The first timeline of 2020 is finally here! In the first half of January I have collected 68 events, a number that suggests the new year has started with an apparent decrease in activity.
In this fortnight malicious actors have continued to target vulnerable VPN systems from Pulse Secure (CVE-2019-11510) and the unpatched vulnerability in Citrix systems (CVE-2019-19781) to distribute malware, predominantly ransomware. Ransomware effectively characterized the end of 2019, and judging by this first timeline, the beginning of 2020 doesn’t seem that different.
Another important event that has characterized this timeline is the cyber activity of Iran: the tension between the USA and Iran following the murder of Qasem Soleimani has contributed to worsening a scenario that was already quite complicated (Iranian attackers immediately defaced some US entities). On December 29, 2019, Iranian attackers are suspected to have hit Bapco, Bahrain’s national oil company, with a new data-wiping malware dubbed Dustman; additionally, researchers have revealed that multiple state-sponsored groups affiliated with Iran have been probing American electric utilities during 2019.
The cyber espionage front has seen multiple operations: the Austrian foreign ministry has been targeted by a cyber-attack allegedly carried out by a foreign country, APT28 has launched a malicious campaign against Burisma, the Ukrainian gas company with whom Hunter Biden worked, and researchers have also discovered a new operation by the SideWinder APT Group targeting military entities via malicious Android apps.
As always, browse the timeline for all the details, and feel free to share it with your peers to support my work and spread risk awareness across the community. Last but not least, don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Link | Tags |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 02/01/2020 | Chuckling Squad | Adam Sandler's Twitter account | Adam Sandler's Twitter account is hacked and used to post offensive messages against Mariah Carey, President Obama, and President Trump. | Account Hijacking | R Arts entertainment and recreation | CC | US | | Adam Sandler, Twitter, Mariah Carey, President Obama, President Trump, Chuckling Squad |
| 2 | 02/01/2020 | ? | Klamath County Veterans Service Office | Klamath County Veterans Service Office notifies a phishing attack that occurred on September 19, 2019. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US | | Klamath County Veterans Service Office |
| 3 | 03/01/2020 | ? | Alomere Health | The personal and medical information of 49,351 patients is exposed following a security incident involving two employees' email accounts. | Account Hijacking | Q Human health and social work activities | CC | US | | Alomere Health |
| 4 | 03/01/2020 | ? | Contra Costa County Library System | The Contra Costa County Library System is hit by ransomware. | Malware | O Public administration and defence, compulsory social security | CC | US | | The Contra Costa County Library System, ransomware |
| 5 | 03/01/2020 | ? | Native American Rehabilitation Association | Native American Rehabilitation Association announces that it experienced an Emotet attack on November 4-5, 2019. | Malware | Q Human health and social work activities | CC | US | | Native American Rehabilitation Association, Emotet |
| 6 | 04/01/2020 | ? | Austria's foreign ministry | Austria's foreign ministry is targeted by a cyber-attack that is suspected to have been conducted by a foreign country. | Targeted attack | O Public administration and defence, compulsory social security | CE | AT | | Austria |
| 7 | 04/01/2020 | Iran cyber security group hackers | U.S. Federal Depository Library Program | The homepage for the U.S. Federal Depository Library Program is briefly altered to show a pro-Iranian message and an image of a bloodied Donald Trump being punched in the face. | Defacement | O Public administration and defence, compulsory social security | CW | US | | FDLP, U.S. Federal Depository Library Program, Iran, Iran cyber security group hackers |
| 8 | 04/01/2020 | Shield Iran | Sierra Leone Commercial Bank (slcb.com) | For the same reason, a group of Iranian hackers dubbed "Shield Iran" defaces the Sierra Leone Commercial Bank. | Defacement | K Financial and insurance activities | CW | SL | | Shield Iran, Sierra Leone Commercial Bank, slcb.com |
