The first timeline of May 2022 is out. In the first half of the month I collected 101 events, that is an average of 6.73 events/day. The level of activity, as reflected by the cyber events that find some space in the media outlets, continues to be quite sustained, once again fueled by the war in Ukraine, which continues to have repercussions in cyber space.
The Anonymous collective and its affiliates continue their cyber war against the Russian government: even in this fortnight, the hacktivists continued to leak data from Russian organizations. Similarly to the previous weeks, Ukraine continued to be the target of multiple operations aimed at distributing malware and spying on multiple institutions.
But this situation is affecting Europe as a whole: multiple campaigns (even from Chinese groups) were spotted, and an interesting twist is the retaliation of the pro-Russian Killnet collective, with multiple DDoS attacks against countries, like Italy, accused of backing Ukraine.
Ransomware attacks continue to play an important role, with the usual suspects, like Conti, continuing to hit multiple organizations. In this fortnight, 14.85% of events were characterized by ransomware (vs. 18.56% in the previous timeline). On the other hand, the impact of attacks carried out by exploiting vulnerabilities went down to 7.9% from 10.3% in the previous timeline.
Another trend characterizing 2022 is the continued occurrence of massive attacks against fintech and decentralized finance companies. Unfortunately the list of victims continues to grow, and this fortnight was no exception.
Threat actors motivated by cyber espionage were also quite active during the first week of May. New threat actors such as UNC3524 and Moshen Dragon joined the party. Besides, as already mentioned, many well-known groups, such as APT28, Turla, Ghostwriter, and Mustang Panda, were involved in operations related to Ukraine. This is without counting “generic” cyber espionage operations, such as those carried out by APT29 and APT41.
A special mention goes to the Pegasus spyware, which continued to plague organizations and individuals worldwide, such as Spain’s Prime Minister Pedro Sanchez and Defense Minister Margarita Robles.
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
1
01/05/2022
-
-
NB65 (AKA Network Battalion 65)
Qiwi
In the name of #OpRussia, NB65, one of the Anonymous-affiliated hacktivist groups, claims to have gained access to the database of Qiwi, a Russian payment processor.
Politicians and audiences across a number of countries including the UK, South Africa and India.
The UK government discovers “a troll factory”, backed by the Russian government, utilized to spread disinformation on social media in a large-scale international campaign.
Fake Social Accounts
Individual
CW
>1
UK, Russia, Troll Factory
3
01/05/2022
28/04/2022
28/04/2022
?
Sixt
Car rental giant Sixt is hit by a weekend cyberattack causing business disruptions at customer care centers and select branches.
Unknown
Transportation and storage
CC
DE
Sixt
4
02/05/2022
During May and June 2021
-
?
Spain’s Prime Minister Pedro Sanchez and Defense Minister Margarita Robles
Spanish government officials reveal that the mobile phones used by Spain’s Prime Minister Pedro Sanchez and Defense Minister Margarita Robles were infected with Pegasus spyware, a well-known surveillance tool made by Israel’s NSO Group.
Targeted Attack
Public admin and defence, social security
CE
ES
Spain, Pedro Sanchez, Margarita Robles, Pegasus, NSO Group
5
02/05/2022
-
-
UNC3524
Organizations focusing on corporate development, mergers and acquisitions, and large corporate transactions
Researchers from Mandiant uncover a new threat group stealing emails from corporate Exchange servers.
Targeted Attack
Multiple Industries
CE
>1
Mandiant, UNC3524
6
02/05/2022
'Recently'
-
Moshen Dragon
Telecommunication service providers in Central Asia
Researchers from Sentinel One reveal the details of Moshen Dragon, a new cluster of malicious cyber activity, targeting telecommunication service providers in Central Asia, and abusing Security Software to Sideload PlugX and ShadowPad.
Targeted Attack
Information and communication
CE
>1
Sentinel One, Moshen Dragon, PlugX, ShadowPad
7
02/05/2022
Since April 2022
-
Multiple threat actors
Multiple organizations
Researchers from Avanan see a massive uptick of SMTP Relay Service Exploit attacks in the wild, spoofing any other Gmail tenant and sending out phishing emails that look legitimate. Over a span of two weeks, Avanan has seen nearly 30,000 similar emails.
SMTP Impersonation
Multiple Industries
CC
>1
Avanan, Google SMTP
8
02/05/2022
29/04/2022
29/04/2022
?
Kellogg Community College
Kellogg Community College is hit with a ransomware attack.
Malware
Education
CC
US
Kellogg Community College, ransomware
9
02/05/2022
03/03/2022
-
?
