After the peak of March (in the meantime I have added more records to the previous timeline, bringing the total to 150), the level of activity continues to be pretty high. In the first half of April, I have collected 118 events, and the reason for such high numbers is obviously the extension of the conflict in Ukraine into cyberspace. This asymmetric war is shaping the threat landscape from at least three perspectives.
From a hacktivism standpoint, Anonymous and its affiliates continue to leak data from Russian organizations; from a cyber espionage standpoint, Ukraine continues to be the target of multiple campaigns conducted by threat actors primarily from Russia, Belarus, and China. Finally, the wave of attacks carried out with destructive malware is not over yet, and April has seen the appearance of ‘Industroyer2’, a new wiper deployed in an apparently unsuccessful attack against a large Ukrainian energy provider. And this is not the only aspect characterized by cyber warfare: social media is also an important playground, with a proliferation of misinformation campaigns and Coordinated Inauthentic Behavior (CIB) linked to Ukraine (and not only…).
The war in Ukraine is obviously characterizing the threat landscape, and hence is overshadowing the rest. Ransomware attacks continue to be relevant, most of all ‘thanks’ to the contribution of the Conti and BlackCat ransomware gangs, which even in this fortnight have hit several high-profile targets; however, their percentage continues to slide, reaching a new low at 11.86%. On the other hand, even in this timeline, the exploitation of vulnerabilities continues to be an important trend, with 12.7% of the events characterized by the exploitation of a flaw.
Similarly, another interesting trend of 2022 is the growing number of massive attacks against fintech and decentralized finance companies. Even in this fortnight, three organizations were hit, for a total loss of nearly $27M worth of crypto assets.
As usual, besides the events related to Ukraine, the cyber espionage front is equally crowded: this timeline sports many well-known threat actors such as APT10 (tied to China and targeting various entities in government, legal and religious activities, and NGOs), APT-C-23 (tied to Hamas and targeting individuals in Israel), and the North Korean Lazarus Group (targeting chemical and IT organizations in South Korea).
Attack Class legend: CC = Cyber Crime, CE = Cyber Espionage, CW = Cyber Warfare, H = Hacktivism. Some records lost part of their fields during extraction; those cells are left empty.

| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 01/04/2022 | Since at least February 2022 | - | Threat actors from China | Defence ministry and other institutions in Ukraine | According to the Ukrainian Security Service (SBU), China staged a huge cyberattack on Ukraine’s military and nuclear facilities in the build-up to Russia’s invasion. | Targeted Attack | Public admin and defence, social security | CE | UA | Ukrainian Security Service, SBU, China, Ukraine |
| 2 | 01/04/2022 | During March 2022 | During March 2022 | UAC-0056 | Several entities in Ukraine, including ICTV, a private TV channel | Researchers from Malwarebytes reveal that the cyberespionage actor UAC-0056, also known as SaintBear, UNC2589 and TA471, is using a macro-embedded Excel document to target several entities in Ukraine, including ICTV, a private TV channel. | | | | | |
| 3 | | | | | | Yandex blames one of its employees for the hacking and subsequent leak of data from Yandex Food, a popular food delivery service in Russia. | Unknown | Accommodation and food service | H | RU | Yandex, Yandex Food |
| 4 | 01/04/2022 | - | 01/04/2022 | Anonymous | Russian Orthodox Church | In the name of #OpRussia, Anonymous leaks 15GB of data stolen from the Russian Orthodox Church's charitable wing and releases roughly 57,500 emails. | Unknown | Other service activities | H | RU | #OpRussia, Anonymous, Russian Orthodox Church |
| 5 | 01/04/2022 | - | Between February and March 2022 | Beastmode (aka B3astmode) | Multiple organizations | Researchers from Fortinet observe that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits, adding five new exploits within a month, with three targeting various models of TOTOLINK routers. | Multiple vulnerabilities | Multiple Industries | CC | >1 | Fortinet, Beastmode, B3astmode, Mirai, TOTOLINK |
| 6 | 01/04/2022 | - | - | ? | Android users | Researchers from Lab52 identify a malicious APK named “Process Manager”, using the same infrastructure exploited by the Turla group, acting as Android spyware and uploading information to the threat actors. | Malware | Individual | CC | >1 | Lab52, APK, Process Manager, Turla, Android |
| 7 | 01/04/2022 | End of February 2021 | End of February 2021 | ? | Individuals | Researchers at McAfee Labs discover a campaign where attackers launched a crypto donation scam in support of Ukraine, setting up phishing websites and emails that contain cryptocurrency wallets asking for donations. | Malicious spam | Individual | CC | >1 | McAfee Labs, Ukraine |
