It’s time to publish the second timeline of July, covering the main cyber attacks that occurred in the second half of the month. I have collected 86 events (including 6 that occurred outside the considered interval), a number substantially in line with the previous list (89).
Unsurprisingly, ransomware continues to dominate the threat landscape with 19 events (roughly 22% of the total), while COVID-themed campaigns are progressively losing momentum (just 2 events). However, an old trend re-emerged in the second half of July: the occurrence of multiple mega-breaches (primarily targeting startups), fueled by a threat actor calling themselves ShinyHunters.
Double extortion attacks are the new normal and are now the modus operandi adopted by every ransomware gang (such as REvil, Netwalker, WastedLocker, Ragnarlocker, and Nefilim). Unfortunately, the list of high-profile targets hit by these attacks continues to grow, and this fortnight is no exception.
And even if COVID-themed attacks are decreasing, the rush for the vaccine remains a hot front for cyber espionage. It’s no coincidence that the UK National Cyber Security Centre issued an alert on the malicious activities of an old acquaintance: APT 29 (AKA Cozy Bear). Although this is the most important cyber espionage event, it is not the only one: APT 28 (AKA Fancy Bear), OilRig, and Hidden Cobra (AKA the Lazarus Group, which, by the way, has also started to launch ransomware attacks) are well-known names populating the list.
The cyber warfare front also has some interesting surprises: two cyber attacks against agricultural water pumps in Israel, and the discovery of operation Ghostwriter, a widespread, long-lasting influence campaign (allegedly orchestrated by Russia) leveraging compromised websites to discredit NATO.
As usual, it’s impossible to summarize everything in a few lines: the details of each event are in the timeline, so feel free to share it to support my work and spread risk awareness across the community. And don’t forget to follow @paulsparrows on Twitter, or connect on LinkedIn, for the latest updates.
| ID | Date | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 01/01/1970 | ? | M.J. Brunner | M.J. Brunner is hit with a Maze ransomware attack. | Malware | M Professional scientific and technical activities | CC | US | M.J. Brunner, Maze, Ransomware |
| 2 | 01/01/1970 | ? | New Mexico State University Foundation | New Mexico State University Foundation is another victim of the Blackbaud hack. | Malware | P Education | CC | US | New Mexico State University Foundation, Blackbaud, ransomware |
| 3 | 01/01/1970 | ? | Multiple targets | Researchers from Bad Packets report that threat actors have been scanning the Internet for SAP systems affected by the RECON vulnerability, tracked as CVE-2020-6287. | CVE-2020-6287 Vulnerability | Y Multiple Industries | CC | >1 | CVE-2020-6287, SAP |
| 4 | 01/01/1970 | ? | Tax Collector’s Office for Polk County | Tax Collector’s Office for Polk County blames malware found on an employee's computer for a data breach that affected around 450,000 residents of Polk County. The breach occurred in June. | Malware | O Public administration and defence, compulsory social security | CC | US | Tax Collector’s Office for Polk County |
| 5 | 01/01/1970 | ? | Air travelers in the US | The Federal Bureau of Investigation issues a warning to air travelers to be wary of bogus US airport websites when booking flights online. | Account Hijacking | H Transportation and storage | CC | US | FBI |
| 6 | 01/01/1970 | ? | Gravitas | An Auckland research firm, Gravitas, suffers a hack and loses the information provided by the NZ Police. As a consequence, the police decide to close the contract. | Unknown | M Professional scientific and technical activities | CC | NZ | Gravitas |
| 7 | 01/01/1970 | APT29 (AKA Cozy Bear, The Dukes, and Yttrium) | Organizations involved in coronavirus vaccine development in Canada, UK, and the US | The National Cyber Security Centre (NCSC) in the UK warns of an ongoing campaign, carried out by Russian malicious actors, targeting organizations involved in coronavirus vaccine development. | Targeted Attack | Q Human health and social work activities | CE | >1 | National Cyber Security Centre, NCSC, APT29, Cozy Bear, The Dukes, Yttrium, COVID-19 |
| 8 | 01/01/1970 | ? | Android users | Researchers from ThreatFabric discover a new Android banking trojan dubbed BlackRock. | Malware | K Financial and insurance activities | CC | >1 | ThreatFabric, Android, BlackRock |
