It’s time to post the second timeline of June, where I have collected 84 events (including 4 that were published in the first half of the month). This number confirms a decreasing trend, likely due to the diminishing impact of the COVID-19-themed attacks.
Unfortunately the same cannot be said for ransomware: new samples emerge on a regular basis and the list of high-profile victims continues to grow. It looks like double extortion attacks are paying off, and even in this timeline, nearly one event out of four is related to a ransomware attack. Netwalker, Sodinokibi, Maze, and newcomers such as WastedLocker are a constant presence throughout the timeline.
In terms of cyber crime, other interesting events of this timeline include the discovery of a new Android spyware downloaded 32 million times, and three massive DDoS attacks against AWS, an undisclosed European bank, and an undisclosed ISP.
As usual, the cyber espionage front is also quite crowded, with multiple operations carried out by well-known actors such as the Lazarus Group, APT33, a joint operation by Gamaredon and InvisiMole, and StrongPity.
Finally, the racial protests in the US have caused a comeback of the Anonymous collective through the so-called BlueLeaks: a 269-gigabyte collection of police data.
As usual, the details of each event are in the following timeline. Feel free to share it to support my work and spread risk awareness across the community. And don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
ID
Date
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
1
06/08/2020
?
Preen.Me
Researchers from Risk Based Security reveal that personal data of an estimated 350,000 social media influencers has been accessed and partially leaked following a breach at social media marketing firm Preen.Me.
Unknown
M Professional scientific and technical activities
CC
IL
Preen.Me, Risk Based Security
2
06/09/2020
?
South Africa’s Life Healthcare
South Africa’s Life Healthcare says its southern African operation is hit by a cyber attack affecting its admissions systems, business processing systems and email servers.
Unknown
Q Human health and social work activities
CC
ZA
Life Healthcare
3
06/10/2020
?
Multiple organizations
Researchers from Cofense discover a massive keylogger distribution campaign dubbed Mass Logger.
Malware
Y Multiple Industries
CC
>1
Cofense, Mass Logger
4
06/11/2020
?
University of the Philippines Visayas
The University of the Philippines Visayas confirmed on its official Facebook page that its website, upv.edu.ph, was defaced on Thursday, June 11.
Defacement
P Education
CC
PH
University of the Philippines Visayas, upv.edu.ph
5
01/01/1970
?
Countries across Europe and North America
Social media research group Graphika publishes a report unmasking a new Russian information operation codenamed Secondary Infektion, active since 2014, relying on fake news articles, fake leaks, and forged documents to generate political scandals in countries across Europe and North America.
Fake Social Network accounts
O Public administration and defence, compulsory social security
CW
>1
Graphika, Russia, Secondary Infektion
6
01/01/1970
?
Single Individuals
Researchers from Morphisec discover a new campaign exploiting a DLL hijacking vulnerability in Apple’s Push Service (APSDaemon) to install a cryptocurrency miner and avoid detection.
New Zealand's national computer emergency response team warns of a crime gang seeking "ransomware attack opportunities" against NZ organizations that use unpatched or poorly secured Citrix remote-access technology.
Misconfigured Citrix devices
Y Multiple Industries
CC
NZ
New Zealand's national computer emergency response team, Citrix ransomware
8
01/01/1970
China
India
China launches DDoS attacks against information websites and the country’s financial payments system, amid growing tensions over border disputes in the Kashmir region.
DDoS
O Public administration and defence, compulsory social security
CW
IN
China, India
9
01/01/1970
?
Amazon
Amazon reveals that its AWS Shield service mitigated the largest DDoS attack ever recorded, stopping a 2.3 Tbps attack in mid-February this year.
DDoS
M Professional scientific and technical activities
CC
US
Amazon
10
01/01/1970
Lazarus Group
European aerospace and military companies
Security researchers from ESET disclose a new operation orchestrated by the Lazarus Group codenamed "Operation In(ter)ception," targeting victims for both cyber-espionage and financial theft.
Targeted Attack
O Public administration and defence, compulsory social security
CE
>1
ESET, Lazarus Group, Operation In(ter)ception, North Korea
11
01/01/1970
Sodinokibi (AKA REvil)
Light S.A.
