The second timeline of April 2022 is finally out (you can find the first one at this link). In this fortnight I have collected 97 events, an average of 6.47 events/day. Although this is a noticeable drop compared to the 123 events of the previous timeline, the level of activity remains quite high and, predictably, a large share of it is driven by the war in Ukraine, which inevitably has implications in cyberspace as well.
A consolidated trend since the start of the Russian invasion is the cyber war declared by the Anonymous collective and its affiliates against the Russian government: the hacktivists continue to leak data from Russian organizations. But this is not the only way the situation in Ukraine is affecting cyberspace: the country continues to be the target of multiple operations, especially DDoS attacks against local targets and targeted cyber espionage operations.
Ransomware attacks continue to be relevant, with Conti, BlackCat, and Quantum, the new kid on the block, being the most active ransomware gangs. Attacks on high-profile targets continue, and the percentage of events related to ransomware is now 18.56% (up from 11.86% in the previous timeline). Similarly, 10.3% of the events were characterized by the exploitation of a vulnerability.
Massive attacks against fintech and decentralized finance companies continue. Even in this fortnight, at least three organizations were hit, for a staggering total loss of nearly $140M worth of crypto assets.
And we are used to seeing quite a complicated cyber espionage landscape. As in previous months, this timeline reports many well-known threat actors (not necessarily related to the events in Ukraine), such as Mustang Panda, DarkSeoul, APT29, and the Lazarus Group.
| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 17/04/2022 | - | 17/04/2022 | ? | Beanstalk | The decentralized, credit-based finance system Beanstalk discloses that it suffered a security breach that resulted in financial losses of $182 million, with the attacker stealing $80 million in crypto assets. | Flash loan | Fintech | CC | N/A | Beanstalk |
| 2 | 17/04/2022 | 15/04/2022 | 15/04/2022 | ? | MetaMask users | MetaMask publishes a warning for its iOS users that cryptocurrency wallet seeds are stored in Apple's iCloud if app data backup is active, after at least one user loses over $655k as a result of a phishing attack. | Account Takeover | Fintech | CC | >1 | MetaMask |
| 3 | 17/04/2022 | - | - | ? | Rideau Hall | Rideau Hall discloses a "sophisticated computer breach." | Unknown | Public admin and defence, social security | CC | CA | Rideau Hall |
| 4 | 18/04/2022 | During April 2022 | During April 2022 | ? | State organizations of Ukraine | The Ukrainian CERT-UA warns of phishing attacks on state organizations of Ukraine using the "Azovstal" topic and Cobalt Strike Beacon. | Malware | Public admin and defence, social security | CE | UA | Ukraine, CERT-UA, Azovstal, Cobalt Strike |
| 5 | 18/04/2022 | - | - | NB65 | PSCB Petersburg Social Commercial Bank (JSC Bank "PSCB") | In the name of #OpRussia, NB65, a group affiliated with Anonymous, leaks 229,000 emails and 630,000 files from the Petersburg Social Commercial Bank (JSC Bank "PSCB"), one of the top 100 Russian banks. | Unknown | Finance and insurance | H | RU | #OpRussia, Anonymous, PSCB, Petersburg Social Commercial Bank, JSC, NB65 |
| 6 | 18/04/2022 | During April 2022 | During April 2022 | ? | Single individuals | An ongoing campaign relies on poisoned search results to push a website mimicking Microsoft's promotional page for Windows 11 and deliver an infostealer able to steal browser data and cryptocurrency wallets. | Malware | Individual | CC | >1 | Windows 11 |
| 7 | 18/04/2022 | Between 2017 and 2020 | - | ? | 65 Catalan politicians, journalists, and activists | Researchers from Citizen Lab discover a new zero-click iMessage exploit used to install the NSO Group Pegasus and Candiru spyware on iPhones belonging to Catalan politicians, journalists, and activists, exploiting CVE-2019-3568, CVE-2021-31979, and CVE-2021-33771. | | | | | |