| 8 | 02/04/2022 | 31/03/2022 | 31/03/2022 | Conti | Nordex | The Conti ransomware operation claims responsibility for a cyberattack on wind turbine giant Nordex, which was forced to shut down IT systems and remote access to the managed turbines. | Malware | Manufacturing | CC | DE | Nordex, Conti, Ransomware |
| 9 | 02/04/2022 | 02/04/2022 | 02/04/2022 | ? | Inverse Finance | An attack on decentralized finance (DeFi) protocol Inverse Finance leads to the theft of more than $15 million in cryptocurrency. | Vulnerability | Fintech | CC | N/A | Inverse Finance, Crypto |
| 10 | 03/04/2022 | - | 26/03/2022 | ? | MailChimp | Email marketing firm MailChimp discloses that it was hit by hackers who gained access to internal customer support and account management tools to steal audience data and conduct phishing attacks. | Account Takeover | Professional, scientific and technical | CC | US | MailChimp, Crypto, Trezor |
| 11 | 03/04/2022 | Between 06/12/2021 and 03/01/2022 | 07/02/2022 | ? | Wellstar Health System | Wellstar Health System notifies individuals of a data security incident that occurred when an unauthorized party gained access to two Wellstar email accounts. | Account Takeover | Human health and social work | CC | US | Wellstar Health System |
| 12 | 04/04/2022 | During April 2022 | During April 2022 | Armageddon (AKA Gamaredon) | Multiple organizations in Ukraine | The Computer Emergency Response Team of Ukraine (CERT-UA) discovers a new phishing campaign attributed to the Russian threat group tracked as Armageddon (Gamaredon) targeting organizations in Ukraine. | Targeted Attack | Multiple Industries | CE | UA | Computer Emergency Response Team of Ukraine, CERT-UA, Armageddon, Gamaredon, Ukraine |
| 13 | 04/04/2022 | During April 2022 | During April 2022 | Armageddon (AKA Gamaredon) | Government agencies in the European Union | The Computer Emergency Response Team of Ukraine (CERT-UA) discovers a new phishing campaign attributed to the Russian threat group tracked as Armageddon (Gamaredon) targeting government agencies in the European Union. | Targeted Attack | Public admin and defence, social security | CE | UA | Computer Emergency Response Team of Ukraine, CERT-UA, Armageddon, Gamaredon, Ukraine |
| 14 | 04/04/2022 | - | 04/04/2022 | Anonymous | Russian military stationed in Bucha | The Anonymous collective leaks personal details of the Russian military stationed in Bucha. | Unknown | Public admin and defence, social security | H | RU | Anonymous, Russia, Ukraine, Bucha |
| 15 | 04/04/2022 | Until early 2022 | Early 2022 | FIN7 (a.k.a. Carbanak) | Multiple organizations | Researchers from Mandiant reveal the details of the latest campaigns carried out by the FIN7 group using a new PowerShell backdoor called PowerPlant. | Malware | Multiple Industries | CC | >1 | Mandiant, FIN7, Carbanak, PowerPlant |
| 16 | 04/04/2022 | During March 2022 | During March 2022 | Multiple threat actors | Multiple organizations | Microsoft reveals that it is currently tracking a "low volume of exploit attempts" targeting the critical Spring4Shell (aka SpringShell) remote code execution (RCE) vulnerability (tracked as CVE-2022-22965) across its cloud services. | | | | | |
| 17 | | | | | | Researchers from Armorblox discover a new WhatsApp phishing campaign impersonating WhatsApp's voice message feature, attempting to spread information-stealing malware to at least 27,655 email addresses. | Malware | Individual | CC | >1 | WhatsApp, Armorblox |
| 18 | 04/04/2022 | - | - | ? | Emma The Sleep | Emma The Sleep confirms it suffered a Magecart attack which enabled the attackers to skim customers' credit or debit card data from its website. | Malicious script injection | Manufacturing | CC | DE | Emma The Sleep, Magecart |
| 19 | 04/04/2022 | 31/03/2022 | 31/03/2022 | ? | Individuals in the UK | Cyber-criminals are impersonating the confectioner Cadbury online to steal personal data. | UK | Individual | CC | UK | Cadbury |
| 20 | 05/04/2022 | From mid-2021 to at least February 2022 | - | Cicada (AKA menuPass, Stone Panda, Potassium, APT10, Red Apollo) | Various entities in government, legal, and religious activities, and NGOs | Researchers from Broadcom Symantec uncover a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader and the Sodamaster backdoor. | Targeted Attack | Multiple Industries | CE | >1 | Broadcom, Symantec, VLC Media Player, Sodamaster, Cicada, menuPass, Stone Panda, Potassium, APT10, Red Apollo |
| 21 | 05/04/2022 | Early April 2022 | Early April 2022 | Multiple threat actors | Multiple organizations | Researchers from CheckPoint reveal that roughly one out of six organizations worldwide that are impacted by the Spring4Shell zero-day vulnerability have already been targeted by threat actors (about 37,000 attacks in the first weekend after the disclosure alone). | | | | | |
| 22 | | | | | | UK retail chain The Works announces it was forced to shut down several stores due to till issues caused by a cyber-security incident involving unauthorized access to its computer systems. | Unknown | Wholesale and retail | CC | UK | The Works |
| 23 | 05/04/2022 | - | - | ? | The Guidance Center | The Guidance Center reveals it discovered that unauthorized individuals gained access to several employee email accounts. 23,104 individuals are affected. | Account Takeover | Human health and social work | CC | US | Guidance Center |