Sodinokibi ransomware (aka REvil) operators breach the Brazil-based electrical energy company Light S.A. and demand a $14 million ransom.
Malware
D Electricity gas steam and air conditioning supply
CC
BR
Sodinokibi, REvil, Light S.A.
12
01/01/1970
?
Russian Organizations
Researchers from Palo Alto Unit 42 discover a new malware, dubbed AcidBox, employed in targeted attacks against Russian organizations, and that leverages an exploit previously associated with the Russian-linked Turla APT group.
Targeted Attack
Z Unknown
CE
RU
Palo Alto Unit 42, AcidBox, Turla
13
01/01/1970
?
Unnamed Web host
An unnamed web host is hit with one of the largest DDoS attacks ever registered by Akamai (1.44 terabits per second).
DDoS
Z Unknown
CC
N/A
Akamai, DDoS
14
01/01/1970
?
City of Lexington
A Zoom meeting regarding issues surrounding police discipline is interrupted by callers shouting racist and homophobic remarks.
Zoom bombing
O Public administration and defence, compulsory social security
CC
US
Lexington, Zoom
15
01/01/1970
?
Cebu Normal University (CNU)
Subdomains of the Cebu Normal University (CNU) website, particularly the Library and Journal for Higher Education (JHE), are hacked by unknown entities.
Unknown
P Education
CC
PH
Cebu Normal University, CNU
16
01/01/1970
Pinoy Grayhats
Far Eastern University (FEU)
1,000 student accounts from the Far Eastern University (FEU) are made public, with details such as names, student numbers, and passwords exposed.
Unknown
P Education
CC
PH
Far Eastern University, FEU, Pinoy Grayhats
17
01/01/1970
InvisiMole and Gamaredon
High-profile organizations in Eastern Europe
Researchers from ESET discover a new campaign carried out by the InvisiMole group in cooperation with Gamaredon (two groups linked to Russia).
Targeted Attack
O Public administration and defence, compulsory social security
CE
>1
ESET, InvisiMole, Gamaredon, Russia
18
01/01/1970
?
Android users
Researchers at Awake Security reveal that a newly discovered spyware attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser. Google immediately removes 70 of the malicious extensions.
Malware
X Individual
CC
>1
Google, Android, Awake Security
19
01/01/1970
Holmium AKA APT33, StoneDrill and Elfin
Aerospace, defence, chemical, mining, and petrochemical companies
Researchers from Microsoft reveal the details of a new campaign by Holmium, a group targeting exposed Exchange servers.
Account Hijacking
Y Multiple Industries
CE
>1
Microsoft, Holmium, APT33, StoneDrill, Elfin
20
01/01/1970
?
Wells Fargo customers
Researchers from Abnormal Security discover a phishing campaign impersonating the Wells Fargo Security Team and luring potential victims to phishing pages with the help of calendar invites.
Account Hijacking
K Financial and insurance activities
CC
US
Abnormal Security, Wells Fargo
21
01/01/1970
?
European, Asian, and Middle Eastern targets
Researchers from Check Point discover a phishing campaign abusing an Adobe Campaign redirection mechanism, and using a Samsung domain to redirect victims to an O365 themed phishing website. The attackers also hijacked an Oxford email server to deliver the malicious emails.
Account Hijacking
Y Multiple Industries
CC
>1
Check Point, Adobe Campaign, Samsung, Office 365, Oxford
22
01/01/1970
?
Bank of America customers
Researchers from Armorblox discover a phishing campaign against Bank of America customers able to bypass security filters.
Account Hijacking
K Financial and insurance activities
CC
US
Armorblox, Bank of America
23
01/01/1970
?
Banking users
Researchers from Juniper discover a new version of the IcedID banking trojan employed in COVID-19-themed attacks using FMLA (Family and Medical Leave Act) lures.
Malware
K Financial and insurance activities
CC
US
Juniper, IcedID, COVID-19, FMLA
24
01/01/1970
?
Lion
Australian beverage giant Lion is hit by a second cyber attack.
Unknown
I Accommodation and food service activities
CC
AU
Lion
25
01/01/1970
?
RBX.Place
Hackers steal data from RBX.Place, a grey marketplace where players of the massively popular online game Roblox can sell in-game items for real money.
