A new timeline is here! Today we have the list of the main cyber attacks that occurred in the second half of January 2020 (you can find the first one at this link). In this timeline I have collected a total of 83 events; if we consider that 7 of them occurred in the first half of the same month, we are in line with the previous timeline.
Ransomware continues to be the main threat characterizing the cyber crime landscape. This fortnight has seen multiple additional high-profile targets, including Gedia, the City of Potsdam, Electronic Warfare Associates, and Bird Construction. In reality, the situation is getting even worse, since the ransomware gangs are starting to leak the data of those victims that refuse to pay the ransom.
Moving to Cyber Espionage, the most interesting events are probably the cyber intrusion against Mitsubishi Electric, which occurred in June 2019 and was allegedly carried out by a Chinese state-sponsored actor dubbed Tick, and the revelation that Jeff Bezos’ phone was purportedly hacked by Saudi Arabia. Interestingly enough, another high-profile Japanese target, NEC, has revealed that it was hit with a cyber attack in 2018 that resulted in unauthorized access to its internal network and the exposure of 28,000 files.
Other malicious actors that carried out Cyber Espionage operations include APT33, APT34, and the Konni Group.
Last but not least, the tension between the US and Iran has left a trail of additional micro events, none of them particularly relevant from an impact perspective.
We are used to long timelines lately, and this one is no exception, so, as always, my humble suggestion is to browse it all and share it with your peers to support my work and spread risk awareness across the community.
Follow @paulsparrows on Twitter, or even connect on Linkedin, for the latest updates.
Attack Class codes: CC = Cyber Crime, CE = Cyber Espionage, CW = Cyber Warfare, H = Hacktivism. The Link column of the original table did not survive extraction and is omitted; cells that were missing from the source are left empty.

| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 06/01/2020 | ? | Twitter account of former Australian cricket coach Darren Lehmann | The Twitter account of former Australian cricket coach Darren Lehmann is hacked by a Donald Trump supporter. | Account Hijacking | X Individual | H | AU | Twitter, Darren Lehmann, Donald Trump |
| 2 | 08/01/2020 | ? | Kuwait State News Agency | Kuwait's state news agency says its Twitter account was hacked to spread misinformation about a US withdrawal. | Account Hijacking | J Information and communication | H | KW | Kuwait State News Agency |
| 3 | 10/01/2020 | ? | PIH Health | PIH Health notifies almost 200,000 patients whose protected health information was in employee email accounts that were compromised. | Account Hijacking | Q Human health and social work activities | CC | US | PIH Health |
| 4 | 10/01/2020 | ? | Panama-Buena Vista Union School | Panama-Buena Vista Union School District is hit with a ransomware attack. | Malware | P Education | CC | US | Panama-Buena Vista Union School, ransomware |
| 5 | 10/01/2020 | Anonymous Iran | City of Ozark | Hackers from Anonymous Iran claim to have defaced the website of the city of Ozark. | Defacement | O Public administration and defence, compulsory social security | H | US | Anonymous Iran, City of Ozark |
| 6 | 13/01/2020 | ? | St. Louis Community College | More than 5,100 St. Louis Community College students and employees have their personal information accessed via a phishing scam. | Account Hijacking | P Education | CC | US | St. Louis Community College |
| 7 | 15/01/2020 | ? | Town of Colonie | The Albany County town of Colonie is hit by a cyber attack that takes the town's computer system and email offline. | Unknown | O Public administration and defence, compulsory social security | CC | US | Town of Colonie |
| 8 | 16/01/2020 | ? | Vulnerable Citrix systems | Researchers from FireEye discover a malicious actor deploying a previously unseen payload called NOTROBIN on vulnerable Citrix systems. The actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts, establishing a backdoor for subsequent campaigns. | CVE-2019-19781 vulnerability | Y Multiple Industries | CC | >1 | FireEye, NOTROBIN, Citrix, CVE-2019-19781 |