| 24 | 05/04/2022 | 05/12/2021 | - | ? | Four Jordanian human rights defenders | An investigation by Front Line Defenders and Citizen Lab reveals that the iPhone of Jordanian journalist Suhair Jaradat was hacked with Pegasus, the spyware of the NSO Group. | Targeted Attack | Individual | CE | JO | Front Line Defenders, Citizen Lab, NSO Group, Ahmed Al-Neimat, Malik Abu Orabi, Suhair Jaradat |
| 25 | 05/04/2022 | 14/03/2022 | 14/03/2022 | Conti | Parker Hannifin | The Conti ransomware group leaks several gigabytes of files allegedly stolen from US industrial components giant Parker Hannifin. | Malware | Manufacturing | CC | US | Conti, ransomware, Parker Hannifin |
| 26 | 05/04/2022 | 'Recently' | 'Recently' | ? | Multiple targets | Researchers from Malwarebytes discover a new Colibri Loader campaign delivering the Mars Stealer as final payload. | Malware | Multiple Industries | CC | >1 | Malwarebytes, Colibri, Mars Stealer |
| 27 | 05/04/2022 | - | - | UAC-0094 | Telegram users in Ukraine | The State Service of Special Communication and Information Protection (SSSCIP) of Ukraine discovers a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts. | Targeted Attack | Individual | CE | UA | State Service of Special Communication and Information Protection, SSSCIP, Ukraine, Telegram, UAC-0094 |
| 28 | 05/04/2022 | - | 05/04/2022 | Conti | I-SEC | Conti threat actors add I-SEC, one of the main providers in the field of aviation security, to their leak site and provide some proof of claim. | Malware | Professional, scientific and technical | CC | DE | Conti, I-SEC, ransomware |
| 29 | 05/04/2022 | - | 11/03/2022 | ? | Whitefish School District | Whitefish School District reports a data breach after an investigation discovered that an employee’s computer had been accessible to an attacker after the employee had fallen for a social engineering scam. | Account Takeover | Education | CC | US | Whitefish School District |
| 30 | 05/04/2022 | During February 2022 | During February 2022 | Conti | Panasonic Canada | Panasonic Canada discloses a Conti ransomware attack. | Malware | Manufacturing | CC | CA | Panasonic Canada, Conti, Ransomware |
| 31 | 06/04/2022 | 'Recently' | 'Recently' | APT-C-23 | Israeli individuals, including a group of high-profile targets working for sensitive defense, law enforcement, and emergency services organizations | Researchers from Cybereason reveal the details of 'Operation Bearded Barbie', a new elaborate campaign targeting Israeli individuals, among them a group of high-profile targets working for sensitive defense, law enforcement, and emergency services organizations. | Targeted Attack | Public admin and defence, social security | CE | IL | APT-C-23, Cybereason, Operation Bearded Barbie |
| 32 | 06/04/2022 | - | - | FFDroider | Single Individuals | Researchers from Zscaler discover a new information stealer named FFDroider, stealing credentials and cookies stored in browsers to hijack victims' social media accounts. | Malware | Individual | CC | >1 | Zscaler, FFDroider |
| 33 | 06/04/2022 | - | - | ? | Android users | Researchers from AppCensus warn about a set of applications available on the Google Play Store which collected sensitive user data from over 45 million installs of the apps. | Malware | Individual | CC | >1 | AppCensus, Android, Google Play Store |
| 34 | 06/04/2022 | Early April 2022 | 05/04/2022 | LOSPELAOSBRO | Vevo | Multinational video hosting service Vevo says it is investigating a recent incident where someone took over the YouTube pages for several high-profile artists and either uploaded music videos or changed the names of popular videos. | Account Takeover | Arts entertainment, recreation | CC | US | Vevo, YouTube, LOSPELAOSBRO |
| 35 | 06/04/2022 | Late 2021 | Late 2021 | ? | Mobile banking users in Malaysia | Researchers at ESET reveal they discovered three malicious Android apps targeting the customers of eight different Malaysian banks in a campaign that began late last year. | Malware | Finance and insurance | CC | MY | ESET, Android, Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, Hong Leong Bank |
| 36 | 06/04/2022 | Since at least September 2021 | Since at least September 2021 | TAG-38 | At least 7 Indian electricity grid centers | Researchers from Recorded Future reveal they observed network intrusions targeting at least 7 Indian electricity grid centers by a Chinese state-sponsored actor dubbed TAG-38. | Targeted Attack | Electricity, gas steam, air conditioning | CE | IN | Recorded Future, China |
| 37 | 06/04/2022 | - | - | ? | Central Vermont Eye Care | Central Vermont Eye Care reports a hacking incident affecting 30,000 patients. | Unknown | Human health and social work | CC | US | Central Vermont Eye Care |
| 38 | 06/04/2022 | - | - | The Black Rabbit World | Kremlin CCTV system | Hacktivists from the Black Rabbit World claim to have gained access to the Kremlin CCTV system. | Unknown | Public admin and defence, social security | H | RU | Black Rabbit World, Ukraine |