| | | | | | Official UK networks including the Prime Minister's Office and the Foreign and Commonwealth Office | Researchers from Citizen Lab reveal that in 2020 and 2021 they observed, and notified the government of the United Kingdom of, multiple suspected instances of Pegasus spyware infections within official UK networks, including the Prime Minister's Office and the Foreign and Commonwealth Office. | Targeted Attack | Public admin and defence, social security | CE | UK | Citizen Lab, United Kingdom, Pegasus, Prime Minister's Office, Foreign and Commonwealth Office |
| 9 | 18/04/2022 | - | - | Lazarus Group AKA APT38 | Organizations in the cryptocurrency and blockchain industries | CISA, the FBI, and the US Treasury Department issue a warning about TraderTraitor, a campaign carried out by the North Korean Lazarus Group that targets organizations in the cryptocurrency and blockchain industries with trojanized cryptocurrency applications. | Malware | Fintech | CC | US | CISA, FBI, US Treasury Department, TraderTraitor, Lazarus Group, APT38 |
| 10 | 18/04/2022 | - | - | ? | Lilin security camera DVR devices | Researchers from Nozomi Networks discover Lilin Scanner, a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices. | Vulnerability | Multiple Industries | CC | >1 | Nozomi Networks, Lilin Scanner, BotenaGo, Lilin |
| 11 | 18/04/2022 | Between 30/08/2021 and 02/09/2021 | - | ? | Optima Dermatology Holdings | Optima Dermatology Holdings announces that it has experienced an email security incident that resulted in the exposure of the protected health information of patients of The Dermatology Center of Indiana and Advanced Dermatology & Skin Cancer Center. | Account Takeover | Human health and social work | CC | US | Optima Dermatology Holdings, The Dermatology Center of Indiana, Advanced Dermatology & Skin Cancer Center |
| 12 | 19/04/2022 | - | - | Anonymous | Tendertech | In the name of #OpRussia, the Anonymous collective leaks 426,000 emails (160 GB) from Tendertech, a firm specializing in processing financial and banking documents on behalf of businesses and entrepreneurs. | Unknown | Professional, scientific and technical | H | RU | #OpRussia, Anonymous, Tendertech |
| 13 | 19/04/2022 | - | - | Anonymous | General Department of Troops and Civil Construction | In the name of #OpRussia, the Anonymous collective leaks more than 15,000 emails from the Russian General Department of Troops and Civil Construction. | Unknown | Public admin and defence, social security | H | RU | Anonymous, Russian General Department of Troops and Civil Construction, #OpRussia |
| 14 | 19/04/2022 | - | - | Anonymous | Neocom Geoservice | In the name of #OpRussia, the Anonymous collective leaks 87,500 emails (107 GB) from Neocom Geoservice, an engineering firm specializing in exploring oil and gas fields and providing drilling support. | Unknown | Professional, scientific and technical | H | RU | #OpRussia, Anonymous, Neocom Geoservice |
| 15 | 19/04/2022 | - | - | Conti | Government of Costa Rica | Several systems operated by the government of Costa Rica are hit by a Conti ransomware attack. | Malware | Public admin and defence, social security | CC | CR | Costa Rica, Conti, ransomware |
| 16 | 19/04/2022 | During March 2022 | During March 2022 | Emotet | Multiple organizations | Multiple security researchers observe a sharp rise in Emotet activity from February to March. | Malware | Multiple Industries | CC | >1 | Emotet |
| 17 | 19/04/2022 | - | - | Multiple threat actors | Multiple organizations | The Cybersecurity and Infrastructure Security Agency (CISA) warns that attackers are now exploiting the Windows Print Spooler bug CVE-2022-22718. | CVE-2022-22718 vulnerability | Multiple Industries | N/A | US | Cybersecurity and Infrastructure Security Agency, CISA, Windows Print Spooler, CVE-2022-22718 |
| 18 | 19/04/2022 | 'Recently' | 'Recently' | Hive | Vulnerable Microsoft Exchange servers | Researchers from Varonis reveal that a Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to the ProxyShell security issues to deploy various backdoors, including Cobalt Strike Beacon. | ProxyShell vulnerability | Multiple Industries | CC | >1 | Varonis, Hive, ransomware, Microsoft Exchange, Cobalt Strike |
| 19 | 19/04/2022 | During April 2022 | During April 2022 | ? | Individuals in the US | Researchers from Resecurity discover a phishing campaign impersonating the IRS and one of the industry vendors that provide solutions to government agencies. | Account Takeover | Individual | CC | US | Resecurity, IRS |
