The second timeline of November is here, covering the main events reported in the news during the second half of the month (at this link you will find the first one).
In the following table I have collected a total of 63 events. I don’t know if this is a consequence of the Christmas atmosphere, but this number is definitely lower than the average level recorded in the previous months (in the first half of November alone we had 82 events). We’ll see if this is an isolated occurrence or the beginning of a new trend.
Unsurprisingly, ransomware attacks continue to characterize 2019, and the end of the year is no exception. Once again we must record a growing list of victims, including managed service providers, which remain a consolidated target (since they allow attackers to dramatically increase the blast radius of an attack): Virtual Care Provider Inc. is the most notable example of this month. Governments are constantly on the list as well (this month it was the turn of Louisiana, with 79 systems down), and Prosegur, a Spanish security firm, has also been hit.
Schools and hospitals are also constantly targeted: the University Hospital Centre (CHU) in Rouen was forced to switch to paper in the wake of a ransomware attack.
We hadn’t recorded an attack against a cryptocurrency exchange for a while, but unfortunately this positive trend has been interrupted: South Korean cryptocurrency exchange Upbit has suffered the theft of $48.5 million in cryptocurrency (342,000 in Ethereum at the time of writing).
Massive breaches, instead, are always around the corner, and this month has left us with the one at Mixcloud, an audio streaming platform, which had more than 20 million user accounts exposed.
Moving to the cyber espionage-driven events, this front is always pretty hot: this timeline brings us multiple operations carried out by new actors and old acquaintances such as APT33 and Longhorn, but also the revelation of a wave of attacks allegedly launched by Chinese actors against Belgium’s trade mission to China.
Last but not least, the hacktivist Phineas Fisher revealed having hacked (as confirmed by the victim) The Cayman National Bank (Isle of Man) Limited, and offered a bounty for other hacktivists to do the same against banks and oil companies.
But now you can browse the timeline, and don’t forget to share it with your peers to support my work and spread the concept of risk awareness across the community. If you want, you can also follow @paulsparrows on Twitter, or connect on LinkedIn, for the latest updates.
| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 27/10/2019 | ? | National Veterinary Associates (NVA) | National Veterinary Associates (NVA), a California company that owns more than 700 animal care facilities around the globe, is hit by a ransomware attack. | Malware | M Professional scientific and technical activities | CC | US | National Veterinary Associates, NVA |
| 2 | 11/11/2019 | ? | Sag Harbor’s Pierson High School | Sag Harbor’s Pierson High School is hit by a ransomware attack. | Malware | P Education | CC | US | Sag Harbor’s Pierson High School, ransomware |
| 3 | 15/11/2019 | ? | Single individuals | A new Trojan, SectopRAT, appears in the wild; it is able to launch a hidden secondary desktop to control browser sessions on infected machines. | Malware | X Individual | CC | >1 | SectopRAT |
| 4 | 17/11/2019 | ? | Liver Wellness | Liver Wellness writes to customers to inform them that the company's email account has been hacked. | Account hijacking | Q Human health and social work activities | CC | IE | Liver Wellness |
| 5 | 18/11/2019 | ? | Louisiana State Government | A ransomware infection takes down 79 IT systems and websites managed by the Louisiana state government. Targets include the Office of the Governor, the Louisiana State Legislature, the Office of Motor Vehicles, the Department of Corrections, the Louisiana Division of Administration, the Department of Transportation & Development, and more. | Malware | O Public administration and defence, compulsory social security | CC | US | Ransomware, Louisiana state government, Office of the Governor, Louisiana State Legislature, Office of Motor Vehicles, Department of Corrections, the Louisiana Division of Administration, the Department of Transportation & Development |