| 39 | 06/04/2022 | - | 06/04/2021 | ? | Bernards Township School District | Bernards Township School District notifies that personal information may have been breached through the school computer data system last year. | Unknown | Education | CC | US | Bernards Township School District |
| 40 | 07/04/2022 | Since February 2022 | Since February 2022 | APT28 (AKA Strontium, Fancy Bear) | Multiple Ukrainian targets | Microsoft disrupts attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains used as attack infrastructure. | | | | | |
| 41 | | | | | | American automotive tools manufacturer Snap-on announces a data breach exposing associate and franchisee data after the Conti ransomware gang began leaking the company's data in March. | Malware | Manufacturing | CC | US | Snap-on, Conti, ransomware |
| 42 | 07/04/2022 | 'During the recent months' | 'During the recent months' | Parrot TDS | Users in multiple countries | Researchers from Avast discover FakeUpdate, a campaign relying on 'Parrot TDS', a traffic direction system (TDS) exploiting servers that host 16,500 websites of universities, local governments, adult content platforms, and personal blogs, and redirecting users to malicious sites. | Traffic redirection | Individual | CC | >1 | Avast, FakeUpdate, Parrot TDS |
| 43 | 07/04/2022 | - | - | ? | Multiple organizations | Researchers from Cado Security discover Denonia, the first malware specifically developed to target Amazon Web Services (AWS) Lambda cloud environments with cryptominers. | Malware | Multiple Industries | CC | >1 | Cado Security, Denonia, Amazon Web Services, AWS, Lambda, Crypto |
| 44 | 07/04/2022 | - | During April 2022 | UNC788 | Multiple people in several countries, including military, dissidents and human rights activists | Meta, the company behind Facebook, removes a campaign carried out by an Iranian group known as UNC788 targeting multiple people in several countries, including military, dissidents and human rights activists. | Account Takeover | Individual | CE | >1 | Meta, Iran, UNC788 |
| 45 | 07/04/2022 | 07/04/2022 | 07/04/2022 | ? | WonderHero | The operators of cryptocurrency play-to-earn game WonderHero disable the service after hackers stole about $320,000 worth of Binance Coin (BNB). | Vulnerability | Fintech | CC | N/A | WonderHero, Crypto |
| 46 | 07/04/2022 | - | During April 2022 | Previously unreported group linked to Iran | Multiple organizations worldwide | Meta takes action against a previously unreported hacking group from Iran that targeted or spoofed companies in multiple industries around the world. | Targeted Attack | Multiple Industries | CE | >1 | Meta, Iran |
| 47 | 07/04/2022 | - | During April 2022 | Azeri Ministry of Internal Affairs? | People from Azerbaijan, including democracy activists, opposition, journalists, and government critics abroad | Meta disrupts a complex network in Azerbaijan that engaged in both cyber espionage and coordinated inauthentic behavior. | Fake Social/Web pages | Individual | CE | AZ | Meta, Azerbaijan |
| 48 | 07/04/2022 | Shortly before the Russian invasion of Ukraine | During April 2022 | Government-linked actors from Russia and Belarus | Government-linked actors from Russia and Belarus | Meta removes an influence operation targeting the Ukrainian telecom industry, the Ukrainian defense and energy sectors, tech platforms, and journalists and activists in Ukraine, Russia, and abroad. | Fake Social/Web pages | Multiple Industries | CW | UA | Meta, Ukraine, Russia, Belarus |
| 49 | 07/04/2022 | - | - | Ghostwriter | Members of the Ukrainian military | Meta detects a spike in compromise attempts aimed at members of the Ukrainian military by Ghostwriter. | Targeted Attack | Public admin and defence, social security | CE | UA | Meta, Ghostwriter, Ukraine, Belarus |
| 50 | 07/04/2022 | Late 2021 and January 2022 | January 2022 | Russian Internet Research Agency (IRA) | Facebook users in multiple countries | Meta takes down an attempted comeback by a network linked to individuals associated with past activity by the Russian Internet Research Agency (IRA). | Fake Social/Web pages | Individual | CW | >1 | Meta, IRA, Internet Research Agency, Russia, Ukraine |
| 51 | 07/04/2022 | - | - | Facebook network linked to people in the Luhansk region of Ukraine | Facebook users in Ukraine | Meta takes down an attempted comeback by a network removed in December 2020 and linked to people in the Luhansk region of Ukraine. | Fake Social/Web pages | Individual | CW | UA | Meta, Ukraine, Luhansk |
| 52 | 07/04/2022 | During 2021 | During 2021 | ? | Social media users in Brazil (Facebook, Instagram, and Twitter) | Meta removes a network of Facebook and Instagram pages and accounts targeting domestic audiences in Brazil. | Fake Social/Web pages | Individual | CC | BR | Meta, Facebook, Instagram, Twitter, Brazil |
| 53 | 07/04/2022 | - | - | ? | Social media users in Costa Rica and El Salvador | Meta removes Facebook accounts, pages, and Groups, plus some Instagram accounts, targeting primarily users in Costa Rica and El Salvador. | Fake Social/Web pages | Information and communication | CC | CR, SV | Meta, Facebook, Instagram, Costa Rica, El Salvador |
