It’s time to publish the first timeline of March, containing the main events collected in the news in the third month of this troubled 2020. In this timeline I have collected 77 events (including 5 that occurred in February), so it’s a sharp drop in comparison to February. I wonder if this is a positive consequence of COVID-19 (for example, ransomware operators promising not to target hospitals), even though, as you will soon discover, crooks are trying to capitalize on the pandemic with an ever-growing number of themed campaigns.
So if the COVID-19 pandemic is one element characterizing this timeline, ransomware attacks continue to make up the majority of events. However, and I don’t know whether this is a consequence of the above-mentioned truce, their number plunged to 18 (from 28 in the second half of February). Unfortunately this drop did not prevent attacks on some organizations facing the COVID-19 emergency, such as the Champaign-Urbana Public Health District (in reality even the Brno University Hospital was hit, although it’s not clear whether it was ransomware).
Interestingly, even state-sponsored actors are jumping on the COVID-19 bandwagon, with at least two Chinese APTs (Mustang Panda and Vicious Panda) leveraging the pandemic for two operations, respectively against targets in Vietnam and a public sector entity in Mongolia. Of course these are not the only operations motivated by cyber espionage; the list also includes other well-known actors such as Turla, Kimsuky, and APT34.
Don’t be impatient, that’s all for the summary. The timeline is all yours, and contains the details that you can browse and share to support my work and spread risk awareness across the community. And don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 01/01/1970 | ? | EMCOR Group | EMCOR Group, a Fortune 500 company specialized in engineering and industrial construction services, discloses a Ryuk ransomware incident that took down some of its IT systems. | Malware | C Manufacturing | CC | US | EMCOR Group, Ryuk, ransomware |
| 2 | 01/01/1970 | ? | Coinhako | Coinhako is hit by a sophisticated attack. | Unknown | V Fintech | CC | SG | Coinhako, Crypto |
| 3 | 01/01/1970 | ? | Okex and Bitfinex | Okex and Bitfinex suffer simultaneous distributed denial of service (DDoS) attacks. | DDoS | V Fintech | CC | US, HK | Okex, Bitfinex, Coinhako |
| 4 | 01/01/1970 | Kimsuky | South Korean officials | Researchers from IssueMakersLab reveal that a group of North Korean hackers embedded malware inside documents detailing South Korea's response to the COVID-19 epidemic. The embedded malware is BabyShark, a backdoor previously utilized by a North Korean hacker group known as Kimsuky. | Targeted Attack | O Public administration and defence, compulsory social security | CE | KR | IssueMakersLab, COVID-19, Kimsuky, BabyShark |
| 5 | 01/01/1970 | Digileaker | Digitex | A hacker dubbed Digileaker claims to have stolen the data of 8,000 Digitex users. | Unknown | V Fintech | CC | SC | Digitex, Digileaker |
| 6 | 03/01/2020 | ? | Visser Precision | Visser Precision, a parts maker for space and defense contractors, confirms a DoppelPaymer ransomware attack. | Malware | C Manufacturing | CC | US | Visser Precision, DoppelPaymer, ransomware |
| 7 | 03/01/2020 | ? | Community Development Bank | Community Development Bank becomes the latest victim of the Maze ransomware team. | Malware | K Financial and insurance activities | CC | US | Community Development Bank, Maze, Ransomware |
| 8 | 03/02/2020 | ? | City of Novi Sad | The City of Novi Sad in Serbia is hit by the PwndLocker ransomware. | Malware | O Public administration and defence, compulsory social security | CC | RS | Novi Sad, Serbia, PwndLocker, ransomware |
| 9 | 03/02/2020 | ? | Spartanburg School District One | Spartanburg School District One is hit with a ransomware attack. | Malware | P Education | CC | US | Spartanburg School District One |
