It’s time to publish the first timeline of November, covering the main cyber attacks that occurred in the first fifteen days of this month. In this timeline I have collected a total of 82 events, including 8 that slipped in from the previous month. All in all, we are seeing a slightly decreasing trend.
At least in this timeline we don’t have any mega breaches… However, ransomware continues to be the threat that most characterizes this period: the new trend is to infect Managed Service Providers in order to increase the impact on end customers, and ConnectWise and Everis are the most notable examples in this space. Of course many other organizations suffered the same kind of attack, including Boardriders (the brand behind Quiksilver and Billabong), along with the usual plethora of schools, healthcare providers and many other organizations worldwide.
Cyber espionage continues to be quite a hot front, with some important campaigns unearthed in this fortnight, including the attack against the Indian Space Research Organisation attributed to the Lazarus Group, and the discovery of new campaigns carried out by Platinum APT and APT33.
And while the approach of the 5th of November raised many expectations among hacktivists, in the end the actions were limited to Italy, with some operations against central and local government websites and the leak of 5.4 Gb of personal data belonging to the Italian customers of Lyca Mobile. Although unrelated to Operation #FifthOfNovember, another interesting event to mention is the DDoS attack against the UK Labour Party, ahead of the general election of December 12, claimed by an old acquaintance, the Lizard Squad.
Now, enough talking! Feel free to browse the timeline, and don’t forget to share it to support my work and spread the concept of risk awareness across the community. Of course, feel free to contribute by suggesting notable cyber events, and do not forget to follow @paulsparrows on Twitter, or connect on LinkedIn, for the latest updates.
| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Link | Tags |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 25/09/2019 | ? | Vmedia | Vmedia reveals that its forum has been compromised and shuts it down temporarily, urging users to change their passwords. | vBulletin vulnerability (CVE-2019-16759) | J Information and communication | CC | CA | | Vmedia, vBulletin, CVE-2019-16759 |
| 2 | 01/10/2019 | ? | Pipestone Kin-Ability Centre | The Pipestone Kin-Ability Centre in Moosomin, Sask. is hit by a cyber attack on its payroll system. The criminals steal $400,000. | Unknown | Q Human health and social work activities | CC | CA | | Pipestone Kin-Ability Centre, Sask |
| 3 | 16/10/2019 | TA2101 | German organizations | Researchers from Proofpoint discover a first campaign distributing the CobaltStrike backdoor to German organizations, impersonating the German Federal Ministry of Finance. | Malware | Y Multiple Industries | CC | DE | | CobaltStrike, Proofpoint, German Federal Ministry of Finance |
| 4 | 23/10/2019 | TA2101 | German organizations | Researchers from Proofpoint discover a second campaign distributing the CobaltStrike backdoor to German organizations, impersonating the German Federal Ministry of Finance. | Malware | Y Multiple Industries | CC | DE | | CobaltStrike, Proofpoint, German Federal Ministry of Finance |
| 5 | 25/10/2019 | ? | Digital Insights | NCR Corp. temporarily blocks third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform, in response to a series of bank account takeovers. | Account Hijacking | K Financial and insurance activities | CC | US | | NCR Corp., Mint, QuickBooks Online, Digital Insight |
| 6 | 31/10/2019 | TA2101 | Italian Organizations | Researchers from Proofpoint discover a campaign distributing the Maze ransomware to Italian organizations, impersonating the Italian Ministry of Taxation. | Malware | Y Multiple Industries | CC | IT | | Maze, Proofpoint, Italian Ministry of Taxation, ransomware |
| 7 | 31/10/2019 | ? | Perth Anaesthetic Group | Perth Anaesthetic Group is hacked: criminals access patient information and several patients are sent fake invoices from the attackers demanding payment. | Unknown | Q Human health and social work activities | CC | AU | | Perth Anaesthetic Group |
| 8 | 31/10/2019 | ? | Watertown School District | Watertown School District is hit by a ransomware attack. | Malware | P Education | CC | US | | Watertown School District, ransomware |