| 9 | 16/01/2020 | TA542 | Pharmaceutical companies in the US, Canada and Mexico | Researchers from Proofpoint discover a new Emotet campaign targeting pharmaceutical companies in the US, Canada and Mexico. | Malware | M Professional scientific and technical activities | CC | US, CA, MX | Proofpoint, Emotet |
| 10 | 16/01/2020 | ? | Targets in the Middle East | Researchers from Cisco Talos discover a new campaign selectively attacking targets in the Middle East via a Remote Access Trojan (RAT), dubbed JhoneRAT, that abuses cloud services. | Targeted attack | Y Multiple Industries | CE | >1 | Cisco Talos, RAT, JhoneRAT |
| 11 | 16/01/2020 | ? | Multiple targets | Researchers from Zscaler discover a new version of the FTCODE ransomware with password-stealing capabilities. | Malware | Y Multiple Industries | CC | >1 | Zscaler, FTCODE, ransomware |
| 12 | 16/01/2020 | ? | Rudolf and Stephanie Hospital in Benešov | The Rudolf and Stephanie Hospital in Benešov is hit with a Ryuk ransomware attack. | Malware | Q Human health and social work activities | CC | CZ | Rudolf and Stephanie Hospital, Benešov, Ryuk, ransomware |
| 13 | 16/01/2020 | ? | Georgia election server (Center for Election Systems at Kennesaw State University) | Forensic evidence shows signs that a Georgia election server may have been hacked ahead of the 2016 and 2018 elections by someone who exploited Shellshock. | Shellshock vulnerability | O Public administration and defence, compulsory social security | CC | US | Georgia, Shellshock, Center for Election Systems at Kennesaw State University |
| 14 | 16/01/2020 | ? | US Government and Military | New research from Cisco Talos uncovers a new Emotet campaign affecting the United States government and military. | Malware | O Public administration and defence, compulsory social security | CC | US | Talos, Emotet |
| 15 | 16/01/2020 | ? | City of Detroit | City of Detroit officials warn that a data breach exposed city workers and residents after several email accounts were compromised. | Account Hijacking | O Public administration and defence, compulsory social security | CC | US | City of Detroit |
| 16 | 17/01/2020 | ? | Multiple targets | Microsoft publishes a security advisory containing mitigation measures for CVE-2020-0674, an actively exploited zero-day remote code execution (RCE) vulnerability impacting Internet Explorer. | Targeted attack | Y Multiple Industries | N/A | >1 | Microsoft, CVE-2020-0674 |
| 17 | 17/01/2020 | Phoenix’s Helmets (Anka Neferler Tim) | Several Greek government websites | Several Greek government websites are taken down by Turkish hackers. Targets include the Greek Parliament, the Foreign Affairs Ministry, the Athens Stock Exchange, the National Intelligence Service (EYP) and the Finance Ministry. | DDoS | O Public administration and defence, compulsory social security | H | GR | Phoenix’s Helmets, Anka Neferler Tim |
| 18 | 17/01/2020 | ? | ADP users | With the tax season approaching, cybercriminals launch a phishing campaign targeting some ADP users. | Account Hijacking | X Individual | CC | US | ADP |
| 19 | 17/01/2020 | ? | Sunset Cardiology | Sunset Cardiology is hit with a Maze ransomware attack. | Malware | Q Human health and social work activities | CC | US | Sunset Cardiology, Maze, ransomware |
| 20 | 18/01/2020 | ? | Temple Har Shalom Synagogue | The Temple Har Shalom Synagogue is hit with a Sodinokibi ransomware attack. | Malware | U Activities of extraterritorial organizations and bodies | CC | US | Temple Har Shalom Synagogue, Sodinokibi, ransomware |
| 21 | 18/01/2020 | Anonymous Greece | Top Channel 24 TV | Anonymous Greece responds to the ongoing attacks by Turkish hackers by attacking the Turkish channel Top Channel 24 TV. | DDoS | J Information and communication | H | TR | Anonymous Greece, Top Channel 24 TV |
| 22 | 18/01/2020 | ? | New Orleans Ernest N. Morial Convention Center | The New Orleans Ernest N. Morial Convention Center is hit with a ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | US | New Orleans, Ernest N. Morial Convention Center, ransomware |
| 23 | 18/01/2020 | ? | Adventist Health | Adventist Health notifies 2,653 patients after suffering a phishing incident. | Account Hijacking | Q Human health and social work activities | CC | US | Adventist Health |