| 20 | 19/04/2022 | Since 11/04/2022 | - | DragonForce Malaysia | Multiple entities in Israel | Researchers from Radware reveal the details of the resurgence of OpsBedilReloaded, targeting multiple entities in Israel. | Defacement | Multiple Industries | H | IL | DragonForce Malaysia, OpsBedilReloaded |
| 21 | 19/04/2022 | 14/04/2022 | 14/04/2022 | ? | Funky Pigeon | The British retailer Funky Pigeon announces that it has experienced a "cyber incident." | Unknown | Wholesale and retail | CC | UK | Funky Pigeon |
| 22 | 19/04/2022 | - | - | ? | Undisclosed airline systems provider | An undisclosed airline systems provider is breached and, as a consequence, thousands of passengers of the Canadian low-cost airline Sunwing Airlines Inc face flight delays. | Unknown | Professional, scientific and technical | CC | CA | Sunwing Airlines Inc |
| 23 | 19/04/2022 | 16/04/2022 | 16/04/2022 | ? | Unified Government of Wyandotte County and Kansas City | The Unified Government of Wyandotte County and Kansas City is hit by a cyber attack. | Unknown | Public admin and defence, social security | CC | US | Unified Government of Wyandotte County and Kansas City |
| 24 | 20/04/2022 | - | - | Anonymous | Worldwide Invest | In the name of #OpRussia, the Anonymous collective releases 250,000 emails (130 GB) from Worldwide Invest, an investment firm with ties to Estonia and Russian railways. | Unknown | Finance and insurance | H | RU | #OpRussia, Anonymous, Worldwide Invest |
| 25 | 20/04/2022 | - | - | Anonymous | Sawatzky | In the name of #OpRussia, the Anonymous collective releases 575,000 emails (432 GB) from Sawatzky, a property management company. | Unknown | Real estate | H | RU | #OpRussia, Anonymous, Sawatzky |
| 26 | 20/04/2022 | 'Recently' | 'Recently' | Gamaredon (AKA Armageddon/Shuckworm) | Organizations in Ukraine | Researchers from Symantec Broadcom report that the Russian state-sponsored threat group known as Gamaredon (a.k.a. Armageddon/Shuckworm) is launching attacks against targets in Ukraine using new variants of the custom Pteredo backdoor. | Targeted Attack | Multiple Industries | CE | UA | Symantec Broadcom, Gamaredon, Armageddon, Shuckworm, Ukraine, Pteredo, Russia |
| 27 | 20/04/2022 | - | - | GhostSec | Metrospetstekhnika | In the name of #OpRussia, the group GhostSec, affiliated with the Anonymous collective, claims to have breached Metrospetstekhnika, a provider for 'every metro in Russia'. | Unknown | Transportation and storage | H | RU | #OpRussia, GhostSec, Anonymous, Russia |
| 28 | 20/04/2022 | August 2020 | - | Anonymous | Synesis Surveillance System | In the name of #OpRussia, the Anonymous collective leaks 1.2 GB of data from Synesis Surveillance System. | Unknown | Professional, scientific and technical | H | RU | #OpRussia, Anonymous, Synesis Surveillance System |
| 29 | 20/04/2022 | - | - | Anonymous | Gazregion | In the name of #OpRussia, the Anonymous collective leaks 222 GB of data from Gazregion, a construction company specializing in gas pipelines and facilities. | Unknown | Professional, scientific and technical | H | RU | #OpRussia, Anonymous, Gazregion |
| 30 | 20/04/2022 | Starting from 18/04/2022 | Starting from 18/04/2022 | Killnet | Multiple websites in the Czech Republic, including the Czech railways, the Karlovy Vary and Pardubice airports, and the public administration portal | The pro-Russian collective Killnet takes down multiple websites in the Czech Republic. | DDoS | Multiple Industries | H | CZ | Killnet, Czech Republic, Czech railways, Karlovy Vary airport, Pardubice airport, public administration portal |
| 31 | 20/04/2022 | - | - | REvil | Undisclosed organization | REvil ransomware's servers in the Tor network are back up after months of inactivity and are redirecting to a new operation that launched recently. | Malware | Unknown | CC | N/A | REvil |
| 32 | 20/04/2022 | During March 2022 | - | ? | Facebook users | Researchers at Abnormal Security reveal the details of a phishing campaign leveraging the Facebook infrastructure. | Account Takeover | Individual | CC | >1 | Abnormal Security, Facebook |
| 33 | 20/04/2022 | Between 19/10/2021 and 21/10/2021 | - | ? | Los Angeles County Department of Mental Health | The Los Angeles County Department of Mental Health reveals that it suffered a "malicious cyberattack" that compromised the client information of 5,129 individuals. | Malware | Human health and social work | CC | US | Los Angeles County Department of Mental Health |