Unknown
S Other service activities
CC
N/A
RBX.Place
26
01/01/1970
China?
Australian Organizations
Australian Prime Minister Scott Morrison calls a press conference to reveal that Australian organizations (government and private sector) are currently being targeted by a sophisticated state-based cyber actor. Fingers are pointed at China.
Targeted Attack
O Public administration and defence, compulsory social security
CE
AU
Scott Morrison, China
27
01/01/1970
Anonymous
US Police
A leak-focused activist group known as Distributed Denial of Secrets publishes BlueLeaks, a 269-gigabyte collection of police data, allegedly received from the Anonymous collective, which includes emails, audio, video, and intelligence documents, with more than a million files in total.
Unknown
O Public administration and defence, compulsory social security
H
US
Distributed Denial of Secrets, BlueLeaks, Anonymous
28
01/01/1970
NetWalker
Crozer-Keystone Health System
Crozer-Keystone Health System suffers a ransomware attack by the NetWalker ransomware gang. The gang auctions the stolen data through its darknet website.
Malware
Q Human health and social work activities
CC
US
Crozer-Keystone Health System, NetWalker
29
01/01/1970
?
Blaze Angel Roberts Instagram account
Popular Australian surfer Blaze Angel Roberts has her Instagram account hacked, with the attackers posting sexually explicit images.
Account Hijacking
X Individual
CC
AU
Blaze Angel Roberts, Instagram
30
01/01/1970
?
Bitcoin users
A new bitcoin scam allows attackers to steal more than $2 million in two months by abusing Elon Musk's name. The trick involves the use of Bitcoin vanity addresses to give the scam more credibility.
Bitcoin vanity addresses
X Individual
CC
>1
Bitcoin, Elon Musk, Crypto
31
01/01/1970
?
Mid-Michigan College
An attacker breaks into Mid-Michigan College’s email system, compromising the accounts of 10 employees and exposing the personal data of potentially up to 16,000 people.
Account Hijacking
P Education
CC
US
Mid-Michigan College
32
01/01/1970
?
Florida Orthopedic Institute
The Florida Orthopedic Institute warns of a ransomware attack suffered on April 9.
Malware
Q Human health and social work activities
CC
US
Florida Orthopedic Institute, Ransomware
33
01/01/1970
?
Multiple organizations
Multiple organizations using ConnectWise have their customers hit with ransomware through a software flaw.
Malware
Y Multiple Industries
CC
>1
ConnectWise, ransomware
34
01/01/1970
?
Discord users
A new malware dubbed NitroHack is distributed disguised as the premium Discord Nitro service.
Malware
X Individual
CC
>1
Discord, NitroHack
35
01/01/1970
?
Tallapoosa County Probate Office
Tallapoosa County Probate Office is hit with a ransomware attack.
Malware
O Public administration and defence, compulsory social security
CC
US
Tallapoosa County Probate Office
36
01/01/1970
?
Over 230,000 Indonesian COVID-19 patients
Security researchers from Cyble discover over 230,000 Indonesian COVID-19 patient records leaked on the darknet.
Unknown
Z Unknown
CC
ID
Cyble, COVID-19
37
01/01/1970
?
University of California, Davis
A racist cyberattack email is delivered to thousands of University of California, Davis email accounts, prompting the university to block most of the emails, officials said Tuesday.
Malicious Spam
P Education
CC
US
University of California, Davis
38
01/01/1970
CLOP
Indiabulls Group
Indian conglomerate Indiabulls Group is allegedly hit with a cyberattack from the CLOP Ransomware operators who have leaked screenshots of stolen data.
Malware
M Professional scientific and technical activities
CC
IN
Indiabulls Group, CLOP, ransomware
39
01/01/1970
?
Misconfigured Docker clusters
Security researchers from Trend Micro discover what appears to be the first organized and persistent series of attacks against Docker servers that infect misconfigured clusters with DDoS malware (XORDDoS AKA Backdoor.Linux.XORDDOS.AE and Kaiji DDoS AKA DDoS.Linux.KAIJI.A).
Several dozen e-commerce sites using Google Analytics.