| 9 | 01/01/1970 | ? | Apple macOS users | Researchers from ESET reveal that Apple macOS users are targeted in a fresh campaign aiming to pilfer cryptocurrency from their wallets via the Gmera trojan. | Malware | V Fintech | CC | >1 | ESET, Apple macOS, Gmera, crypto |
| 10 | 01/01/1970 | ? | Targets across the US and Europe in the professional, healthcare, IT, manufacturing, logistics, and travel sector | Researchers from Cybereason discover a new backdoor, dubbed Bazar, linked to the threat actors behind Trickbot. | Malware | Y Multiple Industries | CC | >1 | Cybereason, Bazar, Trickbot |
| 11 | 01/01/1970 | ? | Multiple targets | Emotet, 2019's most active cybercrime operation and malware botnet, returns to life with new attacks. | Malicious Spam | Y Multiple Industries | CC | >1 | Emotet |
| 12 | 01/01/1970 | Netwalker | Lorien Health Services | Lorien Health Services announces that it was the victim of a ransomware incident in early June. Data was stolen and then encrypted during the incident. | Malware | Q Human health and social work activities | CC | US | Lorien Health Services, Netwalker, ransomware |
| 13 | 01/01/1970 | ? | Agricultural water pumps in upper Galilee | Local news outlets in Israel report that the agricultural water pumps in upper Galilee were hit by a cyber attack back in June. | Unknown | E Water supply, sewerage waste management, and remediation activities | CW | IL | Agricultural water pumps in upper Galilee |
| 14 | 01/01/1970 | ? | Water pumps in the province of Mateh Yehuda | Also the agricultural water pumps in upper Galilee were hit by a cyber attack back in June. | Unknown | E Water supply, sewerage waste management, and remediation activities | CW | IL | Water pumps in the province of Mateh Yehuda |
| 15 | 01/01/1970 | ? | Office 365 Users | Researchers from Abnormal Security discover two phishing campaigns using the bait of an Office 365 subscription renewal. | Account Hijacking | Y Multiple Industries | CC | >1 | Abnormal Security, Microsoft Office 365 |
| 16 | 01/01/1970 | REvil AKA Sodinokibi | Telecom Argentina | The REvil ransomware gang infects the internal network of Telecom Argentina and demands a $7.5 million ransom to unlock encrypted files. | Malware | J Information and communication | CC | AR | REvil, Sodinokibi, Telecom Argentina, ransomware |
| 17 | 01/01/1970 | ? | Multiple targets | A new phishing campaign uses a trio of enterprise cloud services: Microsoft Azure, Microsoft Dynamics, and IBM Cloud. | Account Hijacking | Y Multiple Industries | CC | >1 | Microsoft Azure, Microsoft Dynamics, IBM Cloud |
| 18 | 01/01/1970 | ? | GEDMatch | More than a million DNA profiles are available to search on GEDMatch after the genealogy portal is hacked. | Account Hijacking | S Other service activities | CC | US | GEDMatch |
| 19 | 01/01/1970 | ? | Multiple financial targets | After awakening last week and starting to send spam worldwide, Emotet is now once again installing the TrickBot trojan on infected Windows computers. | Malware | K Financial and insurance activities | CC | >1 | Emotet, TrickBot |
| 20 | 01/01/1970 | ? | UK Consumers | UK consumers are targeted by a new phishing scam falsely purporting to be from UK supermarket Tesco. | Account Hijacking | X Individual | CC | UK | Tesco |
| 21 | 01/01/1970 | ? | Single Individuals | Researchers from Area 1 Security discover an email phishing campaign impersonating the Bill & Melinda Gates Foundation with messages demanding Bitcoin being sent out. | Account Hijacking | X Individual | CC | >1 | Area 1 Security, Bill & Melinda Gates Foundation, Bitcoin |
| 22 | 01/01/1970 | ? | University of Utah Health | University of Utah Health notifies 10,000 patients after it suffered a phishing attack. | Account Hijacking | Q Human health and social work activities | CC | US | University of Utah Health |
| 23 | 01/01/1970 | ? | Multiple financial targets | Researchers tracking the Emotet botnet notice that, after the comeback, the malware is starting to push the QakBot banking trojan at an unusually high rate, replacing the longtime TrickBot payload. | Malware | K Financial and insurance activities | CC | >1 | Emotet, QakBot, TrickBot |
| 24 | 01/01/1970 | ? | DeepSource | DeepSource resets the user logins after an employee falls for the Sawfish phishing campaign. | Account Hijacking | M Professional scientific and technical activities | CC | US | DeepSource, Sawfish |
