It’s time to catch up with the timelines, so let’s go with a new one collecting the main cyber events that occurred in the second half of May. In this timeline I have collected “only” 72 events, including 9 that occurred in the previous weeks, so definitely a sharp drop in comparison to the numbers we had become used to in the weeks after the beginning of the COVID-19 crisis.
Here we are again with the mega breaches. Unfortunately, the list of the victims is quite long this fortnight, and includes: a well-known low-cost European airline (9 million customers compromised), a popular math solving application (25 million records compromised), a mobile poll app (40 million users compromised), a popular blogging platform (26 million users compromised), and multiple other data troves from several countries (Taiwan, India, Indonesia, and Russia).
Unsurprisingly, ransomware continues to be a big issue, and this timeline is no exception: once again the list of campaigns is quite long and includes opportunistic and targeted operations against educational and governmental institutions.
COVID-19 related operations continue to dominate the timeline (10 events), although their impact is lower in comparison to the previous timelines.
Cyber Espionage is always a hot front, with multiple operations carried out by known actors like Turla, Sandworm, Winnti Group and Ke3chang.
Last but not least, this fortnight has also seen a spike of events related to hacktivism, mainly motivated by the murder of George Floyd (but also Italy experienced a noticeable attack against one of the main institutions involved in the fight against COVID-19). The numbers per se are still small, but in the previous months the events related to hacktivism had literally disappeared.
But now it’s time to browse the timeline and read the details of each event. Of course you can share the timeline to support my work and spread risk awareness across the community. And don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
ID
Date
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
1
01/01/1970
?
Etana Custody
Etana Custody states that its “client user interface was accessed by an unauthorized external party”
Unknown
V Fintech
CC
US
Etana Custody, Crypto
2
05/04/2020
?
Healthcare, government entities, financial institutions, and retail
The FBI issues a security alert about a new ransomware strain named ProLock, deployed in intrusions at healthcare, government entities, financial institutions, and retail.
Malware
Y Multiple Industries
CC
US
FBI, ProLock, ransomware
3
05/08/2020
?
Nipissing First Nation
Nipissing First Nation is hit by a ransomware attack.
Malware
U Activities of extraterritorial organizations and bodies
CC
CA
Nipissing First Nation, ransomware
4
05/10/2020
Powerful Greek Army
North Macedonia’s Ministry of Economy and Finance
A Greek group called Powerful Greek Army leaks dozens of email addresses and passwords from staffers in North Macedonia’s Ministry of Economy and Finance, as well as from the municipality of Strumica.
Unknown
O Public administration and defence, compulsory social security
H
MK
Powerful Greek Army, North Macedonia’s Ministry of Economy and Finance, Strumica
5
05/11/2020
?
Bernards Township
Bernards Township is hit with a ransomware attack.
Malware
O Public administration and defence, compulsory social security
CC
US
Bernards Township, ransomware
6
01/01/1970
?
BlockFi
Crypto lending provider BlockFi reports that it suffered a data breach: some of the company’s client data was accessed through a SIM swap attack performed against one of its employees.
Account Hijacking
V Fintech
CC
US
BlockFi, Crypto
7
01/01/1970
?
Single Individuals in the US
Researchers from the advocacy group Abuse.ch discover a COVID-19-related malspam campaign that impersonates the U.S. Treasury Department and most likely aims to steal taxpayers’ credentials using a remote access trojan.
Account Hijacking
X Individual
CC
US
COVID-19, Abuse.ch, U.S. Treasury Department
8
01/01/1970
?
9 million customers of the CDEK Express transportation service
Data belonging to nine million customers of the CDEK Express transportation service is put up for sale on the Web for 70 thousand rubles ($950).
Unknown
H Transportation and storage
CC
RU
CDEK Express
9
01/01/1970
?
Covve
Covve, the popular address book app, is identified as the source of a data breach that exposed the details of nearly 23 million individuals.
Unknown
J Information and communication
CC
CY
Covve
10
01/01/1970
?
Undisclosed Target
Researchers from Cofense discover a phishing tactic that leverages the OAuth2 framework and OpenID Connect (OIDC) protocol to access user data.
Account Hijacking
Z Unknown
CC
N/A
Cofense, OAuth2, OpenID Connect
11
01/01/1970
NetWalker
Multiple organizations
Researchers at Trend Micro discover a new fileless version of the NetWalker ransomware.