| 34 | 20/04/2022 | 24/11/2021 | - | ? | Healthplex Inc. | Healthplex Inc. announces that the email account of an employee was compromised in a phishing attack on November 24, 2021. | Account Takeover | Human health and social work | CC | US | Healthplex Inc. |
| 35 | 20/04/2022 | Between 06/06/2020 and 12/06/2020 | 17/07/2020 | ? | La Casa de Salud | La Casa de Salud discloses an email account breach that was detected on July 17, 2020. | Account Takeover | Human health and social work | CC | US | La Casa de Salud |
| 36 | 20/04/2022 | 09/04/2022 | 09/04/2022 | ? | Tehama County Social Services Department | Tehama County Social Services Department continues its investigation into a technical disruption to the operation of systems within its computer network on April 9. | Unknown | Human health and social work | CC | US | Tehama County Social Services Department, Quantum, ransomware |
| 37 | 20/04/2022 | December 2021 | - | ? | Eye Care Leaders | Eye Care Leaders is hit by multiple ransomware attacks. | Malware | Professional, scientific and technical | CC | US | Eye Care Leaders, ransomware |
| 38 | 21/04/2022 | - | - | Anonymous | Accent Capital | In the name of #OpRussia, the Anonymous collective leaks 365,000 emails (211 GB) from the Russian real-estate investment firm Accent Capital. | Unknown | Real estate | H | RU | #OpRussia, Anonymous, Accent Capital |
| 39 | 21/04/2022 | Between November 2021 and March 2022 | Between November 2021 and March 2022 | BlackCat (AKA ALPHV) | 60 organizations worldwide | The Federal Bureau of Investigation (FBI) says the BlackCat ransomware gang, also known as ALPHV, has breached the networks of at least 60 organizations worldwide between November 2021 and March 2022. | Malware | Multiple Industries | CC | >1 | Federal Bureau of Investigation, FBI, BlackCat, ALPHV, ransomware |
| 40 | 21/04/2022 | - | - | Lemon_Duck | Misconfigured Linux servers | Researchers from CrowdStrike reveal that Docker APIs on Linux servers are being targeted by a large-scale Monero crypto-mining campaign from the operators of the Lemon_Duck botnet. | Misconfiguration | Multiple Industries | CC | >1 | CrowdStrike, Docker, Linux, Lemon_Duck |
| 41 | 21/04/2022 | 'Recently' | 'Recently' | ? | Multiple organizations | Security researchers at Cyble reveal the details of Prynt Stealer, an infostealer offering powerful capabilities plus extra keylogger and clipper modules. | Malware | Multiple Industries | CC | >1 | Cyble, Prynt Stealer |
| 42 | 21/04/2022 | During March 2022 | During March 2022 | ? | Single individuals | Researchers from Avanan reveal the details of a phishing campaign spoofing credit unions. | Account Takeover | Finance and insurance | CC | US | Avanan, credit unions |
| 43 | 21/04/2022 | Early December 2021 | Early December 2021 | ? | Lincoln College | Lincoln College is hit by a ransomware attack and is forced to shut down its operations. | Malware | Education | CC | US | Lincoln College |
| 44 | 21/04/2022 | 20/04/2022 | 20/04/2022 | Altahrea Team | Israel Airports Authority | A pro-Iran hacking group named Altahrea Team hits the website of the Israel Airports Authority. | DDoS | Transportation and storage | H | IL | Altahrea Team, Israel Airports Authority |
| 45 | 22/04/2022 | 22/04/2022 | 22/04/2022 | ? | Ukraine's national postal service (Ukrposhta) | Ukraine's national postal service Ukrposhta is hit with a DDoS attack. | DDoS | Public admin and defence, social security | CW | UA | Ukraine, National Postal Service, Ukrposhta |
| 46 | 22/04/2022 | - | - | Anonymous | Enerpred | In the name of #OpRussia, the Anonymous collective leaks 645,000 emails (432 GB) from Enerpred, the largest producer of hydraulic tools in Russia, specializing in the energy, petrochemical, coal, gas and construction industries. | Unknown | Manufacturing | H | RU | #OpRussia, Anonymous, Enerpred |
| 47 | 22/04/2022 | 'Several weeks ago' | 'Several weeks ago' | Lapsus$ | T-Mobile | T-Mobile confirms that the Lapsus$ extortion gang breached its network "several weeks ago" using stolen credentials and gained access to internal systems. | Account Takeover | Information and communication | CC | US | T-Mobile, Lapsus$ |
