The second timeline of April is finally out! In this timeline I have collected 123 events, with an average rate of 8 events per day, a daily value slightly higher than the previous timeline (7.7 events per day). The average values are still pretty high, even though the peak of February seems to be flattening.
As in the previous timeline, ransomware is still the top threat, with nearly 32% of events (but, as I always point out, there could be many more, since too many organizations still do not fully disclose the reason for some unspecified "outages").
Another trend characterizing this period is the growing impact of vulnerabilities in attacks motivated by both cyber crime and cyber espionage. Even in this fortnight, the list of exploited technologies, whether on-prem hardware appliances or software platforms, is pretty long.
And the growing impact of vulnerabilities is fueling cyber espionage accordingly: the Lazarus Group, APT29, Tick, Ghostwriter, Naikon, UNC2630, UNC2717, and UNC2682 are a few examples of the threat actors that made the headlines in this timeline.
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
1
16/04/2021
-
-
Babuk
Phone House Spain
Phone House Spain is hit with a Babuk ransomware attack. The criminals demand a $6M ransom.
Malware
G Wholesale and retail trade
CC
ES
Phone House Spain, Babuk, ransomware
2
16/04/2021
3/9/2020
-
?
Planned Parenthood of Metropolitan Washington, D.C
Planned Parenthood of Metropolitan Washington, D.C., on Friday reveals it had a breach of patient information last fall.
Unknown
Q Human health and social work activities
CC
US
Planned Parenthood of Metropolitan Washington, D.C
3
16/04/2021
16/4/2021
16/4/2021
?
Sectors in public administration, telecommunications, energy and the IT in Slovakia
Multiple targets in Slovakia are hit with a ransomware attack.
Malware
Y Multiple Industries
CC
SK
Slovakia, ransomware
4
16/04/2021
-
-
?
Undisclosed OTP-generating company
A hacker appears to be selling sensitive data they claim to have stolen from an OTP-generating company.
Unknown
M Professional scientific and technical activities
CC
N/A
OTP
5
17/04/2021
-
17/4/2021
?
WhatsApp users
A WhatsApp malware dubbed WhatsApp Pink is able to automatically reply to victims’ Signal, Telegram, Viber, and Skype messages, spreading link to distribute the malware.
The cliniques of Fondation santé des étudiants de France are paralyzed by a cyber attack.
Malware
Z Unknown
CC
FR
Fondation santé des étudiants de France
7
18/04/2021
-
-
NitroRansomware
Multiple targets
A new ransomware called NitroRansomware demands a Discord Nitro gift code to decrypt files.
Malware
Y Multiple Industries
CC
>
Ransomware, NitroRansomware
8
18/04/2021
-
-
?
Domino's India
A threat actor claims to have hacked Domino's India, stealing 13TB worth of data.
Unknown
I Accommodation and food service activities
CC
IN
Domino's India
9
18/04/2021
11/4/2021
11/4/2021
?
Biblioteca Nacional
The Brazilian Biblioteca Nacional reveals to have been hit with a ransomware attack.
Malware
O Public administration and defence, compulsory social security
CC
BR
Biblioteca Nacional, ransomware
10
18/04/2021
16/4/2021
16/4/2021
?
Matthew Clark Bibendum (MCB)
Matthew Clark Bibendum (MCB), a distributor of alcoholic beverages and soft drinks in the UK and Ireland, says it’s working to restore IT systems following a cybersecurity incident.
Unknown
N Administrative and support service activities
CC
UK
Matthew Clark Bibendum, MCB
11
19/04/2021
From 31/01/2021
1/4/2021
?
Multiple targets
According to federal investigators, Codecov attackers deployed automation to use the collected customer credentials to tap into hundreds of client networks, thereby expanding the scope of this system breach beyond just Codecov's systems.
Malware
Y Multiple Industries
CE
>1
Codecov
12
19/04/2021
-
-
?
Single individuals
Researchers from ESET issue a warning about sites impersonating the Microsoft Store, Spotify, and FreePdfConvert, an online document converter that distribute malware to steal credit cards and passwords saved in web browsers.
Malware
Y Multiple Industries
CC
>1
ESET, Microsoft Store, Spotify, FreePdfConvert
13
19/04/2021
11/4/2021
-
?
?
Researchers from KELA reveal that the popular hacking forum OGUsers has been hacked for its fourth time in two years, with hackers now selling the site's database containing user records and private messages.
Unknown
S Other service activities
CC
N/A
OGUsers, KELA
14
19/04/2021
-
13/4/2019
Lazarus Group AKA Hidden Cobra
Targets in South Korea
Researchers from Malwarebytes reveal the details of a phishing campaign by the Lazarus Group abusing image files.
Targeted Attack
Y Multiple Industries
CE
KR
Lazarus Group, Hidden Cobra, Malwarebytes
15
19/04/2021
Since 2020
Since 2020
Tag Barnakle
Single individuals
Researchers from Confiant reveal that the Tag Barnakle malvertising operation is still active and continues to operate, compromising more than 120 ad servers over the past year.
Malvertising
X Individual
CC
>1
Confiant, Tag Barnakle
16
19/04/2021
-
-
?
WeChat users in China
Researchers from Qingteng Cloud Security reveal that a recent Chrome exploit is being used to target WeChat users in China.
Vulnerability
X Individual
CC
CN
Qingteng Cloud Security, Chrome, WeChat
17
19/04/2021
Since February 2021
During February 2021
?
Android users in Southwest Asia and the Arabian Peninsula
Researchers from McAfee discover a new wave of 700,000 fraudulent apps into the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula.
Malware
X Individual
CC
>1
McAfee, Google Play Store, Android
18
19/04/2021
-
7/4/2021
?
Douglas Elliman
Thousands of New York residents who live in buildings run by Douglas Elliman’s property management arm may have had their personal information compromised after the company’s IT network is breached.
Unknown
L Real estate activities
CC
US
Douglas Elliman
19
19/04/2021
-
-
?
Universidad de Castilla-La Mancha
Universidad de Castilla-La Mancha suffers a ransomware attack.
Malware
P Education
CC
ES
Universidad de Castilla-La Mancha, ransomware
20
19/04/2021
-
-
?
City of Kammeltal
The Bavarian city of Kammeltal is hit with a ransomware attack.
Malware
O Public administration and defence, compulsory social security
CC
DE
Kammeltal, ransomware
21
19/04/2021
-
-
?
Partit Nazzjonalista (Nationalist Party of Malta).
The Partit Nazzjonalista (Nationalist Party of Malta) is hit with an Avaddon ransomware attack.
Malware
S Other service activities
CC
MA
Partit Nazzjonalista, Nationalist Party of Malta, Avaddon, ransomware
22
20/04/2021
-
-
UNC2630 and UNC2717 (linked to China?)
US Defense Industrial base (DIB) networks
Pulse Secure shares mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure SSL VPN appliance actively exploited in attacks against worldwide organizations and focused on US Defense Industrial base (DIB) networks.
SonicWall urges customers to patch a set of three zero-day vulnerabilities affecting both its on-premises and hosted Email Security products. In at least one known case, these vulnerabilities have been observed to be exploited 'in the wild.
Ransomware group REvil claims in a blog post published to have stolen blueprints for Apple's latest products after the supplier Quanta is hacked.
Malware
C Manufacturing
CC
TW
Ransomware, REvil, Quanta Computer, Sodinokibi
25
20/04/2021
Since 2016
Since 2016
Tick, AKA Tonto Team and TA428
More than 200 Japanese companies and organizations
Japanese law enforcement believes a group of hackers linked to the Chinese military are behind a broad cyber-espionage campaign that has breached more than 200 Japanese companies.
Targeted Attack
Y Multiple Industries
CE
JP
Tick, Tonto Team, TA428
26
20/04/2021
-
-
?
Undisclosed target(s)
Google ships another urgent security patch for its Chrome browser and warns that attackers are exploiting one of the zero-days in active attacks (CVE-2021-21224).
CVE-2021-21224 Vulnerability
Y Multiple Industries
N/A
>1
Google, Chrome, CVE-2021-21224
27
20/04/2021
-
-
?
Android users
Google removes eight apps from the Google Play Store infected with a malware dubbed Android/Etinu and downloaded 700,000 times, after security researchers discover they steasl users’ text messages and make unauthorized purchases.
Malware
X Individual
CC
>1
Google, Google Play Store, Android/Etinu
28
20/04/2021
Since January 2021
-
?
Facebook Messenger users
Researchers from security firm Group-IB discover a large-scale scam campaign targeting Facebook Messenger users all over the world.
Account Takeover
X Individual
CC
>1
Group-IB, Facebook Messenger
29
20/04/2021
Since 2015
-
Multiple Hostile States
At least 10,000 UK nationals
The MI5 reveals that at least 10,000 UK nationals have been approached by fake profiles linked to hostile states, on the professional social network LinkedIn, over the past five years.
Account Takeover
O Public administration and defence, compulsory social security
CE
UK
MI5, LinkedIn
30
20/04/2021
15/4/2021
15/4/2021
?
Cegos Group
Cegos Group, a distance learning and training provider, is hit with a cyber attack.
Unknown
N Administrative and support service activities
CC
FR
Cegos Group
31
21/04/2021
-
-
Astro Team
Hoya Vision Care US
Hoya Vision Care US is hit with a ransomware attack. The attackers steal about 300 gigabytes of confidential corporate data.
Malware
C Manufacturing
CC
US
Hoya Vision Care US, Ransomware, Astro Team
32
21/04/2021
Since 19/04/2021
21/4/2021
Qlocker AKA eCh0raix
QNAP devices worldwide
A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.
Malware
Y Multiple Industries
CC
>1
QNAP, Qlocker, 7zip, eCh0raix
33
21/04/2021
Since March 2020
During February 2021
Fajan
Bloomberg customers
Researchers from Cisco Talos discover a new email-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg’s industry-based services.
Malware
X Individual
CC
>1
Cisco Talos, Fajan, Bloomberg
34
21/04/2021
-
-
?
Multiple targets
Security firm Trend Micro reveals that a threat actor is exploiting CVE-2020-24557 in its antivirus products to gain admin rights on Windows systems.
CVE-2020-24557 vulnerability
Y Multiple Industries
N/A
>1
Trend Micro, CVE-2020-24557
35
21/04/2021
-
-
Pareto
Compromised Android devices
Security researchers at Human Security discover Pareto, a massive botnet of Android devices being used to conduct fraud in the connected TV advertising ecosystem.
Malware
X Individual
CC
>1
Human Security, Pareto
36
21/04/2021
-
-
UAS
Multiple targets
The login names and passwords for 1.3 million current and historically compromised Windows Remote Desktop servers have been leaked by UAS, the largest hacker marketplace for stolen RDP credentials.
Misconfiguration
Y Multiple Industries
CC
>1
UAS, RDP
37
21/04/2021
-
-
Multiple attackers
Single individuals
The FBI warns that cyber criminals are using fake job listings to target applicants’ personally identifiable information.
Account Takeover
X Individual
CC
US
FBI
38
21/04/2021
During March 2021
During March 2021
?
Undisclosed target
Researchers from Cofense discover a phishing campaign that steals tax-filing information by posing as an IRS email related to the much needed stimulus check.
Account Takeover
Z Unknown
CC
US
Cofense, IRS
39
22/04/2021
During April 2021
During April 2021
Prometei
Multiple targets
Researchers from Cybereason reveal that unpatched Microsoft Exchange servers are being targeted by the Prometei botnet and added to its operators' army of Monero (XMR) cryptocurrency mining bots.
CVE-2021-27065 and CVE-2021-2685 vulnerabilities
Y Multiple Industries
CC
>1
Cybereason, Microsoft Exchange, Prometei, Monero, XMR, CVE-2021-27065, CVE-2021-2685
40
22/04/2021
During April 2021
During April 2021
?
Single individuals
An ongoing phishing campaign is impersonating Michael Page consultants to push Ursnif data-stealing malware capable of harvesting credentials and sensitive data from infected computers.
Malware
Y Multiple Industries
CC
>1
Michael Page, Ursnif
41
22/04/2021
Between 20/04/2021 and 22/04/2021
22/4/2021
?
Click Studios
Click Studios, the company behind the Passwordstate enterprise password manager, notifies customers that attackers compromised the app's update mechanism to deliver malware in a supply-chain attack after breaching its networks.
Malware
M Professional scientific and technical activities
CE
AU
Click Studios, Passwordstate
42
22/04/2021
-
-
Arid Viper
Government officials, student groups, and security forces
Researchers from Facebook reveal the details of Arid Viper, a group linked to the cyber arm of Hamas, running cyberespionage campaigns against government officials, student groups, and security forces.
Targeted Attack
X Individual
CE
PS
Facebook, Arid Viper, Hamas
43
22/04/2021
-
-
Palestinian Preventive Security Service (PSS)
Various groups, including people opposing the Fatah-led government, journalists, human rights activists, and military groups including the Syrian opposition and Iraqi military.
Resarchers from Facebook discover a new operation carried out by the PSS, using social engineering to coerce their targets into installing Android and Microsoft malware.
Researchers from Check Point reveal the details of ToxicEye, a RAT that abuses Telegram as part of command-and-control (C2) infrastructure.
Malware
Y Multiple Industries
CC
>1
Check Point, Toxic Eye
45
22/04/2021
20/4/2021
20/4/2021
?
Radixx
A malware attack on Radixx trigger a dayslong outage causing reservations systems to crash at about 20 low-cost airlines around the world.
Malware
M Professional scientific and technical activities
CC
US
Radixx
46
22/04/2021
Between 16/02/2021 and 22/02/201
21/02.2021
?
Gyrodata
Oilfield services company Gyrodata admits it suffered a ransomware attack which may have led to the compromise of data belonging to current and former employees.
Malware
M Professional scientific and technical activities
CC
US
Gyrodata, ransomware
47
22/04/2021
From at least March 2020 to February 2021
During December 2020
Undisclosed APT
US Entities
The U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) raises an alarm for a new campaign in which both a Pulse Secure VPN appliance and the SolarWinds Orion platform were abused for malicious purposes.
A cyberattack targets the Santa Clara Valley Transportation Authority and forces a days-long shutdown of many of the agency’s computer systems.
Unknown
H Transportation and storage
CC
US
Santa Clara Valley Transportation Authority
49
22/04/2021
22/4/2021
22/4/2021
?
Canac
The Quebec hardware store Canac is the target of a cyber attack, causing computer failures for nearly two weeks.
Unknown
G Wholesale and retail trade
CC
CA
Canac
50
23/04/2021
-
-
?
Android users
Multiple agencies including UK's National Cyber Security Centre (NCSC) and the Germany’s Federal Office for Information Security (BSI) issue a security guidance about the FluBot malware.
Malware
X Individual
CC
>1
UK's National Cyber Security Centre, NCSC, FluBot, Android, Germany’s Federal Office for Information Security, BSI
51
23/04/2021
-
-
?
Single individuals
Researchers from Kaspersky discover a phishing campaign exploiting the Oscar-nominated movies to steal the victim's credentials.
Account Takeover
X Individual
CC
>1
Kaspersky, Oscar
52
23/04/2021
-
-
?
Municipality of Jijona/Xixona
The municipality of Jijona/Xixona in Spain issues a notice about a cyberattack, but there are not many details.
Malware
O Public administration and defence, compulsory social security
CC
ES
Municipality of Jijona/Xixona
53
23/04/2021
23/4/2021
23/4/2021
?
Madsack Media Group
A suspected ransomware attack hits the publishing company Madsack Media Group.
Malware
J Information and communication
CC
DE
Madsack Media Group, ransomware
54
23/04/2021
16/4/2021
16/4/2021
?
Nieuwegein
Nieuwegein, a managed service provider, is hacked and 96 notary offices are impacted.
Unknown
M Professional scientific and technical activities
CC
NL
Nieuwegein
55
24/04/2021
-
-
?
Linux servers
Researchers from Trend Micro discover a new Linux botnet employing multiple emerging techniques among cyber-criminals, including the use of Tor proxies, the abuse of legitimate DevOps tools, and the removal or deactivation of competing malware.
Malware
Y Multiple Industries
CC
>1
Trend Micro, Linux, DevOps
56
24/04/2021
23/4/2021
23/4/2021
?
Nordlo
Nordlo, a provider of digitalization and managed IT services in Norway and Sweden, is hit with a ransomware attack.
Malware
M Professional scientific and technical activities
CC
NO
Nordlo
57
24/04/2021
24/4/2021
24/4/2021
?
Laurent-Perrier
The French champagne group Laurent-Perrier suffers a cyber attack.
Unknown
I Accommodation and food service activities
CC
FR
Laurent-Perrier
58
25/04/2021
-
25/4/2021
ShinyHunters
BigBasket
ShinyHunters leaks approximately 20 million BigBasket user records containing personal information and hashed passwords on a popular hacking forum.
Malicious Spam
Q Human health and social work activities
CC
US
MacKenzie Bezos-Scott Foundation, Ironscale
59
25/04/2021
-
-
?
Multiple targets
Threat actors are exploiting two vulnerabilities in Soliton's file-sharing FileZen appliance to breach corporate and government systems and steal sensitive data as part of a global hacking campaign that has already hit a major target in the Japanese Prime Minister’s Cabinet Office.
CVE-2020-5639 and CVE-2021-20655 vulnerabilities
Y Multiple Industries
CE
JP
Soliton, FileZen, Japanese Prime Minister’s Cabinet Office, CVE-2020-5639, CVE-2021-20655
60
25/04/2021
-
-
Avaddon
Unione di Comuni Colli del Monferrato
The Avaddon ransomware group publishes screenshots of some data stolen during the cyber attack on the Unione di Comuni Colli del Monferrato
Malware
O Public administration and defence, compulsory social security
CC
IT
Avaddon, ransomware, Unione di Comuni Colli del Monferrato
61
25/04/2021
-
-
?
Some Spanish agencies
A number of Spanish agencies are hit in what appears to be a synchronized attack involving malware
Malware
O Public administration and defence, compulsory social security
CC
ES
Spain
62
26/04/2021
During April 2021
During April 2021
SVR aka APT29, the Duke, Cozy Bear
US and foreign organizations
The FBI, the US Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) warn today of continued attacks coordinated by the Russian Foreign Intelligence Service (SVR aka APT29) against US and foreign organizations.
Targeted Attack
Y Multiple Industries
CE
>1
SVR, APT29, FBI, US Department of Homeland Security, DHS, Cybersecurity and Infrastructure Security Agency, CISA, Duke, Cozy Bear
63
26/04/2021
-
-
Babuk
Metropolitan Police Department of the District of Columbia
The Metropolitan Police Department of the District of Columbia confirms that they suffered a cyberattack after the Babuk ransomware gang leaked screenshots of stolen data.
Malware
O Public administration and defence, compulsory social security
CC
US
Metropolitan Police Department of the District of Columbia, Babuk, ransomware
64
26/04/2021
Since 2019
-
Naikon
Military organizations from Southeast Asia
Researchers from Bitdefender discover a new campaign by the Chinese speaking threat actor Naikon targeting military organizations from Southeast Asia using the RainyDay and Nebulae backdoors.
Targeted Attack
O Public administration and defence, compulsory social security
CE
>1
Bitdefender, Naikon, Nebulae, RainyDay
65
26/04/2021
26/4/2021
26/4/2021
?
Single individuals
Cybercriminals target Rogers customers with a new SMS phishing campaign pretending to be refunds for last week's Canada-wide wireless outage.
Account Takeover
X Individual
CC
CA
Rogers
66
26/04/2021
26/4/2021
26/4/2021
?
Guilderland Central School District
The Guilderland Central School District is hit with a ransomware attack.
Malware
P Education
CC
US
Guilderland Central School District, ransomware
67
26/04/2021
-
-
?
Elekta
Several US hospitals are thought to have been affected after a security breach at Elekta, a specialist provider of equipment for cancer treatments last week.
Unknown
M Professional scientific and technical activities
CC
SE
Elekta
68
26/04/2021
Earlier in April 2021
Earlier in April 2021
Babuk
Zambon
Zambon, an Italian pharmaceutical company is hit with a Babuk ransomware attack.
Malware
M Professional scientific and technical activities
CC
IT
Zambon, Babuk, ransomware
69
26/04/2021
26/4/2021
26/4/2021
?
Centennial School District
Centennial School District is hit with a ransomware attack.
Malware
P Education
CC
US
Centennial School District, ransomware
70
26/04/2021
25/4/2021
25/4/2021
?
Nissan Securities
Nissan Securities issues a statement disclosing that it experienced unauthorized access.
Unknown
K Financial and insurance activities
CC
JP
Nissan Securities
71
26/04/2021
-
-
REvil AKA Sodinokibi
Mipharm SPA
Mipharm SPA is hit by a REvil ransomware attack.
Malware
M Professional scientific and technical activities
CC
IT
Mipharm SPA, ransomware, Sodinokibi, Revil
72
26/04/2021
-
-
Avaddon
Mspharma
Mspharma joins the list of the Avaddon ransomware victims.
Malware
M Professional scientific and technical activities
CC
JO
Mspharma, Avaddon, ransomware
73
26/04/2021
-
-
?
Tegut
The supermarket chain Tegut suffers a cyberattack.
Unknown
G Wholesale and retail trade
CC
DE
Tegut
74
26/04/2021
18/2/2021
18/2/2021
?
Sapphire Community Health
Sapphire Community Health notifies 4,000 patients about a ransomware attack.
Malware
Q Human health and social work activities
CC
UK
Sapphire Community Health, ransomware
75
26/04/2021
-
22/4/2021
Pompompurin
Unknown company
A hacker going by the online handle of Pompompurin leaked a database containing personal and sensitive household data of over 250 million (250,807,711) American citizens and residents.
Unknown
Z Unknown
CC
US
Pompompurin
76
26/04/2021
1/4/2021
1/4/2021
?
Office of the Public Defender
The Office of the Public Defender in southwestern Florida says malware attackers may have compromised the personally identifiable information of its staff and clients.
Malware
O Public administration and defence, compulsory social security
CC
US
Office of the Public Defender
77
27/04/2021
25/4/2021
25/4/2021
?
UnitingCare Queensland
UnitingCare Queensland confirms it has fallen victim to a ransomware cyber incident, rendering some of its systems inaccessible.
Malware
Q Human health and social work activities
CC
AU
UnitingCare Queensland, ransomware
78
27/04/2021
-
-
?
Chase Bank customers
Researchers from Armorblox discover two phishing campaigns targeting Chase Bank customers.
Account Takeover
K Financial and insurance activities
CC
US
Armorblox, Chase Bank
79
27/04/2021
27/4/2021
27/4/2021
DarkSide
Banca di Credito Coperativo (BCC)
Banca di Credito Coperativo (BCC) is hit with a DarkSide ransomware attack.
Malware
K Financial and insurance activities
CC
IT
Banca di Credito Coperativo, BCC, DarkSide, ransomware
80
27/04/2021
-
-
?
Undisclosed target
Researchers at Cofense discover a phishing campaign targeting Office 365 users and including a convincing SharePoint document claiming to require an email signature…urgently.
Account Takeover
Z Unknown
CC
N/A
Cofense, Office 365, SharePoint
81
27/04/2021
24/4/2021
24/4/2021
?
City of Bourg-Saint-Maurice
The city of Bourg-Saint-Maurice is hit with a ransomware attack.
Malware
O Public administration and defence, compulsory social security
CC
FR
Bourg-Saint-Maurice, ransomware
82
27/04/2021
12/4/2021
12/4/2021
?
Fiji Government
A cyber attack disrupts some of the Fiji Government’s online services and networks.
Unknown
O Public administration and defence, compulsory social security
CC
FJ
Fiji
83
27/04/2021
During February 2021
During February 2021
?
Undisclosed target
Researchers from Cofense discover a phishing campaign that targets Office 365 users and includes a convincing SharePoint document claiming to require an urgent email signature.
Account Takeover
Z Unknown
CC
US
Cofense, SharePoint
84
28/04/2021
Between 09/04/2021 and 22/04/2021
-
?
DigitalOcean
DigitalOcean emails customers warning of a data breach involving customers’ billing data.
Misconfiguration
M Professional scientific and technical activities
CC
US
DigitalOcean
85
28/04/2021
-
-
Lockbit
Merseyrail
UK rail network Merseyrail confirms a cyberattack after the Lockbit ransomware gang use their email system to email employees and journalists about the attack.
Malware
H Transportation and storage
CC
UK
Merseyrail, ransomware, Lockbit
86
28/04/2021
End of April 2021
28/4/2021
?
Single individuals
Click Studios, the software company behind the Passwordstate enterprise password manager, is warning customers of ongoing phishing attacks targeting them with updated Moserpass malware.
Malware
X Individual
CC
>1
Click Studios, Passwordstate
87
28/04/2021
Since 2019
25/3/2021
RotaJakiro
Linux servers
Researchers from Qihoo 360 discover a new backdoor called RotaJakiro targeting Linux servers and undetected for years.
Malware
Y Multiple Industries
CC
>1
Qihoo 360, RotaJakiro
88
28/04/2021
28/4/2021
28/4/2021
?
Resort Municipality of Whistler (RMOW)
The Resort Municipality of Whistler (RMOW) suffers a ransomware attack and has 800Gb leaked.
Malware
R Arts entertainment and recreation
CC
CA
Resort Municipality of Whistler, RMOW
89
28/04/2021
28/4/2021
28/4/2021
REvil AKA Sodinokibi
Tribunal de Justiça do Estado do Rio Grande do Sul
Brazil's Tribunal de Justiça do Estado do Rio Grande do Sul is hit with a REvil ransomware attack that forces the courts to shut down their network.
Malware
O Public administration and defence, compulsory social security
CC
BR
Tribunal de Justiça do Estado do Rio Grande do Sul, REvil, Sodinokibi, ransomware
90
28/04/2021
Earlier in April 2021
Earlier in April 2021
?
First Horizon Corporation
Bank holding company First Horizon Corporation discloses that some of its customers had their online banking accounts breached by unknown attackers earlier this month.
Unknown
K Financial and insurance activities
CC
US
First Horizon Corporation
91
28/04/2021
-
-
?
MacOS users
Apple issues some security fixes resolving issues including CVE-2021-30657, an actively exploited zero-day flaw and a separate Gatekeeper bypass vulnerability.
CVE-2021-30657 Vulnerability
X Individual
N/A
>1
Apple, CVE-2021–30657, Gatekeeper, macOS
92
28/04/2021
Since early 2021
Since early 2021
Hello AKA WickrMe
SharePoint servers
Microsoft SharePoint servers join the list of network devices abused as an entry vector into corporate networks by ransomware gangs.
CVE-2019-0604 Vulnerability
Y Multiple Industries
CC
>1
Microsoft SharePoint, CVE-2019-0604, ransomware, Hello, WickrMe
93
28/04/2021
Between October 2020 and January 2021
-
Ghostwriter
Audiences in Lithuania, Latvia, and Polan
Researchers from FireEye identified five new Ghostwriter operations conducted in both Polish and English, relying on compromised websites, spoofed emails, fake personas, and NATO-themed content.
Fake Social Networks Accounts
Y Multiple Industries
CW
>1
FireEye, Ghostwriter, NATO
94
28/04/2021
-
-
?
Multiple targets
Researchers from Inky discover a new phishing campaign able to evade detection by spoofing the Microsoft logo via an HTML table.
Account Takeover
Y Multiple Industries
CC
>1
Inky, Microsoft
95
28/04/2021
24/4/2021
24/4/2021
?
DLSY
DLSY, a Turkish joint venture responsible for the 1915 Çanakkale bridge is hit with a ransomware attack. Data of 20,000 individuals is involved.
Malware
M Professional scientific and technical activities
CC
TR
DLSY, ransomware
96
28/04/2021
21/4/2021
21/4/2021
?
Centre François Baclesse
The Centre François Baclesse cuts its internet connection to prevent the spread of a computer worm.
Malware
Q Human health and social work activities
CC
FR
Centre François Baclesse
97
28/04/2021
25/4/2021
25/4/2021
?
Invicta Group
Invicta Group, a French company specializing in wood heating is down after a cyber attack.
Unknown
S Other service activities
CC
FR
Invicta Group
98
28/04/2021
15/2/2021
15/2/2021
Avaddon
Capital Medical Center
Capital Medical Center is hit with an Avaddon ransomware attack.
Malware
Q Human health and social work activities
CC
US
Capital Medical Center, Avaddon, ransomware
99
28/04/2021
During December 2020
-
?
U.S. Agency for Global Media (USAGM)
The U.S. Agency for Global Media (USAGM) discloses that they suffered a data breach after falling for a phishing attack in December 2020.
Account Takeover
O Public administration and defence, compulsory social security
CC
US
U.S. Agency for Global Media, USAGM
100
28/04/2021
-
-
?
Employees of U.S. municipalities
KnowBe4 discovers a phishing campaign targeting employees of U.S. municipalities impersonating a legitimate pension found.
Account Takeover
X Individual
CC
US
KnowBe4
101
29/04/2021
-
-
Agelocker
QNAP devices worldwide
QNAP customers are urged to secure their Network Attached Storage (NAS) devices to defend against Agelocker ransomware attacks targeting their data.
Malware
Y Multiple Industries
CC
>1
QNAP, Agelocker, ransomware
102
29/04/2021
Earlier in April 2021
Earlier in April 2021
UNC2447
North American and European targets
UNC2447, a financially motivated threat actor exploited a zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy a new ransomware known as FiveHands on the networks of North American and European targets.
Malware
Y Multiple Industries
CC
>1
UNC2447, SonicWall SMA 100, VPN, FiveHands, ransomware,
103
29/04/2021
-
-
WeSupply
Fintech users
Researchers from Palo Alto Networks reveal the details of WeSteal, a commodity Cryptocurrency stealer
Malware
V Fintech
CC
>1
Palo Alto Networks, WeSteal, WeSupply
104
29/04/2021
10/4/2021
10/4/2021
DoppelPaymer
illinois Office of the Attorney General
The operators of the DoppelPaymer ransomware leak a large collection of files from the Illinois Office of the Attorney General.
Malware
O Public administration and defence, compulsory social security
CC
US
DoppelPaymer, ransomware, Illinois Office of the Attorney General
105
29/04/2021
Since April 2021
Since April 2021
DarkPath
Single individuals
Security researchers from the United Nations and security firm Group-IB take down 134 websites operated by a cybercrime group known as DarkPath since April 2021.
Account Takeover
Y Multiple Industries
CC
>1
United Nations, Group-IB, DarkPath, April 2021
106
29/04/2021
Earlier in the same week of April
Earlier in the same week of April
?
Colchester Institute
The Colchester Institute suffers a suspected ransomware attack.
Malware
P Education
CC
UK
Colchester Institute, ransomware
107
29/04/2021
18/4/2021
18/4/2021
Avaddon
Presque Isle Police Department
The Presque Isle Police Department suffers an Avaddon ransomware attack.
Malware
O Public administration and defence, compulsory social security
St. John’s Well Child and Family Center discloses a data security incident.
Unknown
Q Human health and social work activities
CC
US
St. John’s Well Child and Family Center
110
29/04/2021
From May 2020 to January 2021
During April 2020
?
Easy Ordering
Gemini Advisory reveals to have identified a malicious payload that infected Easy Ordering’s sites.
Malicious Script Injection
I Accommodation and food service activities
CC
CN
Gemini Advisory, Easy Ordering
111
29/04/2021
From April 2020 to December 2020
-
?
MenuSifu
Gemini Advisory reveals that it has identified a malicious payload that infected MenuSifu's sites.
Malicious Script Injection
I Accommodation and food service activities
CC
US
Gemini Advisory, MenuSifu
112
29/04/2021
From March 2020 to February 2021
-
?
E-Dining Express
Gemini Advisory reveals that it has identified a malicious payload that infected E-Dining Express's sites.
Malicious Script Injection
I Accommodation and food service activities
CC
US
Gemini Advisory, E-Dining Express
113
29/04/2021
From March 2020 to March 2021
-
?
Food Dudes Delivery
Gemini Advisory reveals that it has identified a malicious payload that infected Food Dudes Delivery.
Malicious Script Injection
I Accommodation and food service activities
CC
US
Gemini Advisory, Food Dudes Delivery
114
29/04/2021
From August 2019 to December 2020
-
?
Grabull
Gemini Advisory reveals that it has identified a malicious payload that infected Grabull.
Malicious Script Injection
I Accommodation and food service activities
CC
US
Gemini Advisory, Grabull
115
30/04/2021
-
-
?
At least five US federal agencies
The US Cybersecurity and Infrastructure Security Agency says that at least five US federal agencies may have experienced cyberattacks exploiting the recently disclosed CVE-2021-22893 vulnerability in Pulse Secure VPN appliances.
CVE-2021-22893 Vulnerability
O Public administration and defence, compulsory social security
CE
>1
US Cybersecurity and Infrastructure Security Agency, CVE-2021-22893, Pulse Secure VPN
116
30/04/2021
-
-
Tick, AKA Tonto Team and TA428
Rubin Design Bureau
Researchers from Cybereason reveal that hackers suspected of working for the Chinese government have used a new malware called PortDoor to infiltrate the systems of Rubin Design Bureau, an engineering company that designs submarines for the Russian Navy.
The City of Toronto joins the list of the victims of the Accellion Breach.
Vulnerability
O Public administration and defence, compulsory social security
CC
CA
Toronto, Accellion, Clop
118
30/04/2021
29/4/2021
29/4/2021
?
Virgin Active South Africa
Virgin Active South Africa reveals that it has been hit with a cyber attack and goes offline.
Unknown
R Arts entertainment and recreation
CC
ZA
Virgin Active South Africa
119
30/04/2021
29/4/2021
29/4/2021
?
Hotbit
Cryptocurrency trading platform Hotbit shuts down all services for at least a week after a cyberattack takes down several of its services.
Unknown
V Fintech
CC
EE
Hotbit
120
30/04/2021
27/4/2021
27/4/2021
?
Swiss Cloud Computing AG
Swiss Cloud Computing AG suffers a ransomware attack. The data of 6,500 customers is impacted.
Malware
M Professional scientific and technical activities
CC
CH
Swiss Cloud Computing AG
121
30/04/2021
29/4/2021
29/4/2021
?
Colis Privé
Colis Privé is the victim of a cyber attack.
Unknown
N Administrative and support service activities
CC
FR
Colis Privé
122
30/04/2021
30/4/2021
30/4/2021
?
Technische Universität Berlin (TU)
Technische Universität Berlin announces that it has become the victim of what sounds like a ransomware attack.
Malware
P Education
CC
DE
Technische Universität Berlin, TU
123
30/04/2021
From 30/07/2020 to 03/08/2020
2/3/2021
?
Achievement Center of LECOM Health
The Achievement Center of LECOM Health discloses a phishing attack that occurred from July 30, 2020 to August 3, 2020.
Account Takeover
Q Human health and social work activities
CC
US
Achievement Center of LECOM Health
124
30/04/2021
Earlier in February 2021
-
?
Thrifty Drug Stores
Thrifty Drug Stores notifies customers about a security breach, after certain files on its system were accessed without authorization in February.
Unknown
G Wholesale and retail trade
CC
US
Thrifty Drug Stores
Enjoy the interactive timeline, and thanks for sharing it and supporting my work in spreading risk awareness across the community. Also, don't forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
BREACHOMETER
The “Breachometer” compares the current number of events/day with the max and min values recorded in the previous 12 months.
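The timeline above is published as one field per line (ID, dates, author, target, description, attack, target class, attack class, country, tags), and the events/day figure the Breachometer compares is derived from it. The following is an added example, not the author's code or tooling, that parses that flat layout into typed records, keeps non-numeric dates ("-", "Since April 2021", "From ... to ...") as unknown instead of guessing, refuses input where a record has been cut off (as happens in places above, where an entry ends after its description), and recomputes events per day and the ransomware share. The two records in SAMPLE are constructed from entries in this timeline; the empty Link column is dropped.

```python
"""Parse Hackmageddon-style flat timeline records and recompute the two
figures the post reports: events per day and the share of ransomware.
Added example, not the author's code. Field order follows the table
header (Link column dropped because it is empty in the flat text)."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

FIELDS = ["id", "reported", "occurred", "discovered", "author", "target",
          "description", "attack", "target_class", "attack_class",
          "country", "tags"]

# Constructed sample: two records copied into the page's one-field-per-line layout.
SAMPLE = """\
120
30/04/2021
27/4/2021
27/4/2021
?
Swiss Cloud Computing AG
Swiss Cloud Computing AG suffers a ransomware attack. The data of 6,500 customers is impacted.
Malware
M Professional scientific and technical activities
CC
CH
Swiss Cloud Computing AG
123
30/04/2021
From 30/07/2020 to 03/08/2020
2/3/2021
?
Achievement Center of LECOM Health
The Achievement Center of LECOM Health discloses a phishing attack that occurred from July 30, 2020 to August 3, 2020.
Account Takeover
Q Human health and social work activities
CC
US
Achievement Center of LECOM Health
"""


@dataclass
class Event:
    id: int
    reported: date
    occurred: Optional[date]    # None when the page gives "-", a range or free text
    discovered: Optional[date]
    author: str
    target: str
    description: str
    attack: str
    target_class: str
    attack_class: str           # CC = cyber crime, CE = cyber espionage, ...
    country: str
    tags: list[str]


def parse_date(text: str) -> Optional[date]:
    """Accept the numeric form used on the page (d/m/yyyy, leading zeros optional);
    "-", "Since April 2021", "From ... to ..." and similar are kept as unknown."""
    try:
        return datetime.strptime(text.strip(), "%d/%m/%Y").date()
    except ValueError:
        return None


def parse_records(flat: str) -> list[Event]:
    """Split the flat text into fixed-length record blocks. A line count that is
    not a multiple of the field count means a record was cut off; that is an
    error, because silently continuing would shift every later record's fields."""
    lines = flat.splitlines()
    n = len(FIELDS)
    if len(lines) % n:
        raise ValueError(f"{len(lines)} lines is not a multiple of {n}: truncated record")
    events = []
    for i in range(0, len(lines), n):
        row = dict(zip(FIELDS, lines[i:i + n]))
        reported = parse_date(row["reported"])
        if reported is None:   # the report date is the one field that must parse
            raise ValueError(f"record {row['id']}: unparsable report date {row['reported']!r}")
        events.append(Event(
            id=int(row["id"]),
            reported=reported,
            occurred=parse_date(row["occurred"]),
            discovered=parse_date(row["discovered"]),
            author=row["author"], target=row["target"],
            description=row["description"], attack=row["attack"],
            target_class=row["target_class"], attack_class=row["attack_class"],
            country=row["country"],
            # tolerate a trailing comma in the tag list, as some rows have
            tags=[t.strip() for t in row["tags"].split(",") if t.strip()],
        ))
    return events


def events_per_day(events: list[Event], first: date, last: date) -> float:
    """Events divided by the inclusive length of the timeline window."""
    return len(events) / ((last - first).days + 1)


def ransomware_share(events: list[Event]) -> float:
    """Fraction of events tagged or described as ransomware; unspecified
    'outages' or 'cyber attacks' are not counted."""
    hits = sum("ransomware" in e.tags or "ransomware" in e.description.lower()
               for e in events)
    return hits / len(events)


if __name__ == "__main__":
    evs = parse_records(SAMPLE)
    print(len(evs), "events;", f"{ransomware_share(evs):.0%} ransomware")
```

Run it on the full flat text of a timeline to get the same events/day value the Breachometer uses; if it raises on a truncated record, fix the input rather than relaxing the check, since a mis-aligned row would attribute one event's country and attack class to the next.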