Malware
Y Multiple Industries
CC
>1
Trend Micro, NetWalker, Ransomware
12
01/01/1970
?
EasyJet
EasyJet admits that a "highly sophisticated cyber-attack" has affected approximately nine million customers. Email addresses and travel details were stolen, and 2,208 customers also had their credit and debit card details "accessed". The attack was discovered in January.
Targeted Attack
H Transportation and storage
CC
UK
EasyJet
13
01/01/1970
?
Multiple organizations
Microsoft's Security Intelligence team warns of a "massive" COVID-19 themed phishing campaign that attempts to install NetSupport Manager, a remote access tool, by tricking users into opening email attachments containing malicious Excel 4.0 macros.
Malicious Spam
Y Multiple Industries
CC
>1
Microsoft, COVID-19, NetSupport Manager, Excel
14
01/01/1970
?
Banking users
Researchers from Malwarebytes and HYAS reveal the details of Silent Night, a botnet distributed via the RIG exploit kit and COVID-19 spam.
Researchers from Cisco Talos reveal the details of WolfRAT, a new Trojan targeting Thai users of WhatsApp, Facebook Messenger, and Line messaging apps on the Android mobile platform.
Researchers from Agari discover Scattered Canary, a group of business email compromise (BEC) Nigerian scammers targeting U.S. unemployment systems and COVID-19 relief funds provided through the CARES Act.
Business Email Compromise
X Individual
CC
US
Agari, Scattered Canary, BEC, COVID-19, CARES Act
17
01/01/1970
?
Undisclosed Target
Researchers from Abnormal Security reveal the details of a new campaign impersonating the collaboration software provider LogMeIn.
Account Hijacking
Z Unknown
CC
N/A
Abnormal Security, LogMeIn
18
01/01/1970
Winnti Group
Massively multiplayer online (MMO) game developers located in South Korea and Taiwan
Cybersecurity firm ESET releases a report on the Winnti APT group, which deployed PipeMon, a new modular malware, on the systems of several massively multiplayer online (MMO) game developers located in South Korea and Taiwan.
Targeted Attack
R Arts entertainment and recreation
CE
KR
TW
ESET, Winnti, PipeMon
19
01/01/1970
ShinyHunters
Wishbone
ShinyHunters puts up for sale the details of 40 million users registered on Wishbone, a popular mobile app that lets users compare two items in a simple voting poll.
Unknown
M Professional scientific and technical activities
CC
US
ShinyHunters, Wishbone
20
01/01/1970
?
Banking users in the U.S., Canada, Germany, Poland, and Australia
Researchers from Proofpoint reveal the details of a new version of the ZLoader banking malware seen in more than 100 email campaigns since the beginning of the year.
Malware
K Financial and insurance activities
CC
>1
Proofpoint, ZLoader
21
01/01/1970
CyberWare
Scam companies
A group of hackers calling themselves CyberWare starts targeting scam companies with ransomware and DDoS attacks.
Malware
S Other service activities
CC
N/A
CyberWare
22
01/01/1970
?
Multiple organizations
The FBI issues a security alert about Zoom-bombing.
Zoom-bombing
Y Multiple Industries
CC
US
FBI, Zoom bombing
23
01/01/1970
?
Multiple organizations
Researchers from Sophos reveal the details of RagnarLocker, a new ransomware installing virtual machines to avoid detection.
Malware
Y Multiple Industries
CC
>1
Sophos, RagnarLocker, ransomware
24
01/01/1970
Hackers of Savior
2000 Israeli websites
More than 2000 Israeli websites are defaced to show an anti-Israeli message, along with malicious code that asks visitors for permission to access their webcams. Most of the websites were hosted on uPress, a local Israeli WordPress hosting service.
Defacement
Y Multiple Industries
H
IL
uPress, Hackers of Savior
25
01/01/1970
Ke3chang (AKA APT15, Vixen Panda, Playful Dragon, and Royal APT)
Multiple organizations
Researchers from Intezer discover a new operation from the Ke3chang APT, using a new malware dubbed Ketrum.
Researchers from Armorblox discover a new campaign impersonating the Supreme Court and using a CAPTCHA page to evade security controls on Office 365.