| 48 | 22/04/2022 | - | 21/04/2022 | LockBit | Secretary of State for Finance of Rio de Janeiro | The Secretary of State for Finance of Rio de Janeiro confirms that it is dealing with a ransomware attack on its systems. | Malware | Public admin and defence, social security | CC | BR | Secretary of State for Finance of Rio de Janeiro, LockBit, ransomware |
| 49 | 22/04/2022 | During March 2022 | During March 2022 | BlackCat (AKA ALPHV) | Undisclosed organization | Researchers from Forescout reveal the details of a BlackCat ransomware attack in which the attackers exploited an Internet-exposed SonicWall firewall to gain initial access to the network and then moved to, and encrypted, a VMware ESXi virtual farm. | SonicWall vulnerability | Unknown | CC | N/A | BlackCat, ALPHV, Forescout, SonicWall, ransomware |
| 50 | 22/04/2022 | - | - | ? | Multiple organizations | Researchers from Rapid7 reveal that the vulnerability CVE-2022-29464, affecting the enterprise software development solutions provider WSO2, is currently being exploited in the wild. | CVE-2022-29464 vulnerability | Multiple Industries | CC | >1 | Rapid7, CVE-2022-29464, WSO2 |
| 51 | 22/04/2022 | 21/02/2022 | 23/02/2022 | ? | Center for Life Management (CLM) | The Mental Health Center of Greater Manchester (MHCGM) in New Hampshire announces that patient data was potentially compromised in a cyberattack at a third-party community mental health services partner, Center for Life Management (CLM), which was used for data storage. | Unknown | Human health and social work | CC | US | Mental Health Center of Greater Manchester, MHCGM, Center for Life Management, CLM |
| 52 | 23/04/2022 | - | 22/10/2021 | ? | Illinois Gastroenterology Group (IGG) | Illinois Gastroenterology Group (IGG) discloses that it suffered a data security incident that potentially impacted 227,943 individuals. | Unknown | Human health and social work | CC | US | Illinois Gastroenterology Group, IGG |
| 53 | 23/04/2022 | 27/11/2021 | 30/11/2021 | ? | Scott County | Scott County discloses a phishing attack. | Account Takeover | Public admin and defence, social security | CC | US | Scott County |
| 54 | 24/04/2022 | - | 24/04/2022 | Conti | Junta Administrativa del Servicio Eléctrico de Cartago (JASEC) | The Conti ransomware gang cripples the systems of the Junta Administrativa del Servicio Eléctrico de Cartago (JASEC). | Malware | Electricity, gas, steam, air conditioning | CC | CR | Conti, ransomware, Junta Administrativa del Servicio Eléctrico de Cartago, JASEC |
| 55 | 24/04/2022 | 'Recently' | 'Recently' | ? | Multiple targets in Iran | Iran's state television says authorities have foiled a massive cyberattack that sought to target public services, both government and privately owned. | Unknown | Multiple Industries | CW | >1 | Iran |
| 56 | 25/04/2022 | - | - | Quantum | Undisclosed organization | Researchers at The DFIR Report disclose the technical details of a Quantum ransomware attack that lasted only 3 hours and 44 minutes from initial infection to the completion of device encryption. | Malware | Unknown | CC | N/A | The DFIR Report, Quantum, ransomware |
| 57 | 25/04/2022 | 19/04/2022 | 19/04/2022 | ? | GHT Coeur Grand Est. | The GHT Coeur Grand Est. Hospitals and Health Care group disconnects all incoming and outgoing Internet connections after discovering it suffered a cyberattack that resulted in the theft of sensitive administrative and patient data. | Unknown | Human health and social work | CC | FR | GHT Coeur Grand Est. |
| 58 | 25/04/2022 | During April 2022 | During April 2022 | Emotet | Multiple organizations | The Emotet malware phishing campaign is up and running again after the threat actors fixed a bug that prevented people from becoming infected when they opened malicious email attachments. | Malware | Multiple Industries | CC | >1 | Emotet |
| 59 | 25/04/2022 | During April 2022 | During April 2022 | Multiple threat actors (including Rocket Kitten) | Multiple organizations | Researchers from Morphisec reveal that advanced hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2022-22954, that affects VMware Workspace ONE Access (formerly called VMware Identity Manager). | | | | | |
| | | | | | | Popular NFT company Bored Ape Yacht Club (BAYC) reveals that cybercriminals hacked its Instagram account and used the access to share fraudulent phishing sites that allowed the theft of dozens of NFTs worth millions of dollars. | Account Takeover | Fintech | CC | N/A | Bored Ape Yacht Club, BAYC |
