The second cyber attacks timeline of November 2021 is finally out (you can find the first one here or in the link below). In the second half of this month I have collected 96 events, with a daily average slightly decreasing to 6.4 events/day from 6.9 events/day. Ransomware continues to dominate the threat landscape, with a percentage of events directly or indirectly characterized by it similar to the previous timeline (22%).
The impact of vulnerabilities is also similar to the previous timeline (10.4% vs 12%), and once again threat actors continue to exploit the ProxyShell and Zoho’s ManageEngine ADSelfService Plus vulnerabilities.
The season of the mega breaches continues, and multiple organizations suffered multi-million-record breaches (browse the timeline for details). The good news is that, at least in this timeline, I did not record any mega hack of a fintech platform (but I have the feeling that this will change in the next timeline).
Threat actors motivated by cyber espionage were quite active in November, characterizing a record 22% of events in this timeline. The list is really too crowded in this timeline, so I encourage you to browse it and discover the old acquaintances and the newcomers that characterized this period.
Enjoy the interactive timeline, and thanks for sharing it and supporting my work in spreading risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|---|---|
| | | | | | | Researchers from the Microsoft Threat Intelligence Center (MSTIC) reveal the details of multiple ransomware campaigns carried out by the Iranian threat actor PHOSPHORUS. | Malware | Multiple Industries | CC | >1 | Microsoft Threat Intelligence Center, MSTIC, PHOSPHORUS, ransomware, Iran |
| 2 | 16/11/2021 | Since 2021 | - | CURIUM | Multiple organizations | CURIUM is another Iranian threat actor exposed by the Microsoft Threat Intelligence Center (MSTIC), using a network of fictitious social media accounts. | Targeted Attack | Multiple Industries | CE | >1 | CURIUM, Iran, Microsoft Threat Intelligence Center, MSTIC |
| 3 | 16/11/2021 | Since at least May 2021 | - | Multiple threat actors | Multiple organizations | The Federal Bureau of Investigation (FBI) warns of an advanced persistent threat (APT) compromising FatPipe router clustering and load balancer products to breach targets' networks. | Targeted Attack | Multiple Industries | CE | >1 | Federal Bureau of Investigation, FBI, APT, FatPipe |
| 4 | 16/11/2021 | 02/10/2021 and 01/11/2021 | - | ? | 125 TikTok influencers | Researchers from Abnormal Security discover a new phishing campaign targeting the TikTok accounts of influencers, brand consultants, production studios, and influencers' managers. | Account Takeover | Individual | CC | >1 | Abnormal Security, TikTok |
| 5 | 16/11/2021 | Between April and August 2021 | During August 2021 | SideCopy | People connected to the previous Afghan government, military, and law enforcement in Kabul | Facebook takes down a network of fake profiles orchestrated by the Pakistani group SideCopy, aimed at tricking people connected to the previous Afghan government into downloading malware. | Fake Social Accounts | Individual | CE | AF | SideCopy, Pakistan, Afghanistan, Facebook |
| 6 | 16/11/2021 | - | During October 2021 | Syrian Electronic Army AKA APT-C-27 | Human rights activists, journalists and other groups opposing the Syrian regime | Facebook takes down a network of fake profiles orchestrated by the Syrian Electronic Army, aimed at tricking opponents of the Syrian government into downloading malware. | Fake Social Accounts | Individual | CE | SY | Syrian Electronic Army, APT-C-27, Facebook |
| 7 | 16/11/2021 | - | During October 2021 | APT-C-37 | People linked to the Free Syrian Army and former military personnel | Facebook takes down a network of fake profiles orchestrated by APT-C-37, aimed at tricking opponents of the Syrian government into downloading malware. | Fake Social Accounts | Individual | CE | SY | APT-C-37, Facebook |