| 10 | 03/02/2020 | APT34 | Lebanon Government | Researchers from Cybaze-Yoroi ZLab discover a new campaign targeting the Lebanon government via the Karkoff implant. | Targeted Attack | O Public administration and defence, compulsory social security | CE | LB | Cybaze-Yoroi ZLab, Lebanon, Karkoff |
| 11 | 03/02/2020 | ? | Large number of French critical infrastructure firms | A large number of French critical infrastructure firms appear to have been hacked as part of an extended malware campaign. | Malware | D Electricity gas steam and air conditioning supply | CC | FR | France |
| 12 | 03/02/2020 | Egypt?, India? | Saudi Arabia, UAE | Facebook removes hundreds of accounts and pages used in "Operation Red Card", a deceptive campaign that appears to come from Egyptian and Indian marketing firms, to post anti-Saudi and anti-Emirati content. | Fake Social Network Groups/Pages | O Public administration and defence, compulsory social security | CW | SA, AE | Operation Red Card, Facebook, India, Egypt |
| 13 | 03/02/2020 | ? | Tesco | Tesco issues new cards to 600,000 Clubcard account holders after a credential stuffing attack. | Credential Stuffing | G Wholesale and retail trade | CC | UK | Tesco |
| 14 | 03/02/2020 | ? | Android users | Google addresses a high-severity flaw in MediaTek’s Command Queue driver that developers said affects millions of devices, and for which an exploit is already circulating in the wild. | Android Vulnerability (CVE-2020-0032) | X Individual | CC | >1 | Google, Android, MediaTek, CVE-2020-0032 |
| 15 | 03/03/2020 | CIA? | Chinese companies and government agencies | The Chinese company Qihoo 360 publishes a report accusing the CIA of hacking Chinese companies and government agencies for more than 11 years (from 2008 to 2019). | Targeted Attack | O Public administration and defence, compulsory social security | CE | CN | Qihoo 360, CIA |
| 16 | 03/03/2020 | Molerats (AKA Gaza Hackers Team and Gaza Cybergang) | Eight organizations in six different countries in the government, telecommunications, insurance and retail industries | Researchers from Palo Alto Unit 42 observe multiple instances of phishing attacks likely related to the threat group Molerats, targeting eight organizations in six different countries in the government, telecommunications, insurance and retail industries. | Targeted Attack | Y Multiple Industries | CE | >1 | Molerats, Gaza Hackers Team, Gaza Cybergang, Palo Alto, Unit 42 |
| 17 | 03/03/2020 | ? | J.Crew | Clothing giant J.Crew says an unknown number of customers had their online accounts accessed “by an unauthorized party” in or around April 2019. | Credential Stuffing | G Wholesale and retail trade | CC | US | J.Crew |
| 18 | 03/03/2020 | Kimsuky | South Korea | Researchers from Cybaze-Yoroi ZLab discover a new campaign by the North Korea-linked APT group Kimsuky targeting South Korea. | Targeted Attack | O Public administration and defence, compulsory social security | CE | KR | Cybaze-Yoroi ZLab, Kimsuky |
| 19 | 03/03/2020 | ? | Four Queens Hotel and Casino and Binion’s Casino | Four Queens Hotel and Casino and Binion’s Casino are hit with a ransomware attack. | Malware | R Arts entertainment and recreation | CC | US | Four Queens Hotel and Casino, Binion’s Casino, ransomware |
| 20 | 03/04/2020 | ? | T-Mobile | US telecommunications giant T-Mobile discloses a security breach that impacted both its employees and customers. The attackers gained access to "certain T-Mobile employee email accounts, some of which contained account information for T-Mobile customers and employees." | Account Hijacking | J Information and communication | CC | US | T-Mobile |