| 61 | 25/04/2022 | Between 18/01/2022 and 24/02/2022 | - | ? | ARcare | ARcare notifies people whose personal and/or medical information may have been accessed or acquired in a malware incident impacting 345,353 patients. | Malware | Human health and social work | CC | US | ARcare |
| 62 | 25/04/2022 | - | - | Hackers of Savior | Bank of Israel | A group of hackers purportedly linked to Iran, dubbed Hackers of Savior, claims to have hacked into the system used to transfer money between Israeli banks and, through it, to have entered people's personal accounts. | Unknown | Finance and insurance | H | IL | Iran, Hackers of Savior, Bank of Israel |
| 63 | 25/04/2022 | - | - | ? | Aeropost | Aeropost suffers a credit card breach. | Unknown | Wholesale and retail | CC | US | Aeropost |
| 64 | 26/04/2022 | - | - | Stormous | Coca-Cola | Coca-Cola investigates the claims of a cyberattack on its network after the Stormous ransomware gang said that it successfully breached some of the company's servers and stole 161 GB of data. | Unknown | Accommodation and food service | CC | US | Coca-Cola, Stormous, ransomware |
| 65 | 26/04/2022 | 22/04/2022 | 22/04/2022 | Black Basta | American Dental Association (ADA) | The American Dental Association (ADA) is hit by the new Black Basta ransomware. | Malware | Human health and social work | CC | US | American Dental Association, ADA, Black Basta, ransomware |
| 66 | 26/04/2022 | During April 2022 | During April 2022 | Emotet | Multiple organizations | The Emotet botnet is now using Windows shortcut files (.LNK) containing PowerShell commands to infect victims' computers, moving away from Microsoft Office macros, which are now disabled by default. | Malware | Multiple Industries | CC | >1 | Emotet, LNK |
| 67 | 26/04/2022 | During February 2022 | During February 2022 | Hive0117 | Telecommunication service providers and industrial firms in Lithuania, Estonia, and Russia | Researchers from IBM Security X-Force identify a phishing email campaign by Hive0117, a likely financially motivated cybercriminal group, designed to deliver the fileless malware variant dubbed DarkWatchman. | Malware | Information and communication | CC | >1 | IBM Security, X-Force, Hive0117, DarkWatchman |
| 68 | 26/04/2022 | 18/04/2022 | 18/04/2022 | LockBit | EKZ | The library lending app Onleihe announces problems lending several media formats offered on the platform, such as audio, video, and e-book files, after a ransomware attack targeted its service provider EKZ. | Malware | Information and communication | CC | DE | LockBit, Onleihe, ransomware, EKZ |
| 69 | 26/04/2022 | Between 04/04/2022 and 19/04/2022 | Between 04/04/2022 and 19/04/2022 | TA542 | Multiple organizations | Researchers from Proofpoint identify a new low-volume Emotet campaign using OneDrive links to distribute the malicious payload. | Malware | Multiple Industries | CC | >1 | Emotet, Proofpoint, OneDrive |
| 70 | 26/04/2022 | During the week of 18/04/2022 | - | ? | Tenet Healthcare Corporation | Tenet Healthcare Corporation investigates a cybersecurity incident. | Unknown | Human health and social work | CC | US | Tenet Healthcare Corporation |
| 71 | 26/04/2022 | For at least one year | - | Lazarus Group | Users in South Korea | Researchers from Zscaler reveal the details of a campaign carried out by the North Korean Lazarus Group targeting users in South Korea with Naver-themed credential phishing. | Targeted Attack | Individual | CE | KR | Zscaler, Lazarus Group, Naver |
| 72 | 27/04/2022 | - | - | Anonymous | Elektrocentromontazh (ECM) | In the name of #OpRussia, the Anonymous collective leaks 1.23 million emails (1.7 TB of data) from Elektrocentromontazh (ECM), the primary power organization of Russia. | Unknown | Electricity, gas, steam, air conditioning | H | RU | #OpRussia, Anonymous, Elektrocentromontazh, ECM |
| 73 | 27/04/2022 | During March 2022 | During March 2022 | Mustang Panda (AKA HoneyMyte, Bronze President) | Russian state officers | Researchers from Secureworks discover a campaign carried out by the Mustang Panda group targeting Russian state officers with the PlugX remote access tool. | Targeted Attack | Public admin and defence, social security | CE | RU | Secureworks, Mustang Panda, HoneyMyte, Bronze President, Russia, China |