| 54 | 07/04/2022 | - | - | SharkBot | Android users primarily in Italy and UK | Researchers from Check Point discover six malicious antivirus apps, subsequently removed from the Google Play app store, used to deliver the SharkBot malware to steal passwords, bank details and other personal information from Android users. | Malware | Individual | CC | >1 | Check Point, Android, SharkBot |
| 55 | 07/04/2022 | During March 2022 | During March 2022 | ? | Individuals | Researchers from Avast discover a scam campaign pretending to collect funds for Ukraine and impersonating Russian opposition leader Alexei Navalny to drain victims’ wallets. | Malicious spam | Individual | CC | >1 | Avast, Alexei Navalny, Ukraine |
| 56 | 07/04/2022 | - | - | BlackCat (AKA ALPHV) | ERP provider in the Middle East | Researchers from Kaspersky provide an analysis of a BlackCat ransomware attack targeting an undisclosed ERP provider in the Middle East. | Malware | Professional, scientific and technical | CC | N/A | Kaspersky, BlackCat, ALPHV |
| 57 | 07/04/2022 | - | - | BlackCat (AKA ALPHV) | Oil, gas, mining and construction company in South America | Researchers from Kaspersky provide an analysis of a BlackCat ransomware attack targeting an undisclosed oil, gas, mining and construction company in South America via a data exfiltration tool called Fendr, also known as ExMatter. | Malware | Electricity, gas steam, air conditioning | CC | N/A | Kaspersky, BlackCat, ALPHV, Fendr, ExMatter |
| 58 | 07/04/2022 | - | - | IT ARMY of Ukraine | Rossgram | The IT ARMY of Ukraine claims to have breached Rossgram, a Russian version of Instagram. The group of hacktivists also claims to have created a fake Rossgram app. | Unknown | Information and communication | H | RU | IT ARMY of Ukraine, Rossgram, Instagram |
| 59 | 07/04/2022 | - | - | SPM55 | Users of popular services, tech companies and financial institutions, including Coinbase, Netflix, Amazon and Ebay | Researchers from DomainTools reveal a marked uptick in activity for Indonesian phishing-as-a-service group SPM55. | | | | | |
| | | | | | | Ballad Health discloses a phishing incident that potentially led to protected health information (PHI) exposure. | Account Takeover | Human health and social work | CC | US | Ballad Health |
| 65 | 08/04/2022 | - | - | Anonymous | Petrovsky Fort | The Anonymous collective leaks 300,000 emails inside 244 GB of data from Petrovsky Fort. | Unknown | Real estate | H | RU | Anonymous, Petrovsky Fort |
| 66 | 08/04/2022 | - | - | Anonymous | Aerogas | The Anonymous collective leaks 100,000 emails inside 145 GB of data from Aerogas. | Unknown | Electricity, gas steam, air conditioning | H | RU | Anonymous, Aerogas |
| 67 | 08/04/2022 | - | - | Anonymous | Forest | The Anonymous collective leaks 100,000 emails inside 145 GB of data from Forest. | Unknown | Mining and quarrying | H | RU | Anonymous, Forest |
| 68 | 08/04/2022 | - | - | SolarMarker | Multiple organizations | Researchers from Palo Alto Networks disclose a new version of the SolarMarker malware that implements new features to avoid detection. | Malware | Multiple Industries | CC | >1 | Palo Alto Networks, SolarMarker, Jupyter |
| 69 | 08/04/2022 | 08/04/2022 | 08/04/2022 | ? | Finnish ministries of Defense and Foreign Affairs | A DDoS attack takes down the websites of the Finnish ministries of Defense and Foreign Affairs while Ukrainian President Volodymyr Zelenskyy addresses Finland’s members of parliament (MPs). | DDoS | Public admin and defence, social security | H | FI | DDoS, Finnish Ministry of Defense, Finnish Ministry of Foreign Affairs, Volodymyr Zelenskyy, Ukraine, Russia |
| 70 | 08/04/2022 | 08/04/2022 | 08/04/2022 | ? | Black River Falls School District | Black River Falls School District cancels all classes because of an incident involving unauthorized access to the district’s IT network. | Unknown | Education | CC | US | Black River Falls School District |
| 71 | 09/04/2022 | Since March 2022 | Since March 2022 | NB65 | Multiple organizations in Russia | A hacking group dubbed NB65 is using Conti's leaked ransomware source code to create its own ransomware to use in cyberattacks against Russian organizations. | Malware | Multiple Industries | CW | RU | NB65, Conti, ransomware, Russia, Ukraine |
| 72 | 09/04/2022 | Since at least January 2022 | 32/01/2022 | Octo | Android users | Researchers from ThreatFabric discover Octo, a new Android banking malware featuring remote access capabilities that allow malicious operators to perform on-device fraud. | Malware | Individual | CC | >1 | ThreatFabric, Octo, Android |
| 73 | 10/04/2022 | - | - | ? | Multiple organizations | A new malspam campaign is found distributing META, a new info-stealer malware that appears to be rising in popularity among cybercriminals. | Malware | Multiple Industries | CC | >1 | META Stealer |
| 74 | 11/04/2022 | During 2021 | During 2021 | ? | Senior officials at the European Commission | Reuters reveals that senior officials at the European Commission were targeted last year with the NSO spy software. | Targeted Attack | Public admin and defence, social security | CE | EU | Reuters, NSO |