| 21 | 03/04/2020 | ? | Australian Defence | The Australian Signals Directorate (ASD) reveals that a vulnerability in Citrix could have been used by malicious actors to access a database of Australian Defence recruitment details. | Citrix Vulnerability (CVE-2019-19781) | O Public administration and defence, compulsory social security | CE | AU | Australian Signals Directorate, ASD, Citrix, Australian Defence, CVE-2019-19781 |
| 22 | 03/04/2020 | ? | Boots | Boots suspends payments using loyalty points in shops and online after attempts to break into customers' accounts using stolen passwords. | Password-spray | G Wholesale and retail trade | CC | UK | Boots |
| 23 | 03/04/2020 | ? | Single Individuals | Researchers from Fortinet discover a new campaign delivering the Lokibot malware and exploiting fear of COVID-19. | Malware | X Individual | CC | >1 | Fortinet, Lokibot, COVID-19, Coronavirus |
| 24 | 03/04/2020 | ? | Single Individuals | Researchers from Cofense discover an additional phishing campaign pushing fake messages from the Centers for Disease Control (CDC) stating that the coronavirus has “officially become airborne” and there “have been confirmed cases of the disease in your location.” | Account Hijacking | X Individual | CC | >1 | Cofense, CDC, Coronavirus, COVID-19, The Centers for Disease Control |
| 25 | 03/04/2020 | ? | Single Individuals | Researchers from Cofense discover a phishing campaign leveraging OneNote to bypass detection tools and download malware onto victims’ systems. | Account Hijacking | X Individual | CC | >1 | Cofense, OneNote |
| 26 | 03/05/2020 | ? | Carnival Corp. | Carnival Corp. announces that two of its most popular lines, Holland America and Princess Cruises, were hit by a phishing attack between April 11 and July 23, 2019. | Account Hijacking | R Arts entertainment and recreation | CC | US | Carnival Corp., Holland America, Princess Cruises |
| 27 | 03/05/2020 | ? | Communications & Power Industries (CPI) | Communications & Power Industries (CPI) is still down after a ransomware attack suffered in January. | Malware | C Manufacturing | CC | US | Communications & Power Industries, CPI |
| 28 | 03/05/2020 | ? | EVRAZ | EVRAZ, one of the world's largest steel manufacturers and mining operations, has its North American activities taken down by a Ryuk ransomware attack. | Malware | C Manufacturing | CC | US | EVRAZ, Ryuk, ransomware |
| 29 | 03/05/2020 | ? | Banking users in Italy | Researchers from Sophos discover a new campaign distributing the Trickbot malware in Italy and exploiting the COVID-19 outbreak. | Malware | K Financial and insurance activities | CC | IT | Sophos, Trickbot, COVID-19 |
| 30 | 03/05/2020 | ? | Multiple targets | Researchers from Kaspersky discover a new campaign inviting victims to install malware under the guise of an expired certificate. | Malware | Y Multiple Industries | CC | >1 | Kaspersky |
| 31 | 03/05/2020 | Tonto Team | Multiple targets in Russia, Japan, and South Korea | Researchers from Cisco Talos reveal the details of a new cyber espionage campaign carried out by the Tonto Team via the Bisonal RAT. | Targeted Attack | Y Multiple Industries | CE | >1 | Cisco Talos, Tonto Team, Bisonal RAT |
| 32 | 03/05/2020 | ? | Chrome Users | Researchers at MyCrypto discover a malicious Chrome extension able to steal Ledger wallet recovery seeds. | Malicious Browser Extension | V Fintech | CC | >1 | MyCrypto, Chrome, Ledger |
| 33 | 03/06/2020 | ? | The City of Durham and Durham County | The City of Durham and Durham County are hit by a Ryuk ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | US | City of Durham, Durham County, Ryuk, ransomware |
| 34 | 03/06/2020 | ? | Trident Crypto Fund | The usernames and passwords of more than a quarter of a million Trident Crypto Fund customers have been stolen and published online. | Unknown | V Fintech | CC | MA | Trident Crypto Fund, Crypto |
