Happy new infosec year! Let's start 2020 with the first timeline of December, covering the main cyber attacks that occurred during the first half of the month. In this timeline I have collected a total of 83 events (including 6 that occurred earlier but were included here as well), a value that is back to the levels of the first half of November and marks a sharp increase compared with the previous fortnight.
The list of mega breaches has two new entries: the leak of 15 million debit cards in Iran (suspected to be the work of an intelligence agency), and an additional 460,000 cards in Turkey.
Ransomware continues to characterize the end of 2019: the number of victims grows month after month (governments, healthcare and educational institutions remain the top targets), the attackers' demands keep rising ($6 million in the case of Southwire Company, LLC), and in some cases the criminals also leak the data of organizations that refuse to pay the ransom.
Another interesting aspect of this timeline is the unusual number (compared with the previous months) of Magecart attacks, which have made a comeback at the end of 2019. The list of victims in this fortnight includes Smith & Wesson, Sweaty Betty and Love Bonito.
On the cyber espionage front, the list of events is quite rich and includes operations carried out by old acquaintances such as APT28, APT32 (against BMW and Hyundai) and Lazarus Group, and by newcomers such as Gallium.
Now it's time to browse the timeline, and to share it with your peers to support my work and spread risk awareness across the community. And don't forget to follow @paulsparrows on Twitter, or connect on LinkedIn, for the latest updates.
| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 13/10/2019 | ? | Sunapee New Hampshire School District | The Sunapee New Hampshire School District is hit by a ransomware attack. | Malware | P Education | CC | US | Sunapee New Hampshire School District, ransomware |
| 2 | 13/11/2019 | DarkSly | Hyundai Saudi Arabia | DarkSly claims to have hacked Hyundai Saudi Arabia. | SQLi | C Manufacturing | CC | SA | DarkSly, Hyundai Saudi Arabia |
| 3 | 26/11/2019 | Russian company in Panama | Ohio | Ohio officials reveal that they thwarted a cyber attack against the state's election infrastructure earlier in the month (November 5). The attack was apparently linked to a Russian company in Panama. | SQLi | O Public administration and defence, compulsory social security | CC | US | Ohio, Russia, Panama |
| 4 | 27/11/2019 | China? | LIHKG | LIHKG, an online forum used by activists behind the ongoing Hong Kong protests, is once again hit by a DDoS attack launched from China's Great Cannon. | DDoS | S Other service activities | CW | HK | LIHKG, China, Great Cannon |
| 5 | 28/11/2019 | ? | Datrix | Datrix suffers a phishing attack that resulted in some customers' contact details being compromised. | Account Hijacking | M Professional scientific and technical activities | CC | UK | Datrix |
| 6 | 29/11/2019 | Gamaredon | Ukrainian targets, including diplomats, government and military officials | Researchers from Anomali reveal a new campaign carried out by the Russia-linked Gamaredon cyberespionage group against Ukrainian targets, including diplomats, government and military officials. | Targeted attack | O Public administration and defence, compulsory social security | CE | UA | Anomali, Gamaredon |
| 7 | 01/12/2019 | olgired2017 | Python users | The Python security team removes python3-dateutil and jeIlyfish, two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers. | | | | | |
| 8 | | | | A ransomware attack takes down the ticketing system and patron database of the Shakespeare Theatre of New Jersey and also affects at least one other organization in the Madison area (the Museum of Early Trades and Crafts). | Malware | R Arts entertainment and recreation | CC | US | Shakespeare Theatre of New Jersey, ransomware, Museum of Early Trades and Crafts |
| 9 | 01/12/2019 | ? | Single Individuals | A fake Steam skin giveaway site is created with the real purpose of stealing the victims' login credentials. | Account Hijacking | R Arts entertainment and recreation | CC | >1 | Steam |