FPS Medical Center
FPS Medical Center notifies 28,024 patients that their data was potentially compromised during a ransomware attack in March.
Malware
Human health and social work
CC
US
FPS Medical Center, ransomware
10
02/05/2022
17/10/2021
-
?
Riviera Utilities
A data breach at Riviera Utilities exposes the personal details of customers after employee email accounts were accessed.
Account Takeover
Electricity, gas steam, air conditioning
CC
US
Riviera Utilities
11
02/05/2022
-
-
Anonymous
Nauru Police Force
The Anonymous collective releases 82GB worth of emails apparently belonging to the Nauru Police Force in protest against the alleged ill-treatment of asylum seekers and refugees carried out by island authorities on behalf of the Australian government.
Unknown
Public admin and defence, social security
H
NR
Anonymous, Nauru Police Force, Australia
12
02/05/2022
-
-
Vice Society
SaludTotal
SaludTotal is hit by a Vice Society ransomware attack.
Malware
Human health and social work
CC
CO
SaludTotal, Vice Society, ransomware
13
03/05/2022
During the last few weeks
During the last few weeks
APT28 AKA Fancy Bear
Users in Ukraine
Google's Threat Analysis Group reveals that threat actors from APT28 are targeting users in Ukraine with a new variant of malware distributed via email attachments inside password-protected zip files.
Targeted Attack
Multiple Industries
CE
UA
Google, Threat Analysis Group, TAG, APT28, Fancy Bear, Ukraine, Russia
14
03/05/2022
During the last few weeks
During the last few weeks
Turla
Defense and cybersecurity organizations in the Baltics
Google's Threat Analysis Group reveals that the Russian threat actor Turla is targeting defense and cybersecurity organizations in the Baltics via emails distributing malicious documents.
Targeted Attack
Professional, scientific and technical
CE
>1
Google, Threat Analysis Group, TAG, Turla, Ukraine, Russia
15
03/05/2022
During the last few weeks
During the last few weeks
COLDRIVER AKA Calisto
Government and defense officials, politicians, NGOs and think tanks, and journalists
Google's Threat Analysis Group reveals that the Russian threat actor Calisto is targeting government and defense officials, politicians, NGOs and think tanks, and journalists via phishing links placed directly in the email, linking to PDFs and/or DOCs hosted on Google Drive and Microsoft OneDrive.
Targeted Attack
Multiple Industries
CE
>1
Google, Threat Analysis Group, COLDRIVER CALISTO, Ukraine, Russia
16
03/05/2022
During the last few weeks
During the last few weeks
Ghostwriter AKA UNC1151
High risk individuals in Ukraine
Google's Threat Analysis Group reveals that the Belarusian threat actor Ghostwriter has resumed its activity of targeting Gmail accounts via credential phishing.
Government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia
Google's Threat Analysis Group reveals that the Chinese threat actor Curious Gorge has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia.
Targeted Attack
Multiple Industries
CE
>1
Google, Threat Analysis Group, Curious Gorge, Ukraine, Belarus, China
18
03/05/2022
During the previous week
During the previous week
?
Twitter users
Numerous reporters are targeted with phishing emails pretending to be from Twitter Verified, Twitter's verified account platform.
Account Takeover
Information and communication
CC
>1
Twitter
19
03/05/2022
Early April
-
?
Transport for NSW
Transport for NSW confirms its Authorised Inspection Scheme (AIS) online application was impacted by a cyber incident in early April.
Unknown
Transportation and storage
CC
AU
Transport for NSW, TNSW, Authorised Inspection Scheme, AIS
20
03/05/2022
Since mid-2021
Since mid-2021
APT29 AKA Cozy Bear or Nobelium
Multiple organizations
Researchers from Recorded Future identify a new campaign carried out by the Russian group APT29, targeting multiple organizations via malicious domains, emulating well-known brands via typosquatting.
Account Takeover
Multiple Industries
CE
>1
APT29, Cozy Bear, Nobelium, Recorded Future
21
03/05/2022
-
-
?
Kenosha Community Health Center
Kenosha Community Health Center discloses a phishing attack affecting 2,688 individuals.
Account Takeover
Human health and social work
CC
US
Kenosha Community Health Center
22
03/05/2022
-
-
?
Thompson Child & Family Focus
Thompson Child & Family Focus discloses a breach affecting 986 individuals.
Unknown
Human health and social work
CC
US
Thompson Child & Family Focus
23
04/05/2022
-
-
?
LLC Capital
Anonymous leaks a 20.4 GB archive containing 31,990 emails from LLC Capital.