| 75 | 11/04/2022 | Since March 2022 | Since March 2022 | Multiple threat actors | Organizations in the US | The Cybersecurity and Infrastructure Security Agency (CISA) orders federal civilian agencies, and urges all US organizations, to patch CVE-2022-23176, an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances. | CVE-2022-23176 Vulnerability | Multiple Industries | CE | US | Cybersecurity and Infrastructure Security Agency, CISA, CVE-2022-23176, WatchGuard, Firebox, XTM |
| 76 | 11/04/2022 | During 2021 | During 2021 | ? | Users in South Korea | Researchers from Kaspersky reveal the details of Fakecalls, a banking trojan for Android with a powerful capability that enables it to take over calls to a bank’s customer support number and connect the victim directly with the cybercriminals operating the malware. | Malware | Finance and insurance | CC | KR | Kaspersky, Fakecalls, Android |
| 77 | 11/04/2022 | During April 2022 | During April 2022 | Qbot | Multiple organizations | The Qbot botnet is now pushing malware payloads via phishing emails with password-protected ZIP archive attachments containing malicious MSI Windows Installer packages. | Malware | Multiple Industries | CC | >1 | Qbot |
| 78 | 11/04/2022 | 17/03/2022 | - | Viktor Mukhachev aka Yaffle | npm users | A third protestware appears: the 'event-source-polyfill' package is modified to show anti-war messages in Russian 15 seconds after its execution. | | | | | |
| 79 | | | | | | The BlackCat (ALPHV) ransomware group claims to have breached Florida International University, stealing 1.2 TB of data. | Malware | Education | CC | US | BlackCat, ALPHV, ransomware, Florida International University |
| 80 | 11/04/2022 | From 16/10/2021 | 04/11/2021 | ? | Signature Healthcare Corporation (SHC) | Signature Healthcare Corporation (SHC) reveals it suffered a data breach that potentially resulted in personal information exposure when an unauthorized individual temporarily accessed clinician employees’ email accounts. | Account Takeover | Human health and social work | CC | US | Signature Healthcare Corporation, SHC |
| 81 | 11/04/2022 | 17/10/2021 | - | ? | Adaptive Health Integrations | Adaptive Health Integrations discloses it suffered a hacking incident that impacted 510,574 individuals. | Unknown | Human health and social work | CC | US | Adaptive Health Integrations |
| 82 | 12/04/2022 | 08/04/2022 | 08/04/2022 | Sandworm | Large Ukrainian energy provider | Researchers from ESET and the Computer Emergency Response Team of Ukraine (CERT-UA) reveal that the Russian state-sponsored hacking group Sandworm tried to take down a large Ukrainian energy provider via a new wiper malware called Industroyer2. | Malware | Electricity, gas steam, air conditioning | CW | UA | ESET, Computer Emergency Response Team of Ukraine, CERT-UA, Sandworm, Industroyer2, Ukraine, Russia |
| 83 | 12/04/2022 | - | - | LockBit | Undisclosed U.S. government agency | Researchers from Sophos reveal that a regional U.S. government agency compromised with LockBit ransomware had the threat actor in its network for at least five months before the payload was deployed. | Malware | Public admin and defence, social security | CC | US | Sophos, LockBit, ransomware |
| 84 | 12/04/2022 | Since at least mid-March 2022 | Mid-March 2022 | Keksec | Vulnerable devices | Researchers from Fortinet discover a new Mirai-based botnet malware named Enemybot, growing its army of infected devices through vulnerabilities in modems, routers, and IoT devices. | Multiple vulnerabilities | Multiple Industries | CC | >1 | Fortinet, Mirai, Enemybot, Keksec |
| 85 | 12/04/2022 | Early 2022 | Early 2022 | ? | African banking sector | Researchers from HP discover a campaign targeting the African banking sector via the RemcosRAT. | Malware | Finance and insurance | CC | >1 | HP, RemcosRAT |
| 86 | 12/04/2022 | 12/04/2022 | | ? | Elephant Money | Elephant Money, the decentralized finance (DeFi) protocol behind the ELEPHANT token and the TRUNK stablecoin, announces that hackers stole $11.2 million worth of Binance Coin. | Price manipulation | Fintech | CC | N/A | Elephant Money, ELEPHANT, TRUNK |
| 87 | 12/04/2022 | - | - | Anonymous | Ministry of Culture of the Russian Federation | The Ministry of Culture of the Russian Federation suffers a leak of 446 GB containing 230,000 emails. | Unknown | Public admin and defence, social security | H | RU | Ministry of Culture of the Russian Federation, Anonymous |
| 88 | 12/04/2022 | - | - | Anonymous | City of Blagoveshchensk | The City of Blagoveshchensk suffers a leak of 150 GB containing 230,000 emails. | Unknown | Public admin and defence, social security | H | RU | City of Blagoveshchensk, Anonymous |
| 89 | 12/04/2022 | - | - | Anonymous | Governor's office of the Tver region | The Governor's office of the Tver region suffers a leak of 116 GB containing 130,000 emails. | Unknown | Public admin and defence, social security | H | RU | Governor's office of the Tver region, Anonymous |
| 90 | 12/04/2022 | From August 2021 to February 2022 | - | HAFNIUM | Entities in the United States across multiple industries | Researchers from Microsoft reveal that the China-backed HAFNIUM cyberespionage group is likely behind a new piece of malware, dubbed Tarrask, used to maintain persistence on compromised Windows systems. | Targeted Attack | Multiple Industries | CE | US | Microsoft, HAFNIUM, Tarrask |