| 9 | 04/01/2020 | ? | Multiple targets | Researchers from Fortinet report that a ransomware strain known as DeathRansom, once considered a joke, is now capable of encrypting files using a solid encryption scheme. | Malware | Y Multiple Industries | CC | >1 | | Fortinet, ransomware, DeathRansom |
| 10 | 04/01/2020 | ? | Saskatchewan’s eHealth | Hackers make it through the first level of security for Saskatchewan’s eHealth records system, locking the government out of some systems and asking for a ransom. | Unknown | Q Human health and social work activities | CC | US | | Saskatchewan’s eHealth |
| 11 | 06/01/2020 | Iranian Hacker | Texas Department of Agriculture | The Texas Department of Agriculture is hit with a cyberattack that defaces its website with an image of Gen. Qassem Soleimani, the top Iranian commander who was killed in a U.S. strike the previous week. | Defacement | O Public administration and defence, compulsory social security | CW | US | | Texas Department of Agriculture, Qassem Soleimani, Iranian Hacker |
| 12 | 06/01/2020 | SideWinder APT Group | Military entities | Researchers from Trend Micro discover the first example of a malicious app in the Google Play Market exploiting the recently patched CVE-2019-2215 zero-day vulnerability. | Targeted attack | O Public administration and defence, compulsory social security | CE | >1 | | Trend Micro, Google Play Market, CVE-2019-2215 |
| 13 | 06/01/2020 | ? | Canyon | Canyon announces it was struck by a "massive cyber attack" over the Christmas break by a "professionally organized group". | Unknown | C Manufacturing | CC | DE | | Canyon |
| 14 | 06/01/2020 | ? | Focus Camera | Researchers from Juniper Threat Labs reveal that the website of popular photography and imaging retailer Focus Camera was hacked late in December 2019 by Magecart attackers to inject malicious code that stole customer payment card details. | Malicious Script Injection | G Wholesale and retail trade | CC | US | | Focus Camera, Magecart, Juniper Threat Labs |
| 15 | 06/01/2020 | ? | Single Individuals | Researchers from Fortinet discover a new campaign of the "Predator the Thief" malware. | Malware | X Individual | CC | >1 | | Fortinet, Predator the Thief |
| 16 | 06/01/2020 | ? | Multiple targets | UK security researcher Kevin Beaumont warns that the attackers behind REvil ransomware (AKA Sodinokibi) are now targeting unpatched Pulse Secure VPN servers. | CVE-2019-11510 vulnerability | Y Multiple Industries | CC | >1 | | Kevin Beaumont, Revil, Sodinokibi, Pulse Secure, CVE-2019-11510 |
| 17 | 06/01/2020 | ? | Pittsburg Unified School District | Students in the Pittsburg Unified School District of Pennsylvania are left without internet access as the result of a ransomware attack. | Malware | P Education | CC | US | | Pittsburg Unified School District |
| 18 | 06/01/2020 | ? | Hamden Schools | Public schools in Hamden are taken down by a malware attack. | Malware | P Education | CC | US | | Hamden Schools |
| 19 | 06/01/2020 | ? | Wallace State Community College | Wallace State Community College is hit by a cyber attack. | Malware | P Education | CC | US | | Wallace State Community College |
| 20 | 07/01/2020 | ? | City of Las Vegas | The City of Las Vegas is hit by a cyber attack via a malicious email. | Targeted attack | O Public administration and defence, compulsory social security | N/A | US | | City of Las Vegas |
| 21 | 07/01/2020 | ? | Unpatched routers (D-Link, Netgear, and Linksys) | Researchers from BitDefender reveal the details of LiquorBot, a cryptomining botnet attacking unpatched routers since at least May 2019. | CVE-2015-2051, CVE-2016-1555, and CVE-2016-6277 vulnerabilities | | | | | |
| 22 | | | | A new phishing campaign tries to take advantage of the Iran cyber attack scare. | Account Hijacking | X Individual | CC | >1 | | Iran |
| 23 | 07/01/2020 | Master X | Multiple targets | Researchers from AppRiver reveal that a hacker with the handle “Master X” is leveraging a PowerShell script that contains a reference to singer-songwriter Drake's lyric “Kiki Do You Love Me” to deliver either the Lokibot info stealer or the Azorult remote access trojan. | Malware | Y Multiple Industries | CC | >1 | | AppRiver, Master X, Drake, Lokibot, Azorult |
| 24 | 07/01/2020 | ? | Enloe Medical Center | Enloe Medical Center is hit by a ransomware attack that causes the hospital to reschedule some elective procedures. | Malware | Q Human health and social work activities | CC | US | | Enloe Medical Center, ransomware |