DDoS
Finance and insurance
H
RU
Anonymous, LLC Capital, Ukraine, Russia #OpUkraine
24
04/05/2022
Between February and March 2022
Between February and March 2022
Ukraine IT Army
A dozen Russian and Belarusian websites managed by government, military, and news organizations.
Researchers from Crowdstrike reveal that Docker images with a download count of over 150,000 have been used to run DDoS attacks against a dozen Russian and Belarusian websites managed by government, military, and news organizations.
DDoS
Multiple Industries
H
RU
BY
Crowdstrike, Docker, Russia, Belarus, Ukraine IT Army
25
04/05/2022
04/05/2022
04/05/2022
Ukraine IT Army
EGAIS (ЕГАИС)
Hacktivists from Ukraine IT Army take down EGAIS (ЕГАИС), a portal that is considered crucial for the distribution of alcoholic beverages in Russia.
DDoS
Public admin and defence, social security
H
RU
Ukraine IT Army, EGAIS, ЕГАИС, Russia
26
04/05/2022
Since at least 2019
-
APT41 AKA Winnti
US and European organizations
Researchers from Cybereason reveal the details of Operation CuckooBees, a long-lasting operation stealthily stealing intellectual property assets like patents, copyrights, trademarks, and other corporate data from US and European organizations.
Targeted Attack
Multiple Industries
CE
>1
APT41, Winnti, Cybereason, Operation CuckooBees, China, US, Europe
27
04/05/2022
During April 2022
-
?
Heroku
Salesforce-owned Heroku performs a forced password reset on a subset of user accounts. The company admits that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database.
Account Takeover
Professional, scientific and technical
CC
US
Salesforce, Heroku, GitHub, OAuth
28
04/05/2022
For at least six months
During March 2022
?
Multiple organizations in the UK
Researchers from INKY reveal that for about half a year, work email accounts belonging to over 100 employees of the National Health System (NHS) in the U.K. were used in several phishing campaigns, some aiming to steal Microsoft logins.
Account Takeover
Multiple Industries
CC
UK
INKY, National Health System, NHS, Microsoft
29
04/05/2022
Since the beginning of May 2022
Since the beginning of May 2022
?
Users on Pixiv, DeviantArt, and other NFT platforms
Researchers from Malwarebytes discover a malicious campaign targeting users on Pixiv, DeviantArt, and other creator-oriented online platforms, from people claiming to be from the "Cyberpunk Ape Executives" NFT project, with the main goal of infecting artists' devices with information-stealing malware.
Malware
Fintech
CC
>1
Malwarebytes, Pixiv, DeviantArt, Cyberpunk Ape Executives, NFT
30
04/05/2022
During February 2022
During February 2022
?
Undisclosed organization
Researchers from Kaspersky discover a malicious campaign using Windows event logs to store malware.
Malware
Unknown
CE
N/A
Kaspersky, Windows, Event Log
31
04/05/2022
-
-
?
MM.Finance
MM.Finance announces that attackers managed to steal $2 million worth of digital assets in a Domain Name System (DNS) attack.
DNS Vulnerability
Fintech
CC
N/A
MM.Finance, DNS
32
04/05/2022
-
-
?
Vail Health Services
Vail Health Services discloses a breach affecting 17,039 individuals.
Unknown
Human health and social work
CC
US
Vail Health Services
33
05/05/2022
-
-
NB65 (AKA Network Battalion 65)
CorpMSP
NB65, a group affiliated with Anonymous, leaks a 482.5 GB archive containing 75,000 files, emails and disk images from CorpMSP, a federal institution providing support to small and medium-sized businesses.
DDoS
Public admin and defence, social security
H
RU
NB65, Network Battalion 65, Anonymous, CorpMSP
34
05/05/2022
'Recently'
'Recently'
NetDooka
Multiple organizations
Researchers from Trend Micro discover a new malware framework known as NetDooka, being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, and via poisoned search results.
Malware
Multiple Industries
CC
>1
Trend Micro, NetDooka, PrivateLoader
35
05/05/2022
-
-
?
Undisclosed organizations
Google releases the second part of the May security patch for Android, including a fix for CVE-2021-22600, an actively exploited Linux kernel vulnerability.
CVE-2021-22600 vulnerability
Unknown
N/A
N/A
Google, Android, CVE-2021-22600
36
05/05/2022
Since at least September 2021
'Recently'
Raspberry Robin
Multiple organizations
Researchers from Red Canary discover Raspberry Robin (also known as QNAP worm), a new Windows malware with worm capabilities that spreads using external USB drives.
Malware
Multiple Industries
CC
>1
Red Canary, Raspberry Robin, QNAP worm, USB drives
37
05/05/2022
-
-
?