Account Hijacking
Y Multiple Industries
CC
>1
Armorblox, Supreme Court, CAPTCHA, Office 365
27
01/01/1970
Chafer APT
Governments in Kuwait and Saudi Arabia
Researchers from BitDefender reveal the details of attacks by the Iran-linked Chafer APT group targeting governments in Kuwait and Saudi Arabia.
Targeted Attack
O Public administration and defence, compulsory social security
CE
KW
SA
Chafer APT, Iran, BitDefender
28
01/01/1970
?
Multiple organizations
Researchers from Trustwave uncover a new phishing campaign taking advantage of “the reputation and services” of Google Cloud’s Firebase mobile and web application development platform.
Account Hijacking
Y Multiple Industries
CC
>1
Trustwave, Google Cloud, Firebase
29
01/01/1970
LulzSecITA
San Raffaele Hospital
Hackers from LulzSecITA leak sensitive data from the San Raffaele Hospital in Milan. Data includes personal details of patients, doctors, nurses, and various employees. The breach occurred two months ago.
SQLi
Q Human health and social work activities
H
IT
LulzSecITA, San Raffaele
30
01/01/1970
ShinyHunters
Mathway
ShinyHunters breaches Mathway, a popular math solving application, stealing more than 25 million emails and passwords.
Unknown
M Professional scientific and technical activities
CC
US
ShinyHunters, Mathway
31
01/01/1970
?
Multiple organizations
Researchers from Sentinel One discover a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers.
A threat actor shares the 2014 voter information for close to 2 million Indonesians on a hacker forum.
Unknown
X Individual
CC
ID
Indonesia
33
01/01/1970
?
EduCBA
Online education site EduCBA starts notifying customers that it is resetting their passwords after suffering a data breach.
Unknown
P Education
CC
IN
EduCBA
34
01/01/1970
?
Italian companies operating in the manufacturing sector
Researchers from ZLab discover a new malicious espionage activity targeting Italian companies operating worldwide in the manufacturing sector.
Targeted Attack
C Manufacturing
CE
IT
ZLab
35
01/01/1970
?
Unknown resume aggregator
Researchers from Cyble discover a dump containing the personal details of 29.1M Indian jobseekers, offered for free in the hacking underground.
Unknown
M Professional scientific and technical activities
CC
IN
Cyble
36
01/01/1970
?
Multiple organizations
Researchers from Malwarebytes and HYAS publish a new report on a new botnet derived from Zeus, dubbed Silent Night Zeus.
Malware
Y Multiple Industries
CC
>1
Malwarebytes, HYAS, Zeus, Silent Night Zeus
37
01/01/1970
DoubleGun
Multiple organizations in China
Researchers from NetLab 360 dismantle the infrastructure built by the DoubleGun Group, which had amassed hundreds of thousands of bots controlled via public cloud services, including Alibaba and Baidu Tieba.
Malware
Y Multiple Industries
CC
CN
NetLab 360, DoubleGun Group, Alibaba, Baidu Tieba
38
01/01/1970
?
Multiple Crypto wallets
The hacker who breached the Ethereum.org forum is allegedly selling the customer databases of several popular crypto hardware wallet vendors, including Ledger, Trezor, and KeepKey.
Account Hijacking
V Fintech
CC
>1
Ethereum.org, Ledger, Trezor, KeepKey, Crypto
39
01/01/1970
?
Discord users
A new version of the AnarchyGrabber Discord malware is released that modifies the Discord client files so that it can evade detection and steal user accounts every time someone logs into the chat service.
Malware
X Individual
CC
>1
AnarchyGrabber, Discord
40
01/01/1970
?
Three hacking forums: Nulled.ch, Sinfulsite.com, and suxx.to
Researchers from Cyble discover that the databases of three hacking forums (Nulled.ch, Sinfulsite.com, and suxx.to) have been leaked online.
Unknown
S Other service activities
CC
N/A
Nulled.ch, Sinfulsite.com, suxx.to, Cyble
41
01/01/1970
[F]Unicorn
Single individuals in Italy
The Agency for Digital Italy (AgID) discovers a new ransomware threat called [F]Unicorn, encrypting computers in Italy by tricking victims into downloading a fake COVID-19 contact tracing app.
Malware
X Individual
CC
IT
Agency for Digital Italy (AgID), [F]Unicorn, COVID-19
42
01/01/1970
?
