With the second timeline of December (the last for this year), we definitively leave 2019 behind us from an infosec perspective. In this timeline I have collected a total of 80 events, including 2 that should have been published in the previous timeline (but were missed). All in all we are in line with the previous timeline, and if you were expecting a break for the Christmas season, you have probably been disappointed.
Unfortunately, the Christmas season didn’t even stop the ransomware breaches, which characterize this timeline as well, confirming the trend of 2019: you will see multiple targets in different sectors, especially education, government and healthcare.
Looking at other events pertaining to cybercrime, another interesting trend is the comeback of breaches due to PoS malware: there have been four such cases in this fortnight. Additionally, Emotet continues to be a persistent threat.
Last but not least, as usual, the cyber espionage front is also quite “crowded”: this fortnight has seen multiple operations by threat actors such as APT10, the Lazarus Group and Rancor, along with the discovery of new victims of APT20 during the infamous operation Cloud Hopper, and the takedown of the infrastructure used by Thallium.
For the details of each operation, including the ones I could not mention in this summary, browse the timeline, and share it with your peers to support my work and spread risk awareness across the community. And don’t forget to follow @paulsparrows on Twitter, or connect on LinkedIn, for the latest updates.
| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Link | Tags |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 02/12/2019 | ? | RiverKids Pediatric Home Health | RiverKids Pediatric Home Health is affected by a hacking incident. | Unknown | Q Human health and social work activities | CC | US | | RiverKids Pediatric Home Health |
| 2 | 11/12/2019 | ? | Arrigo Automotive Group | Arrigo Automotive Group is hit by a ransomware attack costing up to $250,000. | Malware | H Transportation and storage | CC | US | | Arrigo Automotive Group, ransomware |
| 3 | 16/12/2019 | ? | German users | BSI, Germany's federal cybersecurity agency, warns of an active malspam campaign distributing Emotet banking Trojan payloads via emails camouflaged to look like messages from several German federal authorities. | Malicious Spam | X Individual | CC | DE | | BSI, Emotet |
| 4 | 16/12/2019 | ? | Devices running Linux | Researchers from Trend Micro reveal notable malware activity associated with the Momentum botnet, affecting devices running Linux. | Malware | Y Multiple Industries | CC | >1 | | Trend Micro, Momentum, Linux |
| 5 | 16/12/2019 | ? | City of Galt | The city of Galt, California, is hit with a ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | US | | City of Galt, ransomware |
| 6 | 16/12/2019 | ? | Epilepsy Foundation Twitter account | The Epilepsy Foundation files a criminal complaint and requests an investigation in response to attacks on its Twitter feed showing flashing and strobing lights. | Account Hijacking | Q Human health and social work activities | CC | US | | Epilepsy Foundation, Twitter |
| 7 | 17/12/2019 | ? | LifeLabs Medical Laboratory Services | LifeLabs Medical Laboratory Services, Canada’s largest lab testing company, reveals that it paid a ransom after a major cyberattack led to the theft of lab results for 85,000 Ontarians and potentially the personal information of 15 million customers. | Malware | Q Human health and social work activities | CC | CA | | LifeLabs Medical Laboratory Services, ransomware |
| 8 | 17/12/2019 | ? | 200 victims in South Korea, Japan, Indonesia, Turkey, Germany, Ecuador, and the United Kingdom | Researchers from CyberX's Section 52 reveal the details of Gangnam Industrial Style, an ongoing cyberespionage campaign against industrial, engineering, and manufacturing organizations. | Targeted Attack | C Manufacturing | CE | >1 | | CyberX, Section 52, Gangnam Industrial Style |
| 9 | 17/12/2019 | The Lazarus Group | Multiple targets | Researchers from Netlab 360 reveal the details of a new campaign carried out by the Lazarus Group, using a new trojan called Dacls to infect Windows and Linux systems. | Targeted Attack | Y Multiple Industries | CE | >1 | | The Lazarus Group, Dacls, Linux, Windows |
