Carbanak) hacker group, which specializes in stealing money from banks and financial institutions, is still active and even launching a new campaign. | Targeted Attack | K Financial and insurance activities | CC | US |
| 51 | 28/05/2018 | ? | Harare Institute of Technology | A database from the Harare Institute of Technology is leaked, containing 3,500 users. | Unknown | P Education | CC | ZW |
| 52 | 29/05/2018 | Hidden Cobra | Multiple Targets | The FBI and Department of Homeland Security jointly release two technical alerts via the US-CERT, warning of two malware families dating back to at least 2009 that they say are tied to the suspected North Korea-sponsored APT group Hidden Cobra. The two malware families are the remote access tool (RAT) Joanap and the Server Message Block-based (SMB) worm Brambul. | Targeted Attack | Y Multiple Industries | CE | US |
| 53 | 29/05/2018 | ? | Brazilian Individuals | Researchers from IBM X-Force uncover a new Brazilian, Delphi-based banking malware, dubbed MnuBot. The malware uses Microsoft SQL Server as its command and control server. | Malware | K Financial and insurance activities | CC | BR |
| 54 | 29/05/2018 | ? | EOS Blockchain nodes | Threat Intelligence firm GreyNoise discovers that a mysterious attacker is scanning the Internet for EOS blockchain nodes that are accidentally exposing private keys through an API misconfiguration. | Brute-Force | V Fintech | CC | N/A |
| 55 | 30/05/2018 | IsHaKdZ | Ticketfly | The Ticketfly website is defaced with an image of V from the film V for Vendetta. Unfortunately, after refusing to pay a 1 BTC ransom, Ticketfly reveals that the personal information of 27 million accounts, including ticket buyers and venue operators, was accessed by the attacker. | Undisclosed vulnerability | R Arts entertainment and recreation | CC | US |
| 56 | 30/05/2018 | ? | Purdue University Pharmacy and the Family Health Clinic of Carroll County | Patients of the Purdue University Pharmacy and the Family Health Clinic of Carroll County receive notices that their information might be compromised because of a security breach. A malicious file was installed on some computers on September 1st. | Malware | Q Human health and social work activities | CC | US |
| 57 | 31/05/2018 | North Korean APT actor Group123? | South Koreans | Researchers from Cisco Talos discover NavRAT, a remote access trojan that apparently went undiscovered for at least two years, targeting South Koreans in a spam campaign using the possible upcoming U.S.-North Korea nuclear summit as a phishing lure. The tool leverages the email platform of South Korea-based Naver Corporation to communicate with the attackers. | Targeted Attack | X Individual | CE | KR |
| 58 | 31/05/2018 | Andariel Group | South Koreans | Local media in South Korea reveal that a North Korean cyber-espionage group has exploited at least nine ActiveX zero-day vulnerabilities, including a new 0-day, to infect South Korean targets with malware or steal data from compromised systems. | Targeted Attack | O Public administration and defence, compulsory social security | CE | KR |
| 59 | 31/05/2018 | ? | Sooke School District | The Sooke School District warns parents about a privacy invasion after an employee’s email was hacked. | Account Hijacking | P Education | CC | US |
