Here’s the second timeline of May, covering the main events that occurred in the second fortnight of May (part I here). I am glad to announce that this timeline confirms the decreasing trend in the number of events (61 vs. 69 reported in the first timeline, and 74 in the second timeline of April).
So where do we want to start? For sure there have been multiple high-profile targets that disclosed breaches in this period. The list includes Stack Overflow (attackers accessed production systems), TeamViewer (the attack happened in 2016!), Computacenter UK Ltd. (victim of a phishing attack), and Canva (139 million records leaked by the infamous Gnosticplayers).
With regards to Cyber Espionage, new and well-known actors continue to make the headlines: MuddyWater, APT10, Emissary Panda, Turla, and TA505 are just a few examples of state-sponsored actors that appear in this timeline.
And, last but not least, social networks are becoming the new battleground of cyberwar: this fortnight has also seen the discovery of two campaigns spreading misinformation via social media and fake websites.
As usual it’s impossible to summarize everything in a few lines, so feel free to browse the timeline, share it, and spread the word of security awareness throughout the community. And do not forget to follow @paulsparrows on Twitter for the latest updates.
| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 16/05/2019 | ? | Stack Overflow | In a short announcement, Stack Overflow informs that it was the target of an attack in which hackers accessed its production systems. The breach occurred on May 5. | Website Vulnerability | J Information and communication | CC | US | Stack Overflow |
| 2 | 16/05/2019 | ? | OGUSERS | OGUSERS, a forum where hackers and cybercriminals trade stolen Instagram and Twitter accounts, is apparently hacked. | Plugin vulnerability | U Activities of extraterritorial organizations and bodies | CC | N/A | OGUSERS |
| 3 | 16/05/2019 | Archimedes Group | Facebook Users | Facebook removes 265 Facebook and Instagram accounts, pages, groups and events involved in inauthentic behavior. The activity originated in Israel and focused on Nigeria, Senegal, Togo, Angola, Niger, Tunisia, Latin America and South East Asia. | Fake Social Networks Accounts | X Individual | CW | >1 | Facebook, Instagram, Archimedes Group, Nigeria, Senegal, Togo, Angola, Niger, Tunisia, Latin America, Southeast Asia |
| 4 | 16/05/2019 | ? | Singapore Red Cross | The Singapore Red Cross says its website has been hacked and the personal data of more than 4,000 potential blood donors compromised. | Unknown | U Activities of extraterritorial organizations and bodies | CC | SG | Singapore Red Cross |
| 5 | 16/05/2019 | ? | The Shubert Organization | Theater company The Shubert Organization discloses a data breach. An unauthorized party had accessed certain Shubert employees’ email accounts, which contained customer information. | Account Hijacking | R Arts entertainment and recreation | CC | US | The Shubert Organization |
| 6 | 17/05/2019 | Attackers from China | TeamViewer | TeamViewer confirms that it was the victim of a cyber attack discovered in the autumn of 2016 but never disclosed. The attack is thought to be of Chinese origin and used the Winnti backdoor. | Targeted Attack | M Professional scientific and technical activities | CE | DE | TeamViewer, Chinese, Winnti |
| 7 | 17/05/2019 | Unistellar | Unsecured MongoDB | Over 12,000 unsecured MongoDB databases have been deleted over the past three weeks, with only a message left behind asking the owners of the databases to contact the cyber-extortionists to have the data restored. | Misconfiguration | Y Multiple Industries | CC | >1 | MongoDB, Unistellar |
| 8 | 17/05/2019 | ? | Oregon Construction Contractors Board | The Oregon Construction Contractors Board says it has discovered a breach involving 8,013 accounts. Unauthorized individuals gained access to some contractors’ usernames and passwords between Oct. 27 and Oct. 29, 2018; the breach was discovered on April 12, 2019. | Unknown | O Public administration and defence, compulsory social security | CC | US | Oregon Construction Contractors Board |
| 9 | 17/05/2019 | ? | Cancer Treatment Centers of America | Cancer Treatment Centers of America sends notification letters to patients whose protected health information was in an employee email account compromised by a phishing attack. | Account Hijacking | Q Human health and social work activities | CC | US | Cancer Treatment Centers of America |