| 9 | 01/11/2019 | Wizard Spider | Multiple targets | Researchers from CrowdStrike discover new variants of Ryuk with a new capability for identifying and encrypting files on hosts in a local area network, using the Wake-on-LAN (WoL) utility to reach sleeping systems that it otherwise would have no ability to encrypt. | Malware | Y Multiple Industries | CC | >1 | | Ryuk, Wizard Spider, ransomware |
| 10 | 01/11/2019 | ? | Brooklyn Hospital Center | The Brooklyn Hospital Center reveals that a ransomware attack which occurred in late July caused the permanent loss of some patients' data. | Malware | Q Human health and social work activities | CC | US | | Brooklyn Hospital Center, ransomware |
| 11 | 01/11/2019 | ? | Vedantu | The Indian interactive online tutoring platform Vedantu suffers a data breach that exposes the personal data of 687k users. | Unknown | P Education | CC | IN | | Vedantu |
| 12 | 01/11/2019 | ? | U.S. Virgin Islands Water and Power Authority (WAPA) | The U.S. Virgin Islands Water and Power Authority is the latest victim of a new Click2Gov breach. | Malicious Script Injection | O Public administration and defence, compulsory social security | CC | US | | The U.S. Virgin Islands Water and Power Authority, WAPA, Click2Gov |
| 13 | 02/11/2019 | ? | Vulnerable Windows Systems | Security researchers discover the first mass-hacking campaign using the BlueKeep exploit (a demo exploit released by Metasploit back in September) to break into unpatched Windows systems and install a cryptocurrency miner. | CVE-2019-0708 Vulnerability | Y Multiple Industries | CC | >1 | | CVE-2019-0708, BlueKeep, Metasploit |
| 14 | 02/11/2019 | ? | Government of Nunavut | A ransomware attack cripples essential electronic communications within the Government of Nunavut. | Malware | O Public administration and defence, compulsory social security | CC | CA | | Nunavut, ransomware |
| 15 | 04/11/2019 | ? | Everis | A targeted ransomware attack takes down the network of Everis, a major IT services and consulting subsidiary of the Japan-based global communications company NTT. | Malware | M Professional scientific and technical activities | CC | ES | | Everis, Ransomware |
| 16 | 04/11/2019 | ? | Sociedad Española de Radiodifusión (Cadena SER) | A targeted ransomware attack takes down the network of the radio company Sociedad Española de Radiodifusión (Cadena SER). | Malware | M Professional scientific and technical activities | CC | ES | | Sociedad Española de Radiodifusión, Cadena SER, ransomware |
| 17 | 04/11/2019 | ? | Several targets including one American manufacturing company | Researchers from Cisco Talos discover a malicious actor using both ransomware (DoppelPaymer) and point-of-sale malware (TinyPOS) to gain “a deep level of access” to the infrastructures of at least two targets, including a U.S.-based aluminum and stainless steel gratings company. | Malware | C Manufacturing | CC | >1 | | Cisco Talos, DoppelPaymer, TinyPOS |
| 18 | 04/11/2019 | ? | Tejasswi Prakash's WhatsApp account | Tejasswi Prakash's WhatsApp account is hacked and the attacker uses the hijacked account to make vulgar video calls. | Account Hijacking | X Individual | CC | IN | | Tejasswi Prakash, WhatsApp |
| 19 | 04/11/2019 | ? | Lincoln County School District | Lincoln County School District is hit by a ransomware attack. | Malware | P Education | CC | US | | Lincoln County School District, ransomware |
| 20 | 04/11/2019 | ? | Firefox users | Researchers from Malwarebytes discover that tech support scammers are still using an old Firefox bug to lock the screen of their victims' computers in order to convince them to call a bogus Windows support number. | Firefox vulnerability | Y Multiple Industries | CC | >1 | | Malwarebytes, Firefox |
| 21 | 04/11/2019 | ? | WordPress sites | Researchers from Defiant reveal that WordPress sites have been the target of a highly active malicious campaign distributing the WP-VCD malware, spread through pirated copies of plugins. | Malware | Y Multiple Industries | CC | >1 | | Defiant, WordPress, WP-VCD |
| 22 | 04/11/2019 | ? | Multiple targets | Researchers from Symantec reveal that the operators of the Nemty ransomware have found a new distribution mechanism via the Trik botnet. The malware is spread to systems that have the Server Message Block (SMB) protocol exposed to the internet and protected by weak credentials. | Malware | Y Multiple Industries | CC | >1 | | Symantec, Nemty, SMB, Ransomware |