| 25 | 01/01/1970 | ? | Multiple targets | Researchers from Check Point discover a new phishing campaign using Google Cloud Services to steal Office 365 logins. | Account Hijacking | Y Multiple Industries | CC | >1 | Check Point, Google Cloud Services, Office 365 |
| 26 | 01/01/1970 | ? | MyHeritage | MyHeritage, a genealogy website based in Israel, announces that some of its users had been subjected to a phishing attack to obtain their log-in details for the site, apparently targeting email addresses obtained in the attack on GEDmatch just two days before. | Account Hijacking | S Other service activities | CC | IL | MyHeritage, GEDMatch |
| 27 | 01/01/1970 | ? | Multiple targets | The FBI sends out an alert warning about the discovery of new network protocols abused to launch large-scale distributed denial of service (DDoS) attacks. The list includes CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software. | DDoS | Y Multiple Industries | CC | US | FBI, DDoS, CoAP, Constrained Application Protocol, WS-DD, Web Services Dynamic Discovery, ARMS, Apple Remote Management Service, Jenkins |
| 28 | 01/01/1970 | Suspected Chinese APT | Political entities and individuals in India and Hong Kong. | Researchers from Malwarebytes discover an uptick in the spread of a new MgBot malware variant across India and Hong Kong by a suspected Chinese advanced persistent threat (APT) group. | Targeted Attack | O Public administration and defence, compulsory social security | CE | IN, HK | Malwarebytes, MgBot, India, Hong Kong, China |
| 29 | 01/01/1970 | ? | UFO VPN | UFO VPN database is destroyed by a 'meow' attack. | Misconfiguration | M Professional scientific and technical activities | CC | HK | UFO VPN, meow |
| 30 | 01/01/1970 | ? | Unsecured databases | Hundreds of unsecured databases exposed on the public web are the target of an automated 'meow' attack that destroys data without any explanation. | Misconfiguration | Y Multiple Industries | CC | >1 | meow |
| 31 | 01/01/1970 | ? | Twilio | Twilio discloses that its TaskRouter JS SDK was compromised by attackers after they gained access to one of its misconfigured Amazon AWS S3 buckets, which left the SDK's path publicly readable and writable for roughly five years, since 2015. | Cloud Misconfiguration | J Information and communication | CC | US | Twilio, TaskRouter JS SDK, Amazon, AWS, S3 |
| 32 | 01/01/1970 | ? | Multiple organizations | Researchers from Cisco Talos reveal the details of Prometei, a new cryptojacking botnet spreading across compromised networks via multiple methods including the EternalBlue exploit for Windows SMB. Its goal is to mine Monero (XMR) cryptocurrency. | | | | | |
| | | | | Researchers from Kaspersky reveal the details of MATA, a recently discovered malware framework used in attacks targeting corporate entities from multiple countries since April 2018 for ransomware deployment and data theft. | Malware | Y Multiple Industries | CC | >1 | Kaspersky, MATA, The Lazarus Group, HIDDEN COBRA |
| 34 | 01/01/1970 | OilRig APT | A telecom company in the Middle East | Researchers from Palo Alto Networks discover a series of cyberattacks on a telecom company in the Middle East signaling the return of the OilRig APT. The attacks also revealed a revised backdoor tool in the group’s arsenal, called RDAT. | Targeted Attack | J Information and communication | CE | N/A | Palo Alto Networks, OilRig APT |
| 35 | 01/01/1970 | ? | SUNY Erie Community College | About 50 computers at SUNY Erie Community College are disabled by a malware attack. | Malware | P Education | CC | US | SUNY Erie Community College |
| 36 | 01/01/1970 | REvil AKA Sodinokibi | Administrador de Infraestructuras Ferroviarias (ADIF) | Administrador de Infraestructuras Ferroviarias (ADIF), a Spanish state-owned railway infrastructure manager, is hit by REvil ransomware operators. | Malware | H Transportation and storage | CC | ES | REvil, Sodinokibi, Administrador de Infraestructuras Ferroviarias, ADIF |
| 37 | 01/01/1970 | ? | Sports organizations and teams, including Premier League football clubs | The UK National Cyber Security Centre (NCSC) highlights the increasing risks posed by ransomware attacks, phishing campaigns, and Business Email Compromise (BEC) fraud schemes targeting sports organizations and teams, including Premier League football clubs. | >1 | R Arts entertainment and recreation | CC | UK | UK National Cyber Security Centre, NCSC, Business Email Compromise, BEC, Premier League |