Researchers from Sansec reveal they discovered a Magecart campaign using Google Analytics to bypass Content Security Policies.
Malicious Script Injection
G Wholesale and retail trade
CC
>1
Sansec, Google Analytics, Content Security Policies, Magecart
41
01/01/1970
?
Undisclosed technology company
Researchers from Darktrace discover a phishing campaign spoofing QuickBooks, a product commonly used ahead of the July 15 tax deadline.
Account Hijacking
Z Unknown
CC
US
Darktrace, QuickBooks
42
01/01/1970
?
Stalker Online
More than one million players of the video game Stalker Online are at risk after a database containing over 1.2 million user records is put up for sale on hacking forums. Separately, another database, said to contain more than 136,000 records from the game’s forums, is also being offered for sale.
Unknown
R Arts entertainment and recreation
CC
RU
Stalker Online
43
01/01/1970
?
Government and military orgs in South Asia
Researchers from Cisco Talos discover a military-themed malware campaign targeting military and government organizations in South Asia, using the Cobalt Strike toolset, and distributing a RAT via the IndigoDrop malware dropper.
Targeted Attack
O Public administration and defence, compulsory social security
CE
>1
Cisco Talos, Cobalt Strike, IndigoDrop
44
01/01/1970
?
Mid-level employees across Austria, Switzerland and Germany
Researchers from Proofpoint discover a campaign spreading the Hakbit ransomware using malicious Microsoft Excel attachments and the GuLoader dropper.
Malware
Y Multiple Industries
CC
>1
Proofpoint, Hakbit, ransomware, GuLoader
45
01/01/1970
UK Police
Encrochat
The encrypted chat Encrochat shuts down after a police hack.
Unknown
M Professional scientific and technical activities
N/A
N/A
Encrochat
46
01/01/1970
?
Iowa State University
Iowa State University officials announce that nearly 4,900 Iowa State University-affiliated email accounts were the recipients of a racist cyberattack from an email sender claiming to be Equity Prime Mortgage.
Malicious Spam
P Education
CC
US
Iowa State University
47
01/01/1970
?
CHI St. Luke’s Health-Memorial Lufkin
CHI St. Luke’s Health-Memorial Lufkin notifies of a phishing incident that occurred on April 23, 2020.
Account Hijacking
P Education
CC
US
CHI St. Luke’s Health-Memorial Lufkin
48
01/01/1970
?
K12 Schools
The US Federal Bureau of Investigation sends out a security alert to K12 schools about the increase in ransomware attacks during the COVID-19 pandemic, and especially about ransomware gangs that abuse RDP connections to break into school systems.
Malware
P Education
CC
US
FBI, K12, Ransomware, COVID-19
49
01/01/1970
Evil Corp
Multiple organizations
Researchers from Fox-IT reveal that the malicious actor Evil Corp is now deploying the WastedLocker ransomware.
Malware
Y Multiple Industries
CC
>1
Fox-IT, Evil Corp, WastedLocker
50
01/01/1970
Sodinokibi (AKA REvil)
Multiple organizations
Researchers from Symantec discover a new variant of the Sodinokibi ransomware scanning networks for PoS systems.
Malware
Y Multiple Industries
CC
>1
Symantec, Sodinokibi, REvil, ransomware
51
01/01/1970
?
Choice Health Management Services
Choice Health Management Services notifies an unspecified number of individuals of a phishing attack that occurred in late 2019.
Account Hijacking
M Professional scientific and technical activities
CC
US
Choice Health Management Services
52
01/01/1970
?
Five cryptocurrency exchanges in United States, Japan, and the Middle East
Researchers from ClearSky reveal the details of CryptoCore, an organized hacker group believed to be operating out of Eastern Europe, which has stolen around $200 million from online cryptocurrency exchanges.
Account Hijacking
V Fintech
CC
>1
ClearSky, CryptoCore, Crypto
53
01/01/1970
?
Multiple organizations
Researchers from Sophos reveal the details of Glupteba, an evasive malware that creates a backdoor providing full access to compromised Windows machines, while adding them to a growing botnet.
Malware
Y Multiple Industries
CC
>1
Sophos, Glupteba
54
01/01/1970
?