| 8 | 16/11/2021 | - | During October 2021 | Unknown group related to Syria | Minority groups, activists, opposition in Southern Syria | Facebook takes down a network of fake profiles aimed at tricking opponents of the Syrian government into downloading malware. | Fake Social Accounts | Individual | CE | SY | Syria, Facebook |
| 9 | 16/11/2021 | Between December 2020 and March 2021 | 24/6/2021 | ? | Sea Mar Community Health Centers | Sea Mar Community Health Centers notifies 688,000 individuals that their personal health information was compromised in a hack. | Unknown | Human health and social work | CC | US | Sea Mar Community Health Centers |
| 10 | 16/11/2021 | 13/11/2021 | 13/11/2021 | ? | Frontier Software | Frontier Software is hit with a ransomware attack. | Malware | Professional, scientific and technical | CC | AU | Frontier Software, ransomware |
| 11 | 17/11/2021 | Since at least March 2021 | - | Iranian government-sponsored APT actors | Multiple organizations | US (CISA and FBI), UK (NCSC), and Australian (ACSC) cybersecurity agencies warn of the ongoing exploitation of the Microsoft Exchange ProxyShell (CVE-2021-34473) and Fortinet (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) vulnerabilities by an Iranian-backed hacking group. | | | | | |
| | | | | | | Researchers from IBM Trusteer reveal the details of the Android banking trojan BrazKing. | Malware | Finance and insurance | CC | >1 | IBM Trusteer, Android, BrazKing |
| 13 | 17/11/2021 | 5/10/2021 | 5/10/2021 | ? | True Health New Mexico | The personally identifiable information of more than 62,000 US citizens may have been compromised following a cyber attack against True Health New Mexico, a New Mexico-based healthcare insurer. | Unknown | Human health and social work | CC | US | True Health New Mexico |
| 14 | 17/11/2021 | - | - | ? | Netflix users | Researchers from Kaspersky discover multiple phishing campaigns exploiting Netflix. | Account Takeover | Individual | CC | >1 | Kaspersky, Netflix |
| 15 | 17/11/2021 | 29/5/2021 | During June 2021 | ? | NorthCare | NorthCare, a mental health clinic, discloses that it was the victim of a ransomware attack in June 2021 in which patients' protected health information may have been compromised. | Malware | Human health and social work | CC | US | NorthCare, ransomware |
| 16 | 17/11/2021 | Between 16/07/2021 and 18/07/2021 | 18/7/2021 | ? | Putnam County Memorial Hospital | Putnam County Memorial Hospital notifies 6,916 individuals about a July 2021 ransomware attack in which protected health information was potentially compromised. | Malware | Human health and social work | CC | US | Putnam County Memorial Hospital, ransomware |
| 17 | 17/11/2021 | - | 7/7/2021 | ? | Lakeshore Bone & Joint Institute | Lakeshore Bone & Joint Institute, an orthopedic practice, discloses a breach of its Microsoft Office 365 environment, which included emails and attachments containing the protected health information of certain patients. | Account Takeover | Human health and social work | CC | US | Lakeshore Bone & Joint Institute |
| 18 | 18/11/2021 | Since at least 2018 | - | RedCurl | 30 businesses in Russia, Ukraine, Canada, Norway, the UK, and Germany | Researchers from Group-IB reveal the details of a new campaign carried out by the RedCurl group. | | | | | |
| | | | | | Policy experts, journalists and nongovernmental organizations (NGOs) | Researchers from Proofpoint reveal the details of campaigns carried out by the threat actor TA406. | Targeted Attack | Multiple Industries | CE | >1 | Proofpoint, TA406, Thallium, Kimsuky |
| 20 | 18/11/2021 | During July 2021 | - | DEV-0228 | Israel-based IT company | Researchers from Microsoft disclose the details of a campaign carried out by a threat actor dubbed DEV-0228 targeting an Israel-based IT company. | Targeted Attack | Information and communication | CE | IL | Microsoft, DEV-0228 |