| 38 | 01/01/1970 | ? | 10 universities in the UK, US and Canada | At least 10 universities in the UK, US and Canada have had data stolen about students and/or alumni after hackers attacked Blackbaud, a cloud computing provider, with ransomware. | Malware | P Education | CC | >1 | University of York, Oxford Brookes University, Loughborough University, University of Leeds, University of London, University of Reading, University College Oxford, Ambrose University in Alberta, Canada Human Rights Watch, Young Minds, Rhode Island School of Design in the US, University of Exeter |
| 39 | 01/01/1970 | ? | CouchSurfing | CouchSurfing, an online service that lets users find free lodgings, investigates a security breach after hackers began selling the details of 17 million users on Telegram channels and hacking forums. | Unknown | I Accommodation and food service activities | CC | US | CouchSurfing |
| 40 | 01/01/1970 | China | US companies in the healthcare, chemical, and finance sectors | The Federal Bureau of Investigation issues an alert to inform organizations in the United States of the risk associated with the use of Chinese tax software. | Malware | Y Multiple Industries | CE | US | FBI, China, GoldenSpy |
| 41 | 01/01/1970 | ? | Critical infrastructure across the U.S | The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of cyber attacks targeting critical infrastructure across the U.S. | >1 | D Electricity gas steam and air conditioning supply | CC | US | National Security Agency, NSA, Cybersecurity and Infrastructure Security Agency, CISA |
| 42 | 01/01/1970 | ? | Instacart | Online shopping service Instacart says reused passwords are to blame for a recent spate of account breaches, which saw personal data belonging to hundreds of thousands of Instacart customers stolen and put up for sale on the dark web. | Password-spraying | I Accommodation and food service activities | CC | US | Instacart |
| 43 | 01/01/1970 | ? | ? | Researchers from White Ops expose Chartreuse Blur, a malicious cyber-operation involving 29 fraudulent photo-editing apps downloaded 3.5 million times. | Malware | Y Multiple Industries | CC | >1 | White Ops, Chartreuse Blur |
| 44 | 01/01/1970 | WastedLocker | Garmin | Garmin is hit by a WastedLocker ransomware attack. | Malware | C Manufacturing | CC | US | Garmin, WastedLocker, ransomware |
| 45 | 01/01/1970 | APT28 AKA Fancy Bear | US Government and Energy Targets | From December 2018 until at least May of this year, APT28 AKA Fancy Bear carried out a broad hacking campaign against US targets, according to an FBI notification sent to victims of the breaches in May. | Targeted Attack | Y Multiple Industries | CE | US | APT28, Fancy Bear, FBI, Multiple Entries |
| 46 | 01/01/1970 | ? | Multiple organizations | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) publishes a warning confirming the active exploitation of the unauthenticated remote code execution (RCE) CVE-2020-5902 vulnerability affecting F5 Big-IP ADC devices. | CVE-2020-5902 vulnerability | Y Multiple Industries | CC | >1 | Cybersecurity and Infrastructure Security Agency, CISA, RCE, CVE-2020-5902, F5, Big-IP |
| 47 | 01/01/1970 | ? | Multiple targets | Cisco fixes a high severity and actively exploited vulnerability affecting the web services interface of two of its firewall products (CVE-2020-3452). | CVE-2020-3452 Vulnerability | Y Multiple Industries | CC | >1 | Cisco, CVE-2020-3452 |
| 48 | 01/01/1970 | ? | Emotet botnet | Someone is poking fun at the Emotet botnet and disrupting its operations by hacking into the malware's distribution sites and replacing malicious payloads with memes and GIFs. | Account Hijacking | S Other service activities | H | N/A | Emotet |
| 49 | 01/01/1970 | ? | Aberystwyth University | Aberystwyth University is an additional university hit with ransomware after the Blackbaud hack. | Malware | P Education | CC | UK | Aberystwyth University, Blackbaud |
| 50 | 01/01/1970 | ? | Sheldon Independent School District | Sheldon Independent School District notifies current and former staff and students of an unauthorized access to its network that occurred on June 15, 2020. | Unknown | P Education | CC | US | Sheldon Independent School District |
| 51 | 01/01/1970 | RagnarLocker | Carlson Wagonlit Travel (CWT) | US corporate travel management firm Carlson Wagonlit Travel (CWT) suffers an intrusion and is believed to have paid a $4.5m ransom to get its data back. | | | | | |