| 10 | 02/12/2019 | ? | Healthcare and education organizations | Researchers from Cylance reveal a newly discovered hacking campaign targeting healthcare and education organizations with a custom-built, Python-based trojan dubbed PyXie, used to distribute ransomware. | Malware | Y Multiple Industries | CC | >1 | Cylance, PyXie |
| 11 | 02/12/2019 | ? | N/A | Researchers from Trend Micro reveal the details of CallerSpy, a mobile malware that is part of a cyber espionage campaign. | Targeted attack | Z Unknown | CE | N/A | Trend Micro, CallerSpy |
| 12 | 02/12/2019 | ? | Facebook users | Researchers from MalwareHunterTeam discover an information-stealing Trojan, dubbed Socelars, disguised as a PDF reader, that steals Facebook and Amazon session cookies as well as sensitive data from the Facebook Ads Manager. | | | | | |
| 13 | | | | Researchers from Promon reveal the details of StrandHogg, an Android vulnerability already exploited in the wild against several banks in the Czech Republic. | Android Vulnerability | K Financial and insurance activities | CC | CZ | Promon, StrandHogg, Android |
| 14 | 02/12/2019 | ? | TECNOL | TECNOL, a manufacturer of waterproofing, insulating, cleaning and biotechnology products, is another victim of the Ryuk ransomware. | Malware | C Manufacturing | CC | ES | TECNOL, Ryuk, ransomware |
| 15 | 02/12/2019 | ? | Smith & Wesson's online store | American gun manufacturer Smith & Wesson's online store is compromised in a Magecart attack: the attackers injected a malicious script that attempts to steal customers' payment information. | Malicious Script Injection | C Manufacturing | CC | US | Smith & Wesson, Magecart |
| 16 | 02/12/2019 | ? | Maine School Administrative District 6 | Maine School Administrative District 6 is hit with a ransomware attack. | Malware | P Education | CC | US | Maine School Administrative District 6, ransomware |
| 17 | 03/12/2019 | ? | Sweaty Betty | The website of UK retailer Sweaty Betty is the victim of a Magecart attack: it is hacked to insert malicious code that attempts to steal customers' payment information when they make purchases. | Malicious Script Injection | G Wholesale and retail trade | CC | UK | Sweaty Betty, Magecart |
| 18 | 03/12/2019 | Lazarus Group | macOS users | Security researchers discover a new macOS malware sample believed to be the work of the North Korean Lazarus Group. | Malware | X Individual | CE | >1 | Lazarus Group |
| 19 | 03/12/2019 | ? | T-System | T-System, a provider of end-to-end solutions for emergency care facilities in the U.S., falls victim to Ryuk ransomware. | Malware | M Professional scientific and technical activities | CC | US | T-System, Ryuk, ransomware |
| 20 | 03/12/2019 | ? | ASD Audit | ASD Audit, a provider of software for financial auditing and analysis, is another Ryuk victim. | Malware | M Professional scientific and technical activities | CC | ES | ASD Audit, Ryuk, ransomware |
| 21 | 03/12/2019 | ? | Banking users in Japan | Researchers from IBM X-Force detect a new TrickBot campaign targeting users in Japan. | Malware | K Financial and insurance activities | CC | JP | IBM X-Force, TrickBot |
| 22 | 03/12/2019 | ? | Monash IVF Group | Monash IVF Group says scammers accessed emails, email addresses and address books belonging to a number of staff members in a targeted phishing attack. | Account Hijacking | Q Human health and social work activities | CC | AU | Monash IVF Group |
| 23 | 03/12/2019 | ? | Sycamore School District 427 | Sycamore School District 427 is hit with a ransomware attack. | Malware | P Education | CC | US | Sycamore School District 427 |
| 24 | 04/12/2019 | xHunt and APT34 | Energy companies active in the Middle East | Security researchers from IBM X-Force reveal that they identified ZeroCleare, a new strain of destructive data-wiping malware developed by Iranian state-sponsored hackers and deployed in cyber attacks against energy companies active in the Middle East. | Targeted attack | D Electricity gas steam and air conditioning supply | CW | >1 | IBM X-Force, ZeroCleare, Iran, xHunt, APT34 |
| 25 | 04/12/2019 | ? | Four online merchants | Researchers from Malwarebytes discover a new campaign hosting skimmers and stolen card data on Heroku, a cloud platform. | Malicious Script Injection | G Wholesale and retail trade | CC | N/A | Malwarebytes, Heroku, Magecart |