| 21 | 18/11/2021 | During September 2021 | - | DEV-0056 | Bahrain-based IT integration company | Researchers from Microsoft disclose the details of a campaign carried out by a threat actor dubbed DEV-0056 targeting a Bahrain-based IT integration company. | Targeted Attack | Professional, scientific and technical | CE | BH | Microsoft, DEV-0056 |
| 22 | 18/11/2021 | During September 2021 | - | DEV-0056 | Partially government-owned organization in the Middle East | Researchers from Microsoft disclose the details of a campaign carried out by a threat actor dubbed DEV-0056 targeting a partially government-owned organization in the Middle East. | Targeted Attack | Public admin and defence, social security | CE | N/A | Microsoft, DEV-0056 |
| 23 | 18/11/2021 | Since at least 30/07/2021 | - | ? | Multiple targets | Researchers from DomainTools reveal that phishing actors are actively abusing the Glitch platform to host short-lived credential-stealing URLs for free while evading detection and takedowns. | Account Takeover | Multiple Industries | CC | >1 | DomainTools, Glitch |
| 24 | 18/11/2021 | Late October 2021 | Late October 2021 | Memento | Multiple targets | Researchers from Sophos discover a new Python-based ransomware dubbed Memento, which uses WinRAR to encrypt the victims' files. | Malware | Multiple Industries | CC | >1 | Sophos, Python, ransomware, Memento, WinRAR |
| 25 | 18/11/2021 | - | - | ? | Multiple eCommerce servers | Researchers from Sansec reveal that attackers are deploying linux_avp, a Linux backdoor, on compromised e-commerce servers after injecting a credit card skimmer into online shops' websites. | Malicious Script Injection | Wholesale and retail | CC | >1 | Sansec, linux_avp, Linux |
| 26 | 18/11/2021 | Since at least March 2021 | During November 2021 | ? | Single individuals | Researchers from Abnormal Security reveal a surge in TSA PreCheck scams. | Account Takeover | Individual | CC | US | Abnormal Security, TSA PreCheck |
| 27 | 18/11/2021 | "Recently" | - | ? | Python developers | Researchers from JFrog discover 11 malicious Python packages, downloaded and installed more than 30,000 times, able to steal Discord tokens and install shells. | Malware | Multiple Industries | CC | >1 | JFrog, Python |
| 28 | 18/11/2021 | Since November 2021 | - | ? | Multiple organizations | Researchers from Avanan discover a credential harvesting attack in which attackers spoof the United States Postal Service to notify users of an undelivered package. | Account Takeover | Multiple Industries | CC | US | Avanan, United States Postal Service |
| 29 | 18/11/2021 | Since 2017 | - | PerSwaysion | Multiple organizations | Researchers from SeclarityIO reveal that PerSwaysion, a widespread phishing campaign exploiting Microsoft Sway, SharePoint, and OneNote, is still active. | | | | | |
| | | | | | | Researchers from Venafi reveal that the Chinese APT41 group is actively managing a library of compromised code-signing digital certificates to support cyber-espionage attacks targeting supply chain vendors. | Malware | Multiple Industries | CC/CE | >1 | APT41, Venafi |
| 31 | 18/11/2021 | 15/8/2021 | - | ? | MNG Kargo | MNG Kargo is hacked and has some information stolen by the attackers. | Unknown | Transportation and storage | CC | TR | MNG Kargo |
| 32 | 18/11/2021 | - | - | ? | Indonesian Police | A suspected Brazilian hacker claims to have stolen the data of 28,000 Indonesian police officers. | Unknown | Public admin and defence, social security | CC | ID | Indonesia, Brazil |
| 33 | 18/11/2021 | 11/9/2021 | 27/10/2021 | ? | Spotswood Public Schools | Spotswood Public Schools discloses a ransomware attack. | Malware | Education | CC | US | Spotswood Public Schools, ransomware |
| 34 | 18/11/2021 | - | - | ? | DeKalb County School District | A Zoom meeting in the DeKalb County School District is hijacked and flooded with obscene images. | Zoom Bombing | Education | CC | US | Zoom, DeKalb County |