| 25 | 07/01/2020 | ? | City of Bend | The City of Bend is the latest victim of the Click2Gov breach. | Malicious Script Injection | O Public administration and defence, compulsory social security | CC | US | | City of Bend |
| 26 | 08/01/2020 | ? | US financial entity | The FBI says that unidentified threat actors have used the CVE-2019-11510 Pulse Secure VPN flaw "to exploit a notable US financial entity’s research network since August 2019". | CVE-2019-11510 vulnerability | K Financial and insurance activities | CC | US | | FBI, CVE-2019-11510, Pulse Secure VPN |
| 27 | 08/01/2020 | ? | US municipal government | The FBI says that a US municipal government was also breached via the CVE-2019-11510 Pulse Secure VPN flaw. | CVE-2019-11510 vulnerability | O Public administration and defence, compulsory social security | CC | US | | FBI, CVE-2019-11510, Pulse Secure VPN |
| 28 | 08/01/2020 | ? | Well-known personalities in Korea | A recent report from South Korean media claims that the Samsung Galaxy smartphones of many well-known personalities in Korea were hacked. According to the report, the hacker extorts cash from the victims; if a victim fails to pay the ransom, the hacker threatens to disclose all their data. | Account Hijacking | X Individual | CC | KR | | Samsung, South Korea |
| 29 | 08/01/2020 | ? | Multiple targets | Security researchers observe ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers vulnerable to attacks exploiting CVE-2019-19781. | | | | | | |
| 30 | | | | A new ransomware called Snake emerges in the threat landscape. | Malware | Y Multiple Industries | CC | >1 | | Snake, Ransomware |
| 31 | 08/01/2020 | Lazarus Group | Cryptocurrency businesses | Researchers from Kaspersky reveal the details of a new wave of attacks linked to Operation AppleJeus, targeting cryptocurrency businesses in multiple countries including the UK, Poland, Russia and China. | Targeted attack | V Fintech | CC | >1 | | Kaspersky, Operation AppleJeus, Lazarus Group |
| 32 | 08/01/2020 | ? | Firefox users | Mozilla warns Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in “targeted attacks” against users. The vulnerability is indexed as CVE-2019-17026. | Targeted attack | X Individual | CC | >1 | | Mozilla, Firefox |
| 33 | 09/01/2020 | Iranian state-sponsored hackers | Bapco | Multiple sources reveal that Iranian state-sponsored hackers have deployed Dustman, a new strain of data-wiping malware, on the network of Bapco, Bahrain's national oil company. The attack occurred on December 29, 2019. | Malware | D Electricity gas steam and air conditioning supply | CW | BH | | Dustman, Bapco, Iran |
| 34 | 09/01/2020 | ? | Albany International Airport | Albany International Airport's staff announces that the New York airport's administrative servers were hit by Sodinokibi ransomware following a cyberattack that took place over Christmas. | Malware | H Transportation and storage | CC | US | | Albany International Airport, Ransomware, Sodinokibi |
| 35 | 09/01/2020 | Magnallium AKA APT33, Refined Kitten, or Elfin | American Electric Utilities | Researchers from Dragos reveal that a state-sponsored group affiliated with Iran called Magnallium has been probing American electric utilities for the past year. | Password-Spraying | D Electricity gas steam and air conditioning supply | | | | |
| 36 | | | | The same report details the activities of three additional groups targeting American electric utilities. | Targeted attack | D Electricity gas steam and air conditioning supply | CW | US | | Xenotyme, Dymalloy, Electrum, Dragos |
| 37 | 09/01/2020 | ? | Android users | Google reveals it has removed roughly 1,700 applications infected with the Joker Android malware (also known as Bread) since the company started tracking it in early 2017. | Malware | X Individual | CC | >1 | | Android, Bread, Joker, Google |
| 38 | 09/01/2020 | ? | Multiple targets | A new ransomware dubbed Ako emerges in the threat landscape. | Malware | Y Multiple Industries | CC | >1 | | Ako, Ransomware |
| 39 | 09/01/2020 | ? | Multiple targets | Researchers at Sentinel One reveal that the Russian-speaking cybercriminals behind the TrickBot malware have developed a stealthy backdoor dubbed “PowerTrick” in order to infiltrate high-value targets. | Malware | Y Multiple Industries | CC | >1 | | Sentinel One, TrickBot, PowerTrick |
| 40 | 09/01/2020 | ? | City of Dunwoody | The City of Dunwoody reveals it was hit by a cyber attack on Christmas Eve. | Malware | O Public administration and defence, compulsory social security | CC | US | | City of Dunwoody |
