The second timeline of May 2022 is out. In the second half of the month I collected 120 events, corresponding to an average of 7.50 events/day, an important increase compared to the 103 events (7.87 events/day) of the previous fortnight.
The Russian invasion of Ukraine continues to characterize the cyber space, and this timeline is no exception: among the events you will find multiple cyber espionage campaigns targeting assets directly or indirectly related to the conflict, disinformation campaigns, and even several DDoS attacks (most of all in Italy) fueled by the pro-Russian Killnet collective.
Ransomware attacks continue to be a constant presence in the timeline: after the dip of the previous fortnight, we are back to significant percentages, with 18.3% of events characterized by this attack vector (a level similar to April, after the 14.85% of the previous timeline). Even the exploitation of vulnerabilities is back to the levels of April, with 10% of events (up from 7.9% in the previous timeline) leveraging a security hole in a software component.
Similarly, the attacks against Decentralized Finance platforms continue to characterize this troubled 2022: this time it was the turn of the Mirror Protocol, which suffered the theft of more than $2 worth of cryptocurrency. Still in the fintech space, the numerous campaigns targeting collectors of NFTs remain a consolidated presence in this second timeline of May.
Analyzing the campaigns motivated by cyber espionage, the landscape is quite rich in events, even without considering those related to the conflict in Ukraine. For example, attackers such as the Chinese group TA413 immediately started to exploit the so-called ‘Follina’ vulnerability (CVE-2022-30190). Similarly, an unknown threat actor conducted several campaigns against targets in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia, exploiting multiple vulnerabilities to install the ‘Predator’ spyware.
After this short summary, you can enjoy the interactive timeline. Thanks for sharing it, and supporting my work in spreading the risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on Linkedin, for the latest updates.
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
1
16/05/2022
Mid-May 2022
Mid-May 2022
?
German users interested in the Ukraine crisis
Researchers from Malwarebytes discover an unknown threat actor is targeting German users interested in the Ukraine crisis, infecting them with a custom PowerShell RAT (remote access trojan) and stealing their data.
Malware
Individual
CE
DE
Malwarebytes, Ukraine, PowerShell RAT
2
16/05/2022
Since at least 14/05/2022
Since at least 14/05/2022
?
Vulnerable WordPress sites
Researchers from Wordfence reveal that attackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites.
The U.S. Department of State, the U.S. Department of the Treasury, and the Federal Bureau of Investigation warn that the Democratic People’s Republic of Korea (DPRK) is dispatching its IT workers to get freelance jobs at companies across the world to obtain privileged access that is sometimes used to facilitate cyber intrusions.
Privileged Access
Multiple Industries
CE
>1
U.S. Department of State, U.S. Department of the Treasury, Federal Bureau of Investigation, FBI, Democratic People’s Republic of Korea, DPRK
4
16/05/2022
Between 11/04/2022 29/04/2022
Between 11/04/2022 29/04/2022
?
General Motors
US car manufacturer General Motors discloses that it was the victim of a credential stuffing attack that exposed some customers' information and allowed the attackers to redeem rewards points for gift cards.
Credential Stuffing
Manufacturing
CC
US
General Motors
5
16/05/2022
-
-
Facestealer
Android users
Researchers from Trend Micro identify more than 200 variants of the Facestealer malware in the Google Play store, before Google took them down.
Malware
Individual
CC
>1
Trend Micro, Facestealer, Google Play
6
16/05/2022
'Recently'
'Recently'
UpdateAgent
macOS users
Researchers from JAMF discover a new variant of the UpdateAgent macOS malware written in Swift.
Malware
Multiple Industries
CC
>1
JAMF, UpdateAgent, macOS, Swift
7
16/05/2022
-
25/12/2021
?
Heidell, Pittoni, Murphy & Bach, LLP ('HPM&B')
Heidell, Pittoni, Murphy & Bach, LLP ('HPM&B') discloses a data security incident affecting 114,979 individuals.
Unknown
Professional, scientific and technical
CC
US
Heidell, Pittoni, Murphy & Bach, LLP, HPM&B
8
16/05/2022
-
-
?
Hokusen Co.
Hokusen Co. issues a notice addressing a data breach potentially affecting the personal information of up to 44,559 customers, after discovering that personal information may have been leaked due to unauthorised access by a third party.
Unknown
Wholesale and retail
CC
JP
Hokusen Co.
9
16/05/2022
-
-
?
Elgin County
Elgin County suffers a cyber attack that puts its email and website offline for nearly one month. The data of 330 individuals is also compromised.
Unknown
Public admin and defence, social security
CC
CA
Elgin County
10
16/05/2022
During December 2021
-
?