| 24 | 19/01/2020 | ? | Single individuals | A new sextortion scam leverages the insecurity of connected devices to trick its victims. | Malicious Spam | X Individual | CC | >1 | Sextortion |
| 25 | 19/01/2020 | ? | Multiple targets | A hacker publishes a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices. | Misconfiguration | Y Multiple Industries | CC | >1 | Telnet, IoT |
| 26 | 19/01/2020 | ? | Kamaru Usman Twitter account | UFC champion Kamaru Usman says his Twitter account was hacked, after a series of explicit tweets against Conor McGregor. | Account Hijacking | X Individual | CC | US | UFC, Kamaru Usman, Twitter, Conor McGregor |
| 27 | 19/01/2020 | ? | Oman United Insurance | Oman United Insurance, one of the largest insurers in the country, discloses a “ransomware attack” on the company’s data centre early this month. | Malware | K Financial and insurance activities | CC | OM | Oman United Insurance, ransomware |
| 28 | 20/01/2020 | Tick (China) | Mitsubishi Electric | Mitsubishi Electric discloses a security breach that might have caused the leak of personal and confidential corporate information. The breach was detected on June 28, 2019. | Targeted attack | C Manufacturing | CE | JP | Mitsubishi Electric, Tick |
| 29 | 20/01/2020 | ? | Hanna Andersson | US children's apparel maker and online retailer Hanna Andersson discloses that its online purchasing platform was hacked and malicious code was deployed to steal customers' payment info for almost two months. | Malicious Script Injection | G Wholesale and retail trade | CC | US | Hanna Andersson, Magecart |
| 30 | 21/01/2020 | Saudi Arabia | Jeff Bezos | An investigation reveals that Jeff Bezos' phone exfiltrated a massive amount of personal information after receiving a WhatsApp-attached video file sent by the future king of Saudi Arabia, Prince Mohammed bin Salman, on May 1, 2018. | Targeted attack | X Individual | CE | US | Jeff Bezos, WhatsApp, Prince Mohammed bin Salman |
| 31 | 21/01/2020 | ? | Volusia County Public Library (VCPL) | 600 staff and public access computers are taken down at Volusia County Public Library (VCPL) branches in Daytona Beach, Florida, following a cyber attack that started around 7 AM on January 9. | Unknown | O Public administration and defence, compulsory social security | CC | US | Volusia County Public Library, VCPL |
| 32 | 21/01/2020 | ? | Vulnerable WordPress sites | Researchers from Sucuri reveal that over 2,000 WordPress sites have been hacked to fuel a campaign redirecting visitors to scam sites. The campaign was possible because of two vulnerable plugins ("CP Contact Form with PayPal" and "Simple Fields"). | Vulnerable WordPress plugins | Y Multiple Industries | CC | >1 | Sucuri, WordPress, "CP Contact Form with PayPal", "Simple Fields" |
| 33 | 21/01/2020 | ? | 100 UPS Store locations | Sensitive personal and financial information of UPS Store customers is exposed in a phishing incident affecting roughly 100 local store locations between September 29, 2019, and January 13, 2020. | Account Hijacking | G Wholesale and retail trade | CC | US | UPS Store |
| 34 | 21/01/2020 | Threat actors from Iran | Multiple targets in the US | The FBI Cyber Division issues a flash security alert related to the recent defacement attacks carried out by Iranian threat actors. | Defacement | Y Multiple Industries | CW | US | FBI, Iran |
| 35 | 21/01/2020 | ? | Single individuals | Researchers from Malwarebytes reveal the details of a large, high-profile malvertising campaign distributing browser lockers. | Malvertising | X Individual | CC | >1 | Malwarebytes |
| 36 | 21/01/2020 | ? | Citibank customers | Researchers discover a new Citibank phishing scam that uses a convincing domain name and TLS certificates, and even requests OTP codes, which could easily trick its victims. | Account Hijacking | K Financial and insurance activities | CC | US | Citibank |
| 37 | 21/01/2020 | ? | Multiple targets | Researchers from Microsoft discover a new version of the sLoad malware downloader, dubbed Starslord. | Malware | Y Multiple Industries | CC | >1 | Microsoft, sLoad, Starslord |
| 38 | 21/01/2020 | ? | PayPal customers | Researchers from ZeroFOX discover a new version of the 16Shop phishing campaign targeting PayPal customers. | Account Hijacking | G Wholesale and retail trade | CC | >1 | ZeroFOX, 16Shop, PayPal |