| 35 | 19/11/2021 | Since September 2021 | - | ? | Organizations in the Middle East | Researchers from Trend Micro discover a new campaign distributing the Squirrelwaffle loader via vulnerable Exchange servers compromised through the ProxyLogon and ProxyShell exploits. | | | | | |
| | | | | | | The Securities and Exchange Commission (SEC) warns US investors of scammers impersonating SEC officials in government impersonator schemes via phone calls, voicemails, emails, and letters. | Account Takeover | Finance and insurance | CC | US | Securities and Exchange Commission, SEC |
| 37 | 19/11/2021 | 7/11/2021 | 7/11/2021 | ? | Premier Property Lawyers (PPL) | Premier Property Lawyers (PPL) is hit with a ransomware attack. | Malware | Professional, scientific and technical | CC | UK | Premier Property Lawyers, PPL, ransomware |
| 38 | 19/11/2021 | - | - | ? | Online banking users in the US | A new phishing campaign abuses Zelle, a peer-to-peer (P2P) payment service used by many financial institutions, to drain the victims' funds. | Account Takeover | Finance and insurance | CC | US | Zelle |
| 39 | 19/11/2021 | 24/09/2021 and 22/10/2021 | 24/09/2021 and 22/10/2021 | Groove? | Episcopal Retirement Services | Episcopal Retirement Services reveals that it was hit by two ransomware attacks. | Malware | Human health and social work | CC | US | Episcopal Retirement Services, ransomware |
| 40 | 21/11/2021 | 21/11/2021 | 21/11/2021 | ? | Mahan Air | Mahan Air, one of Iran's largest privately-owned airlines, announces a cybersecurity incident that resulted in its website going offline and potential data loss. | Unknown | Transportation and storage | CC | IR | Mahan Air |
| 41 | 21/11/2021 | - | - | ? | Punjab National Bank | The data of 180 million Punjab National Bank customers is reportedly compromised, although the bank denies the claims. | Unknown | Finance and insurance | CC | IN | Punjab National Bank |
| 42 | 21/11/2021 | - | - | ? | Yemeksepeti | Yemeksepeti, a Turkish online food delivery company, is apparently hacked. | Unknown | Accommodation and food service | CC | TR | Yemeksepeti |
| 43 | 21/11/2021 | - | - | ? | Moline | Moline loses $420,000 in a Business Email Compromise scam. | Business Email Compromise | Public admin and defence, social security | CC | US | Moline |
| 44 | 21/11/2021 | - | - | ? | LeClaire | LeClaire loses $420,000 in a Business Email Compromise scam. | Business Email Compromise | Public admin and defence, social security | CC | US | LeClaire |
| 45 | 21/11/2021 | - | - | ? | Rock Island County | Rock Island County loses $115,000 in a Business Email Compromise scam. | Business Email Compromise | Public admin and defence, social security | CC | US | Rock Island County |
| 46 | 22/11/2021 | 19/11/2021 | - | ? | Vestas Wind Systems | Vestas Wind Systems, a leader in wind turbine manufacturing, reveals that it shut down its IT systems after suffering a cyber attack (probably ransomware). | Malware | Manufacturing | CC | US | Vestas Wind Systems |
| 47 | 22/11/2021 | Since at least 06/09/2021 | 17/11/2021 | ? | GoDaddy | GoDaddy reveals that the data of up to 1.2 million of its customers was exposed after hackers gained access to the company's Managed WordPress hosting environment. | Account Takeover | Professional, scientific and technical | CC | US | GoDaddy |
| 48 | 22/11/2021 | Up to September 2021 | - | Magecart | 4,151 online shops in the UK | The UK's National Cyber Security Centre (NCSC) says it warned the owners of more than 4,000 online stores that their sites were compromised in Magecart attacks to steal customers' payment information. | Malicious Script Injection | Wholesale and retail | CC | UK | UK's National Cyber Security Centre, NCSC, Magecart |
| 49 | 22/11/2021 | Since at least Spring 2021 | During October 2021 | Tardigrade | Biomanufacturing facilities | An advisory published by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) reveals that an advanced hacking group is actively targeting biomanufacturing facilities with a new custom malware called Tardigrade. | Malware | Professional, scientific and technical | CE | N/A | Bioeconomy Information Sharing and Analysis Center, BIO-ISAC, Tardigrade |