More than two dozen SQL databases
More than two dozen SQL databases stolen from online shops in various countries are being offered for sale on a public website (over 1.5 million rows).
Unknown
Y Multiple Industries
CC
>1
SQL
43
01/01/1970
Turla
Three high-profile entities: a national parliament in the Caucasus and two Ministries of Foreign Affairs in Eastern Europe
Security researchers from ESET discover new attacks carried out by Turla via the ComRAT backdoor in January 2020. The attacks targeted three high-profile entities: a national parliament in the Caucasus and two Ministries of Foreign Affairs in Eastern Europe.
Targeted Attack
O Public administration and defence, compulsory social security
CE
>1
ESET, Turla
44
01/01/1970
?
Arbonne International
Arbonne International exposes the personal information and credentials of thousands after its internal systems were breached by an unauthorized party.
Account Hijacking
M Professional scientific and technical activities
CC
US
Arbonne International
45
01/01/1970
?
Banking users in Portugal
A new version of the Grandoreiro malware is discovered in Portugal.
Malware
K Financial and insurance activities
CC
PT
Grandoreiro
46
01/01/1970
NetWalker
City of Weiz
The Austrian City of Weiz is hit by the NetWalker Ransomware.
Malware
O Public administration and defence, compulsory social security
CC
AT
City of Weiz, ransomware, NetWalker
47
01/01/1970
PonyFinal
Multiple Organizations
Microsoft's security team issues an advisory warning organizations around the globe to deploy protections against PonyFinal, a new strain of ransomware that has been in the wild for the past two months.
Malware
Y Multiple Industries
CC
>1
Microsoft, PonyFinal
48
01/01/1970
?
LiveJournal
Blogging platform LiveJournal appears to have suffered a security breach in 2014, and multiple hackers are selling the company's user database on the dark web and on hacking forums (26 million users).
Unknown
J Information and communication
CC
RU
LiveJournal
49
01/01/1970
?
Undisclosed Target
Researchers from Abnormal Security reveal the details of a new campaign impersonating AWS notifications.
Account Hijacking
Z Unknown
CC
N/A
AWS, Abnormal Security
50
01/01/1970
?
47.5 million Indian Truecaller users
Researchers from Cyble discover the data of 47.5 million Indian users leaked on the dark web, allegedly originating from the well-known caller-ID app Truecaller.
Unknown
X Individual
CC
IN
Cyble, Truecaller
51
01/01/1970
"Hack-for-hire" groups operating in India
Employees at financial services, consulting and healthcare firms around the world
"Hack-for-hire" groups operating in India are spoofing World Health Organization emails to steal credentials from employees at financial services, consulting and healthcare firms around the world, according to Google's Threat Analysis Group.
Account Hijacking
Y Multiple Industries
CC
>1
Google's Threat Analysis Group
52
01/01/1970
?
Cisco Systems
Cisco discloses a security breach that impacted a small part of its backend infrastructure: hackers used a vulnerability in the SaltStack software package, which Cisco bundles with some products, to gain access to six servers.
Salt vulnerability (CVE-2020-11651 and CVE-2020-11652)
Nippon Telegraph & Telephone (NTT) discloses a security breach. Hackers gained access to its internal network from Singapore and stole information on 621 customers from its communications subsidiary, NTT Communications.
Targeted Attack
J Information and communication
CE
JP
NTT, NTT Communications
54
01/01/1970
?
Github users
GitHub issues a security alert warning about Octopus Scanner, a new malware strain that has been spreading on its site via 26 booby-trapped Java projects.
Malware
Y Multiple Industries
CC
>1
GitHub, Octopus Scanner
55
01/01/1970
Sandworm AKA BlackEnergy
Multiple organizations
The US National Security Agency (NSA) publishes a security alert warning of a new wave of cyberattacks against Exim email servers, exploiting CVE-2019-10149, conducted by Sandworm.
Targeted Attack
Y Multiple Industries
CE
US
US National Security Agency, NSA, Exim, CVE-2019-10149, Sandworm, BlackEnergy
56
01/01/1970
?
Multiple organizations
Researchers from Cybereason discover a new variant of the Valak malware targeting Microsoft Exchange.
Malware
Y Multiple Industries
CC
>1
Valak, Cybereason, Microsoft Exchange
57
01/01/1970
Netwalker
Michigan State University
The operators of the NetWalker (Mailto) ransomware announce that they have infected the network of Michigan State University.