| 91 | 12/04/2022 | During the first week of April 2022 | During the first week of April 2022 | ? | Unnamed telecommunication company in Honolulu | Federal agents in Honolulu disrupt an apparent cyberattack on an unnamed telecommunication company’s servers associated with an underwater cable responsible for internet, cable service and cell connections in Hawaii and the region. | Unknown | Information and communication | CC | US | Honolulu, Hawaii |
| 92 | 12/04/2022 | 12/04/2022 | 12/04/2022 | ? | Currency.com | Hours after Currency.com, a global cryptocurrency exchange, announces that it is halting operations in Russia, it faces a distributed denial-of-service attack. | DDoS | Fintech | CC | GI | Currency.com |
| 93 | 13/04/2022 | - | - | Multiple threat actors | Multiple industrial devices | A joint cybersecurity advisory issued by CISA, NSA, FBI, and the Department of Energy (DOE) warns of government-backed hacking groups being able to hijack multiple industrial devices using a new ICS-focused malware toolkit dubbed Pipedream or Incontroller. | Malware | Electricity, gas steam, air conditioning | CE | US | CISA, NSA, FBI, Department of Energy, DOE, ICS, Pipedream, Incontroller |
| 94 | 13/04/2022 | 13/04/2022 | 13/04/2022 | Multiple threat actors | Vulnerable VMware instances | Threat actors are actively scanning for vulnerable VMware Workspace ONE Access and VMware Identity Manager servers, trying to exploit CVE-2022-22954. | CVE-2022-22954 Vulnerability | Multiple Industries | CC | >1 | VMware Workspace ONE Access, VMware Identity Manager, CVE-2022-22954 |
| 95 | 13/04/2022 | - | - | Multiple threat actors | Multiple organizations in the U.S. | The Cybersecurity and Infrastructure Security Agency (CISA) warns organizations to patch the actively exploited CVE-2022-24521 affecting the Windows Common Log File System Driver. | CVE-2022-24521 Vulnerability | Multiple Industries | N/A | US | Cybersecurity and Infrastructure Security Agency, CISA, CVE-2022-24521, Windows Common Log File System Driver |
| 96 | 13/04/2022 | Between 29/03/2022 and 10/04/2022 | - | Fodcha | Vulnerable devices | Researchers from Qihoo 360 reveal the details of Fodcha, a rapidly growing botnet enslaving routers, DVRs, and servers across the Internet to target more than 100 victims every day in distributed denial-of-service (DDoS) attacks. | Multiple vulnerabilities and brute-force | Multiple Industries | CC | >1 | Qihoo 360, Fodcha |
| 97 | 13/04/2022 | - | 13/04/2022 | Anonymous | Technotec | In the name of #OpRussia, the Anonymous collective leaks 495,000 new emails (440GB) from the Russian firm Technotec, which provides oil and gas field services to companies including Rosneft and Gazprom Neft. | Unknown | Professional, scientific and technical | H | RU | #OpRussia, Anonymous, Technotec, Rosneft, Gazprom Neft |
| 98 | 14/04/2022 | - | - | UAC-0041 | Government agencies in Ukraine | The Computer Emergency Response Team of Ukraine (CERT-UA) reveals the details of a campaign targeting organizations in Ukraine and distributing the IcedID (aka BankBot) malware. | Malware | Public admin and defence, social security | CE | UA | Computer Emergency Response Team of Ukraine, CERT-UA, Ukraine, IcedID, BankBot |
| 99 | 14/04/2022 | - | - | UAC-0097 | Government agencies in Ukraine | The Computer Emergency Response Team of Ukraine (CERT-UA) reveals the details of a campaign targeting organizations in Ukraine and exploiting the Zimbra CVE-2018-6882 vulnerability. | CVE-2018-6882 Vulnerability (Zimbra) | Public admin and defence, social security | CE | UA | Computer Emergency Response Team of Ukraine, CERT-UA, Ukraine, Zimbra, CVE-2018-6882 |
| 100 | 14/04/2022 | 22/03/2022 and 25/02/2022 | - | OldGremlin | Organizations in Russia | Researchers from Group-IB discover two campaigns by the OldGremlin ransomware criminal group targeting organizations in Russia. | Malware | Multiple Industries | CC | RU | Group-IB, OldGremlin, Russia |
| 101 | 14/04/2022 | Since March 2022 | 'Recently' | Haskers Gang | Multiple organizations | Researchers from Cisco Talos discover a new information stealer called "ZingoStealer". | Malware | Multiple Industries | CC | >1 | Cisco Talos, ZingoStealer, Haskers Gang |
| 102 | 14/04/2022 | Mid-April 2022 | Mid-April 2022 | ? | Windows users | Windows 11 ToolBox, a popular script used to add the Google Play Store to the Android Subsystem, is discovered to secretly infect users with malicious scripts, Chrome extensions, and potentially other malware. | Malware | Individual | | | |
CC
>1
Windows 11 ToolBox, Google Play Store, Android
103
14/04/2022
-
-
Multiple threat actors
Multiple organizations
Google releases Chrome 100.0.4896.127 for Windows, Mac, and Linux, to fix CVE-2022-1364, a high-severity zero-day vulnerability actively used by threat actors in attacks.
The FBI warns that cybercriminals are attempting to trick American users of digital payment apps into making instant money transfers in social engineering attacks using text messages with fake bank fraud alerts.