| 23 | 04/11/2019 | ? | InterMed | Healthcare provider InterMed informs about 30,000 patients that some of their PHI was involved in a data breach, after an employee’s email account was compromised between September 4 and September 6. | Account Hijacking | Q Human health and social work activities | CC | US | | InterMed |
| 24 | 04/11/2019 | ? | PEXSuperstore.com | Researchers from PerimeterX reveal that PEXSuperstore.com is the latest victim of a Magecart attack (carried out simultaneously by two different criminal groups). | Malicious Script Injection | G Wholesale and retail trade | CC | US | | PEXSuperstore.com, PerimeterX |
| 25 | 05/11/2019 | ? | James Fisher and Sons | Marine services provider James Fisher and Sons says that hackers gained unauthorized access to its computer systems, sending its shares down as much as 5.7%. | Unknown | M Professional scientific and technical activities | CC | UK | | James Fisher and Sons |
| 26 | 05/11/2019 | LulzSec ITA | Lyca Mobile | In the name of Operation #FifthOfNovember, the hacktivists of LulzSec ITA dump 5.4 Gb of personal data belonging to Lyca Mobile's Italian customers. | Unknown | J Information and communication | H | IT | | LulzSec ITA, Lyca Mobile, #FifthOfNovember |
| 27 | 05/11/2019 | Anonymous Italia | Several Italian central and local government websites | In the name of Operation #FifthOfNovember, the hacktivists of Anonymous Italia hack several central and local government websites, including the Chamber of Deputies, the prefecture of Naples, the bar associations of Arezzo, Grosseto and Perugia, the Environment Agency of the Abruzzo and Puglia regions and many other sites. | SQLi | O Public administration and defence, compulsory social security | H | IT | | Anonymous Italia |
| 28 | 05/11/2019 | ? | Multiple targets | Researchers from Trustwave discover a new phishing campaign using a specially crafted ZIP file designed to bypass secure email gateways and distribute the NanoCore RAT. | Malware | Y Multiple Industries | CC | >1 | | Trustwave, Nanocore |
| 29 | 05/11/2019 | ? | Single Individuals | A new version of the MegaCortex ransomware is discovered that not only encrypts files, but also changes the logged-in user's password and threatens to publish the victim's files if they do not pay the ransom. | Malware | X Individual | CC | >1 | | MegaCortex, Ransomware |
| 30 | 05/11/2019 | ? | Single Individuals | Researchers from Trend Micro discover a new exploit kit dubbed Capesand, exploiting vulnerabilities in Adobe Flash and Microsoft Internet Explorer to deliver the DarkRAT and njRAT malware. | Malware | X Individual | CC | >1 | | Trend Micro, Capesand, DarkRAT, njRAT |
| 31 | 06/11/2019 | ? | Veritas Genetics | The DNA-testing firm Veritas Genetics experiences a security breach involving customer information, when a customer-facing portal is accessed by an unauthorized user. | Unknown | Q Human health and social work activities | CC | US | | Veritas Genetics |
| 32 | 06/11/2019 | ? | German organizations | Researchers from Proofpoint observe a new campaign against German users impersonating the German Federal Ministry of Finance and distributing the Maze ransomware. | Malware | Y Multiple Industries | CC | DE | | Proofpoint, German users, German Federal Ministry of Finance, Maze, ransomware |
| 33 | 06/11/2019 | ? | Boardriders | Action sports giant Boardriders is hit by a ransomware attack that affects some of its subsidiaries, including Quiksilver and Billabong, and forces the company to shut down computing systems all over the world. | Malware | G Wholesale and retail trade | CC | US | | Boardriders, ransomware, Quiksilver, Billabong |
| 34 | 06/11/2019 | ? | Employees in the Insurance and retail industries | Researchers from Cofense discover a malware campaign targeting employees in the insurance and retail industries with phishing emails claiming to be from the UK Ministry of Justice, but in reality distributing the "Predator the Thief" malware. | Malware | Y Multiple Industries | CC | UK | | Cofense, Predator the Thief, UK Ministry of Justice |
| 35 | 07/11/2019 | Lazarus Group | Indian Space Research Organisation (ISRO) | It is believed that North Korean hackers from the Lazarus group targeted the Indian Space Research Organisation during the Chandrayaan-2 moon mission in September. | Targeted attack | O Public administration and defence, compulsory social security | CE | IN | | North Korea, Lazarus, Indian Space Research Organisation, ISRO, Chandrayaan-2 |