| 26 | 04/12/2019 | ? | Multiple targets | Researchers from Proofpoint discover Buer, a previously undocumented loader used in several recent malware campaigns and sold on underground markets. | Malware | Y Multiple Industries | CC | >1 | Proofpoint, Buer |
| 27 | 05/12/2019 | ? | Chinese venture capital firm | Researchers from Check Point reveal the case of a Chinese venture capital firm that lost one million USD after falling victim to a BEC scam during a deal with an Israeli startup. | Business Email Compromise | K Financial and insurance activities | CC | CN | Check Point |
| 28 | 05/12/2019 | ? | CyrusOne | CyrusOne, one of the biggest data center providers in the US, is hit with a REvil (Sodinokibi) ransomware attack. | Malware | M Professional scientific and technical activities | CC | US | CyrusOne, REvil, Sodinokibi, ransomware |
| 29 | 05/12/2019 | ? | Financial institutions in Ethiopia | Ethiopia's Information Network Security Agency (INSA) reveals that a cyber attack directed at financial institutions in the country forced the agency to disconnect the country's Internet for up to 20 minutes. | Unknown | K Financial and insurance activities | CC | ET | Ethiopia Information Network Security Agency, INSA |
| 30 | 05/12/2019 | ? | Institutions from the financial services sector | The Department of Homeland Security alerts institutions in the financial services sector to risks stemming from ongoing Dridex malware attacks. | Malware | K Financial and insurance activities | CC | US | Department of Homeland Security, DHS, Dridex |
| 31 | 05/12/2019 | ? | Fort Worth Water Department | The Fort Worth Water Department notifies about 3,000 customers that their payment information may have been exposed in a data breach. This is another occurrence of the Click2Gov breach. | Malicious Script Injection | O Public administration and defence, compulsory social security | CC | US | Fort Worth Water Department, Click2Gov |
| 32 | 05/12/2019 | ? | Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) | Southeastern Minnesota Oral & Maxillofacial Surgery is hit with a ransomware attack. 80,000 patients are notified. | | | | | |
| 33 | | | | Researchers from Google and FireEye reveal that threat actors from APT28 and Sandworm hacked the correspondence of French President Emmanuel Macron in May 2017. | Targeted attack | O Public administration and defence, compulsory social security | CE | FR | Google, FireEye, APT28, Sandworm, Emmanuel Macron |
| 34 | 06/12/2019 | APT32 AKA Ocean Lotus | BMW, Hyundai | German media report that hackers from APT32 AKA Ocean Lotus, suspected to have ties to the Vietnamese government, have breached the networks of two car manufacturers, namely BMW and Hyundai. | Targeted attack | C Manufacturing | CE | DE, KR | BMW, Hyundai, APT32, Ocean Lotus |
| 35 | 06/12/2019 | Pakistan or China? | Indian Armed Forces | The Indian Armed Forces are hit by a spear phishing attack. | Targeted attack | O Public administration and defence, compulsory social security | CE | IN | India, Pakistan, China |
| 36 | 06/12/2019 | ? | Eight schools in Hong Kong | Hackers break into WebSAMS (web-based school administrative and management system), a government system used by most of Hong Kong's schools; as a consequence eight schools are breached, with three of them reporting data leaks. | Unknown | P Education | CC | HK | WebSAMS |
| 37 | 06/12/2019 | ? | Reddit users | Reddit bans 61 accounts linked to an alleged Russian influence campaign. | Fake Social Networks Accounts | O Public administration and defence, compulsory social security | CW | >1 | Reddit |
| 38 | 06/12/2019 | ? | The Elder Scrolls Online users | Researchers from Malwarebytes discover a new social engineering campaign in which scammers masquerade as The Elder Scrolls Online developers and send PlayStation private messages stating that the recipient's account will be banned if they do not provide their login credentials. | Account Hijacking | R Arts entertainment and recreation | CC | >1 | Malwarebytes, The Elder Scrolls Online |
| 39 | 06/12/2019 | ? | Sunrise Community Health | Sunrise Community Health notifies patients of a phishing attack that occurred on November 6th. | Account Hijacking | Q Human health and social work activities | CC | US | Sunrise Community Health |