| 10 | 17/12/2019 | ? | Justus Liebig University | The Justus Liebig University is hit with an Emotet malware attack and, as a consequence, 38,000 students and staff are asked to change their passwords. | Malware | P Education | CC | DE | | Justus Liebig University |
| 11 | 17/12/2019 | ? | KH - Katholische Hochschule Freiburg (Catholic University in Freiburg) | Katholische Hochschule Freiburg is also hit with an Emotet infection. | | | | | | |
| 12 | | | | Researchers from Palo Alto Networks reveal a new wave of attacks carried out by a Chinese APT dubbed Rancor, using a new malware strain dubbed Dudell. | Targeted Attack | O Public administration and defence, compulsory social security | CE | KH | | Palo Alto Networks, Rancor, Dudell |
| 13 | 17/12/2019 | ? | St. Lucie County Sheriff’s Office | The St. Lucie County Sheriff’s Department is forced to shutter most of its network after it is struck with ransomware. | Malware | O Public administration and defence, compulsory social security | CC | US | | St. Lucie County Sheriff’s Office, ransomware |
| 14 | 17/12/2019 | ? | Single Individuals | Researchers from Sophos discover a new sextortion campaign that tries to trick victims by inserting the victim's password in the subject line. | Malicious Spam | X Individual | CC | >1 | | Sophos |
| 15 | 18/12/2019 | ? | Targets in the United States and Europe | Researchers from Deep Instinct disclose the details of "Hornet's Nest", a campaign using the "Legion Loader" dropper to infect its victims with multiple malware strains. | Malware | Y Multiple Industries | CC | >1 | | Deep Instinct, Hornet's Nest, Legion Loader |
| 16 | 18/12/2019 | ? | Bad Homburg | The City of Bad Homburg is also hit with an Emotet infection. | Malware | O Public administration and defence, compulsory social security | CC | DE | | Bad Homburg, Emotet |
| 17 | 18/12/2019 | ? | Single Individuals | Researchers from Malwarebytes reveal that the Spelevo exploit kit's operators have recently added a new infection vector to their attacks, attempting to social engineer potential targets into downloading and executing additional malware payloads from decoy adult sites. | Malware | X Individual | CC | >1 | | Malwarebytes, Spelevo exploit kit |
| 18 | 18/12/2019 | ? | Andrew Agencies | Andrew Agencies is another victim of the Maze ransomware, with allegedly 245 computers encrypted during a cyberattack in October. | Malware | K Financial and insurance activities | CC | CA | | Andrew Agencies, Maze, ransomware |
| 19 | 18/12/2019 | ? | Large real estate | Researchers from Morphisec discover a campaign against a large real estate company using ScreenConnect to install the Zeppelin ransomware and other malware. | Malware | L Real estate activities | CC | US | | Morphisec, ScreenConnect, Zeppelin, ransomware |
| 20 | 18/12/2019 | ? | Marietta, Ga., Power & Water Department | Marietta, Ga., Power & Water Department is the latest victim of the Click2Gov breach. | Malicious Script Injection | O Public administration and defence, compulsory social security | CC | US | | Marietta, Ga., Power & Water Department, Click2Gov |
| 21 | 19/12/2019 | ? | Wawa | Convenience store chain Wawa discloses a card breach after its security team finds malware installed on its payment processing systems. The malware was installed on March 4 this year and potentially impacts all locations. | PoS Malware | G Wholesale and retail trade | CC | US | | Wawa |
| 22 | 19/12/2019 | ? | Islands restaurants | Islands restaurants announces a PoS malware incident. | PoS Malware | I Accommodation and food service activities | CC | US | | Islands restaurants |
| 23 | 19/12/2019 | ? | Champagne French Bakery Café | Champagne French Bakery Café also announces a credit card breach due to PoS malware. | PoS Malware | I Accommodation and food service activities | CC | US | | Champagne French Bakery Café |
| 24 | 19/12/2019 | ? | City of Frankfurt | Frankfurt shuts down its IT network following an infection with the Emotet malware. | Malware | O Public administration and defence, compulsory social security | CC | DE | | Frankfurt, Emotet |