| 36 | 07/11/2019 | ? | German organizations | Researchers from Proofpoint discover a new campaign targeting German organizations, impersonating the German internet service provider 1&1 Internet AG and distributing the Maze ransomware. | Malware | Y Multiple Industries | CC | DE | | Maze, Malware, 1&1 Internet AG, ransomware |
| 37 | 07/11/2019 | ? | IronMarch forum | A mysterious hacker publishes a database dump of one of the internet's most infamous neo-nazi meeting places, the IronMarch forum. | Unknown | S Other service activities | CC | N/A | | IronMarch |
| 38 | 07/11/2019 | ? | Employees of large companies | Researchers from Malcrawler discover a new campaign aimed at distributing the TrickBot banking Trojan via fake sexual harassment complaints appearing to come from the U.S. Equal Employment Opportunity Commission. | Malware | K Financial and insurance activities | CC | US | | Malcrawler, TrickBot, U.S. Equal Employment Opportunity Commission |
| 39 | 07/11/2019 | ? | Multiple targets in Australia | The Australian Cyber Security Centre (ACSC) warns businesses and individuals of a new Emotet campaign in the wild. | Malware | Y Multiple Industries | CC | AU | | Australian Cyber Security Centre, ACSC, Emotet |
| 40 | 07/11/2019 | ? | Android users | Researchers from Trend Micro discover 49 adware-laced Android apps, disguised as games, that were downloaded from the Google Play store more than 3 million times. | Malware | X Individual | CC | >1 | | Trend Micro, Android |
| 41 | 07/11/2019 | ? | Salem Health Hospitals & Clinics | Salem Health Hospitals & Clinics reveals that an unauthorized person gained access to employee email accounts back in July. | Account Hijacking | Q Human health and social work activities | CC | US | | Salem Health Hospitals & Clinics |
| 42 | 08/11/2019 | Platinum APT | Government, military, and political targets in Malaysia, Indonesia, and Vietnam | Researchers from Kaspersky discover a new campaign from the Platinum APT, using a new backdoor called Titanium. | Targeted attack | O Public administration and defence, compulsory social security | CE | >1 | | Kaspersky, Platinum, Titanium |
| 43 | 08/11/2019 | ? | ConnectWise | ConnectWise warns customers that hackers are targeting its software to gain access to their client networks and install ransomware. | Malware | M Professional scientific and technical activities | CC | US | | ConnectWise, Ransomware |
| 44 | 08/11/2019 | ? | WTVG 13abc | WTVG 13abc is hit by a ransomware attack. | Malware | J Information and communication | CC | US | | WTVG 13abc, ransomware |
| 45 | 08/11/2019 | ? | Single Individuals | A clever spam campaign is underway that pretends to be a WebEx meeting invite and uses a Cisco open redirect to push a Remote Access Trojan to the recipient. | Malware | X Individual | CC | >1 | | Cisco WebEx |
| 46 | 08/11/2019 | ? | Delta Dental of Arizona | Delta Dental of Arizona discloses a July 8 phishing incident possibly compromising the PHI and PII of its patients. | Account Hijacking | Q Human health and social work activities | CC | US | | Delta Dental of Arizona |
| 47 | 09/11/2019 | ? | SmarterASP.NET | SmarterASP.NET, an ASP.NET hosting provider with more than 440,000 customers, is hit by ransomware. | Malware | M Professional scientific and technical activities | CC | US | | SmarterASP.NET, ransomware |
| 48 | 11/11/2019 | ? | Pemex | A ransomware attack hits computer servers and halts administrative work at the Mexican state oil firm Pemex. | Malware | D Electricity gas steam and air conditioning supply | CC | MX | | Pemex, ransomware |
| 49 | 11/11/2019 | ? | Internet Explorer users from Vietnam, Korea, Malaysia and possibly other Asian countries | A new malvertising campaign on low-quality web games and blogs redirects Asian victims to the RIG exploit kit, which quietly installs the Sodinokibi ransomware. | Malware | X Individual | CC | >1 | | Internet Explorer, RIG exploit kit, Sodinokibi, ransomware |
| 50 | 11/11/2019 | ? | ZoneAlarm forum (forum.zonealarm.com) | ZoneAlarm suffers a data breach that exposes the data of its discussion forum users (forum.zonealarm.com). Around 4,500 users are affected. | vBulletin vulnerability (CVE-2019-16759) | M Professional scientific and technical activities | | | | |
| 51 | | | | Thousands of hacked Disney+ accounts are already for sale on hacking forums, immediately after the launch of the streaming service. | Account Hijacking | R Arts entertainment and recreation | CC | US | | Disney+ |