| 10 | 18/05/2019 | ? | LibertyBus | Passwords and log-in details for hundreds of LibertyBus customers are obtained by attackers, who used a spoof website to divert customers wanting to top up their pre-paid cards. | Account Hijacking | H Transportation and storage | CC | US | LibertyBus |
| 11 | 19/05/2019 | ? | President Trump’s U.S. Golf Association account | Hackers access President Trump’s U.S. Golf Association account and add four fake golf scores for games allegedly played at two courses. | Account Hijacking | X Individual | CC | US | Donald Trump |
| 12 | 20/05/2019 | MuddyWater | Targets in Middle East | Researchers from Cisco Talos reveal the details of a new campaign carried out by the MuddyWater threat group, using new techniques to avoid detection. | Targeted Attack | Y Multiple Industries | CE | >1 | Cisco Talos, MuddyWater |
| 13 | 20/05/2019 | ? | Single Individuals | Researchers at Fortinet discover a new campaign of the Satan ransomware that adds new exploits to its portfolio and also installs a miner payload. | Malware | X Individual | CC | >1 | FortiGuard Labs, Satan, Ransomware |
| 14 | 20/05/2019 | ? | Members of the cryptocurrency community | Numerous members of the cryptocurrency community are hit by SIM swapping attacks, in what appears to be a coordinated wave of attacks. | Account Hijacking | X Individual | CC | US | SIM Swapping, Crypto |
| 15 | 20/05/2019 | ? | Coventry Local School District | Coventry Local School District is forced to send students and some of its staff home after a Trickbot malware infection causes major issues to its IT infrastructure. | Malware | P Education | CC | US | Coventry Local School District, Trickbot |
| 16 | 20/05/2019 | ? | Louisville Regional Airport Authority (LRAA) | The Louisville Regional Airport Authority (LRAA) is hit by a ransomware attack. | | | | | |
| | | | | Researchers from Trend Micro discover a new Trickbot variant that uses a URL redirect in a spam email as a tactic to bypass spam filters. | Malware | X Individual | CC | >1 | Trend Micro, Trickbot |
| 18 | 20/05/2019 | ? | The Voice Kids | Channel One TV, the channel that broadcasts the show "The Voice Kids" in Russia, announces that it will cancel the results of the vote after an investigation by Group-IB reveals massive automated SMS spamming in favor of one participant. | SMS Spamming | R Arts entertainment and recreation | CC | RU | Channel One TV, The Voice Kids, Group-IB |
| 19 | 21/05/2019 | Anonymous Italia | Italian Union of State Police | In the name of #OpPulizia, Anonymous Italia releases leaks from the Italian Union of State Police and four additional national organizations. | SQLi | O Public administration and defence, compulsory social security | H | IT | Anonymous Italia, #OpPulizia |
| 20 | 21/05/2019 | US Navy | US Air Force | The US Air Force opens an investigation into a "malware" infection, which it is blaming on lawyers employed by the US Navy who are working on a war crimes case. | Targeted Attack | O Public administration and defence, compulsory social security | CE | US | US Navy, US Air Force |
| 21 | 21/05/2019 | ? | Multiple retailer websites | Researchers from Malwarebytes discover a new online POS skimmer used by one of the Magecart groups, which injects into retailer websites an iframe that asks for payment card information. | Malicious Script Injection | G Wholesale and retail trade | CC | >1 | Malwarebytes, Magecart |
| 22 | 21/05/2019 | ? | Sunderland City Council | Hackers access users’ personal details in a cyber attack on Sunderland City Council’s library database. | Unknown | O Public administration and defence, compulsory social security | CC | UK | Sunderland City Council |
| 23 | 22/05/2019 | ? | Single Individuals | A new ransomware called GetCrypt is being installed through malvertising campaigns that redirect victims to the RIG exploit kit. Luckily a decryptor is immediately available. | Malware | X Individual | CC | >1 | GetCrypt, RIG exploit kit, Ransomware |
| 24 | 22/05/2019 | ? | High-Tech, Wholesale, Education Sectors in U.S., Japan, India, Thailand, Canada | Researchers from Palo Alto Networks discover a new campaign distributing the Shade Ransomware. | Malware | Y Multiple Industries | CC | >1 | Palo Alto Networks, Shade Ransomware |
| 25 | 22/05/2019 | ? | Computacenter UK Ltd | The third-party mailbox used by Computacenter UK Ltd employees and contractors to deposit data for security clearance applications is hacked and used in phishing scams. | Account Hijacking | M Professional scientific and technical activities | | | |