| 50 | 22/11/2021 | Since at least mid-September 2021 | - | Multiple threat actors | Multiple organizations | The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) share new details on in-the-wild attacks targeting CVE-2021-40539, a recently patched flaw in Zoho’s ManageEngine ADSelfService Plus product. | CVE-2021-40539 Vulnerability | Multiple Industries | CE | US | U.S. Cybersecurity and Infrastructure Security Agency, CISA, Federal Bureau of Investigation, FBI, Coast Guard Cyber Command, CGCYBER, CVE-2021-40539, Zoho, ManageEngine ADSelfService Plus |
| 51 | 22/11/2021 | 20/11/2021 | 20/11/2021 | ? | Bureau Veritas | Bureau Veritas is hit with a cyber attack. | Unknown | Administration and support service | CC | FR | Bureau Veritas |
| 52 | 22/11/2021 | - | 20/4/2021 | PYSA | One Community Health | One Community Health reports a cyber attack that occurred in April. | Malware | Education | CC | US | PYSA, One Community Health, ransomware |
| 53 | 23/11/2021 | "Recently" | - | Multiple threat actors | Customers of "brand-name companies" | The Federal Bureau of Investigation (FBI) warns of recently detected spear-phishing email campaigns targeting customers of "brand-name companies" in attacks known as brand phishing. | Account Takeover | Individual | CC | US | Federal Bureau of Investigation, FBI |
| 54 | 23/11/2021 | - | - | - | Undisclosed organization | Researchers from Dr.Web discover Android.Cynos.7.origin, an Android malware hidden in over 190 different apps on Huawei's AppGallery and downloaded more than nine million times. | | | | | |
| | | | | | | Researchers from Cisco Talos reveal that malware creators have already started testing a proof-of-concept exploiting the recently discovered CVE-2021-41379 Microsoft vulnerability. | CVE-2021-41379 vulnerability | Unknown | CC | N/A | Cisco Talos, Microsoft, CVE-2021-41379 |
| 56 | 23/11/2021 | During 2021 | - | RATDispenser | Multiple targets | Researchers from HP reveal that a new stealthy JavaScript loader named RATDispenser is being used to infect devices with a variety of remote access trojans (RATs) in phishing attacks. | Malware | Multiple Industries | CC | >1 | HP, JavaScript, RATDispenser |
| 57 | 23/11/2021 | - | - | ? | Crypto, NFT, and DeFi communities | Researchers from Morphisec discover a new malware campaign, distributed via Discord, that uses the Babadeda crypter to hide malware targeting the crypto, NFT, and DeFi communities. | Malware | Fintech | CC | >1 | Morphisec, Discord, Babadeda, Crypto, NFT, DeFi |
| 58 | 23/11/2021 | 23/11/2021 | 23/11/2021 | ? | Cannazon | Cannazon, one of the largest dark web marketplaces, shuts down after suffering a DDoS attack. | DDoS | Other service activities | CC | N/A | Cannazon |
| 59 | 23/11/2021 | - | - | APT-C-23 (AKA GnatSpy, FrozenCell, or VAMP) | Individuals in the Middle East | Researchers from Sophos discover a new wave of attacks via a new Android spyware against targets in the Middle East. | | | | | |
| | | | | | | Researchers from Inky discover a widespread phishing campaign using phone scams. | Targeted Attack | Multiple Industries | CC | >1 | Inky, Microsoft 365, Google Workspace |
| 61 | 24/11/2021 | Since July 2021 | During September 2021 | Iranian threat actor | Google and Instagram credentials belonging to Farsi-speaking targets worldwide | Researchers from SafeBreach reveal that a newly discovered Iranian threat actor is stealing Google and Instagram credentials belonging to Farsi-speaking targets worldwide using a new PowerShell-based stealer dubbed PowerShortShell, which exploits the Microsoft MSHTML CVE-2021-40444 vulnerability. | Malware | Individual | CE | IR | SafeBreach, Google, Instagram, Farsi, PowerShell, PowerShortShell, MSHTML CVE-2021-40444, Microsoft |