| 25 | 19/12/2019 | APT20 | Government entities and managed service providers | Researchers from Fox-IT reveal the details of Operation Wocao, an operation carried out by a Chinese state-sponsored actor able to bypass two-factor authentication. | Targeted Attack | Y Multiple Industries | CE | >1 | | Fox-IT, Operation Wocao, APT20 |
| 26 | 19/12/2019 | ? | Ring | The log-in credentials of 3,672 Ring camera owners are compromised, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras. | Credential Stuffing | M Professional scientific and technical activities | CC | US | | Ring |
| 27 | 19/12/2019 | ? | Single Individuals | Researchers from Sophos reveal the details of a new variant of the MyKingz botnet, hiding its cryptominer malware inside an image of pop singer Taylor Swift. | Malware | X Individual | CC | >1 | | Sophos, MyKingz, Taylor Swift |
| 28 | 19/12/2019 | ? | Iren | Iren, one of the most important utilities in Italy, is crippled by a ransomware attack. | Malware | E Water supply, sewerage, waste management and remediation activities | CC | IT | | Iren, ransomware |
| 29 | 19/12/2019 | ? | Fratelli Beretta | Fratelli Beretta, one of the most important food companies in Italy, is hit with the Maze ransomware. | Malware | I Accommodation and food service activities | CC | IT | | Fratelli Beretta, ransomware, Maze |
| 30 | 19/12/2019 | ? | Sinai Health System | Sinai Health System discovers that the email accounts of two of its employees were compromised as a result of responses to phishing emails, discovered on October 16. | Account Hijacking | Q Human health and social work activities | CC | US | | Sinai Health System |
| 31 | 19/12/2019 | ? | Single Individuals | Researchers from Kaspersky discover over 30 fraudulent websites and social media profiles disguised as official "Star Wars: The Rise of Skywalker" movie accounts, supposedly distributing free copies of the film but in reality phishing users for their credit card details. | Account Hijacking | X Individual | CC | >1 | | Kaspersky, "Star Wars: The Rise of Skywalker" |
| 32 | 19/12/2019 | ? | Single Individuals | A new Emotet distribution campaign uses Greta Thunberg as bait to lure users. | Malicious Spam | X Individual | CC | >1 | | Emotet, Greta Thunberg |
| 33 | 19/12/2019 | ? | Nexus Mods | The popular game modification site Nexus Mods announces a security incident: an unauthorized actor hacked its services on November 8th, 2019 through an exploit in its legacy codebase. | Undisclosed vulnerability | R Arts entertainment and recreation | CC | UK | | Nexus Mods |
| 34 | 20/12/2019 | Saudi Arabia | Twitter users | Twitter announces it has removed a batch of around 6,000 state-backed Twitter accounts used for manipulation operations, a "significant" number of which were from Saudi Arabia. | Fake Social Network Accounts | X Individual | CW | >1 | | Twitter, Saudi Arabia |
| 35 | 20/12/2019 | ? | Tokyo 2020 Summer Olympics | Tokyo 2020 Summer Olympics staff publish a warning about an ongoing phishing campaign delivering emails designed to look like they come from the Tokyo Organizing Committee of the Olympic and Paralympic Games. | Account Hijacking | X Individual | CC | JP | | Tokyo 2020 |
| 36 | 20/12/2019 | ? | Cisco ASA and Firepower customers | Cisco issues a warning to its customers, revealing that CVE-2018-0296 has recently been used in denial-of-service and information disclosure attempts. | CVE-2018-0296 vulnerability | Y Multiple Industries | CC | >1 | | Cisco, CVE-2018-0296, ASA, Firepower |
| 37 | 20/12/2019 | ? | PayPal customers | Researchers from ESET discover an ongoing phishing campaign targeting PayPal customers and trying to steal every piece of information it can. | Account Hijacking | X Individual | CC | >1 | | ESET, PayPal |
| 38 | 20/12/2019 | ? | Facebook users | Facebook says it shut down hundreds of fake accounts, pages and groups that misled users, including some that used artificial intelligence to generate fake profile pictures. | Fake Social Network Accounts | X Individual | CC | >1 | | Facebook |
| 39 | 20/12/2019 | ? | Master’s Touch, LLC | Monroe County reveals that it was alerted on Nov. 1 that Master’s Touch, LLC, which provides its online web portal, fell victim to a malware attack on Oct. 23. | Malware | M Professional scientific and technical activities | CC | US | | Monroe County, Master’s Touch, LLC |