Michigan Avenue Immediate Care
Michigan Avenue Immediate Care is hacked by an unknown threat actor, and more than 580 GB of personal information about ~43.000 patients is leaked.
Unknown
Human health and social work
CC
US
Michigan Avenue Immediate Care
11
17/05/2022
-
-
Space Pirates
Organizations in the aerospace industry in Russia, Georgia, and Mongolia.
Researchers from Positive Technologies discover a Chinese cyber espionage group, dubbed 'Space Pirates', targeting Russian organizations in the aerospace industry.
Targeted Attack
Professional, scientific and technical
CE
RU
GE
MN
Positive Technologies, China, Space Pirates
12
17/05/2022
-
-
?
Poorly secured Microsoft SQL Servers
Microsoft warns of brute-forcing attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers using weak passwords.
Brute-Force
Multiple Industries
CC
>1
Microsoft, SQL Server, MSSQL
13
17/05/2022
During January 2022
During January 2022
Unidentified threat actors
Undisclosed US Business
The Federal Bureau of Investigation (FBI) issues a warning about attackers scraping credit card data from the checkout pages of US businesses' websites via a malicious PHP script.
Malicious Script Injection
Unknown
CC
US
Federal Bureau of Investigation, FBI, PHP
14
17/05/2022
-
-
?
Cryptocurrency users
Researchers from Microsoft warn of the rise of cryware, malicious software used to steal info and funds from hot wallets.
Malware
Fintech
CC
>1
Crypto, Microsoft, Cryware
15
17/05/2022
-
-
LockBit
Mercyhurst University
The LockBit ransomware gang claims to have hit the Mercyhurst University.
Malware
Education
CC
US
LockBit, Ransomware, Mercyhurst University
16
17/05/2022
12/08/2021
-
?
Northern Rockies Orthopaedics
Northern Rockies Orthopaedics discloses a phishing incident affecting 6,701 individuals.
Account Takeover
Human health and social work
CC
US
Northern Rockies Orthopaedics
17
17/05/2022
17/05/2022
17/05/2022
?
Seth Green
Comedian Seth Green announces that he'd been phished by scammers who stole several high-value NFTs from his crypto wallet.
Account Takeover
Fintech
CC
US
Seth Green, NFT
18
18/05/2022
Since 18/05/2022
18/05/2022
Obfuscated Dreams of Scheherazade
Russian Officials
A group of hacktivists going by the name of “Obfuscated Dreams of Scheherazade” create a website that allows visitors to make prank calls to two randomly selected Russian officials.
Robo-calls
Public admin and defence, social security
H
RU
Obfuscated Dreams of Scheherazade, Russia
19
18/05/2022
Since at least 12/05/2022
Since at least 12/05/2022
?
Cryptocurrency users
Security researchers discover a campaign where threat actors are luring potential thieves by spamming login credentials for other people's accounts on fake crypto trading sites.
Crypto scams
Fintech
CC
>1
Crypto
20
18/05/2022
-
-
ERMAC
Android mobile banking users
Researchers from ESET discover a new version of the ERMAC Android banking trojan, increasing the number of applications targeted from 378 to 467, covering a much wider range of apps to steal account credentials and crypto wallets.
Malware
Finance and insurance
CC
>1
ESET, ERMAC, Android
21
18/05/2022
18/05/2022
18/05/2022
?
Washington Local Schools
The Washington Local Schools says a cyberattack affected phone, email, internet and WiFi networks as well as all Google Classroom systems.
Unknown
Education
CC
US
Washington Local Schools
22
18/05/2022
Since 09/05/2022
09/05/2022
?
Greenland hospital system
The government of Greenland confirms reports that the island’s hospital system was “severely” impacted by a cyberattack.
Unknown
Education
CC
GL
Greenland
23
18/05/2022
24/11/2021
24/11/2021
?
Bryan County Ambulance Authority
Bryan County Ambulance Authority notifies 14,000 patients that their data was stolen ahead of a November 2021 ransomware attack.
Malware
Human health and social work
CC
US
Bryan County Ambulance Authority, ransomware
24
18/05/2022
Between 10/11/2021 and 24/11/2021
24/11/2021
?
Allaire Healthcare Group
Allaire Healthcare Group reveals that an unauthorized individual has gained access to the email account of one of its employees.
Account Takeover
Human health and social work
CC
US
Allaire Healthcare Group
25
18/05/2022
-
-
?
Machatt Co., Ltd.
Machatt Co., Ltd. issues a notice addressing a data breach potentially affecting the personal information of up to 16,093 customers. In particular, Machatt confirms that personal information of customers of the Machatt online store operated by the company may have been leaked due to unauthorised access by a third party.