| 74 | 27/04/2022 | Early 2022 | Early 2022 | ? | Multiple organizations | Researchers at Bitdefender uncover yet another campaign that uses the RIG Exploit Kit to deliver the RedLine stealer malware by exploiting CVE-2021-26411, an Internet Explorer vulnerability. | CVE-2021-26411 vulnerability | Multiple Industries | CC | >1 | Bitdefender, RIG Exploit Kit, RedLine, CVE-2021-26411, Internet Explorer |
| 75 | 27/04/2022 | At least since 21/04/2022 | At least since 21/04/2022 | Onyx | Six undisclosed organizations | A new Onyx ransomware operation is destroying files larger than 2 MB instead of encrypting them, preventing those files from being decrypted even if a ransom is paid. | Malware | Multiple Industries | CC | >1 | Onyx, ransomware |
| 76 | 27/04/2022 | 27/04/2022 | 27/04/2022 | ? | Austin Peay State University (APSU) | Austin Peay State University (APSU) confirms that it has been hit with a ransomware attack. | Malware | Education | CC | US | Austin Peay State University, APSU, ransomware |
| 77 | 27/04/2022 | Earlier in April 2022 | Earlier in April 2022 | ? | Undisclosed crypto platform | Internet infrastructure company Cloudflare reveals that it mitigated a 15.3 million request-per-second (rps) volumetric distributed denial of service (DDoS) attack. | DDoS | Fintech | CC | N/A | Cloudflare, DDoS |
| 78 | 27/04/2022 | During February 2022 | During February 2022 | Stonefly (AKA DarkSeoul, BlackMine, Operation Troy, and Silent Chollima) | Unnamed engineering company with energy and military customers | Researchers from Symantec/Broadcom reveal that an unnamed engineering company with energy and military customers was recently the target of the North Korean group Stonefly. | | | | | |
| | | | | | | Researchers from Zscaler discover a malware campaign targeting users applying for Thailand travel passes. The end payload of many of these attacks is AsyncRAT. | Malware | Individual | CC | TH | Zscaler, Thailand, AsyncRAT |
| 80 | 27/04/2022 | Between 10/02/2022 and 14/02/2022 | 09/04/2022 | ? | Sabre Corporation | A cyber-attack on Sabre Corporation exposes the personal data of thousands of guests who stayed at five hotels in Finland. | Undisclosed vulnerability | Accommodation and food service | CC | FI | Sabre Corporation, Finland |
| 81 | 28/04/2022 | During April 2022 | During April 2022 | ? | Pro-Ukraine sites and the government web portal | Ukraine's computer emergency response team (CERT-UA) publishes an announcement warning of ongoing DDoS attacks, launched from compromised WordPress sites, targeting pro-Ukraine sites and the government web portal. | DDoS | Public admin and defence, social security | CW | UA | Ukraine, CERT-UA, DDoS |
| 82 | 28/04/2022 | 28/04/2022 | 28/04/2022 | ? | Massy Stores | Massy Stores, the largest supermarket chain in Trinidad, is hit with a cyber attack. | Unknown | Wholesale and retail | CC | TT | Massy Stores, Trinidad |
| 83 | 28/04/2022 | 27/04/2022 | 27/04/2022 | ? | Deus Finance | Decentralized finance (DeFi) platform Deus Finance confirms reports that an attacker stole about $13.4 million worth of cryptocurrency. | Flash loan attack | Fintech | CC | N/A | Deus Finance |
| 84 | 28/04/2022 | - | - | ? | Battelle for Kids | Battelle for Kids, a company that houses students' state testing information for districts across Ohio, is the victim of a ransomware attack. | Malware | Professional, scientific and technical | CC | US | Battelle for Kids, ransomware |
| 85 | 28/04/2022 | Early April 2022 | - | Conti | Elgin County | The Conti ransomware group dumps the data allegedly leaked from Elgin County. | Malware | Public admin and defence, social security | CC | US | Conti, ransomware, Elgin County |
| 86 | 28/04/2022 | Between 10/11/2020 and 20/11/2020 | - | ? | Worcester County | Worcester County discloses a breach of a county government email account that contained limited personal information belonging to about 3,000 government and board of education employee and retiree accounts. | Account Takeover | Public admin and defence, social security | CC | US | Worcester County |