| 40 | 21/12/2019 | ? | RavnAir | RavnAir cancels at least a half-dozen flights in Alaska following what the company describes as “a malicious cyber attack” on its computer network. Fingers are pointed at ransomware. | Malware | H Transportation and storage | CC | US | | RavnAir, ransomware |
| 41 | 21/12/2019 | ? | HMI Institute of Health Sciences | The Singapore Ministry of Defence (MINDEF) and Singapore Armed Forces (SAF) announce that two of their vendors, HMI Institute of Health Sciences and ST Logistics, have suffered a data breach, respectively through a ransomware and a phishing attack. Over 120,000 individuals are involved. | Malware | Q Human health and social work activities | CC | SG | | Singapore Ministry of Defence, MINDEF, Singapore Armed Forces, SAF, HMI Institute of Health Sciences, ST Logistics, ransomware |
| 42 | 21/12/2019 | ? | ST Logistics | The Singapore Ministry of Defence (MINDEF) and Singapore Armed Forces (SAF) announce that two of their vendors, HMI Institute of Health Sciences and ST Logistics, have suffered a data breach, respectively through a ransomware and a phishing attack. Over 120,000 individuals are involved. | Account Hijacking | Q Human health and social work activities | CC | SG | | Singapore Ministry of Defence, MINDEF, Singapore Armed Forces, SAF, HMI Institute of Health Sciences, ST Logistics |
| 43 | 21/12/2019 | ? | Users in the UAE | ToTok, an application specifically aimed at users in the UAE but also heavily installed in other parts of the world, including the United States, is flagged as a spy tool by US intelligence. | Malware | X Individual | CE | UAE | | ToTok |
| 44 | 21/12/2019 | ? | Juniata College | Juniata College reveals the details of a phishing incident that occurred in March 2019. | Account Hijacking | P Education | CC | US | | Juniata College |
| 45 | 21/12/2019 | ? | Town of New Milford | The Town of New Milford provides notice of a phishing incident that occurred on October 3, 2019. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US | | Town of New Milford |
| 46 | 22/12/2019 | ? | Entercom | Entercom is targeted in a new cyberattack that may have impacted its back-office functions. | Unknown | J Information and communication | CC | US | | Entercom |
| 47 | 22/12/2019 | ? | Moss Adams | The accounting, consulting and wealth management firm Moss Adams posts a cybersecurity incident notice centered on an employee email account that was accessed by an unauthorized person, compromising PII. | Account Hijacking | K Financial and insurance activities | CC | US | | Moss Adams |
| 48 | 23/12/2019 | ? | Customers of Royal Bank of Canada (RBC) | Researchers from Check Point detect a new phishing campaign impersonating the Royal Bank of Canada (RBC). | Account Hijacking | K Financial and insurance activities | CC | CA | | Check Point, Royal Bank of Canada, RBC |
| 49 | 23/12/2019 | ? | Companies in the U.S. | Organizations in the private sector receive an alert from the F.B.I. about operators of the Maze ransomware focusing on companies in the U.S. | Malware | Y Multiple Industries | CC | US | | F.B.I., ransomware, Maze |
| 50 | 23/12/2019 | ? | Roosevelt General Hospital | Roosevelt General Hospital tells its patients to monitor their credit reports after the healthcare unit discovered malware on a digital imaging server on November 14, 2019. | Malware | Q Human health and social work activities | CC | US | | Roosevelt General Hospital |
| 51 | 23/12/2019 | ? | Maastricht University (UM) | Maastricht University (UM) announces that almost all of its Windows systems have been encrypted by ransomware following a cyber-attack that took place on December 23. | Malware | P Education | CC | NL | | Maastricht University, UM, ransomware |
| 52 | 23/12/2019 | ? | Organizations in the U.S. | The FBI issues a warning to private industry recipients providing information and guidance on the LockerGoga and MegaCortex ransomware. | Malware | Y Multiple Industries | CC | US | | FBI, LockerGoga, MegaCortex, ransomware |
| 53 | 23/12/2019 | ? | Multiple targets | Researchers from Trustwave discover a fake French FedEx malspam campaign distributing the Nanocore RAT via an ISO image. | Malicious Spam | Y Multiple Industries | CC | FR | | Trustwave, FedEx, Nanocore, ISO |