Users of Cryptocurrency assets
Researchers from McAfee identify several YouTube channels live-streaming a modified version of a stream called ‘The B Word’, in which Elon Musk, Cathie Wood, and Jack Dorsey discuss various aspects of cryptocurrency, promoting malicious websites pushing crypto scams and fake giveaways.
Crypto scams
Fintech
CC
>1
McAfee, YouTube, ‘The B Word’, Elon Musk, Cathie Wood, Jack Dorsey, Crypto
38
05/05/2022
05/05/2022
05/05/2022
?
Ferrari
One of Ferrari's subdomains (forms.ferrari.com) is hijacked to host a scam promoting a fake Ferrari NFT collection.
Unknown
Manufacturing
CC
IT
Ferrari, forms.ferrari.com, NFT
39
05/05/2022
CaramelCorp
Multiple organizations
Researchers from DomainTools discover Caramel, a new credit card skimmer as-a-service.
Malicious Script Injection
Wholesale and retail
CC
>1
DomainTools, Caramel, CaramelCorp
40
05/05/2022
During February 2022
During February 2022
Mustang Panda (AKA HoneyMyte, Bronze President)
Organizations in Asia, the European Union, Russia, and the US
Researchers from Cisco Talos observe the China-based threat actor Mustang Panda conducting phishing campaigns against European entities, including Russian organizations.
Targeted Attack
Multiple Industries
CE
>1
Cisco Talos, Mustang Panda, HoneyMyte, Bronze President
41
06/05/2022
05/05/2022
05/05/2022
?
AGCO
AGCO, a leading US-based agricultural machinery producer, announces it was hit by a ransomware attack impacting some of its production facilities.
Malware
Manufacturing
CC
US
AGCO, ransomware
42
06/05/2022
02/03/2022
-
?
Fairfield County Implants and Periodontics (FCIP)
Fairfield County Implants and Periodontics (FCIP) notifies patients of an email data security incident that impacted 10,502 individuals. The Connecticut provider discovered a compromised email account on March 2, 2022.
Account Takeover
Professional, scientific and technical
CC
US
Fairfield County Implants and Periodontics, FCIP
43
06/05/2022
Between 30/10/2021 and 01/11/2021
02/12/2021
?
WellDyneRx
WellDyneRx, a pharmacy benefits service provider, discloses that it has been hit by a phishing attack.
Account Takeover
Administration and support service
CC
US
WellDyneRx
44
06/05/2022
09/03/2022
09/03/2022
?
North Alabama Bone & Joint Clinic, P.C. (“NABJC”)
North Alabama Bone & Joint Clinic, P.C. (“NABJC”) confirms that some employee email accounts had been accessed without authorization.
Account Takeover
Human health and social work
CC
US
North Alabama Bone & Joint Clinic, NABJC
45
06/05/2022
06/05/2022
06/05/2022
?
Official OpenSea Discord Channel
OpenSea, a non-fungible token marketplace, is the victim of a hack on its main Discord channel: threat actors post fake announcements about partnerships between OpenSea and other projects.
Account Takeover
Fintech
CC
US
OpenSea, Discord
46
06/05/2022
-
-
?
Wagner Heights Nursing and Rehabilitation Center
Wagner Heights Nursing and Rehabilitation Center discloses a phishing attack affecting 4,676 individuals.
Account Takeover
Human health and social work
CC
US
Wagner Heights Nursing and Rehabilitation Center
47
06/05/2022
-
-
?
Mindpath Care Centers
Mindpath Care Centers discloses a phishing attack affecting 1,781 individuals.
Account Takeover
Human health and social work
CC
US
Mindpath Care Centers
48
06/05/2022
-
-
?
Greater Nashua Mental Health
Greater Nashua Mental Health discloses a phishing attack affecting 1,781 individuals.
Account Takeover
Human health and social work
CC
US
Greater Nashua Mental Health
49
06/05/2022
-
-
?
Mississippi Sports Medicine and Orthopaedic Center
Mississippi Sports Medicine and Orthopaedic Center discloses a breach affecting 500 individuals.
Unknown
Human health and social work
CC
US
Mississippi Sports Medicine and Orthopaedic Center
50
07/05/2022
Since beginning of May 2022
May 2022
?
Multiple organizations in Ukraine
Ukraine's Computer Emergency Response Team (CERT-UA) warns of the mass distribution of Jester Stealer malware via phishing emails using warnings of impending chemical attacks to scare recipients into opening attachments.
A recently discovered backdoor malware called BPFdoor has been stealthily targeting Linux and Solaris systems without being noticed for more than five years.