| | | | | Beaumont Health, Michigan's largest healthcare provider, warns around 6,000 patients that their data may have been exposed following a phishing attack that occurred between January 3, 2020, and January 29, 2020. | Account Hijacking | Q Human health and social work activities | CC | US | Beaumont Health, Michigan |
| 53 | 01/01/1970 | ? | Waydev | Hackers use a blind SQL injection vulnerability to gain access to its database, from where they stole GitHub and GitLab OAuth tokens from other companies. | SQLi | M Professional scientific and technical activities | CC | US | GitHub, GitLab, OAuth, Waydev |
| 54 | 01/01/1970 | ? | Dave.com | Loan app Dave.com has 7.5 million records leaked, blaming the breach on the OAuth tokens stolen by the attackers from Waydev. | OAuth token hijacking | K Financial and insurance activities | CC | US | Dave.com, Waydev |
| 55 | 01/01/1970 | ? | Flood.io | Software testing service Flood.io suffers a breach blamed on the OAuth tokens stolen by the attackers from Waydev. | OAuth token hijacking | M Professional scientific and technical activities | CC | AU | Flood.io, Waydev |
| 56 | 01/01/1970 | ShinyHunters | Promo.com | Promo.com, an Israeli-based marketing video creation site, discloses a data breach after a database containing 22 million user records is leaked for free on a hacker forum. | Unknown | M Professional scientific and technical activities | CC | US | Promo.com, ShinyHunters |
| 57 | 01/01/1970 | ShinyHunters | Drizly | ShinyHunters leaks the database of Drizly, containing approximately 2.5 million records. | Unknown | I Accommodation and food service activities | CC | IT | ShinyHunters, Drizly |
| 58 | 01/01/1970 | Ensiko | Systems running PHP | Researchers from Trend Micro discover Ensiko, a new feature-rich malware that can encrypt files on any system running PHP, making it a high risk for Windows, macOS, and Linux web servers. | Malware | Y Multiple Industries | CC | >1 | Trend Micro, Ensiko, ransomware, PHP |
| 59 | 01/01/1970 | ? | Office 365 Users | Researchers from Abnormal Security discover a new campaign targeting Microsoft Office 365 users, and making use of bait messages camouflaged as automated SharePoint notifications to steal their accounts. | Account Hijacking | Y Multiple Industries | CC | >1 | Abnormal Security, Microsoft Office 365, SharePoint |
| 60 | 01/01/1970 | ? | Sheffield Hallam University | Sheffield Hallam University confirms that it is dealing with a data breach linked to the software provider Blackbaud. | Unknown | P Education | CC | UK | Sheffield Hallam University, Blackbaud |
| 61 | 01/01/1970 | ? | Users in the UK | Users in the UK are warned not to fall for yet another COVID-related lure after warnings of a new phishing campaign, this time promising the recipient a government-funded tax cut. | Account Hijacking | X Individual | CC | UK | COVID-19 |
| 62 | 01/01/1970 | Netwalker | U.S. and foreign government organizations | The FBI issues a security alert about Netwalker ransomware operators targeting U.S. and foreign government organizations. | Malware | O Public administration and defence, compulsory social security | CC | >1 | FBI, Netwalker, ransomware |
| 63 | 01/01/1970 | The Lazarus Group AKA HIDDEN COBRA | Multiple Enterprise Targets | Researchers from Kaspersky reveal that North Korean-backed hackers from the Lazarus Group have developed and are actively using VHD ransomware against enterprise targets. | Malware | Y Multiple Industries | CC | >1 | The Lazarus Group, Kaspersky, VHD, ransomware, HIDDEN COBRA |
| 64 | 01/01/1970 | ? | Misconfigured cloud-based docker instances | Researchers from Intezer Labs reveal the details of Doki, a malware part of the Ngrok Cryptominer Botnet targeting misconfigured cloud-based docker instances running on Linux. | Cloud Misconfiguration | Y Multiple Industries | CC | >1 | Intezer Labs, Doki, Ngrok, Crypto, Linux |
| 65 | 01/01/1970 | Nefilim | Dresdner Kühlanlagenbau GmbH (DKA) | The Nefilim ransomware operation begins to publish unencrypted files stolen from a Dussmann Group subsidiary, Dresdner Kühlanlagenbau GmbH (DKA), during a recent attack. | | | | | |
| | | | | Researchers from McAfee reveal the details of Operation North Star, a long-lasting spear-phishing campaign targeting U.S. defense and aerospace contractors between early April and mid-June 2020. | Targeted Attack | C Manufacturing | CE | US | McAfee, Operation North Star, Hidden Cobra |