Multiple organizations
Researchers from Palo Alto Unit 42 reveal the details of a new variant of Lucifer, a powerful cryptojacking and DDoS malware exploiting severe vulnerabilities in order to infect Windows machines.
Malware
Y Multiple Industries
CC
>1
Lucifer, Palo Alto Unit 42
55
01/01/1970
?
Android users in Canada
Researchers from ESET discover a malicious Android app disguised as Canada's official COVID-19 tracing app but hiding the CryCryptor ransomware.
Malware
X Individual
CC
CA
ESET, Android, COVID-19, CryCryptor ransomware
56
01/01/1970
KelvinSecurity
Frost & Sullivan
U.S. business consulting firm Frost & Sullivan is breached after data from an unsecured backup folder exposed on the Internet is sold on a hacker forum.
Misconfiguration
M Professional scientific and technical activities
CC
US
Frost & Sullivan, KelvinSecurity
57
01/01/1970
Maze
LG Electronics
Maze ransomware operators claim on their website that they breached and locked the network of the South Korean multinational LG Electronics.
Malware
C Manufacturing
CC
KR
Maze, LG Electronics, ransomware
58
01/01/1970
Maze
Xerox Corporation
Maze ransomware operators update their list of victims adding Xerox Corporation.
Malware
C Manufacturing
CC
US
Maze, Xerox Corporation, ransomware
59
01/01/1970
?
Multiple e-commerce sites
Researchers from Malwarebytes discover a new Magecart campaign hiding the credit card skimmer inside images.
Malicious Script Injection
G Wholesale and retail trade
CC
>1
Malwarebytes, Magecart
60
01/01/1970
?
Undisclosed bank in Europe
Akamai reveals that a bank in Europe was hit by a massive distributed denial-of-service (DDoS) attack that peaked at a record 809 million packets per second (pps).
DDoS
K Financial and insurance activities
CC
N/A
Akamai, DDoS
61
01/01/1970
?
Vulnerable Microsoft Exchange servers
Microsoft warns organizations of a spike in attacks against Microsoft Exchange servers trying to exploit CVE-2020-0688.
CVE-2020-0688 Vulnerability
Y Multiple Industries
CE
>1
Microsoft, Microsoft Exchange, CVE-2020-0688
62
01/01/1970
Chinese Bank
UK-based technology/software vendor and a major financial institution
Researchers from Trustwave reveal that a Chinese bank has forced at least two western companies to install tax software infected with the GoldenSpy malware on their systems.
Malware
K Financial and insurance activities
CE
N/A
Trustwave, China, GoldenSpy
63
01/01/1970
?
Multiple organizations
Researchers from Check Point detect a new campaign distributing phishing emails and malicious files disguised as COVID-19 training materials.
Account Hijacking
Y Multiple Industries
CC
>1
Check Point, COVID-19
64
01/01/1970
DarkCrewFriends
Vulnerable CMS servers
A report from Check Point reveals that the hackers-for-hire group DarkCrewFriends has resurfaced and is targeting content management systems to build a botnet.
CMS vulnerability
Y Multiple Industries
CC
>1
Check Point, DarkCrewFriends
65
01/01/1970
?
Windows and Linux machines
Researchers from Barracuda Networks discover a new variant of the cryptominer malware known as Golang, targeting both Windows and Linux machines.
Malware
Y Multiple Industries
CC
>1
Barracuda Networks, Golang, Crypto
66
01/01/1970
Anonymous Brazil
Senior Brazilian government officials including president Jair Bolsonaro
The Brazilian federal police investigate the leak of personal details of senior government officials, including president Jair Bolsonaro.
Unknown
O Public administration and defence, compulsory social security
H
BR
Anonymous, Jair Bolsonaro
67
01/01/1970
?
E27
Media firm E27 is hacked, and attackers ask for a small "donation" to provide information on the vulnerabilities used in the attack.
Unknown
J Information and communication
CC
SG
E27
68
01/01/1970
Ransom X
Government agencies and enterprises
A new ransomware called Ransom X is being actively used in human-operated and targeted attacks against government agencies and enterprises.
Malware
Y Multiple Industries
CC
>1
Ransom X, Malware, Ransomware
69
01/01/1970
?