Targeted Attack
Multiple Industries
CE
>1
Red Menshen, BPFdoor, Linux, Solaris
52
07/05/2022
-
-
?
SuperVPN, GeckoVPN, and ChatVPN users
A database containing the personal details and login credentials of 21 million users of SuperVPN, GeckoVPN, and ChatVPN is leaked on Telegram.
Unknown
Professional, scientific and technical
CC
N/A
SuperVPN, GeckoVPN, ChatVPN, Telegram
53
07/05/2022
-
-
?
City of Quincy
The City of Quincy is hit with a cyber attack.
Unknown
Public admin and defence, social security
CC
US
Quincy
54
08/05/2022
-
-
Conti
Multiple government bodies in Costa Rica
The Costa Rican President Rodrigo Chaves declares a national emergency following cyber attacks from Conti ransomware group on multiple government bodies.
Malware
Public admin and defence, social security
CC
CR
Costa Rica, Rodrigo Chaves, Conti, ransomware
55
08/05/2022
08/05/2022
08/05/2022
?
Fortress
The operators of decentralized finance (DeFi) lending and credit protocol Fortress announce that about $3 million worth of cryptocurrency was stolen during an attack on third-party infrastructure.
Oracle Manipulation
Fintech
CC
N/A
Fortress
56
08/05/2022
-
-
Conti
Perú MOF – Dirección General de Inteligencia (DIGIMIN)
The Conti ransomware gang adds the Peruvian intelligence directorate (Perú MOF – Dirección General de Inteligencia, DIGIMIN) to the list of its victims.
Malware
Public admin and defence, social security
CC
PE
Conti, ransomware, Peru MOF, Dirección General de Inteligencia, DIGIMIN
57
08/05/2022
-
-
?
Law Enforcement Inquiry and Alerts
The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to the Law Enforcement Inquiry and Alerts database.
Unknown
Public admin and defence, social security
CC
US
U.S. Drug Enforcement Administration, DEA, Law Enforcement Inquiry and Alerts
58
09/05/2022
09/05/2022
09/05/2022
Pro-Ukrainian hacking groups
Russian TV
During Russian President Putin's speech at today's "Victory Day" military parade, pro-Ukrainian hacking groups deface the online Russian TV schedule page to display anti-war messages.
Defacement
Information and communication
H
RU
Russia, Ukraine, Victory Day
59
09/05/2022
09/05/2022
09/05/2022
Pro-Ukrainian hacking groups
RuTube
Russian video content provider RuTube also announces that their site was offline after suffering a cyberattack.
DDoS
Information and communication
H
RU
Russia, Ukraine, RuTube
60
09/05/2022
Since at least 08/05/2022
09/05/2022
Multiple attackers
Multiple organizations
Threat actors start to massively exploit the critical vulnerability tracked as CVE-2022-1388, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads.
CVE-2022-1388 Vulnerability
Multiple Industries
CC
>1
CVE-2022-1388, F5 BIG-IP
61
09/05/2022
Since at least 2018
-
DCRat
Multiple organizations
Researchers from Blackberry reveal the details of DCRat, a powerful trojan that offers complete backdoor access to Windows systems, sold on underground forums at a very cheap price.
Malware
Multiple Industries
CC
>1
Blackberry, DCRat, DarkCrystal RAT
62
09/05/2022
-
-
?
Opus Interactive
Opus Interactive, a web hosting provider, is hit with a ransomware attack.
Malware
Information and communication
CC
US
Opus Interactive, ransomware
63
09/05/2022
Between 09/05/2022 and 11/05/2022
11/05/2022
?
NuLife Med
NuLife Med discloses a data security incident that impacted 81,244 individuals.
Unknown
Human health and social work
CC
US
NuLife Med
64
09/05/2022
-
-
?
?
The Belton Police Department is hit with a ransomware attack.
Malware
Public admin and defence, social security
CC
US
Belton Police Department, ransomware
65
10/05/2022
Since around July 2021
-
?
German companies in the automotive industry
Researchers from Checkpoint discover that a years-long phishing campaign has targeted German companies in the automotive industry, attempting to infect their systems with password-stealing malware.
Targeted Attack
Manufacturing
CE
DE
Checkpoint, Automotive, Germany
66
10/05/2022
-
-
FluBot
Android users in Finland
Finland's National Cyber Security Center (NCSC-FI) issues a warning about the FluBot Android malware infections increasing due to a new campaign that relies on SMS and MMS for distribution.