| 35 | 03/06/2020 | ? | Entercom | US radio giant Entercom reports a data breach that took place in August 2019, after an unauthorized party was able to access database backup files stored in a third-party cloud hosting service and containing Radio.com user credentials. | Unknown | J Information and communication | CC | US | Entercom |
| 36 | 03/06/2020 | ? | Koodo Mobile | Telus-owned Koodo Mobile suffers a data breach after its systems were hacked on February 13, 2020, and customer data from August and September 2017 was stolen by the attackers. | Account Hijacking | J Information and communication | CC | CA | Koodo Mobile |
| 37 | 03/06/2020 | ? | Multiple targets | The US Federal Bureau of Investigation (FBI) warns private industry partners of threat actors abusing Microsoft Office 365 and Google G Suite as part of Business Email Compromise (BEC) attacks. | Business Email Compromise | Y Multiple Industries | CC | US | Federal Bureau of Investigation, FBI, Microsoft Office 365, Google G Suite |
| 38 | 03/07/2020 | ? | Single Individuals | Researchers from MalwareHunterTeam discover another email campaign pretending to be Coronavirus (COVID-19) information from the World Health Organization (WHO), in reality distributing a malware downloader that installs the FormBook information-stealing Trojan. | Malicious Spam | X Individual | CC | >1 | MalwareHunterTeam, Coronavirus, COVID-19, World Health Organization, WHO, FormBook |
| 39 | 03/07/2020 | ? | Six Southeast Asian countries, including Malaysia and Singapore | Researchers from Technisanct discover hundreds of thousands of credit card details from at least six Southeast Asian countries leaked online. | Unknown | K Financial and insurance activities | CC | >1 | Malaysia, Singapore, Technisanct |
| 40 | 03/08/2020 | ? | Multiple targets | Researchers from Volexity reveal that state-sponsored hacking groups are using a recently disclosed Microsoft Exchange vulnerability (CVE-2020-0688) to attack targets. The same warning is also issued by the NSA. | Microsoft Vulnerability (CVE-2020-0688) | Y Multiple Industries | CC | >1 | Volexity, Microsoft Exchange, CVE-2020-0688 |
| 41 | 03/08/2020 | ? | University of Kentucky and UK HealthCare | The University of Kentucky and UK HealthCare discover that they suffered a malware attack aimed at installing cryptominers. | Malware | P Education | CC | US | University of Kentucky and UK HealthCare |
| 42 | 03/09/2020 | ? | ENTSO-E | The European Network of Transmission System Operators for Electricity (ENTSO-E) says that its IT network had been compromised in a “cyber intrusion.” | Unknown | D Electricity gas steam and air conditioning supply | N/A | EU | ENTSO-E, European Network of Transmission System Operators for Electricity |
| 43 | 03/09/2020 | ? | Russian users | Researchers from MalwareHunterTeam discover a new phishing scam targeting Russian victims and utilizing a "customer service" chatbot. | Account Hijacking | X Individual | CC | RU | MalwareHunterTeam |
| 44 | 03/09/2020 | ? | Single Individuals | Researchers from IBM X-Force Threat Intelligence discover a new sextortion campaign, luring victims with emails promising access to the nude extortion pics of a friend's girlfriend, and delivering the Raccoon malware. | Malicious Spam | X Individual | CC | >1 | IBM, X-Force, sextortion, Raccoon |
| 45 | 03/09/2020 | ? | TrueFire | The popular online guitar tutoring website TrueFire suffers a ‘Magecart’ attack that might have exposed customers’ personal information and payment card data. | Malicious Script Injection | S Other service activities | CC | US | TrueFire, Magecart |
| 46 | 03/09/2020 | ? | Single Individuals | Researchers from security firm Reason discover a fake Coronavirus map delivering the AZORult trojan. | Malware | X Individual | CC | >1 | Reason, COVID-19, Coronavirus, AZORult |