| 6 | 18/11/2019 | Phineas Fisher | Cayman National Bank (Isle of Man) Limited | The Cayman National Bank (Isle of Man) Limited confirms it was hacked by Phineas Fisher back in 2016. | Unknown | K Financial and insurance activities | H | IM | Cayman National Bank (Isle of Man) Limited, Phineas Fisher |
| 7 | 18/11/2019 | ? | CHU de Rouen | The University Hospital Centre (CHU) in Rouen is forced to abandon its PCs after a ransomware attack. | Malware | Q Human health and social work activities | CC | FR | CHU de Rouen, Ransomware |
| 8 | 18/11/2019 | ? | Monero users | The official website of the Monero cryptocurrency is compromised to deliver a malware-infected file that steals funds from account owners. | Malware | V Fintech | CC | N/A | Monero |
| 9 | 18/11/2019 | ? | Windows and Linux systems | Researchers from Intezer discover ACBackdoor, a new multi-platform backdoor that infects Windows and Linux systems, allowing the attackers to run malicious code and binaries on the compromised machines. | Malware | Y Multiple Industries | CC | >1 | Intezer, ACBackdoor, Windows, Linux |
| 10 | 18/11/2019 | ? | Single individuals | New email campaigns are underway that pretend to be Thanksgiving Day greeting cards and office closing notices with last-minute invoices, but in reality distribute malware. | Malicious Spam | X Individual | CC | US | Thanksgiving Day |
| 11 | 18/11/2019 | ? | Single individuals | A new spam campaign is spotted distributing the Buran ransomware through IQY files. | Malicious Spam | X Individual | CC | >1 | Buran, ransomware |
| 12 | 19/11/2019 | ? | US automotive industry | The FBI warns private industry partners of incoming cyberattacks against the US automotive industry targeting sensitive corporate and enterprise data. | Targeted Attack | C Manufacturing | CC | US | FBI |
| 13 | 19/11/2019 | ? | Twitter account of Arron Banks, the founder of the pro-Brexit campaign Leave.EU | The Twitter account of Arron Banks, the founder of the pro-Brexit campaign Leave.EU, is hacked. The attackers leak thousands of his private messages. | Account hijacking | X Individual | CC | UK | Twitter, Arron Banks, Brexit, Leave.EU |
| 14 | 19/11/2019 | ? | Single individuals | Researchers from Trustwave discover a flawed campaign distributing the Cyborg ransomware from GitHub. | Malware | X Individual | CC | >1 | Trustwave, Cyborg, GitHub |
| 15 | 19/11/2019 | ? | EpicBot | A leak containing data for about 800,000 accounts on the RuneScape bot provider EpicBot is dumped online. | Unknown | R Arts entertainment and recreation | CC | N/A | EpicBot |
| 16 | 20/11/2019 | APT33 | Manufacturers, suppliers, or maintainers of industrial control systems | Researchers from Microsoft reveal a new campaign by APT33 targeting the physical control systems used in electric utilities, manufacturing, and oil refineries. | Malware | C Manufacturing | CE | >1 | Microsoft, APT33 |
| 17 | 20/11/2019 | ? | Vulnerable Webmin servers | Researchers from Qihoo 360 reveal the details of Roboto, a P2P botnet targeting Linux servers running vulnerable Webmin installations. | Webmin vulnerability | Y Multiple Industries | CC | >1 | Qihoo 360, Roboto, Linux, Webmin |
| 18 | 20/11/2019 | ? | Single individuals | Researchers from Cybereason reveal that a new keylogger called Phoenix is now linked to more than 10,000 infections. | Malware | X Individual | CC | >1 | Cybereason, Phoenix |
| 19 | 20/11/2019 | ? | Victims in Latin America | Researchers from ESET discover Mispadu, a new banking Trojan distributed via malvertising and malspam campaigns using fake McDonald’s coupons as lures. | Malware | K Financial and insurance activities | CC | >1 | ESET, Mispadu |
| 20 | 20/11/2019 | ? | Chicopee Public Schools | Chicopee Public Schools computers are hit by a Ryuk ransomware attack. | Malware | P Education | CC | US | Chicopee Public Schools, Ryuk, ransomware |