| 54 | 23/12/2019 | ? | Multiple targets | Researchers from Trustwave discover a new malicious spam campaign distributing fake invoices through an email attachment in the DAA disk image format. | Malicious Spam | Y Multiple Industries | CC | >1 | | Trustwave, DAA |
| 55 | 23/12/2019 | ? | Vulnerable Netgear, D-Link, and Huawei routers | Researchers from Netlab 360 reveal that Netgear, D-Link, and Huawei routers are actively being probed for weak Telnet passwords and taken over by a new peer-to-peer (P2P) botnet dubbed Mozi. | Misconfiguration (weak passwords) | Y Multiple Industries | CC | >1 | | Netlab 360, Netgear, D-Link, Huawei, Mozi |
| 56 | 23/12/2019 | ? | Synoptek | Synoptek, a California business that provides cloud hosting and IT management services, suffers a Sodinokibi ransomware attack that disrupts operations for many of its clients. The company reportedly pays the ransom demand in a bid to restore operations as quickly as possible. | Malware | M Professional scientific and technical activities | CC | US | | Synoptek, Sodinokibi, ransomware |
| 57 | 24/12/2019 | ? | The Heritage Company | The Heritage Company, a telemarketing company, sends home more than 300 employees and tells them to find new jobs after IT recovery efforts did not go according to plan following a ransomware incident that took place at the start of October 2019. | Malware | M Professional scientific and technical activities | CC | US | | The Heritage Company, ransomware |
| 58 | 24/12/2019 | ? | The Center for Health Care Services (CHSC) | San Antonio's The Center for Health Care Services (CHSC) shuts down computing systems for all its clinics in response to a larger-scale cyber-attack. | Unknown | Q Human health and social work activities | CC | US | | The Center for Health Care Services, CHSC |
| 59 | 24/12/2019 | ? | Almex | Almex, a booking site for customers of Japanese “love hotels”, is hacked. Customer data including guest email addresses, handle names, birth dates and gender, telephone numbers, log-ins, addresses and credit card information could all have been swiped by attackers. | Unknown | I Accommodation and food service activities | CC | JP | | Almex |
| 60 | 24/12/2019 | ? | Single Individuals | Sextortion campaigns add new evasion tricks for the holiday season, embedding the text into an image or sending the message in a different language. | Malicious Spam | X Individual | CC | >1 | | Sextortion |
| 61 | 25/12/2019 | BigBrother’s Gaze | Prison in south Thailand | Authorities in Thailand investigate an apparent online break-in by a computer hacker that allowed him to broadcast surveillance video from inside a prison in the country’s south. | Unknown | O Public administration and defence, compulsory social security | CC | TH | | South Thailand, BigBrother’s Gaze |
| 62 | 26/12/2019 | FIN7 | Targets in the finance sector | Researchers from Fortinet discover BIOLOAD, a new tool used by the financially motivated cybercriminal group FIN7 to load new versions of the Carbanak backdoor. | Malware | K Financial and insurance activities | CC | >1 | | Fortinet, BIOLOAD, FIN7, Carbanak |
| 63 | 27/12/2019 | ? | Richmond Community Schools | Richmond Community Schools are hit with a ransomware attack. | Malware | P Education | CC | US | | Richmond Community Schools, ransomware |
| 64 | 28/12/2019 | ? | Multiple targets | A new version of the Clop malware is discovered, able to terminate 663 Windows processes before encrypting files. | Malware | Y Multiple Industries | CC | >1 | | Clop, ransomware |
| 65 | 28/12/2019 | ? | Special Olympics of New York | Special Olympics of New York, a nonprofit organization focused on competitive athletes with intellectual disabilities, has its email server hacked and later used to launch a phishing campaign against previous donors. | Account Hijacking | S Other service activities | CC | US | | Special Olympics of New York |
| 66 | 29/12/2019 | Bronze President | Undisclosed human rights group | Researchers from Secureworks reveal a new campaign targeting a human rights group defending Uighur and other Muslim minorities in China, and activists in Hong Kong. | Targeted Attack | U Activities of extraterritorial organizations and bodies | CE | N/A | | Secureworks, Bronze President |