| 70 | 01/01/1970 | Deceptikons | Law firms and fintech companies in Europe and the Middle East. | Researchers from Kaspersky discover a new hacker-for-hire mercenary group codenamed Deceptikons, active for almost a decade. | Targeted Attack | K Financial and insurance activities | CE | >1 | Kaspersky, Deceptikons, Multiple Entries |
| 71 | 01/01/1970 | ShinyHunters | Havenly | Havenly discloses a data breach that impacted 1.3 million users. | Unknown | G Wholesale and retail trade | CC | US | Havenly, ShinyHunters |
| 72 | 01/01/1970 | China? | Vatican and the Holy See’s Study Mission to China | Researchers from Recorded Future reveal that the Vatican’s computer networks have allegedly been infiltrated by Chinese hackers in the run up to sensitive talks between the Catholic Church and Beijing focusing on the religion’s status in China. | Targeted Attack | O Public administration and defence, compulsory social security | CE | VA | Recorded Future, Vatican and the Holy See’s Study Mission to China |
| 73 | 01/01/1970 | ? | European Bank for Reconstruction and Development (EBRD) Twitter account | The European Bank for Reconstruction and Development (EBRD) Twitter account is hijacked. | Account Hijacking | U Activities of extraterritorial organizations and bodies | CC | EU | European Bank for Reconstruction and Development, EBRD |
| 74 | 01/01/1970 | ? | Ledger | Crypto-wallet firm Ledger reveals a major security breach of its e-commerce and marketing database, resulting in the compromise of one million customer email addresses and the personal details of thousands after the vulnerability was exploited on June 25, 2020. | Undisclosed Vulnerability | V Fintech | CC | FR | Ledger |
| 75 | 01/01/1970 | ? | Athens ISD | Athens ISD pays a $50,000 ransom for school data that was taken in a ransomware attack. | Malware | P Education | CC | US | Athens ISD, ransomware |
| 76 | 01/01/1970 | ? | Las Cruces Middle School | Las Cruces Middle School suffers a Zoom bombing attack. | | | | | |
| | | | | Scentbird discloses the security breach after ShinyHunters leaks their database. | Unknown | G Wholesale and retail trade | CC | US | Scentbird, ShinyHunters |
| 79 | 01/01/1970 | ? | Multiple organizations | Researchers from Cofense discover an Office 365 phishing campaign abusing Google Ads to bypass secure email gateways, redirecting employees of targeted organizations to phishing landing pages and stealing their Microsoft credentials. | Account Hijacking | Y Multiple Industries | CC | >1 | Cofense, Office 365, Google Ads |
| 80 | 01/01/1970 | ? | High-impact targets with valuable financial information. | Researchers from Intezer Labs reveal that TrickBot's Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels. | Malware | Y Multiple Industries | CC | >1 | Intezer Labs, TrickBot, Anchor, Linux |
| 81 | 01/01/1970 | Russia? | Audiences in Lithuania, Latvia, and Poland | Researchers from FireEye discover Ghostwriter, a widespread long-lasting influence campaign using compromised websites to discredit NATO. | Vulnerable CMS | O Public administration and defence, compulsory social security | CW | >1 | FireEye, NATO, Ghostwriter, Russia |
| 82 | 01/01/1970 | ? | Zello | The push-to-talk app, Zello, discloses a data breach that revealed users' email addresses and hashed passwords after discovering unauthorized activity on their systems on July 8, 2020. | Unknown | J Information and communication | CC | US | Zello |
| 83 | 01/01/1970 | ? | Pivot Technology Solutions | Managed service provider Pivot Technology Solutions discloses that it was the victim of a failed ransomware attack that resulted in sensitive information being accessed by the hackers. The incident occurred last month. | Malware | M Professional scientific and technical activities | CC | CA | Pivot Technology Solutions, ransomware |
| 84 | 01/01/1970 | ? | Multiple government websites | In an ongoing blackhat SEO campaign, scammers use open redirects found on government websites to redirect visitors to pornography sites. | Malicious SEO redirection | X Individual | CC | US | SEO |
| 85 | 01/01/1970 | ? | 2gether | 2gether reveals a cyberattack in which roughly €1.2 million in cryptocurrency has been stolen from cryptocurrency investment accounts. | Unknown | V Fintech | CC | ES | 2gether |
| 86 | 01/01/1970 | ? | Elkins Rehabilitation & Care Center | Elkins Rehabilitation & Care Center notifies residents and employees of a phishing attack discovered in February 2019. | | | | | |