| 21 | 21/11/2019 | Belgium | ISIS | According to the Belgian Police, a cyberattack takes down 26,000 accounts tied to the Islamic State on social networks, websites and communication channels. | Unknown | U Activities of extraterritorial organizations and bodies | CW | N/A | Belgium, ISIS |
| 22 | 21/11/2019 | Lambert AKA Longhorn | A private company in Central Europe, and dozens of computers in the Middle East | Researchers from ESET discover DePriMon, a malware downloader using the novel "Port Monitor" method, not previously seen in active campaigns, to drop the ColoredLambert malware. | Targeted Attack | Y Multiple Industries | CE | >1 | Lambert, Longhorn, DePriMon, ESET, ColoredLambert |
| 23 | 21/11/2019 | ? | Edenred | Payment solutions giant Edenred reveals in a statement that a malware incident affected an undisclosed number of its computing systems. | Malware | K Financial and insurance activities | CC | FR | Edenred |
| 24 | 21/11/2019 | ? | Allied Universal | Allied Universal is hit by the Maze ransomware and has some of the stolen data leaked. | Malware | M Professional scientific and technical activities | CC | US | Allied Universal, Maze |
| 25 | 21/11/2019 | ? | Single individuals | Researchers from Malwarebytes reveal a new malicious campaign stealing credit card data via a rogue payment service platform. | Account hijacking | X Individual | CC | >1 | Malwarebytes |
| 26 | 21/11/2019 | ? | The City of Dothan | The City of Dothan is another victim of the Click2Gov breach. | Malicious Script Injection | O Public administration and defence, compulsory social security | CC | US | The City of Dothan |
| 27 | 21/11/2019 | ? | Southern First Nations Network of Care | Southern First Nations Network of Care is hit by a ransomware attack. | Malware | P Education | CC | CA | Southern First Nations Network of Care, ransomware |
| 28 | 21/11/2019 | ? | Ferguson Medical Group (FMG) | Ferguson Medical Group (FMG) reveals that it was hit by a ransomware attack on September 20th. | Malware | Q Human health and social work activities | CC | US | Ferguson Medical Group, FMG, ransomware |
| 29 | 22/11/2019 | Golden Falcon (AKA APT-C-34) | Kazakhstan | Researchers from Qihoo 360 publish a report exposing an extensive operation targeting the country of Kazakhstan and directed against government agencies, military personnel, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike. | Targeted Attack | O Public administration and defence, compulsory social security | CE | KZ | Qihoo 360, Kazakhstan, Golden Falcon, APT-C-34 |
| 30 | 22/11/2019 | ? | T-Mobile | The US branch of telecommunications giant T-Mobile discloses a security breach that impacted a small number of customers of its prepaid service. The company says its cybersecurity team discovered and shut down malicious, unauthorized access to some information related to T-Mobile prepaid wireless accounts. | Unknown | J Information and communication | CC | US | T-Mobile |
| 31 | 22/11/2019 | ? | OnePlus | OnePlus discloses a security breach that impacted users of its online store. The breach, caused by an undisclosed vulnerability, occurred last week and saw attackers gaining access to past customer orders. | Undisclosed vulnerability | C Manufacturing | CC | CN | OnePlus |
| 32 | 22/11/2019 | ? | Livingston School District | Livingston School District is hit by ransomware. | Malware | P Education | CC | US | Livingston School District, ransomware |
| 33 | 22/11/2019 | ? | Single individuals | A new version of the Clop CryptoMix ransomware is discovered, attempting to disable Windows Defender as well as remove the Microsoft Security Essentials and Malwarebytes standalone anti-ransomware programs. | Malware | X Individual | CC | >1 | Clop, CryptoMix, Ransomware, Microsoft Security Essentials, Malwarebytes |
| 34 | 22/11/2019 | ? | Church’s Chicken | Church’s Chicken investigates a possible data breach involving credit and debit card information at some of its company-owned locations in the U.S. | PoS Malware | I Accommodation and food service activities | CC | US | Church’s Chicken |
| 35 | 23/11/2019 | China | Belgium | Belgium’s trade mission to China suffers a "massive cyber-attack." China's State Security is indicated as the possible culprit. | Unknown | O Public administration and defence, compulsory social security | CE | BE | China, Belgium |