| 67 | 29/12/2019 | ? | Portuguese users | A new trojan called ‘Lampion’ spreads using template emails from the Portuguese Government Finance & Tax during the last days of 2019. | Malicious Spam | X Individual | CC | PT | | Lampion |
| 68 | 30/12/2019 | APT10 | Multiple targets | A Wall Street Journal investigation reveals new companies affected by APT10 as part of the Cloud Hopper operation, which specifically targeted managed service providers. The list includes Canada's CGI Group, the Finnish IT services company Tieto Oyj and IBM. Those companies' clients include Rio Tinto, Philips, American Airlines, Deutsche Bank, Allianz and GlaxoSmithKline. | Targeted Attack | Y Multiple Industries | CE | >1 | | Wall Street Journal, APT10, Cloud Hopper, CGI Group, Tieto Oyj, IBM, Rio Tinto, Philips, American Airlines, Deutsche Bank, Allianz, GlaxoSmithKline |
| 69 | 30/12/2019 | Thallium | Government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues | Microsoft takes control of 50 domains used by Thallium, a state-sponsored actor tied to North Korea, to conduct targeted attacks against numerous organizations. | Targeted Attack | Y Multiple Industries | CE | US, JP, KR | | Microsoft, Thallium |
| 70 | 30/12/2019 | ? | Town of Erie | The Colorado Town of Erie loses more than $1 million to a business email compromise (BEC) scam. | Business Email Compromise | O Public administration and defence, compulsory social security | CC | US | | Town of Erie |
| 71 | 30/12/2019 | ? | Belgian and Dutch citizens | Cybersecurity officials from Belgium reveal that more than 8,000 phishing emails have been sent from fake email addresses of the Belgian and Dutch postal services. | Account Hijacking | X Individual | CC | BE, NL | | Belgium, Netherlands |
| 72 | 30/12/2019 | ? | Poloniex | The Poloniex exchange forces a password reset after someone leaks a list of email addresses and passwords on Twitter. | Unknown | V Fintech | CC | PL | | Poloniex |
| 73 | 30/12/2019 | ? | Undisclosed maritime facility | The U.S. Coast Guard issues a security alert after a Ryuk ransomware attack takes down the network of a federally regulated maritime facility. | Malware | O Public administration and defence, compulsory social security | CC | US | | U.S. Coast Guard, Ryuk, ransomware |
| 74 | 30/12/2019 | ? | Active Network | School software vendor Active Network gives notice that it suffered a breach between Oct. 1, 2019 and Nov. 13, 2019, when illegal activity took place on its Blue Bear platform, during which personal information was accessed or acquired by malicious actors. | Unknown | M Professional scientific and technical activities | CC | US | | Active Network |
| 75 | 30/12/2019 | ? | Multiple targets | Security researchers discover a new wave of Magecart attacks using multiple evasion techniques (steganography and WebSockets). | Malicious Script Injection | Y Multiple Industries | CC | >1 | | Magecart, WebSockets |
| 76 | 31/12/2019 | ? | Travelex | Travelex is forced to take down its website after a ransomware attack. | Malware | K Financial and insurance activities | CC | UK | | Travelex, ransomware |
| 77 | 31/12/2019 | ? | Landry's | Restaurant chain Landry's discloses a security incident involving the discovery of malware on the network of 63 restaurants. The malware was designed to collect payment card data from cards swiped at its bars and restaurants, and was active from March 13 to October 2019. | PoS Malware | I Accommodation and food service activities | CC | US | | Landry's |
| 78 | 31/12/2019 | ? | Cryptocurrency users | A Google Chrome extension called Shitcoin Wallet is caught injecting JavaScript code into web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals. | Malicious Browser Extension | V Fintech | CC | >1 | | Google Chrome, Shitcoin Wallet |
| 79 | 31/12/2019 | ? | Mariah Carey's Twitter | Mariah Carey's Twitter account appears to have been hacked. | Account Hijacking | X Individual | CC | US | | Mariah Carey, Twitter |
| 80 | 31/12/2019 | ? | Aurora Water | Aurora Water announces yet another data breach involving the Click2Gov payment system. Payments between Aug. 30 and Oct. 14 were impacted. | Malicious Script Injection | O Public administration and defence, compulsory social security | | | | |