| 62 | 24/11/2021 | - | - | ? | Multiple online stores, among them a nation’s largest outlet | Researchers from Sansec discover CronRAT, a new remote access trojan (RAT) for Linux that keeps an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day, February 31st. | Malware | Wholesale and retail | CC | >1 | Sansec, CronRAT, Linux |
| 63 | 24/11/2021 | Since at least 16/09/2021 | - | Multiple threat actors | Vulnerable Cisco devices | Cisco reveals that the Apache CVE-40438 vulnerability is being actively exploited against its unpatched products. | CVE-40438 vulnerability | Multiple Industries | CC | >1 | Cisco, Apache, CVE-40438 |
| 64 | 24/11/2021 | 24/11/2021 | 24/11/2021 | Hive | Supernus Pharmaceuticals | Biopharmaceutical company Supernus Pharmaceuticals confirms it fell victim to a ransomware attack that resulted in a large amount of data being exfiltrated from its network. | Malware | Professional, scientific and technical | CC | US | Supernus Pharmaceuticals, Hive, ransomware |
| 65 | 24/11/2021 | - | - | ? | S&R | The personal data of 22,000 S&R members is compromised following a recent cyber attack. | Unknown | Wholesale and retail | CC | PH | S&R |
| 66 | 24/11/2021 | Between 29/07/2021 and 10/08/2021 | 23/8/2021 | ? | Educators Mutual Insurance Association (EMIA) | Educators Mutual Insurance Association (EMIA) discovers that an unauthorized individual had access to its computer network between July 29, 2021, and August 10, 2021, and may have viewed or obtained the protected health information of some of its members. | Unknown | Finance and insurance | CC | US | Educators Mutual Insurance Association, EMIA |
| 67 | 25/11/2021 | - | - | Cl0p AKA TA505 and FIN11, Evil Corp | Swire Pacific Offshore (SPO) | Marine services giant Swire Pacific Offshore (SPO) suffers a Clop ransomware attack that allowed threat actors to steal company data. | | | | | |
| | | | | | | charts.dft.gov.uk, a UK Department for Transport (DfT) website, is caught serving porn. | DNS hijacking | Public admin and defence, social security | CC | UK | charts.dft.gov.uk, UK Department for Transport, DfT |
| 69 | 25/11/2021 | 25/11/2021 | 25/11/2021 | ? | Headwaters Health Care Centre | Headwaters Health Care Centre shuts down its COVID-19 assessment centre amid suspicious email activity. | Account Takeover | Human health and social work | CC | US | Headwaters Health Care Centre |
| 70 | 25/11/2021 | 29/7/2021 | - | ? | ACE Surgical Supply | ACE Surgical Supply reveals that its IT environment was accessed by an unauthorized individual who may have viewed or obtained the protected health information of 12,122 individuals. | Unknown | Manufacturing | CC | US | ACE Surgical Supply |
| 71 | 25/11/2021 | Between 18/07/2021 and 20/07/2021 | 20/7/2021 | ? | Three Rivers Regional Commission | Three Rivers Regional Commission discloses that the protected health information of around 2,000 individuals may have been obtained by unauthorized individuals in a ransomware attack. | Malware | Public admin and defence, social security | CC | US | Three Rivers Regional Commission, ransomware |
| 72 | 25/11/2021 | During November 2021 | - | ? | Multiple organizations | Multiple employees share on Twitter and Reddit images of anti-work messages sent to the printers of their organizations. The messages encourage workers to protect their rights, discuss their pay with coworkers, and demand better pay. | Vulnerable printers | Multiple Industries | CC | US | Vulnerable printers |
| 73 | 26/11/2021 | - | - | ? | IKEA | IKEA warns employees of an ongoing reply-chain phishing cyber attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners. | Account Takeover | Manufacturing | CC | SE | IKEA |
| 74 | 26/11/2021 | Between 22/06/2021 and 03/11/2021 | 11/11/2021 | ? | Panasonic | Japanese electronics giant Panasonic discloses a major security breach after an unidentified threat actor gained access to its internal network. | Unknown | Manufacturing | CE | JP | Panasonic |
| 75 | 26/11/2021 | - | - | TrickBot | Multiple targets | A new variant of the TrickBot malware uses a new method to check the screen resolution of a victim system to evade detection. | Malware | Multiple Industries | CC | >1 | TrickBot |