| 36 | 23/11/2019 | ? | Virtual Care Provider Inc. (VCPI) | Virtual Care Provider Inc., which provides technology services to more than 100 nursing homes, is held hostage by ransomware after the company could not afford a $14 million ransom demand. | Malware | M Professional scientific and technical activities | CC | US | Virtual Care Provider Inc., VCPI, Ransomware |
| 37 | 23/11/2019 | ? | Catch Hospitality Group | Catch Hospitality Group discloses that PoS systems at Catch NYC, Catch Rooftop, and Catch Steak were infected with malware that allowed attackers to steal credit card information from customers. | PoS Malware | I Accommodation and food service activities | CC | US | Catch Hospitality Group |
| 38 | 23/11/2019 | ? | Banking users | A new version of the Trickbot banking trojan is discovered; it is able to steal OpenSSH private keys and OpenVPN passwords and configuration files. | Malware | K Financial and insurance activities | CC | >1 | Trickbot |
| 39 | 24/11/2019 | ? | Exposed Docker platforms | Researchers from Bad Packets reveal that a hacking group is currently mass-scanning the internet looking for Docker platforms that have API endpoints exposed online. | Docker misconfiguration | Y Multiple Industries | CC | >1 | Bad Packets, Docker |
| 40 | 24/11/2019 | ? | New York City Police Department | The New York Post reveals that the New York City Police Department’s fingerprint database was hit with ransomware in October 2018. | Malware | O Public administration and defence, compulsory social security | CC | US | New York City Police Department, ransomware |
| 41 | 24/11/2019 | ? | Waterloo Catholic District School Board | The Waterloo Catholic District School Board is hit by a ransomware attack. | Malware | P Education | CC | CA | Waterloo Catholic District School Board, ransomware |
| 42 | 25/11/2019 | ? | Great Plains Health | Great Plains Health medical center is hit by ransomware and is forced to switch to pen and paper to maintain activity. | Malware | Q Human health and social work activities | CC | US | Great Plains Health, ransomware |
| 43 | 25/11/2019 | ? | Android users | A new strain of the Android mobile banking trojan Ginp is discovered, shifting its focus to stealing credit card details. | Malware | X Individual | CC | >1 | Android, Ginp |
| 44 | 25/11/2019 | ? | Single individuals | Researchers from Cofense discover a new campaign distributing the Raccoon malware and using Dropbox to evade detection. | Malware | X Individual | CC | >1 | Cofense, Raccoon, Dropbox |
| 45 | 26/11/2019 | Multiple threat actors | Users in 149 countries | Google reveals that it has sent more than 12,000 security warnings to users in 149 countries about email attacks coming from government-backed hacking groups. | Targeted Attack | Y Multiple Industries | CE | >1 | Google |
| 46 | 26/11/2019 | ? | Multiple targets | Researchers from Microsoft detail a new malware strain that has been infecting Windows computers since October 2018 to hijack their resources to mine cryptocurrency. Named Dexphot, the malware reached its peak in mid-June this year, when its botnet reached almost 80,000 infected computers. | Malware | Y Multiple Industries | CC | >1 | Microsoft, Dexphot |
| 47 | 26/11/2019 | ? | Single individuals | A new ransomware called DeathRansom emerges in the landscape. | Malware | X Individual | CC | >1 | DeathRansom, ransomware |
| 48 | 26/11/2019 | ? | On the Border | On the Border, a border-style Mexican food chain, notifies a data breach in a payment-processing system serving restaurants in 28 states. Some customer credit card information could have been compromised on visits between April 10 and August 10, 2019. | PoS Malware | I Accommodation and food service activities | CC | US | On the Border |
| 49 | 26/11/2019 | FIN7 | DiBella’s Old Fashioned Submarines | DiBella’s Old Fashioned Submarines reveals that its stores in Connecticut, Indiana, Michigan, Ohio, New York and Pennsylvania may have had the information on as many as 305,000 payment cards compromised between March 22, 2018 and December 28, 2018. | PoS Malware | I Accommodation and food service activities | CC | US | DiBella’s Old Fashioned Submarines, FIN7 |