Malware
P Education
CC
US
NetWalker, Mailto, ransomware, Michigan State University
58
01/01/1970
?
Multiple organizations
Researchers at Palo Alto Networks reveal the details of a new version of the Trickbot malware with an improved method of evading detection.
Malware
Y Multiple Industries
CC
>1
Palo Alto Networks, Unit 42, Trickbot
59
01/01/1970
?
Valorant Players
Researchers from Dr.Web discover fake Android and iOS Valorant apps, promoting scams.
Malware
R Arts entertainment and recreation
CC
>1
Valorant, Dr.Web, iOS, Android
60
01/01/1970
?
Undisclosed Target
Researchers from Abnormal Security reveal the details of a new campaign impersonating the World Health Organization.
Account Hijacking
Z Unknown
CC
N/A
COVID-19, Abnormal Security, WHO, World Health organization
61
01/01/1970
?
City government systems in Minneapolis
City government systems in Minneapolis are taken down by a DDoS attack.
DDoS
O Public administration and defence, compulsory social security
H
US
Minneapolis
62
01/01/1970
?
Single Individuals in India
Security researchers from SonicWall discover fake malicious versions of Aarogya Setu, the Indian government’s coronavirus contact tracing mobile application.
Malware
X Individual
CC
IN
SonicWall, Aarogya Setu, COVID-19
63
01/01/1970
?
Amtrak
The National Railroad Passenger Corporation (Amtrak) discloses a data breach that may have resulted in the compromise of customer personally identifiable information (PII). The data breach was discovered on April 16, 2020 and was carried out via compromised credentials.
Account Hijacking
H Transportation and storage
CC
US
Amtrak
64
01/01/1970
?
Organizations in Japan, Italy, Germany and the UK
Researchers from Kaspersky identify a series of attacks on organizations in Japan, Italy, Germany and the UK. Up to 50% of the attackers’ targets are organizations in various industrial sectors.
Targeted Attack
M Professional scientific and technical activities
CC
>1
Kaspersky
65
01/01/1970
?
Multiple organizations
Researchers at ZLab discover a new campaign using COVID-19 lures (FMLA: Family and Medical Leave Act) to spread Himera and Absent-Loader.
Malware
Y Multiple Industries
CC
>1
ZLab, COVID-19, FMLA, Family and Medical Leave Act, Himera, Absent-Loader
66
01/01/1970
Toogod
Department of Household Registration (Taiwan)
Researchers from Cyble discover on the dark web a database containing details of over 20 million Taiwanese citizens.
Unknown
O Public administration and defence, compulsory social security
CC
TW
Cyble, Department of Household Registration, Toogod
67
01/01/1970
?
Emirates customers
Emirates airline warns passengers about the latest phishing email scam, which claims that flights have been cancelled because of COVID-19.
Account Hijacking
H Transportation and storage
CC
UAE
Emirates
68
01/01/1970
?
Unpatched Wordpress sites
Researchers from Wordfence reveal that hackers have launched a massive campaign against WordPress websites, exploiting old vulnerabilities in unpatched plugins to download configuration files.
Vulnerable Wordpress Plugins
Y Multiple Industries
CC
>1
Wordfence, Wordpress
69
01/01/1970
Anonymous
Minneapolis Police Department
Anonymous takes down the Minneapolis Police Department website in retaliation for the murder of George Floyd.
DDoS
O Public administration and defence, compulsory social security
H
US
Anonymous, Minneapolis Police Department, George Floyd
70
01/01/1970
?
Single individuals in Italy
Researchers from D3Lab uncover a new COVID-19-themed phishing campaign targeting the users of the Italian National Institute for Social Security (INPS) and exploiting the COVID-19 measures.
Account Hijacking
X Individual
CC
IT
D3Lab, COVID-19, INPS
71
01/01/1970
Sekhmet
Excis
Sekhmet ransomware operators claim to have hit an international IT firm, Excis.
Malware
M Professional scientific and technical activities
CC
UK
Excis, Sekhmet, ransomware
72
01/01/1970
?
Coincheck
Japanese cryptocurrency exchange Coincheck says hackers took control of its account at Oname.com, a local domain registrar, and hijacked one of its domain names, which they later used to contact some of its customers.