The second timeline of April is finally here (first one at this link), confirming the sustained level of activity that we have seen in the last months. In this fortnight I have collected 73 events.
Undoubtedly, ransomware, in its new targeted shape, is the attack vector that is characterizing this period. The list of victims is quite long and includes Aebi Schmidt, A2 Hosting, Cleveland Hopkins International Airport, Verint, The Weather Channel, and many more.
New organizations have joined the list of victims of mega breaches, such as Bodybuilding.com, potentially impacting several million users, and new e-commerce sites, including the online shops of the Atlanta Hawks and Puma Australia, have joined the list of Magecart victims.
Similarly, the cyber espionage landscape is as crowded as ever: one of the most well-known actors, the infamous Iran-linked OilRig APT, has been exposed, and this has allowed security researchers to understand that the group has been able to steal 13,000 passwords from 98,000 organizations worldwide.
Other unearthed operations include Sea Turtle (targeting organizations in the Middle East and North Africa), new campaigns against Ukraine, a comeback of the DNSpionage gang (with a possible link to OilRig), and much more…
Another long timeline, and another opportunity to spend some time browsing it, sharing it, and spreading the word of security awareness throughout the community (and do not forget to follow @paulsparrows on Twitter for the latest updates).
| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 12/04/2019 | ? | Flashpoint | A 0-day vulnerability in the Yuzo WordPress plugin causes the Flashpoint website to briefly redirect users to an external website with a pop-up leading to malware. | 0-day WordPress Vulnerability | M Professional scientific and technical activities | CC | US | Flashpoint, Yuzo |
| 2 | 16/04/2019 | ? | iOS users from the U.S. and multiple European Union countries | Researchers from Confiant discover eGobbler, a massive malvertising campaign targeting iOS users from the U.S. and multiple European Union countries. Roughly 500 million user sessions were exposed. | Malvertising | X Individual | CC | >1 | Confiant, eGobbler, iOS |
| 3 | 16/04/2019 | ? | Multiple Ukrainian military departments | Researchers from FireEye reveal that multiple Ukrainian military departments were targeted by a spear-phishing campaign which attempted to drop a RATVERMIN backdoor as a second-stage payload delivered with the help of a PowerShell script. | Targeted Attack | O Public administration and defence, compulsory social security | CE | UA | FireEye, RATVERMIN, PowerShell |
| 4 | 16/04/2019 | ? | Single Individuals | Researchers from ESET reveal the details of Scranos, a rootkit-enabled spyware operation. | Malware | X Individual | CC | >1 | Scranos, ESET |
| 5 | 16/04/2019 | ? | Remotely Accessible Samba Servers | A new ransomware family called NamPoHyu Virus or MegaLocker Virus runs locally on a victim's computer and remotely encrypts accessible Samba servers. | Malware | Y Multiple Industries | CC | >1 | NamPoHyu, MegaLocker, Samba, Ransomware |
| 6 | 16/04/2019 | ? | Users of the popular Electrum Bitcoin wallet | Researchers from Malwarebytes reveal that since at least late December 2018, users of the popular Electrum Bitcoin wallet have fallen victim to phishing attacks, estimated to net crooks over 771 Bitcoins, approximately $4 million at the current exchange rate. | Account Hijacking | V Fintech | CC | >1 | Bitcoin, Electrum, Malwarebytes, Crypto |
| 7 | 16/04/2019 | ? | Single Individuals | Researchers from ZeroFOX discover multiple campaigns exploiting the tragic fire of Notre Dame for fake donation pages and new phishing campaigns. | Account Hijacking | X Individual | CC | >1 | ZeroFOX, Notre Dame |
| 8 | 16/04/2019 | ? | Centrelake Medical Group | Centrelake Medical Group notifies almost 198,000 patients after a virus investigation reveals an earlier intrusion and suspicious activity. | Malware | Q Human health and social work activities | CC | US | Centrelake Medical Group |
| 9 | 17/04/2019 | ? | Organizations in the Middle East and North Africa (ministries, military organizations, intelligence agencies, energy companies) | Researchers from Cisco Talos reveal the details of Sea Turtle, a state-sponsored attack manipulating DNS systems, targeting primarily national security organizations in the Middle East and North Africa. | DNS Hijacking | O Public administration and defence, compulsory social security | CE | >1 | Cisco Talos, Sea Turtle |
| 10 | 17/04/2019 | ? | Verint | The Israeli offices of US cyber-security firm Verint are hit by ransomware. | Malware | M Professional scientific and technical activities | CC | IL | Verint, Ransomware |