| 47 | 03/09/2020 | ? | Fort Worth Independent School District | The Fort Worth Independent School District is hit with a ransomware attack. | Malware | P Education | CC | US | Fort Worth Independent School District, ransomware |
| 48 | 03/10/2020 | Mustang Panda | Targets in Vietnam | Vietnamese cyber-security firm VinCSS detects a Chinese state-sponsored group (codenamed Mustang Panda) spreading emails with a RAR file attachment purporting to carry a message about the coronavirus outbreak from the Vietnamese Prime Minister. | Targeted Attack | Y Multiple Industries | CE | VN | VinCSS, Mustang Panda, Coronavirus |
| 49 | 03/10/2020 | ? | Multiple targets | Researchers from Cybereason discover a campaign where attackers are trojanizing multiple hacking tools with njRat, a well-known RAT. | Malware | Y Multiple Industries | CC | >1 | Cybereason, njRAT |
| 50 | 03/10/2020 | ? | Undisclosed organization in Asia | Researchers from Lastline discover a new campaign spreading the Paradise ransomware via IQY files. | Malware | Z Unknown | CC | N/A | Lastline, Paradise, ransomware, IQY |
| 51 | 03/10/2020 | ? | Undisclosed target | Researchers from Cofense discover a phishing campaign using YouTube redirects to evade security controls. | Account Hijacking | Z Unknown | CC | N/A | YouTube |
| 52 | 03/10/2020 | ? | Multiple targets | Attackers start to exploit a recently discovered vulnerability in ManageEngine Desktop Central. | CVE-2020-10189 vulnerability | Y Multiple Industries | CC | >1 | ManageEngine Desktop Central, CVE-2020-10189 |
| 53 | 03/10/2020 | ? | Wichita State University | Wichita State University notifies 1,762 individuals whose personal information was accessed by hackers between December 3, 2019 and December 5, 2019. | Unknown | P Education | CC | US | Wichita State University |
| 54 | 03/10/2020 | ? | Undisclosed company | A global company with an office in Perth is attacked by criminals who demand a $30 million ransom to unlock its computer system in Australia. | Malware | Z Unknown | CC | AU | Perth |
| 55 | 03/11/2020 | ? | Champaign-Urbana Public Health District | In the midst of the coronavirus pandemic, the Champaign-Urbana Public Health District is hit with a NetWalker ransomware attack. | Malware | Q Human health and social work activities | CC | US | Champaign-Urbana Public Health District, NetWalker, ransomware |
| 56 | 03/11/2020 | ? | Global insurance, healthcare, and pharmaceutical organizations | Researchers from Proofpoint discover a new phishing campaign impersonating Vanderbilt University Medical Center and sending out fake HIV test result emails. | Malicious Spam | Y Multiple Industries | CC | >1 | Proofpoint, Vanderbilt University Medical Center, HIV |
| 57 | 03/11/2020 | ? | Northeast Radiology | Northeast Radiology announces that on January 11, 2020, unauthorized individuals gained access to Northeast Radiology’s picture archiving and communication system (“PACS”). | Unknown | Q Human health and social work activities | CC | US | Northeast Radiology |
| 58 | 03/12/2020 | ? | Facebook Users | Facebook, Twitter and Instagram remove multiple accounts and pages for coordinated inauthentic behavior originating in Ghana and Nigeria on behalf of individuals in Russia, targeting primarily the United States. | Fake Social Network Groups/Pages | X Individual | CW | US | Facebook, Instagram, Twitter, Ghana, Nigeria, Russia, United States |
| 59 | 03/12/2020 | ? | Multiple targets | Researchers from MalwareHunterTeam discover a new campaign distributing a malware cocktail consisting of the Coronavirus Ransomware and the Kpot information-stealing Trojan. | Malware | Y Multiple Industries | CC | >1 | MalwareHunterTeam, Coronavirus, Kpot |