| 40 | 06/12/2019 | ? | Cucamonga Valley Water District | Cucamonga Valley Water District discloses a new Click2Gov data breach. | Malicious Script Injection | O Public administration and defence, compulsory social security | CC | US | Cucamonga Valley Water District, Click2Gov |
| 41 | 06/12/2019 | ? | Leesport borough | The Leesport borough issues an alert to residents, advising taxpayers that a tax collector has been hacked. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US | Leesport borough |
| 42 | 07/12/2019 | ? | Complete Technology Solutions (CTS) | Complete Technology Solutions (CTS), a company that specializes in providing IT services to dental offices, suffers a Sodinokibi (AKA REvil) ransomware attack that disrupts operations for more than 100 dentistry practices. | Malware | M Professional scientific and technical activities | | | |
| 43 | | | | A clever phishing campaign is spotted that bundles the scam's landing page in the HTML attachment rather than redirecting users to another site that asks them to log in. | Account Hijacking | X Individual | CC | >1 | HTML, Phishing |
| 44 | 07/12/2019 | ? | Prison Rehabilitative Industries and Diversified Enterprises Inc (PRIDE) | Prison Rehabilitative Industries and Diversified Enterprises Inc (PRIDE) is hit by a ransomware attack. | Malware | Q Human health and social work activities | CC | US | Prison Rehabilitative Industries and Diversified Enterprises Inc, PRIDE, ransomware |
| 45 | 08/12/2019 | ? | City of East Greenwich | The City of East Greenwich is hit by a ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | US | East Greenwich, ransomware |
| 46 | 08/12/2019 | DarkSly | Jaguar Land Rover in multiple countries | DarkSly claims to have hacked Jaguar Land Rover in Saudi Arabia, Kuwait, UAE, Oman, Egypt, Mexico, Morocco, Lebanon, Iraq, Qatar and Tunisia. | Unknown | C Manufacturing | CC | >1 | DarkSly, Jaguar Land Rover |
| 47 | 09/12/2019 | ? | City of Pensacola | A Maze ransomware attack cripples the city of Pensacola's computer communication systems. The attackers demand a $1M ransom. | Malware | P Education | CC | US | Pensacola, ransomware |
| 48 | 09/12/2019 | ? | Single Individuals | Researchers from Sophos discover a new campaign of the Snatch ransomware, using a never-before-seen trick to bypass antivirus software and encrypt victims' files without being detected: the malware reboots an infected computer into Safe Mode and runs the ransomware's file encryption process from there. | Malware | X Individual | CC | >1 | Sophos, Snatch, ransomware |
| 49 | 09/12/2019 | ? | Multiple targets | Researchers from Palo Alto Networks discover a new malicious campaign baiting targets with phishing messages promising annual bonuses and abusing Google Suite cloud services to infect them with TrickBot banking Trojan payloads. | Malware | K Financial and insurance activities | CC | >1 | Trickbot, Palo Alto Networks |
| 50 | 09/12/2019 | ? | Walla Walla University | Walla Walla University is disrupted by a ransomware attack. | Malware | P Education | CC | US | Walla Walla University, ransomware |
| 51 | 09/12/2019 | ? | City of Pascagoula | The city of Pascagoula confirms it has been hit by a ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | US | City of Pascagoula, ransomware |
| 52 | 10/12/2019 | U.S.? Israel? | Iran | The private details of 15 million debit cards in Iran are published on Telegram. Cyber security experts suspect it was the work of intelligence agencies from the U.S. or Israel. | Unknown | K Financial and insurance activities | CW | IR | U.S., Israel |
| 53 | 10/12/2019 | ? | Customers accessing hundreds of counterfeit online shoe stores | Researchers from Malwarebytes reveal a campaign injecting credit card skimmers via the compromise of hundreds of counterfeit online shoe stores. | Malicious Script Injection | X Individual | CC | >1 | Malwarebytes, Magecart |
| 54 | 10/12/2019 | ? | Office 365 customers | Researchers from PhishLabs discover a phishing campaign that uses the novel approach of gaining access to a recipient's Office 365 account and its data through the Microsoft OAuth API. | Account Hijacking | Y Multiple Industries | CC | >1 | PhishLabs, Office 365, OAuth |
| 55 | 10/12/2019 | ? | Yerington Paiute Tribe | The Yerington Paiute Tribe is hit by a ransomware virus. | Malware | U Activities of extraterritorial organizations and bodies | CC | US | Yerington Paiute Tribe, ransomware |