Malware
Individual
CC
FI
Finland, National Cyber Security Center, NCSC-FI, FluBot, Android
67
10/05/2022
-
-
Multiple attackers
Multiple organizations
Microsoft patches CVE-2022-26925, an actively exploited Windows LSA spoofing zero-day that unauthenticated attackers can exploit remotely to force domain controllers to authenticate them via the Windows NT LAN Manager (NTLM) security protocol.
CVE-2022-26925 Vulnerability
Multiple Industries
CC
>1
CVE-2022-26925, Windows LSA, NT LAN Manager, NTLM
68
10/05/2022
-
11/03/2022
?
McKenzie Health System
McKenzie Health System informs 25,318 individuals regarding the theft of some of their protected health information (PHI) due to a recent security incident that interrupted the operations of a number of its systems.
Unknown
Human health and social work
CC
US
McKenzie Health System
69
10/05/2022
15/03/2022
-
?
RiverKids Pediatric Home Health
RiverKids Pediatric Home Health notifies 3,494 patients that some of their protected health information has potentially been viewed or stolen as a result of an email security incident.
Account Takeover
Human health and social work
CC
US
RiverKids Pediatric Home Health
70
10/05/2022
Since at least 2019
-
?
Android users
Researchers from Kaspersky discover a spike of infections for the Joker trojan.
Malware
Individual
CC
>1
Kaspersky, Joker, Android
71
10/05/2022
Since at least 2019
-
?
Android users
Researchers from Kaspersky discover a spike of infections for the MobOk trojan.
Malware
Individual
CC
>1
Kaspersky, MobOk, Android
72
10/05/2022
Since at least 2019
-
?
Android users
Researchers from Kaspersky discover a spike of infections for the Vesub trojan.
Malware
Individual
CC
>1
Kaspersky, Vesub, Android
73
10/05/2022
Since at least 2019
-
?
Android users
Researchers from Kaspersky discover a spike of infections for the GriftHorse.I trojan.
Malware
Individual
CC
>1
Kaspersky, GriftHorse.I, Android
74
10/05/2022
-
-
?
Undisclosed FTSE 100 firms
Researchers from Outpost24 discover 31,135 usernames and passwords belonging to FTSE 100 firms on the dark web.
Unknown
Multiple Industries
CC
>1
Outpost24, FTSE 100
75
10/05/2022
-
-
?
AA Traveller
AA Traveller, a website used for travel bookings, suffers a data breach when an unauthorized party accesses internal information because of a vulnerability.
Vulnerability
Arts entertainment, recreation
CC
NZ
AA Traveller
76
11/05/2022
Since at least late 2021
During late 2021
Anonymous
Microsoft Exchange servers worldwide
Researchers from Crowdstrike discover a new post-exploitation framework, dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography.
Malware
Multiple Industries
CC
>1
Crowdstrike, IceApple, Microsoft Exchange
77
11/05/2022
Since at least August 2021
-
Bitter APT
Government of Bangladesh
Researchers from Cisco Talos discover a new campaign by the Bitter APT targeting the government of Bangladesh with a new trojan dubbed ZxxZ.
Targeted Attack
Public admin and defence, social security
CE
BD
Cisco Talos, Bitter APT, Bangladesh, ZxxZ
78
11/05/2022
Since at least 26/04/2022
Since 26/04/2022
?
Multiple organizations
Researchers from Proofpoint discover a new remote access trojan, called Nerbian RAT, with a rich set of features, including the ability to evade detection and analysis by researchers.
Malware
Multiple Industries
CC
>1
Proofpoint, Nerbian RAT
79
11/05/2022
'Recently'
'Recently'
APT34 AKA Oilrig
Unnamed Jordanian diplomat
Researchers from Fortinet discover a novel attack attributed to the Iranian hacking group known as APT34 or Oilrig, targeting a Jordanian diplomat with custom-crafted tools.
Targeted Attack
Individual
CE
JO
Fortinet, APT34, Oilrig
80
11/05/2022
-
-
LockBit
Top Aces
Top Aces, a Canadian company that supplies fighter jets for airborne training exercises, is hit with a LockBit ransomware attack.
Malware
Manufacturing
CC
CA
Top Aces, LockBit, ransomware
81
11/05/2022
-
-
?
Omnicell
Healthcare technology company Omnicell reveals in a filing with the United States Securities and Exchange Commission (SEC) that it recently fell victim to a ransomware attack.
Malware
Professional, scientific and technical
CC
US
Omnicell, United States Securities and Exchange Commission, SEC, ransomware
82
11/05/2022
Since 09/05/2022
-
?
Vulnerable WordPress sites
Researchers from Sucuri uncover a massive campaign that compromised thousands of WordPress websites by injecting malicious JavaScript code that redirects visitors to scam content.