| 39 | 21/01/2020 | ? | Vulnerable internet routers running the Tomato firmware | Researchers from Palo Alto Networks reveal that internet routers running the Tomato alternative firmware are under active attack by the Muhstik botnet, which searches for devices using default credentials. | Misconfiguration | Y Multiple Industries | CC | >1 | Palo Alto Networks, Muhstik, Tomato |
| 40 | 21/01/2020 | ? | Multiple targets | Researchers from Cisco Talos discover a new large-scale cryptomining campaign, dubbed Vivin, active for more than two years. | Malware | Y Multiple Industries | CC | >1 | Cisco Talos, Vivin, Crypto |
| 41 | 22/01/2020 | ? | Tillamook County | Tillamook County is hit by a ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | US | Tillamook County, ransomware |
| 42 | 22/01/2020 | ? | Greenville Water | Greenville Water is hit by a cyber attack. | Unknown | E Water supply, sewerage, waste management and remediation activities | CC | US | Greenville Water |
| 43 | 22/01/2020 | ? | FedEx customers | FedEx warns of a new text message phishing scam that at first glance appears to be about a FedEx package delivery. | Account Hijacking | X Individual | CC | US | FedEx |
| 44 | 22/01/2020 | ? | Android users | Researchers from Dr.Web discover a new campaign targeting Android users via the Android.Xiny mobile trojan. | Malware | X Individual | CC | >1 | Dr.Web, Android, Android.Xiny |
| 45 | 23/01/2020 | ? | Gedia Automotive Group | Parts manufacturer Gedia Automotive Group shuts down its network after being hit with a Sodinokibi ransomware attack. | Malware | C Manufacturing | CC | DE | Gedia Automotive Group, ransomware, Sodinokibi |
| 46 | 23/01/2020 | ? | Sites belonging to a reseller of tickets for the Euro Cup and the Tokyo Summer Olympics | The sites belonging to a reseller of tickets for the Euro Cup and the Tokyo Summer Olympics (olympictickets2020[.]com) are the victims of a Magecart attack. | Malicious Script Injection | R Arts entertainment and recreation | CC | N/A | Magecart, Euro Cup, Tokyo Summer Olympics, olympictickets2020[.]com |
| 47 | 23/01/2020 | APT33? | European energy sector organization | Researchers from Recorded Future discover a cyber espionage campaign with suspected ties to Iran, targeting the European energy sector in a reconnaissance campaign via the PupyRAT software. | Targeted attack | D Electricity gas steam and air conditioning supply | CE | EU | APT33, PupyRAT, Recorded Future |
| 48 | 23/01/2020 | ? | Bitcoin Gold | Bitcoin Gold experiences a 51% attack. A total of over $70,000 is double-spent. | 51% Attack | V Fintech | CC | N/A | Bitcoin Gold |
| 49 | 23/01/2020 | ? | Ben Gurion International Airport | As Israel hosted dozens of world leaders last week for the World Holocaust Forum, the country’s cyber defense system fended off hundreds of cyber attacks targeting the country’s international airport and the planes of the world leaders. | >1 | H Transportation and storage | >1 | IL | Ben Gurion International Airport |
| 50 | 24/01/2020 | ? | City of Potsdam | The City of Potsdam severs the administration servers' Internet connection following a ransomware attack carried out by exploiting the CVE-2019-1978 vulnerability. | Malware | O Public administration and defence, compulsory social security | CC | DE | City of Potsdam, ransomware, CVE-2019-1978 |
| 51 | 24/01/2020 | Konni Group | U.S. government agency | Researchers at Palo Alto Networks' Unit 42 discover a new campaign dubbed "Fractured Statue", carried out via a malware called CARROTBALL and used in targeted attacks against a U.S. government agency and non-US foreign nationals professionally affiliated with current activities in North Korea. | Targeted attack | O Public administration and defence, compulsory social security | CE | US | Palo Alto Networks, Unit 42, CARROTBALL, North Korea, Konni Group, Fractured Statue |
| 52 | 24/01/2020 | ? | Targets in the government, military and financial sectors | A new version of the Ryuk Stealer malware is discovered. This version can steal a greater range of confidential files related to the military, government, financial statements, banking, and other sensitive data. | Malware | Y Multiple Industries | CC | >1 | Ryuk, ransomware |