| 60 | 03/12/2020 | Vicious Panda | Public sector entity of Mongolia | Researchers from Check Point discover a campaign, dubbed Vicious Panda, carried out by a Chinese APT group against a public sector entity of Mongolia, leveraging the coronavirus pandemic. | Targeted Attack | O Public administration and defence, compulsory social security | CE | MN | Check Point, Mongolia, Coronavirus |
| 61 | 03/12/2020 | ? | Open Exchange Rates | Open Exchange Rates announces a data breach that exposed the personal information and salted and hashed passwords of customers of its API service. The breach occurred between February 9th, 2020, and March 2nd, 2020. | AWS Account Hijacking | M Professional scientific and technical activities | CC | US | Open Exchange Rates |
| 62 | 03/12/2020 | Turla | Several high-profile Armenian websites | Researchers from ESET discover a watering hole operation targeting several high-profile Armenian websites via a fake Adobe Flash update, delivering two previously undocumented pieces of malware dubbed NetFlash and PyFlash. | Targeted Attack | O Public administration and defence, compulsory social security | CE | AM | ESET, Turla, Adobe Flash, NetFlash, PyFlash |
| 63 | 03/12/2020 | ? | Multiple targets | Researchers from IBM X-Force discover a new malware strain dubbed PXJ (AKA XVFXGW). | Malware | Y Multiple Industries | CC | >1 | IBM, X-Force, PXJ, XVFXGW |
| 64 | 01/01/1970 | ? | The National | The National, a Scottish newspaper, is hit by a DDoS attack. | DDoS | J Information and communication | CC | UK | The National, DDoS |
| 65 | 01/01/1970 | ? | Brno University Hospital | The Brno University Hospital, a COVID-19 testing center, is hit by a cyberattack right in the middle of the COVID-19 outbreak. | Malware | Q Human health and social work activities | CC | CZ | Brno University Hospital, COVID-19, Coronavirus |
| 66 | 01/01/1970 | ? | Android users | Researchers from Domaintools reveal the details of Covidlock, a ransomware encrypting data on Android devices. | Malware | X Individual | CC | >1 | Domaintools, Covidlock, Android |
| 67 | 01/01/1970 | Ancient Tortoise | Multiple targets | Researchers from Agari reveal that the Ancient Tortoise group is now starting to use coronavirus-themed scam emails that take advantage of the COVID-19 global outbreak to convince potential victims to send payments to attacker-controlled accounts. | Business Email Compromise | Y Multiple Industries | CC | >1 | Agari, Ancient Tortoise |
| 68 | 01/01/1970 | ? | Aerial Direct | Aerial Direct reveals that an unauthorized third party was able to access customer data on 26 February through an external backup database, which included personal information on both current and expired subscribers from the last six years. | Unknown | J Information and communication | CC | UK | Aerial Direct |
| 69 | 01/01/1970 | ? | Healthcare professionals | A new email scam targets healthcare professionals with phishing emails about "coronavirus awareness", part of a wave of scams capitalizing on the pandemic. | Account Hijacking | Q Human health and social work activities | CC | >1 | Coronavirus, COVID-19 |
| 70 | 01/01/1970 | ? | Randleman Eye Center | Randleman Eye Center discloses a malware attack that occurred on January 13. | Malware | Q Human health and social work activities | CC | US | Randleman Eye Center |
| 71 | 01/01/1970 | ? | Jay Public School District | The Jay Public School District is hit with a cyber attack. | Unknown | P Education | CC | US | Jay Public School District |
| 72 | 01/01/1970 | ? | Facebook Android users | Researchers from Kaspersky discover the CookieThief malware, targeting the Facebook accounts of Android users. | Malware | X Individual | CC | >1 | Kaspersky, CookieThief, Facebook, Android |
| 73 | 01/01/1970 | ? | Multiple targets | Researchers from MalwareHunterTeam discover a new backdoor malware called BlackWater pretending to be COVID-19 information while abusing Cloudflare Workers as an interface to the malware's command and control (C2) server. | | | | | |