| 76 | 26/11/2021 | - | - | Flubot | Android banking users in Finland | Finland's National Cyber Security Centre (NCSC-FI) issues a "severe alert" to warn of a massive campaign targeting the country's Android users with Flubot banking malware pushed via text messages sent from compromised devices. | Malware | Finance and insurance | CC | FI | Finland, National Cyber Security Centre, NCSC-FI, Android, Flubot |
| 77 | 26/11/2021 | - | - | Attackers from North Korea (Zinc) | Employees at South Korean security companies | Researchers from Google reveal that North Korean state-sponsored hackers posed as Samsung recruiters and sent fake job offers to employees at South Korean security companies that sell anti-malware software. | Targeted Attack | Professional, scientific and technical | CE | KR | Google, North Korea, South Korea, Zinc |
| 78 | 26/11/2021 | Since at least 16/09/2021 | - | Multiple threat actors | Vulnerable Apache HTTP servers in Germany | The German BSI reveals that the Apache CVE-40438 vulnerability is currently under active exploitation. | CVE-40438 vulnerability | Multiple Industries | CC | DE | BSI, Apache, CVE-40438 |
| 79 | 26/11/2021 | "Recently" | - | Aberebot-2.0 | Android banking users | Researchers from Cyble discover a new variant of the Aberebot banking malware, targeting 213 banking apps and nine crypto wallet apps in 22 countries. | Malware | Finance and insurance | CC | >1 | Aberebot-2.0, Cyble, Android |
| 80 | 29/11/2021 | Between 24/05/2021 and 28/07/2021 | 29/10/2021 | ? | DNA Diagnostics Center (DDC) | DNA Diagnostics Center (DDC), a DNA testing company, discloses a hacking incident affecting 2,102,436 persons. | Unknown | Human health and social work | CC | US | DNA Diagnostics Center, DDC |
| 81 | 29/11/2021 | - | - | APT37 AKA Reaper, ScarCruft, Group123, FreeMilk | South Korean journalists, defectors, and human rights activists | Researchers from Kaspersky reveal the details of the latest campaign of APT37 targeting South Korean journalists, defectors, and human rights activists with a new malware dubbed Chinotto. | | | | | |
| | | | | | | Researchers from Kaspersky identify a stealthy hacking group named WIRTE, possibly part of the Gaza Cybergang, linked to a government-targeting campaign conducting attacks since at least 2019 using malicious Excel 4.0 macros. | Targeted Attack | Public admin and defence, social security | CE | >1 | Kaspersky, WIRTE, Gaza Cybergang |
| 83 | 29/11/2021 | Since at least January 2021 | During January 2021 | Anatsa | Android banking users | Researchers from ThreatFabric reveal the details of Anatsa, a campaign distributing an Android banking trojan. | Malware | Finance and insurance | CC | >1 | ThreatFabric, Anatsa, Android |
| 84 | 29/11/2021 | Since 12/10/2021 | - | ? | Principality of Sealand | Researchers from Sansec reveal that a threat actor has hacked the website of the Principality of Sealand, a micronation in the North Sea, and planted malicious code on its web store, which the micronation's government uses to sell baron, count, duke, and other nobility titles. | Malicious Script Injection | Public admin and defence, social security | CC | N/A | Sansec, Principality of Sealand |
| 85 | 29/11/2021 | 7/11/2021 | 7/11/2021 | ? | Delta-Montrose Electric Association (DMEA) | Colorado's Delta-Montrose Electric Association (DMEA) discloses that it was hit by a devastating cyber attack (probably ransomware) that took down 90% of its internal systems and caused 25 years of historical data to be lost. | Malware | Electricity, gas steam, air conditioning | CC | US | Delta-Montrose Electric Association, DMEA, ransomware |
| 86 | 29/11/2021 | Since June 2021 | During September 2021 | UNC2190 AKA Arcane and Sabbath | Critical infrastructure including education, health, and natural resources in the United States and Canada | Researchers from Mandiant reveal the details of Sabbath, a ransomware operator targeting critical infrastructure. | Malware | Multiple Industries | CC | US, CA | UNC2190, Arcane, Sabbath, ransomware, Mandiant |