| 53 | 24/01/2020 | Turkish hackers | Several government websites in Greece | A new DDoS attack hits the official state websites of the Greek prime minister, the national police and fire service and other ministries. | DDoS | O Public administration and defence, compulsory social security | H | GR | Turkey, Greece |
| 54 | 24/01/2020 | ? | Tampa Bay Times | The Tampa Bay Times suffers a Ryuk ransomware attack. | Malware | J Information and communication | CC | US | Tampa Bay Times, Malware |
| 55 | 26/01/2020 | ? | Bird Construction | Bird Construction acknowledges having recently been hit with a Maze ransomware attack. | Malware | M Professional scientific and technical activities | CC | CA | Bird Construction, Maze, ransomware |
| 56 | 26/01/2020 | ? | SuperCasino | The online gambling platform SuperCasino experiences a data breach that exposes sensitive information belonging to its customers. | Unknown | R Arts entertainment and recreation | CC | MT | SuperCasino |
| 57 | 27/01/2020 | State-sponsored Turkish hackers | At least 30 organizations | Turkish hackers allegedly acting in the interest of the Turkish government are believed to have attacked at least 30 organizations, including government ministries, embassies and security services as well as companies and other groups. | DNS hijacking | Y Multiple Industries | CE | >1 | Turkey |
| 58 | 27/01/2020 | OurMine | Twitter accounts of over a dozen popular American football teams, the NFL, the UFC and ESPN | The OurMine collective hijacks the Twitter accounts of over a dozen popular American football teams, including the San Francisco 49ers and Kansas City Chiefs, who competed in the Super Bowl final, as well as those of the NFL, the UFC and ESPN. | Account Hijacking | R Arts entertainment and recreation | CC | US | OurMine, Twitter, San Francisco 49ers, Kansas City Chiefs, Super Bowl, NFL, UFC, ESPN |
| 59 | 27/01/2020 | Aggah | Some Italian companies operating in the retail sector | Researchers from Yoroi-Cybaze ZLab discover new attack attempts, linked to the Aggah campaign, directed at some Italian companies operating in the retail sector. | Targeted attack | G Wholesale and retail trade | CC | IT | Aggah, Yoroi-Cybaze ZLab |
| 60 | 27/01/2020 | ? | Royal Yachting Association | The Royal Yachting Association (RYA) forces a password reset for all online users after warning some of them that their data may have been compromised by a third party. | Unknown | S Other service activities | CC | US | Royal Yachting Association |
| 61 | 28/01/2020 | ? | Vulnerable Citrix ADC servers | A new ransomware called Ragnarok is detected being used in targeted attacks against unpatched Citrix ADC servers vulnerable to CVE-2019-19781. | Malware | Y Multiple Industries | CC | >1 | Ragnarok, Citrix, CVE-2019-19781, ransomware |
| 62 | 28/01/2020 | ? | Red Kite Community Housing | Red Kite Community Housing announces that it has fallen victim to a cyber scam in which criminals posed as genuine service providers to steal a staggering £932,000. | Domain Spoofing | S Other service activities | CC | UK | Red Kite Community Housing |
| 63 | 28/01/2020 | ? | Tissue Regenix Group PLC | Tissue Regenix Group PLC says that its computer systems and a third-party IT service provider in the United States were accessed without authorization. | Unknown | C Manufacturing | CC | US | Tissue Regenix Group PLC |
| 64 | 28/01/2020 | ? | Personal Touch Home Care of Greater Portsmouth | Personal Touch Home Care of Greater Portsmouth notifies a Maze ransomware attack that occurred on December 1, 2019. | Malware | S Other service activities | CC | US | Personal Touch Home Care of Greater Portsmouth, Maze, ransomware |
| 65 | 29/01/2020 | ? | United Nations | A leaked report reveals that the European network of the United Nations was compromised during the summer of 2019. | Targeted attack | U Activities of extraterritorial organizations and bodies | CE | N/A | United Nations |
| 66 | 29/01/2020 | ? | Electronic Warfare Associates (EWA) | Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor, is hit with the Ryuk ransomware. | Malware | | CC | US | |
| 67 | 29/01/2020 | ? | | A new campaign is discovered distributing the Emotet malware in Japan, leveraging the Coronavirus scare. | Malicious Spam | X Individual | CC | JP | Emotet, Coronavirus |
| 68 | 29/01/2020 | ? | Multiple targets | The attackers behind the Maze ransomware publish a list of 25 victims with small data sets leaked as proof of the hack. | Malware | Y Multiple Industries | CC | >1 | Maze |