| 56 | 10/12/2019 | ? | Helix Hosting | Popular 'pirate' IPTV provider Helix Hosting appears to be facing a crisis after someone claiming to be a hacker posts a message on the service's homepage. | Unknown | J Information and communication | CC | N/A | Helix Hosting |
| 57 | 11/12/2019 | US? | Iran | Iran's Telecoms Minister says the country has foiled a major state-sponsored cyber attack on its infrastructure launched by a foreign government. | Unknown | O Public administration and defence, compulsory social security | CW | IR | US, Iran |
| 58 | 11/12/2019 | ? | Turkish users | Researchers from Group-IB reveal that details of 463,378 Turkish payment cards are being sold online on Joker's Stash. JavaScript skimmers are suspect number one. | Malicious Script Injection | K Financial and insurance activities | CC | TR | Group-IB, Joker's Stash |
| 59 | 11/12/2019 | ? | Networks of tech and healthcare companies across Europe and North America | Researchers from Cylance reveal the details of Zeppelin, a new VegaLocker/Buran ransomware variant targeting users in the US and Europe. | Malware | Q Human health and social work activities | CC | >1 | Cylance, Zeppelin, Ransomware, VegaLocker, Buran |
| 60 | 11/12/2019 | ? | Ring cameras' users | A wave of attacks targets Ring camera users, abusing weak default credentials. | Account Hijacking | X Individual | CC | US | Ring |
| 61 | 11/12/2019 | ? | Southwire Company, LLC | Maze ransomware operators claim responsibility for the cyber attack against leading wire and cable manufacturer Southwire Company, LLC. They demand a $6 million ransom. | Malware | C Manufacturing | CC | US | Maze, Southwire Company, LLC, ransomware |
| 62 | 11/12/2019 | ? | iPhone users | Researchers from the Media Trust's Digital Security & Operations (DSO) team discover a malvertising campaign involving more than 100 publisher websites and targeting iPhone users to deliver the Smart Krampus-3PC malware. | Malvertising | X Individual | CC | >1 | Media Trust's Digital Security & Operations, DSO, iPhone, Smart Krampus-3PC |
| 63 | 11/12/2019 | ? | City of Waco | The City of Waco is the latest victim of the Click2Gov breach and warns residents that their online payments for water services may have been intercepted by hackers who stole credit card details. | Malicious Script Injection | O Public administration and defence, compulsory social security | CC | US | Click2Gov, City of Waco |
| 64 | 11/12/2019 | ? | The Cancer Center of Hawaii | A ransomware attack temporarily halts cancer radiation treatment services at The Cancer Center of Hawaii. The attack occurred on November 5. | Malware | Q Human health and social work activities | CC | US | The Cancer Center of Hawaii, ransomware |
| 65 | 11/12/2019 | ? | Cheyenne Regional Medical Center | Cheyenne Regional Medical Center notifies patients and employees of a phishing attack that occurred in March. | Account Hijacking | Q Human health and social work activities | CC | US | Cheyenne Regional Medical Center |
| 66 | 12/12/2019 | Gallium | Telecommunications companies | Microsoft reveals the details of a hacking group it calls Gallium, which has malware infrastructure in China and Hong Kong and has been targeting telecommunications companies. The attackers scan for internet-exposed and vulnerable web servers, such as JBoss, and then use publicly known exploits to attack them. | Targeted attack | J Information and communication | CE | >1 | Microsoft, Gallium |
| 67 | 12/12/2019 | ? | 22 different potential victim organizations in countries including the United States, Canada, China, Australia, Sweden and more | Researchers from Anomali discover a mysterious new phishing campaign targeting government departments and related business services around the world in cyber attacks that aim to steal login credentials from victims. | Account Hijacking | Y Multiple Industries | CE | >1 | Anomali |
| 68 | 12/12/2019 | ? | Countries including Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan | Researchers from Trend Micro reveal the details of a Monero crypto-mining campaign against targets across countries including Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan, using a dropper that leverages process hollowing to go undetected. | Malware | X Individual | CC | >1 | Trend Micro, crypto, Monero, Process hollowing |