| 52 | 12/11/2019 | Lizard Squad | UK Labour Party | The UK Labour Party is hit by two DDoS attacks on the same day. The Lizard Squad group claims responsibility for the attacks. | DDoS | S Other service activities | H | UK | | UK Labour Party |
| 53 | 12/11/2019 | ? | UK Conservative Party | The UK Conservative Party is hit by a DDoS attack on the same day. | DDoS | S Other service activities | N/A | UK | | UK Conservative Party |
| 54 | 12/11/2019 | ? | US users | Researchers from Proofpoint observe thousands of malicious emails impersonating the United States Postal Service (USPS) and distributing the IcedID banking Trojan. | Malware | K Financial and insurance activities | CC | FR | | Proofpoint, United States Postal Service, USPS, IcedID |
| 55 | 12/11/2019 | ? | Penn-Harris-Madison School | The Penn-Harris-Madison School is hit by a ransomware attack. | Malware | P Education | CC | US | | Penn-Harris-Madison School, ransomware |
| 56 | 12/11/2019 | ? | Multiple targets | Researchers from Intezer and IBM X-Force discover a new malware called PureLocker, targeting production servers on multiple platforms (Windows and Linux). | Malware | Y Multiple Industries | CC | >1 | | Intezer, IBM X-Force, PureLocker, Windows, Linux |
| 57 | 12/11/2019 | ? | Arvan | Arvan, a cloud infrastructure provider in Iran, is hit by a DDoS attack through Telegram proxy servers. | DDoS | M Professional scientific and technical activities | CC | IR | | Arvan, Iran |
| 58 | 12/11/2019 | ? | Multiple targets | Microsoft releases the November Patch Tuesday, including a fix for CVE-2019-1429, an Internet Explorer vulnerability currently exploited in the wild. | CVE-2019-1429 vulnerability | Y Multiple Industries | CC | >1 | | Microsoft, November Patch Tuesday, CVE-2019-1429 |
| 59 | 12/11/2019 | TA505 | System Integrator companies | Researchers from Yoroi discover a new campaign from TA505, targeting system integrator companies. | Targeted attack | M Professional scientific and technical activities | CC | N/A | | Yoroi, TA505 |
| 60 | 12/11/2019 | ? | University of North Carolina - Chapel Hill School of Medicine | The University of North Carolina - Chapel Hill School of Medicine notifies 3,716 patients that their PII was exposed after a phishing incident that occurred between May 17, 2018 and June 18, 2018 and was confirmed in September 2019. | Account Hijacking | Q Human health and social work activities | CC | US | | University of North Carolina - Chapel Hill School of Medicine |
| 61 | 12/11/2019 | ? | Port Neches-Groves Independent School District | Port Neches-Groves Independent School District is hit by a ransomware attack, causing the disruption of all technology connections. | Malware | P Education | CC | US | | Port Neches-Groves Independent School District, ransomware |
| 62 | 12/11/2019 | ? | Starling Physicians | Starling Physicians reveals that it was hit by a phishing attack on February 8. | Account Hijacking | Q Human health and social work activities | CC | US | | Starling Physicians |
| 63 | 13/11/2019 | China? | National Association of Manufacturers (NAM) | Sources reveal that suspected Chinese hackers broke into the National Association of Manufacturers over the summer. | Targeted attack | N Administrative and support service activities | CE | US | | NAM, National Association of Manufacturers, China |
| 64 | 13/11/2019 | APT33 | Multiple targets in the Oil Industry | Researchers from Trend Micro expose the infrastructure used by APT33, composed of obfuscated botnets, to target the oil industry. | Targeted attack | D Electricity gas steam and air conditioning supply | CE | >1 | | APT33, Trend Micro |
| 65 | 13/11/2019 | India | Pakistan | Researchers from DisinfoLab uncover a network of 265 online news sites using the names and brands of defunct newspapers from the 20th century to push anti-Pakistan media coverage. | Fake Information Network | X Individual | CW | PK | | India, Pakistan, DisinfoLab |
| 66 | 13/11/2019 | ? | Single Individuals | Researchers from Fortinet discover a new malware dropper designed to drop both RevengeRAT and WSHRAT on vulnerable Windows systems. | Malware | X Individual | CC | >1 | | Fortinet, RevengeRAT, WSHRAT |
| 67 | 13/11/2019 | ? | Select Health | Select Health discloses that one of its employees' email accounts was accessed without authorization by an as yet unidentified actor from May 22, 2019 to June 13, 2019. | Account Hijacking | Q Human health and social work activities | CC | US | | Select Health |