| 41 | 09/01/2020 | ? | btyDental | btyDental notifies patients after suffering a ransomware attack discovered in November 2019. | Malware | Q Human health and social work activities | CC | US | | btyDental, ransomware |
| 42 | 09/01/2020 | ? | Bartlett Public Library District | The Bartlett Public Library District’s computer systems recover from a ransomware attack that occurred on Saturday, November 30. | Malware | O Public administration and defence, compulsory social security | CC | US | | Bartlett Public Library District, ransomware |
| 43 | 09/01/2020 | ? | City of Dawson Creek | The City of Dawson Creek says its computer systems were hacked in an apparent ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | CA | | Dawson Creek, Ransomware |
| 44 | 10/01/2020 | ? | Manor Independent School District | Manor Independent School District announces that email scammers had fleeced the District out of $2.3 million. | Business Email Compromise | P Education | CC | US | | Manor Independent School District |
| 45 | 10/01/2020 | ? | European websites for Perricone MD | Researchers from RapidSpike reveal that multiple European websites for the Perricone MD anti-aging skin-care brand have been compromised with scripts that steal customer payment card info when making a purchase. | Malicious Script Injection | G Wholesale and retail trade | CC | >1 | | Perricone MD, RapidSpike, Magecart |
| 46 | 10/01/2020 | ? | Multiple targets in the US | The US Cybersecurity and Infrastructure Security Agency (CISA) alerts organizations to patch their Pulse Secure VPN servers as a defense against ongoing attacks trying to exploit the CVE-2019-11510 remote code execution (RCE) vulnerability. | CVE-2019-11510 vulnerability | Y Multiple Industries | CC | >1 | | US Cybersecurity and Infrastructure Security Agency, CISA, CVE-2019-11510, RCE |
| 47 | 10/01/2020 | ? | Website collecting donations for the victims of the Australia bushfires | Researchers from Malwarebytes discover that attackers compromised a website collecting donations for the victims of the Australia bushfires and injected ATMZOW, a malicious script that steals the payment information of the donors. | Malicious Script Injection | Q Human health and social work activities | CC | AU | | Magecart, Malwarebytes, ATMZOW |
| 48 | 10/01/2020 | ? | Single Individuals | A malicious ad campaign is underway in Google Search results that leads users to fake Amazon support sites and tech support scams. | Search Engine Poisoning | X Individual | CC | >1 | | Google Search, Amazon |
| 49 | 10/01/2020 | ? | High-profile Facebook pages | Facebook addresses a security issue that exposed page admin accounts, after the bug was exploited in attacks in the wild against several high-profile pages. | Facebook Vulnerability | X Individual | CC | >1 | | Facebook |
| 50 | 10/01/2020 | ? | Android users | Researchers from Malwarebytes discover that the UMX U686CL, an Android phone subsidized by the US government for low-income users, comes preinstalled with malware (Android/Trojan.HiddenAds.WRACT). | | | | | | |
| 51 | | | | The popular Boing Boing blog is hacked by an unknown party who plants malicious code into the site’s WordPress theme. Users visiting the site from desktop computers are redirected to a fake download page for an Adobe Flash update. | Account Hijacking | J Information and communication | CC | US | | Boing Boing, Adobe Flash |
| 52 | 10/01/2020 | ? | The Center for Facial Restoration | The Center for Facial Restoration reveals it was the victim of a hack back in November 2019, with the attackers threatening to release the patients' data. | Unknown | Q Human health and social work activities | CC | US | | The Center for Facial Restoration |
| 53 | 10/01/2020 | ? | Los Angeles County | Los Angeles County confirms it was the target of a phishing attack last month, which staff detected and contained before it exposed any county resident data. | Account Hijacking | P Education | CC | US | | Los Angeles County |
| 54 | 11/01/2020 | ? | Android users | Researchers from Kaspersky reveal that an Android malware dubbed Trojan-Dropper.AndroidOS.Shopper.a, camouflaged as a system app, is used by threat actors to disable the Google Play Protect service, generate fake reviews, install malicious apps, show ads, and more. | Malware | X Individual | CC | >1 | | Kaspersky, Android, Trojan-Dropper.AndroidOS.Shopper.a, Google Play Protect |