| 69 | 29/01/2020 | ? | LiveRamp | Facebook reveals that back in October, hackers commandeered the personal account of a LiveRamp employee and used it to gain access to the company's Business Manager account, allowing them to run ads using other people's money. | Account Hijacking | M Professional scientific and technical activities | CC | US | Facebook, LiveRamp |
| 70 | 30/01/2020 | ? | NEC | NEC confirms having been hit with a cyber attack since 2018 that resulted in unauthorized access to its internal network and the exposure of 28,000 files. | Targeted attack | C Manufacturing | CE | JP | NEC |
| 71 | 30/01/2020 | APT34 AKA OilRig (Iran government-backed) | US government workers | Researchers from Intezer Lab reveal the details of a spear-phishing campaign mimicking Westat surveys; Westat is a well-known US government contractor that has managed and administered surveys for more than 80 federal agencies for at least 16 years. | Targeted attack | O Public administration and defence, compulsory social security | CE | US | APT34, OilRig, Iran, Intezer Lab, Westat |
| 72 | 30/01/2020 | TA505 | Multiple targets | Researchers from Microsoft and Prevailion reveal a new campaign by TA505 weaponizing Excel documents. | Targeted attack | Y Multiple Industries | CC | >1 | Microsoft, Prevailion, TA505, Excel |
| 73 | 30/01/2020 | ? | Undisclosed Canadian insurance company | A Canadian insurance company pays nearly $1 million USD (about $1.3 million CAD) following a ransomware attack. | Malware | K Financial and insurance activities | CC | CA | Ransomware |
| 74 | 30/01/2020 | ? | Users in the US | Multiple Coronavirus phishing campaigns are discovered, actively targeting US users. | Account Hijacking | X Individual | CC | US | Coronavirus |
| 75 | 30/01/2020 | ? | Single individuals | Researchers discover a new phishing campaign distributing malware and pretending to be from the Spamhaus Project. | Malicious Spam | X Individual | CC | >1 | Spamhaus |
| 76 | 30/01/2020 | ? | Rijksmuseum Twenthe | Hackers posing as a veteran London art dealer trick Rijksmuseum Twenthe, a Dutch museum buying a John Constable painting, into paying 2.4 million pounds ($3.1 million) to a fraudulent bank account. | Business Email Compromise | S Other service activities | CC | NL | Rijksmuseum Twenthe, John Constable |
| 77 | 30/01/2020 | ? | UK taxpayers | Cybersecurity company Mimecast discovers an uptick in scams using the promise of tax refunds to entice victims into giving up private information including their name, address, phone number and card details. | Account Hijacking | X Individual | CC | UK | Mimecast, HMRC |
| 78 | 30/01/2020 | ? | Multiple targets | Researchers from Lastline discover a large-scale spam campaign spreading info-stealing malware (Agent Tesla and LokiBot) and using advanced obfuscation techniques. | Malicious Spam | Y Multiple Industries | CC | >1 | Lastline, Agent Tesla, LokiBot |
| 79 | 31/01/2020 | ? | Bouygues Construction | French construction giant Bouygues Construction shuts down its computer network to avoid having all of its data encrypted by the Maze ransomware. | Malware | M Professional scientific and technical activities | CC | FR | Bouygues Construction, Maze, ransomware |
| 80 | 31/01/2020 | ? | Hong Kong universities | Researchers from ESET discover a new campaign by the Winnti group targeting some Hong Kong universities via the ShadowPad backdoor. | Targeted attack | P Education | CE | HK | ESET, Winnti, Hong Kong, ShadowPad |
| 81 | 31/01/2020 | ? | TVEyes | TVEyes, a broadcast television search engine used by political campaigns to monitor opponents and track ads, is hit with a ransomware attack. | Malware | J Information and communication | CC | US | TVEyes, ransomware |
| 82 | 31/01/2020 | ? | Single individuals | A new extortion campaign leverages the Ashley Madison breach. | Malicious Spam | X Individual | CC | >1 | Ashley Madison |
| 83 | 31/01/2020 | ? | City of Racine | The city of Racine is hit with a ransomware attack that knocks most of its non-emergency computer services offline. | Malware | O Public administration and defence, compulsory social security | CC | | |

I’m afraid the dates all show 01/01/1970, which seems to be an error.