| 11 | 17/04/2019 | ? | Multiple Targets | Researchers from Trend Micro discover a potential targeted attack making use of the legitimate script engine AutoHotkey in combination with malicious script files. | Targeted Attack | Y Multiple Industries | CE | >1 | Trend Micro, AutoHotkey |
| 12 | 17/04/2019 | ? | Chipotle | Some Chipotle customers claim their accounts have been hacked and report fraudulent orders charged to their credit cards. The company states credential stuffing is to blame. | Credential Stuffing | I Accommodation and food service activities | CC | US | Chipotle |
| 13 | 18/04/2019 | Lab Dookhtegan | OilRig, AKA APT34, AKA HelixKitten | A collective dubbed Lab Dookhtegan reveals details about the inner workings of the cyber-espionage group known as OilRig, APT34, and HelixKitten, linked to the Iranian government. The source code of their tools is leaked on Telegram. | Unknown | S Other service activities | CW | IR | Lab Dookhtegan, OilRig, APT34, HelixKitten, Iran |
| 14 | 18/04/2019 | ? | The Weather Channel | The Weather Channel is hit by a ransomware attack. | Malware | J Information and communication | CC | US | The Weather Channel, Ransomware |
| 15 | 18/04/2019 | ? | Entities from North America, Europe, Asia, and the Middle East | Researchers from Palo Alto Networks reveal the details of "Aggah", a malicious campaign targeting entities from North America, Europe, Asia, and the Middle East using a combination of pages hosted on Bit.ly, BlogSpot, and Pastebin to evade detection. | Targeted Attack | Y Multiple Industries | CE | >1 | Palo Alto Networks Unit 42, Aggah, North America, Europe, Asia, Middle East, Bit.ly, BlogSpot, Pastebin, RevengeRAT |
| 16 | 18/04/2019 | ? | Single Individuals | A new variant of the CryptoMix ransomware emerges, appending the .DLL extension to encrypted files; it is said to be installed through hacked remote desktop services. | Malware | X Individual | CC | >1 | CryptoMix, DLL, Remote Desktop, Ransomware |
| 17 | 18/04/2019 | ? | City of Augusta | The City of Augusta municipal services are hit by a ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | US | Augusta, Ransomware |
| 18 | 18/04/2019 | TA505 | Financial entities in the United States and worldwide | Researchers at Cyberint uncover a new campaign of the Russian actor TA505 against financial entities in the United States and worldwide. | Targeted Attack | K Financial and insurance activities | CC | >1 | Cyberint, TA505 |
| 19 | 18/04/2019 | ? | Multiple Targets | The attackers responsible for launching phishing campaigns against Wipro, India's third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant. | Account Hijacking | S Other service activities | CC | >1 | Wipro, Infosys, Cognizant |
| 20 | 19/04/2019 | ? | Ad Agencies | Researchers from Check Point uncover a series of applications conducting fraudulent activities against ad agencies, carried out via a mobile malware dubbed 'PreAMo'. The malware totaled over 90 million installs from Google Play across 6 applications. | Malware | S Other service activities | CC | >1 | Check Point, PreAMo, Android, Google Play |
| 21 | 19/04/2019 | ? | Partners for Quality | Partners for Quality notifies 3,673 clients after some employees' email accounts are compromised. | Account Hijacking | Q Human health and social work activities | CC | US | Partners for Quality |
| 22 | 20/04/2019 | ? | Atlanta Hawks | The online shop for the Atlanta Hawks professional NBA basketball team has malicious code injected into it (Magecart infection). | Malicious Script Injection | R Arts entertainment and recreation | CC | US | Atlanta Hawks, NBA, Magecart |
| 23 | 20/04/2019 | ? | EmCare Inc. | EmCare Inc. discloses that an unauthorized party obtained access to a number of employees' email accounts that contained the personal information of as many as 60,000 individuals, 31,000 of whom are patients. | Account Hijacking | Q Human health and social work activities | CC | US | EmCare Inc. |
| 24 | 22/04/2019 | ? | Bodybuilding.com | Bodybuilding.com notifies its customers of a security breach detected during February 2019, which was the direct result of a phishing email received back in July 2018. Potentially 18M users are impacted. | Account Hijacking | G Wholesale and retail trade | CC | US | Bodybuilding.com |
| 25 | 22/04/2019 | ? | Vulnerable WordPress Sites | Researchers from Palo Alto Networks discover an additional campaign exploiting the CVE-2019-9978 vulnerability of the Social Warfare WordPress plugin. | Vulnerability (CVE-2019-9978) | Y Multiple Industries | CC | >1 | Palo Alto Networks Unit 42, WordPress, Social Warfare, CVE-2019-9978 |