| 68 | 13/11/2019 | ? | Solara Medical Supplies | Solara Medical Supplies warns that a number of its employees' Office 365 accounts were accessed without authorization between April 2, 2019 and June 20, 2019 after a series of phishing attacks. The breach was discovered on June 28. | Account Hijacking | C Manufacturing | CC | US | | Solara Medical Supplies |
| 69 | 13/11/2019 | ? | Single Individuals | A new and unusual ransomware called AnteFrigus appears. Distributed through malvertising that redirects users to the RIG exploit kit, it only targets drives associated with removable devices and mapped network drives. | Malware | X Individual | CC | US | | Ransomware, AnteFrigus |
| 70 | 13/11/2019 | ? | Select Health Network | Select Health Network reveals a compromise of employee email accounts that may impact an unspecified number of patients. | Account Hijacking | Q Human health and social work activities | CC | US | | Select Health Network |
| 71 | 13/11/2019 | ? | City of San Angelo | The City of San Angelo investigates a security breach of the city’s online water billing system, amid fears that customers’ credit card information may have been stolen in the wake of the Click2Gov breach. | Malicious Script Injection | O Public administration and defence, compulsory social security | CC | US | | San Angelo, Click2Gov |
| 72 | 14/11/2019 | ? | Macy's | Macy's announces a data breach caused by Magecart card-skimming code implanted in the firm's online payment portal. The incident was discovered on October 15 and had been active since October 7. | Malicious Script Injection | G Wholesale and retail trade | CC | US | | Macy's, Magecart |
| 73 | 14/11/2019 | ? | Android users | Researchers from Malwarebytes discover FakeAdsBlock, a new Android adware distributed as an ad blocker. | Malware | X Individual | CC | >1 | | Malwarebytes, Android, FakeAdsBlock |
| 74 | 14/11/2019 | ? | Office 365 customers | Researchers from PhishLabs discover a new phishing campaign actively targeting Microsoft Office 365 administrators with the end goal of compromising their entire domain and using newly created accounts on the domain to deliver future phishing emails. | Account Hijacking | Y Multiple Industries | CC | >1 | | PhishLabs, Office 365 |
| 75 | 14/11/2019 | ? | Single Individuals | Researchers from Cisco Talos reveal the details of a threat campaign, active since January, using custom droppers to inject well-known information stealers such as Agent Tesla. | Malware | X Individual | CC | >1 | | Cisco Talos, Agent Tesla |
| 76 | 15/11/2019 | ? | 2K Interactive social media accounts | The social media accounts of 2K Interactive are hacked. The attackers post offensive content. | Account Hijacking | R Arts entertainment and recreation | CC | US | | 2K Interactive |
| 77 | 15/11/2019 | ? | Italian National TV | The bank accounts of several executives and journalists of the Italian National TV are breached by attackers from Eastern Europe. | Targeted attack | J Information and communication | CE | IT | | Italian National TV |
| 78 | 15/11/2019 | ? | Clients of the NextCloud file sync and share service | A new ransomware is found in the wild, called NextCry because of the extension appended to encrypted files and because it targets clients of the NextCloud file sync and share service. | Malware | X Individual | CC | >1 | | NextCry, NextCloud, ransomware |
| 79 | 15/11/2019 | ? | Single Individuals | A new phishing campaign is underway in which the attackers claim that the victim's password will expire and be changed unless they log in and confirm that they want to keep it the same. | Account Hijacking | X Individual | CC | >1 | | |
| 80 | 15/11/2019 | ? | At least seventeen merchant websites | Visa Payment Fraud Disruption warns of a new JavaScript skimmer dubbed Pipka, used to siphon payment data from e-commerce merchant websites. | Malicious Script Injection | Y Multiple Industries | CC | >1 | | Visa Payment Fraud Disruption, Pipka |
| 81 | 15/11/2019 | ? | Choice Cancer Care Treatment Center | Choice Cancer Care Treatment Center notifies patients of a May data security incident caused by a phishing attack. | Account Hijacking | Q Human health and social work activities | CC | US | | Choice Cancer Care Treatment Center |
| 82 | 15/11/2019 | ? | CAH Holdings | CAH Holdings Inc. reports a data security incident involving some employee email accounts that may have impacted a limited amount of personally identifiable information and protected health information (PHI). | | | | | | |