Malicious Script Injection
Multiple Industries
CC
>1
Sucuri, WordPress
83
11/05/2022
-
-
Avos Locker
Christus Health
Christus Health is hit by a ransomware attack by Avos Locker. The gang publishes the leaked data on their website.
Malware
Human health and social work
CC
US
Christus Health, ransomware, Avos Locker
84
11/05/2022
01/10/2021
-
?
Behavioral Health Partners of Metrowest (BHPMW)
Behavioral Health Partners of Metrowest (BHPMW) informs 11,288 patients that their data was “copied from its digital environment” by a hacker.
Unknown
Human health and social work
CC
US
Behavioral Health Partners of Metrowest, BHPMW
85
11/05/2022
01/05/2022
01/05/2022
?
Dis-Chem Pharmacies
Dis-Chem Pharmacies reveals that nearly 3.7 million of its clients’ records were compromised during an incident involving a third-party service provider.
Unknown
Wholesale and retail
CC
ZA
Dis-Chem Pharmacies
86
11/05/2022
-
-
?
Summit Healthcare Association
Summit Healthcare Association discloses a breach affecting 1,403 individuals.
Unknown
Human health and social work
CC
US
Summit Healthcare Association
87
11/05/2022
24/09/2021
-
?
Genetics & IVF Institute
Genetics & IVF Institute discloses a breach affecting 606 individuals.
Unknown
Human health and social work
CC
US
Genetics & IVF Institute
88
12/05/2022
During April 2022
During April 2022
Armageddon (AKA UAC-0010, Gamaredon, Primitive Bear, Winterflounder, or Iron Tilden)
Multiple organizations in Ukraine
The Ukraine Computer Emergency Response Team (CERT-UA) reports a phishing campaign conducted by Russian Armageddon APT.
Researchers from Cyble reveal that threat actors have launched the 'Eternity Project,' a new malware-as-a-service where threat actors can purchase a malware toolkit that can be customized with different modules depending on the attack being conducted.
Malware
Multiple Industries
CC
>1
Cyble, Eternity Project
90
12/05/2022
Since at least April 2022
During April 2022
?
Individuals
Researchers from Netskope discover a new RedLine malware distribution campaign promoting fake Binance NFT mystery box bots on YouTube to lure people into infecting themselves with the information-stealing malware from GitHub repositories.
Malware
Individual
CC
>1
Netskope, RedLine, Binance NFT, YouTube, GitHub
91
12/05/2022
-
-
?
Cryptocurrency users
A fake Pixelmon NFT site entices fans with free tokens and collectibles while infecting them with malware that steals their cryptocurrency wallets.
Malware
Fintech
CC
>1
Pixelmon NFT
92
12/05/2022
12/05/2022
12/05/2022
?
Venus Protocol
Venus Protocol, a decentralized money market, announces that about $11 million has been lost due to people exploiting the historic collapse of the Luna cryptocurrency and its sister stablecoin UST.
Price Manipulation
Fintech
CC
N/A
Venus Protocol, Luna, UST
93
12/05/2022
End of April 2022
| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Country | Link | Tags |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | | End of April 2022 | | ? | Windows users | Researchers from Fortinet discover a phishing campaign delivering three trojans: AveMariaRAT, BitRAT and PandoraHVNC. | | | | | | |
| | | | | | | Researchers from Secureworks reveal the details of a string of cyberattacks involving ransomware and data theft that took place in early 2022, attributing them to an Iranian hacking group they refer to as Cobalt Mirage, also known as APT35, Charming Kitten, Phosphorus and TA453. | | | | | | |
| | | | | | | Quantum Imaging & Therapeutic Associates (QITA) notifies patients of a data breach detected on October 7, 2021. | Unknown | Professional, scientific and technical | CC | US | | Quantum Imaging & Therapeutic Associates, QITA |
| 96 | 12/05/2022 | Since March 2022 | - | ? | Roblox players | Researchers from Avanan discover a Trojan hidden within a legitimate scripting engine that is used for cheat codes in Roblox, a popular game. | Malware | Arts entertainment, recreation | CC | >1 | | Avanan, Roblox |
| 97 | 12/05/2022 | - | - | ? | Cameron County Elections Department | The Cameron County Elections Department acknowledges a security breach in which someone gained access to files containing the personal identifying information of staff members and poll workers, handled by Easy Vote, a company that provides poll worker management software. | Unknown | Public admin and defence, social security | CC | US | | Cameron County Elections Department, Easy Vote |