France Télévisions
The France Télévisions group announces it was the victim of a cyber attack that targeted one of its broadcasting sites.
Unknown
J Information and communication
CC
FR
France Télévisions
70
01/01/1970
?
Eight cities across three states in the United States
Researchers from Trend Micro reveal that eight cities across three states in the United States have fallen victim to a Magecart card skimming attack. The sites all appear to have been built using Click2Gov.
Malicious Script Injection
O Public administration and defence, compulsory social security
CC
US
Trend Micro, Click2Gov, Magecart
71
01/01/1970
?
Israel Philharmonic Orchestra
The online Israel Philharmonic Orchestra concert, hosted by Helen Mirren, was disrupted by cyberattackers.
DDoS
R Arts entertainment and recreation
CC
IL
Israel Philharmonic Orchestra
72
01/01/1970
Maze
National Highway Authority of India (NHAI)
The National Highway Authority of India (NHAI) is hit by a malware attack.
Malware
O Public administration and defence, compulsory social security
CC
IN
National Highway Authority of India, NHAI, Maze, ransomware
A data breach broker is selling databases containing user records for 14 different companies he claims were breached by hackers in 2020 (four of them, HomeChef, Minted, Tokopedia, and Zoosk, were already known).
In separate reports, researchers from Cisco Talos and BitDefender reveal new campaigns from the Promethium, AKA StrongPity APT.
Targeted Attack
O Public administration and defence, compulsory social security
CE
>1
Cisco Talos, BitDefender, Promethium, StrongPity
75
01/01/1970
Cl0ud SecuritY
Old LenovoEMC NAS devices
A hacker group going by the name of 'Cl0ud SecuritY' is breaking into old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, wiping files, and leaving ransom notes behind asking owners to pay between $200 and $275 to get their data back.
Misconfiguration
Y Multiple Industries
CC
>1
Cl0ud SecuritY, LenovoEMC
76
01/01/1970
?
Bloggers and website owners
Researchers from Sophos discover a new phishing campaign targeting bloggers and website owners with emails pretending to be from their hosting provider, offering to upgrade their domain to use secure DNS (DNSSEC).
Account Hijacking
X Individual
CC
>1
Sophos, DNSSEC
77
01/01/1970
?
945 websites
Researchers from Lucy Security discover a collection of SQL databases for sale on the Dark Web. The archived files were stolen from 945 websites around the world.
SQLi?
Y Multiple Industries
CC
>1
Lucy Security
78
01/01/1970
?
City of Duncannon
Duncannon reveals it was hit with a ransomware attack in April, which left many municipal computer systems inoperable and led the borough to pay more than $40,000 to the hackers to restore systems.
Malware
O Public administration and defence, compulsory social security
CC
US
Duncannon, ransomware
79
01/01/1970
Evil Corp
Dozens of US newspaper websites
Researchers from Symantec reveal that the Evil Corp gang hacked into dozens of US newspaper websites owned by the same company to infect the employees of over 30 major US private firms with the WastedLocker ransomware.
Hackers use credentials leaked on Pastebin to deface Roblox profiles in support of Donald Trump in the forthcoming US presidential election.
Account Hijacking
R Arts entertainment and recreation
CC
US
Roblox, Donald Trump
81
01/01/1970
?
macOS users
Multiple security researchers discover a new ransomware strain targeting macOS users, called OSX.ThiefQuest (or EvilQuest). The malware also installs a keylogger, a reverse shell, and steals cryptocurrency wallet-related files from infected hosts.
Malware
X Individual
CC
>1
MacOS, OSX.ThiefQuest, EvilQuest
82
01/01/1970
?
Android users
Google removes 25 Android applications from the Google Play Store that were caught stealing Facebook credentials.
Malware
X Individual
CC
>1
Google, Android, Google Play Store, Facebook
83
01/01/1970
?
Users from multiple countries
Researchers from Group-IB discover thousands of personal records of users from multiple countries exposed in a targeted multi-stage bitcoin scam.
Unknown
X Individual
CC
>1
Group-IB, crypto
84
01/01/1970
?
Self-employed people in the UK
A new COVID-19-themed HMRC phishing campaign targets the passport details of self-employed people in the UK, along with other information including personal and bank details.