| 87 | 28/04/2022 | 'Recently' | 'Recently' | ? | Customers of major financial institutions and online retailers | Researchers from Resecurity reveal the details of "Frappo", a new phishing kit that allows hosting and generating high-quality phishing pages that impersonate major online-banking, e-commerce, popular retail, and online-service brands to steal customer data. | Account Takeover | Finance and insurance | CC | >1 | Resecurity, Frappo |
| 88 | 29/04/2022 | - | - | Anonymous | ALET | In the name of #OpRussia, the Anonymous collective releases a 1.1 TB archive that contains nearly 1.1 million emails from ALET, a customs broker for companies in the fuel and energy industries. | Unknown | Finance and insurance | H | RU | #OpRussia, Anonymous, ALET |
| 89 | 29/04/2022 | During April 2022 | During April 2022 | Killnet | Several public websites managed by state entities in Romania | The Romanian national cyber security and incident response team, DNSC, issues a statement about a series of DDoS attacks carried out by a pro-Russian group dubbed Killnet against several public websites managed by state entities. | DDoS | Public admin and defence, social security | CW | RU | DNSC, Killnet |
| 90 | 29/04/2022 | Since mid-January 2022 | Since mid-January 2022 | APT29 AKA Cozy Bear or Nobelium | Diplomats and government entities | Researchers from Mandiant uncover a recent phishing campaign by the Russian hackers known as APT29 (Cozy Bear or Nobelium) targeting diplomats and government entities. | Targeted Attack | Public admin and defence, social security | CE | >1 | Mandiant, APT29, Cozy Bear, Nobelium |
| 91 | 29/04/2022 | - | Since March 2022 | Bumblebee | Multiple organizations | Researchers from NCC Group reveal the details of Bumblebee, a relatively new custom malware downloader that appears to have been used by several cybercrime groups. | Malware | Multiple Industries | CC | >1 | NCC Group, Bumblebee |
| 92 | 29/04/2022 | 03/03/2022 | 07/03/2022 | ? | Salusive Health AKA myNurse | Salusive Health informs patients of a data security incident involving patient information. | Unknown | Human health and social work | CC | US | Salusive Health, myNurse |
| 93 | 29/04/2022 | Between 31/05/2021 and 01/06/2021 | - | ? | Refuah Health Center | Refuah Health Center notifies 260,740 individuals of a cybersecurity incident that occurred between May 31 and June 1, 2021. | Unknown | Human health and social work | CC | US | Refuah Health Center |
| 94 | 29/04/2022 | 'Recently' | 'Recently' | ? | State Bar of Georgia | The State Bar of Georgia discloses unauthorized access to its network. | Unknown | Professional, scientific and technical | CC | US | State Bar of Georgia |
| 95 | 29/04/2022 | During February 2022 | - | Vice Society | ABI (Associazione Bancaria Italiana) | The ransomware group Vice Society claims responsibility for an attack on ABI, the Italian Bank Association, and publishes some employee data. | Malware | Finance and insurance | CC | IT | ransomware, Vice Society, ABI, Associazione Bancaria Italiana, Italian Bank Association |
| 96 | 30/04/2022 | 30/04/2022 | 30/04/2022 | ? | Rari Capital | Rari Capital confirms reports from several blockchain security companies that about $80 million worth of cryptocurrency was stolen through its platform. | Reentrancy vulnerability | Fintech | CC | N/A | Rari Capital |
| 97 | 30/04/2022 | 30/04/2022 | 30/04/2022 | ? | Saddle Finance | Saddle Finance reports that about $10.3 million worth of cryptocurrency was stolen from its platform. | Unknown | Finance and insurance | CC | N/A | Saddle Finance |
| 98 | 30/04/2022 | - | - | ? | Valley View Hospital | Valley View Hospital is hit by a phishing attack, potentially impacting the personal data of about 21,000 people. | Account Takeover | Human health and social work | CC | US | Valley View Hospital |
| 99 | 30/04/2022 | During December 2021 | - | ? | Guernsey's Medical Specialist Group (GMSG) | Guernsey's Medical Specialist Group (GMSG) confirms it experienced a "cyber incident" that affected its email system in December 2021. | Account Takeover | Human health and social work | CC | UK | Guernsey's Medical Specialist Group, GMSG |
Enjoy the interactive timeline, and thanks for sharing it and supporting my work in spreading risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or connect on LinkedIn, for the latest updates.
BREACHOMETER
The “Breachometer” compares the current number of events/day with the max and min values recorded in the previous 12 months.