| 98 | 12/05/2022 | - | - | ? | Mission School District | The Mission School District suffers a phishing attack, and teachers' email accounts are used to send out additional phishing messages. | Account Takeover | Education | CC | US | | Mission School District |
| 99 | 12/05/2022 | 28/05/2021 | - | Grief | Vicksburg Warren School District | Vicksburg Warren School District discloses a Grief ransomware incident. | Malware | Education | CC | US | | Vicksburg Warren School District, Grief, ransomware |
| 100 | 12/05/2022 | - | - | Quantum | Glenn County Office of Education | Glenn County Office of Education is hit with a Quantum ransomware attack and forced to pay a $400k ransom. | Malware | Education | CC | US | | Glenn County Office of Education, Quantum, ransomware |
| 101 | 13/05/2022 | Since 11/05/2022 | 11/05/2022 | Killnet | Multiple Italian Government sites | Italy's Computer Security Incident Response Team (CSIRT) discloses DDoS attacks against crucial government sites in the country over the past couple of days. | | | | | | |
| | | | | | | Researchers from Microsoft discover a new variant of the Sysrv botnet (Sysrv-K) that now exploits vulnerabilities in the Spring Framework and WordPress to ensnare vulnerable Windows and Linux servers and deploy cryptomining malware on them. | | | | | | |
| | | | | | | The National Bank of Zambia is hit with a Hive ransomware attack. | Malware | Finance and insurance | CC | ZM | | National Bank of Zambia, ransomware, attack |
| 104 | 13/05/2022 | Between 19/02/2022 and 20/02/2022 | - | Lapsus$ | Americanas.com | Brazilian e-commerce conglomerate Americanas.com reports a multimillion-dollar loss in sales in its financial results (923 million Brazilian reais, equivalent to $183 million) after a major cyber attack earlier this year. | Malware | Wholesale and retail | CC | BR | | Americanas.com, Lapsus$ |
| 105 | 13/05/2022 | 29/09/2021 | - | ? | Schneck Medical Center | Schneck Medical Center announces that it is notifying "a limited number" of patients of a data security incident that resulted in the access and exfiltration of some files containing protected health information (PHI). | Unknown | Human health and social work | CC | US | | Schneck Medical Center |
| 106 | 13/05/2022 | Between 01/09/2021 and 30/01/2022 | 18/04/2022 | ? | Shaker Heights City School District | Shaker Heights City School District discloses a security incident. | Unknown | Education | CC | US | | Shaker Heights City School District |
| 107 | 14/05/2022 | - | - | Anonymous | SOCAR Energoresource | In the name of #OpRussia the Anonymous collective leaks a 130 GB archive that contains nearly 116,500 emails from SOCAR Energoresource. | | | | | | |
| | | | | | | In the name of #OpRussia the Anonymous collective steals over 7,000 emails from the Achinsk city government and leaks an 8.5 GB archive. | Unknown | Public admin and defence, social security | H | RU | | #OpRussia, Anonymous, Russia, Ukraine, Achinsk |
| 109 | 14/05/2022 | - | - | Anonymous | Port and Railway Projects Service of JSC UMMC | In the name of #OpRussia the Anonymous collective leaks a 106 GB archive that contains nearly 77,500 emails from the Port and Railway Projects Service of JSC UMMC. | Unknown | Transportation and storage | H | RU | | #OpRussia, Anonymous, Russia, Ukraine, Port and Railway Projects Service of JSC UMMC |
| 110 | 14/05/2022 | - | - | B00daMooda and @DepaixPorteur | Polar Branch of the Russian Federal Research Institute of Fisheries and Oceanography | In the name of #OpRussia two hacktivists leak 466 GB of emails from the Polar Branch of the Russian Federal Research Institute of Fisheries and Oceanography. | Unknown | Professional, scientific and technical | H | RU | | #OpRussia, Anonymous, Russia, Ukraine, Russian Federal Research Institute of Fisheries and Oceanography, B00daMooda, @DepaixPorteur |
| 111 | 14/05/2022 | - | - | Multiple threat actors | Multiple organizations | Attackers start to exploit a recently patched critical vulnerability, tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. | CVE-2022-30525 Vulnerability | Multiple Industries | CC | >1 | | CVE-2022-30525, Zyxel |
| 112 | 15/05/2022 | 15/05/2022 | 15/05/2022 | Killnet | Eurovision | The Italian Police say they have fended off a DDoS attack by the Russian collective Killnet. | DDoS | Arts entertainment, recreation | H | IT | | Italian Police, Russia, Killnet |
Enjoy the interactive timeline, and thanks for sharing it, and supporting my work in spreading the risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on Linkedin, for the latest updates.