| 87 | 29/11/2021 | - | - | ? | Multiple organizations | Researchers from Trend Micro share details of a new campaign distributing the SpyAgent malware by abusing legitimate tools including TeamViewer. | Malware | Multiple Industries | CC | >1 | Trend Micro, SpyAgent, TeamViewer |
| 88 | 29/11/2021 | 29/11/2021 | 29/11/2021 | ? | Lewis and Clark Community College | Lewis and Clark Community College is hit with a ransomware attack. | Malware | Education | CC | US | Lewis and Clark Community College, ransomware |
| 89 | 29/11/2021 | Between 17/03/2020 and 14/06/2020 | - | ? | Evanston Township High School | Evanston Township High School is defrauded of $48,570 in a hack that exposed 1,139 identities. | Account Takeover | Education | CC | US | Evanston Township High School |
| 90 | 29/11/2021 | 30/9/2021 | Between 23/09/2021 and 12711/2021 | ? | Medsurant Health | Medsurant Health reports that 45,000 patients were impacted by a ransomware incident. | Malware | Human health and social work | CC | US | Medsurant Health, ransomware |
| 91 | 29/11/2021 | - | 4/11/2021 | ? | Upstate Homecare | Upstate Homecare notifies 5,100 patients about a ransomware attack. | Malware | Human health and social work | CC | US | Upstate Homecare, ransomware |
| 92 | 29/11/2021 | Since at least 2017 | | KAX17 | Tor users | A mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in an attempt to deanonymize Tor users. | Unknown | Individual | CC | >1 | KAX17, Tor |
| 93 | 30/11/2021 | - | - | Yanluowang | U.S. organizations in the financial sector | Researchers from Broadcom discover an affiliate of the recently discovered Yanluowang ransomware operation, focusing its attacks on U.S. organizations in the financial sector and using the BazarLoader malware in the reconnaissance stage. | Malware | Finance and insurance | CC | US | Broadcom, Yanluowang, ransomware, BazarLoader |
| 94 | 30/11/2021 | Since 27/10/2021 | 27/10/2021 | EwDoor | Unpatched AT&T Edgewater Networks devices | Researchers from Qihoo 360's Netlab discover EwDoor, a botnet targeting unpatched AT&T enterprise network edge devices using exploits for CVE-2017-6079, a four-year-old critical severity vulnerability. | | | | | |
| | | | | | | Researchers from Red Canary discover that the BlackByte ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). | Malware | Multiple Industries | CC | >1 | Red Canary, BlackByte, ransomware, Microsoft Exchange, ProxyShell, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 |
| 96 | 30/11/2021 | 27/11/2021 | 27/11/2021 | ? | CS Energy | Queensland government-owned energy generator CS Energy is hit with a ransomware attack. | Malware | Electricity, gas steam, air conditioning | CC | AU | CS Energy, ransomware |
| 97 | 30/11/2021 | Since October 2021 | - | ? | Single individuals | UK authorities spot an Omicron COVID-19-themed phishing campaign, and the National Health Service (NHS) warns about the attacks. | Account Takeover | Individual | CC | UK | NHS, COVID-19, Omicron |
| 98 | 30/11/2021 | "Recently" | - | ? | Multiple organizations | Researchers from Vade Secure discover an ongoing campaign using fake Amazon and Apple invoices. | Account Takeover | Multiple Industries | CC | US | Vade Secure, Amazon, Apple |
| 99 | 30/11/2021 | - | - | ? | Single individuals | The Federal Trade Commission (FTC) issues a warning about fake job postings. | Account Takeover | Individual | CC | US | Federal Trade Commission, FTC |
| 100 | 30/11/2021 | 18/10/2021 | 18/10/2021 | ? | Conseil des écoles publiques de l’Est de l’Ontario (CEPEO) | The Conseil des écoles publiques de l’Est de l’Ontario (CEPEO) says it was the victim of a ransomware attack and that it paid the hackers a ransom to secure the stolen data. | Malware | Education | CC | CA | Conseil des écoles publiques de l’Est de l’Ontario, CEPEO, ransomware |