| 50 | 26/11/2019 | ? | Victims in Russia, Ukraine, Belarus and Kazakhstan | Researchers from ESET discover a new variant of the Stantinko botnet, which adds a Monero cryptomining module to its arsenal. | Malware | X Individual | CC | >1 | ESET, Stantinko, Monero, crypto |
| 51 | 26/11/2019 | ? | Youth Development, Inc. | Youth Development, Inc. reveals that it was hit by a phishing attack. | Account hijacking | Q Human health and social work activities | CC | US | Youth Development, Inc. |
| 52 | 26/11/2019 | ? | Ivy Rehab Physical Therapy | Ivy Rehab Physical Therapy reveals that it has discovered that in May some employee email accounts may have been compromised. | Account hijacking | Q Human health and social work activities | CC | US | Ivy Rehab Physical Therapy |
| 53 | 27/11/2019 | ? | Adobe | Adobe discloses a security breach that impacts users registered on the company's Magento Marketplace. The point of entry was a vulnerability in the Magento Marketplace website that allowed "an unauthorized third-party" to access account information for registered users. | Magento Vulnerability | M Professional scientific and technical activities | CC | US | Adobe, Magento |
| 54 | 27/11/2019 | ? | Upbit | South Korean cryptocurrency exchange Upbit informs customers that a cyberattack has led to the theft of $48.5 million in cryptocurrency (342,000 in Ethereum). | Unknown | V Fintech | CC | KR | Upbit, Crypto |
| 55 | 27/11/2019 | Full(z) House | Full(z) House | Researchers from RiskIQ and FlashPoint reveal the details of Full(z) House, a criminal group moving from phishing to the Magecart criminal business. | Malicious Script Injection | G Wholesale and retail trade | CC | >1 | RiskIQ, FlashPoint, Full(z) House |
| 56 | 27/11/2019 | ? | Loudoun Medical Group D/B/A Comprehensive Sleep Care Center | The Loudoun Medical Group D/B/A Comprehensive Sleep Care Center notifies patients after an employee email account is compromised. The attack occurred between June 15 and June 19. | Account hijacking | Q Human health and social work activities | CC | US | Loudoun Medical Group D/B/A Comprehensive Sleep Care Center |
| 57 | 28/11/2019 | RevengeHotels | Hotels, hostels, hospitality and tourism companies | Researchers at Kaspersky publish a report on a targeted campaign, tracked as RevengeHotels, hitting hotels, hostels, hospitality and tourism companies. According to the experts, the threat actor has been active since 2015, but its activity peaked in 2019. | Targeted Attack | I Accommodation and food service activities | CE | >1 | Kaspersky, RevengeHotels |
| 58 | 28/11/2019 | ? | Twitter account of Huawei Brazil | The Twitter account of Huawei Brazil is hacked and starts to post offensive tweets against Apple. | Account hijacking | C Manufacturing | CC | BR | Twitter, Apple, Huawei, Brazil |
| 59 | 29/11/2019 | ? | Prosegur | Spanish multinational security firm Prosegur is hit by the Ryuk ransomware and shuts down its IT network, reportedly sending its employees home. | Malware | M Professional scientific and technical activities | CC | ES | Prosegur, Ryuk, Ransomware |
| 60 | 29/11/2019 | ? | Mixcloud | A data breach at Mixcloud, a U.K.-based audio streaming platform, leaves more than 20 million user accounts exposed after the data is put on sale on the dark web. | Unknown | R Arts entertainment and recreation | CC | UK | Mixcloud |
| 61 | 29/11/2019 | ? | Chrome users | A new Windows trojan, CStealer, is discovered that attempts to steal passwords stored in the Google Chrome browser and send them to a remote MongoDB database. | Malware | X Individual | CC | >1 | CStealer, Google Chrome, MongoDB |
| 62 | 30/11/2019 | ? | A major player in Britain’s nuclear power industry | The UK National Cyber Security Centre (NCSC) is called in after a cyber attack on a major player in Britain’s nuclear power industry triggers a security crisis. | Unknown | D Electricity gas steam and air conditioning supply | | | |