| 55 | 13/01/2020 | ? | Multiple targets | Researchers from Cofense reveal that after an almost three-week holiday vacation, the Emotet trojan is back and targeting over eighty countries with malicious spam campaigns. | Malicious Spam | X Individual | CC | >1 | | Cofense, Emotet |
| 56 | 13/01/2020 | ? | UNIX Systems | The security team at npm takes down a malicious package, discovered by the Microsoft Vulnerability Research team and named 1337qq-js, caught stealing sensitive information from UNIX systems. | Malicious npm package | Y Multiple Industries | CC | >1 | | npm, Microsoft Vulnerability Research team, 1337qq-js, UNIX |
| 57 | 13/01/2020 | ? | Android users | An Android banking Trojan dubbed Faketoken has recently been observed by security researchers from Kaspersky while draining its victims' accounts to fuel offensive mass text campaigns targeting mobile devices all over the world. | Malware | K Financial and insurance activities | CC | >1 | | Android, Faketoken, Kaspersky |
| 58 | 13/01/2020 | ? | Accounts receivable specialists | Researchers from Agari discover a new group called Ancient Tortoise targeting accounts receivable specialists, tricking them into sending over aging reports and thus collecting info on customers they can scam in later attack stages. | Business Email Compromise | K Financial and insurance activities | CC | >1 | | Agari, Ancient Tortoise |
| 59 | 13/01/2020 | ? | Company in the medical tech sector | Researchers from Guardicore reveal the details of an attack targeting a company in the medical tech sector via a malware hiding its modules in WAV audio files and spreading to vulnerable Windows 7 machines on the network via EternalBlue. | Malware | C Manufacturing | CC | N/A | | Guardicore, WAV, EternalBlue, Crypto |
| 60 | 14/01/2020 | Fancy Bear AKA APT28 | Burisma | Researchers from Area 1 reveal that Russian spies from the GRU are suspected of trying to hack into Burisma, the Ukrainian gas company with whom Hunter Biden worked. | Targeted attack | D Electricity gas steam and air conditioning supply | CE | UA | | Area 1, Burisma, GRU, Hunter Biden, Russia, APT28, Fancy Bear |
| 61 | 14/01/2020 | Omnichorus | LimeLeads | 49 million user records extracted from a misconfigured Elasticsearch database of US data broker LimeLeads are put up for sale online. | Misconfiguration | M Professional scientific and technical activities | CC | US | | Elasticsearch, LimeLeads, Omnichorus |
| 62 | 14/01/2020 | ? | Single Individuals | The cybercrime group behind Satan ransomware and other malware seems to be involved in the development of a new ransomware named 5ss5c. | Malware | X Individual | CC | >1 | | Satan, ransomware, 5ss5c |
| 63 | 14/01/2020 | ? | Single Individuals | Researchers from Bitdefender discover 17 Google Play apps that, once installed, start hiding their presence on the user’s device and constantly display aggressive ads. | Malware | X Individual | CC | >1 | | Bitdefender, Google Play |
| 64 | 14/01/2020 | ? | New Mexico Public Regulation Commission | The New Mexico Public Regulation Commission is "hacked by an outside source". | Unknown | O Public administration and defence, compulsory social security | CC | US | | New Mexico Public Regulation Commission |
| 65 | 15/01/2020 | ? | United Nations | The United Nations is hit by a cyberattack through the Emotet malware. | Malware | U Activities of extraterritorial organizations and bodies | CC | N/A | | United Nations, Emotet |
| 66 | 15/01/2020 | ? | P&N Bank | P&N Bank in Western Australia informs its customers that hackers may have accessed personal information stored on its systems following a cyber attack on December 12, during an upgrade at a third-party hosting company. | Unknown | K Financial and insurance activities | CC | AU | | P&N Bank |
| 67 | 15/01/2020 | ? | PlanetDrugsDirect | Canadian online pharmacy PlanetDrugsDirect emails customers, notifying them of a data security incident that might have impacted some of their sensitive personal and financial information. 400,000 individuals are potentially compromised. | Unknown | Q Human health and social work activities | CC | CA | | PlanetDrugsDirect |
| 68 | 15/01/2020 | ? | Single Individuals | An emergent and effective data-harvesting tool dubbed Oski is proliferating in North America and China, stealing online account credentials, credit-card numbers, cryptowallet accounts and more. | | | | | | |