| 69 | 12/12/2019 | ? | GoSport et Courir | GoSport et Courir is hit by a ransomware attack. 2 out of 84 shops are closed as a consequence of the attack. | Malware | G Wholesale and retail trade | CC | FR | GoSport et Courir, ransomware |
| 70 | 12/12/2019 | ? | Vulnerable IoT devices | A new version of the Echobot botnet is discovered, exploiting 77 RCE flaws. | Multiple Vulnerabilities | Y Multiple Industries | CC | >1 | Echobot |
| 71 | 12/12/2019 | ? | Telegram users in Russia | Researchers from Group-IB reveal that in recent weeks more than a dozen Russian entrepreneurs have seen their Telegram accounts hacked, in attacks that may have ramifications for anyone using the messaging app. | Account Hijacking | X Individual | CE | RU | Telegram, Group-IB |
| 72 | 12/12/2019 | ? | Baton Rouge Community College | Baton Rouge Community College servers and computers are shut down following a ransomware attack. | Malware | P Education | CC | US | Baton Rouge Community College, ransomware |
| 73 | 12/12/2019 | ? | City of Sugarland | The City of Sugarland joins the list of victims of the Click2Gov breach. | Malicious Script Injection | O Public administration and defence, compulsory social security | CC | US | Sugarland, Click2Gov |
| 74 | 12/12/2019 | ? | City of Odessa | The city of Odessa notifies residents of the Click2Gov breach. | Malware | O Public administration and defence, compulsory social security | CC | US | City of Odessa |
| 75 | 13/12/2019 | ? | City of New Orleans | The city of New Orleans is hit with a ransomware attack. All employees are immediately told to power down computers, unplug devices and disconnect from the city's WiFi. | Malware | O Public administration and defence, compulsory social security | CC | US | City of New Orleans, Ransomware |
| 76 | 13/12/2019 | ? | Love Bonito | Love Bonito reports a data breach, with personal and credit card information potentially accessed. The company discovered malicious code added to its e-commerce site on 10 Dec. | Malicious Script Injection | G Wholesale and retail trade | CC | SG | Love Bonito, Magecart |
| 77 | 13/12/2019 | ? | Keybase | Keybase announces the closure of its free Lumens (XLM) cryptocurrency drop scheme due to an influx of spam accounts. | Spam accounts | V Fintech | CC | US | Keybase |
| 78 | 13/12/2019 | ? | Single Individuals | Researchers from Cofense discover a new Emotet campaign that uses Christmas-themed emails to entice users to open the malicious attachment. | Malware | K Financial and insurance activities | CC | >1 | Cofense, Emotet |
| 79 | 11/12/2019 | ? | Rooster Teeth Productions | Rooster Teeth Productions discloses a data breach that allowed attackers to steal credit card and other payment information from shoppers on the company's online store. The breach was discovered on December 2nd. | Malicious Script Injection | R Arts entertainment and recreation | CC | US | Rooster Teeth Productions |
| 80 | 13/12/2019 | ? | Vimly Benefit Solutions | Vimly Benefit Solutions says that it is mailing letters to some of its customers whose information may have been compromised as part of a phishing attempt. | Account Hijacking | M Professional scientific and technical activities | CC | US | Vimly Benefit Solutions |
| 81 | 14/12/2019 | FIN8 | Gas stations and gas pumps in North America | Payments processor VISA says North American merchants who operate gas stations and gas pumps are facing a rash of attacks from cybercrime groups wanting to deploy point-of-sale (POS) malware on their networks. | PoS Malware | G Wholesale and retail trade | CC | US | Visa, FIN8 |
| 82 | 15/12/2019 | APT27 | Iran | Iran's telecommunications minister announces that, for the second time in a week, the country has foiled a cyber attack against its infrastructure, allegedly carried out by APT27. | Targeted attack | O Public administration and defence, compulsory social security | CE | IR | APT27 |
| 83 | 15/12/2019 | ? | Hackensack Meridian Health | The largest hospital in New Jersey, Hackensack Meridian Health, reveals it was the victim of a ransomware attack that disrupted its network, and that the IT staff decided to pay the ransom to restore the files. | | | | | |