Account Takeover
Finance and insurance
CC
US
FBI
105
14/04/2022
-
-
?
T-;Mobile users in the U.S.
The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) issues a warning for an ongoing phishing campaign targeting T-Mobile customers with malicious links using unblockable texts sent via SMS (Short Message Service) group messages.
Account Takeover
Individual
CC
US
New Jersey Cybersecurity & Communications Integration Cell, NJCCIC, T-Mobile, SMS, Short Message Service
106
14/04/2022
'Recently'
'Recently'
Lazarus Group
Chemical and IT sector organizations in South Korea
Researchers from Symantec Broadcom reveal that the Operation Dream Job has now been expanded to target chemical and IT sector organizations in South Korea.
Targeted Attack
Multiple Industries
CE
KR
Symantec Broadcom, Operation Dream Job
107
14/04/2022
13/02/2022
13/02/2022
?
New Creation Counseling Center (NCCC)
New Creation Counseling Center (NCCC) reveals to have suffered a ransomware attack that impacted 24,029 individuals
Malware
Human health and social work
CC
US
New Creation Counseling Center, NCCC, ransomware
108
14/04/2022
-
14/04/2022
Anonymous
Gazprom Linde Engineering
In name of #OpRussia, the Anonymous leak 768,000 new emails (728GB) from Gazprom Linde Engineering, which specializes in designing gas and petrochemical processing facilities and oil refineries.
Unknown
Professional, scientific and technical
H
RU
#OpRussia, Anonymous, Gazprom Linde Engineering
109
14/04/2022
Since end of February 2022
During March 2022
BlueHornet (AKA APT49, AgainstTheWest)
Major organizations and APTs in Russia, China, Iran and North Korea
Researchers from CyberInt reveal the details of BlueHornet (AKA APT49, AgainstTheWest) a relatively new advanced persistent threat group that has compromised major organizations and APTs in Russia, China, Iran and North Korea, including APT28 (aka Fancy Bear), APT38 (aka The Lazarus Group) and APT40 (aka Kryptonite Panda).
Targeted Attack
Multiple Industries
>1
>1
CyberInt, BlueHornet. APT49, AgainstTheWest, APT28, Fancy Bear, APT38, The Lazarus Group, APT40, Kryptonite Panda
110
14/04/2022
-
-
?
Taiwanese singer and actor Jay Chou
Attackers exploit a design flaw in the Rarible NFT marketplace to steal a non-fungible token from Taiwanese singer and actor Jay Chou and sell it for about $500,000.
Vulnerability
Finance and insurance
CC
TW
Rarible, NFT, Jay Chou
111
14/04/2022
-
-
?
Dayton Independent School District
Dayton Independent School District in Texas notifies the Texas Attorney General’s Office of a data breach that involved names and Social Security Numbers of 841 Texans.`
Unknown
Education
CC
US
Dayton Independent School District
112
14/04/2022
-
-
?
Spanish football federation (RFEF)
The Spanish football federation (RFEF) says it was victim of a hacking attack which resulted in the loss of data belonging to president Luis Rubiales.
Unknown
Arts entertainment, recreation
CC
ES
Spanish football federation, RFEF
113
15/04/2022
-
-
?
Multiple organizations in the U.S.
The Cybersecurity and Infrastructure Security Agency (CISA) warns organizations about the active exploitation of CVE-2022-22960, a VMware privilege escalation flaw.
CVE-2022-22960 Vulnerability
Multiple Industries
CC
US
Cybersecurity and Infrastructure Security Agency, CISA, CVE-2022-22960, VMware
114
15/04/2022
12/04/2022
12/04/2022
?
Multiple organizations
GitHub reveals that an attacker is using stolen OAuth user tokens (issued to Heroku and Travis-CI) to download data from private repositories.
Account Takeover
Multiple Industries
CC
>1
GitHub, OAuth, Heroku, Travis-CI
115
15/04/2022
Between 26/01/2022 and 23/11/2021
14/03/2022
?
Newman Regional Health (NRH)
Newman Regional Health (NRH) notifies 52,224 patients that unauthorized individuals have gained access to certain employee email accounts that contained protected health information.
Account Takeover
Human health and social work
CC
US
Newman Regional Health, NRH
116
15/04/2022
Between 24/06/2021 and 12/08/2021
11/04/2022
?
Contra Costa County
Contra Costa County reveals a breach of employee email accounts and the exposure of sensitive personal information.
Account Takeover
Public admin and defence, social security
CC
US
Contra Costa County
117
15/04/2022
-
15/04/2022
NB65
Continent Express
In name of #OpRussia, the Anonymous-linked group NB 65 leaks nearly 400 GB of files and databases from Continent Express, Russia's largest independent travel agency.
Unknown
Arts entertainment, recreation
H
RU
NB65, Continent Express
118
15/04/2022
-
-
?
McDonald’s Costa Rica
A hacker accessed sensitive data belonging to McDonald’s Costa Rica customers through an exposed database managed by a third-party service provider.
Misconfiguration
Accommodation and food service
CC
CR
McDonald’s Costa Rica
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
Enjoy the interactive timeline, and thanks for sharing it and supporting my work in spreading risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.