Unknown
Wholesale and retail
CC
JP
Machatt Co
26
18/05/2022
18/05/2022
18/05/2022
?
Collectors of NFTs
A compromised NFT Discord Server of Memeland, RTFKT, PROOF/Moonbirds and infrastructure company Cyberconnect is used to deliver phishing pages.
Organizations all over the world, from North America to Colombia, Netherlands, China, Mexico and Vietnam.
Researchers from Cisco Talos reveal the details of the latest campaigns from the BlackByte ransomware group.
Malware
Multiple Industries
CC
>1
Cisco Talos, BlackByte, ransomware
28
18/05/2022
-
-
?
Malaysian National Registration Department (NRD)
The data of 22.5 million Malaysians, allegedly stolen from the National Registration Department (NRD), is leaked.
Unknown
Public admin and defence, social security
CC
MY
Malaysia, National Registration Department, NRD
29
19/05/2022
During May 2022
During May 2022
Ghostwriter
Individuals in Ukraine
Researchers from Mandiant reveal that the Ghostwriter group started to spread misinformation to divide Ukraine and its allies.
CID (Coordinated Inauthentic Behavior)
Individual
CW
UA
Ghostwriter, Russia, Ukraine
30
19/05/2022
Since February 2022
Since February 2022
Russia
Individuals in Ukraine
Researchers from Mandiant reveal the details of a Russian-influence campaign known as "Secondary Infektion," which began prior to the ground invasion and spread misinformation about Ukrainian president Volodymyr Zelenskyy. Mandiant linked the operation to a March false claim that Zelenskyy had died by suicide in the military bunker in Kyiv.
A more recent Secondary Infektion campaign circulates in both Ukrainian and Russian, falsely claiming that the Ukrainian and Polish governments sought to enable Polish troops to deploy in western Ukraine.
CID (Coordinated Inauthentic Behavior)
Individual
CW
UA
Mandiant, Secondary Infektion, Ukraine, Poland
32
19/05/2022
Since April 2022
Since April 2022
Russia
Individuals in Ukraine and Russia
An additional version of the Secondary Infektion campaign claims that Poland attempted to use an alleged "provocation," staged by Ukraine, to station Polish troops in the country.
CID (Coordinated Inauthentic Behavior)
Individual
CW
UA
Mandiant, Secondary Infektion, Ukraine, Poland
33
19/05/2022
Since February 2022
Since February 2022
Roaming Mayfly
Russian audiences
Researchers from Mandiant reveal the details of Roaming Mayfly, an Iranian threat actor, targeting Russian audiences on the eve of the invasion in what the security researchers say is an attempt to increase tensions between Russia and Israel.
CID (Coordinated Inauthentic Behavior)
Individual
CW
RU
Mandiant, Roaming Mayfly, Russia, Iran, Israel
34
19/05/2022
-
-
Dragonbridge
Individuals in the US and Ukraine
Researchers from Mandiant link a pro-Chinese government effort called "Dragonbridge" to an ongoing misinformation campaign that alleges Pentagon-linked labs are conducting biological weapons research in Ukraine.
CID (Coordinated Inauthentic Behavior)
Individual
CW
US
UA
Mandiant, Dragonbridge, China, US, Ukraine
35
19/05/2022
For several months
For several months
Threat actors from China connected with Stone Panda (aka APT10) and Mustang Panda
At least two research institutes in Russia
Researchers from Check Point discover an ongoing long-lasting campaign, dubbed Twisted Panda, carried out by a Chinese threat actor, targeting at least two research institutes in Russia, part of the Rostec Corporation.
Targeted Attack
Professional, scientific and technical
CE
RU
Check Point, China, Russia, Twisted Panda, Rostec Corporation, Stone Panda, APT10, Mustang Panda
36
19/05/2022
For several months
For several months
Threat actors from China connected with Stone Panda (aka APT10) and Mustang Panda
A research institute in Belarus
The same Twisted Panda campaign also targets a research institute in Belarus.
Targeted Attack
Professional, scientific and technical
CE
BY
Check Point, China, Russia, Twisted Panda, Rostec Corporation, Stone Panda, APT10, Mustang Panda, Belarus
37
19/05/2022
13/05/2022
13/05/2022
?
Nikkei
Publishing giant Nikkei discloses that the group's headquarters in Singapore was hit by a ransomware attack on May 13, 2022.
Malware
Information and communication
CC
SG
Nikkei, Ransomware
38
19/05/2022
-
-
DEADBOLT
Misconfigured QNAP devices
QNAP warns customers to secure their devices against attacks pushing DeadBolt ransomware payloads.
Malware
Multiple Industries
CC
>1
QNAP, DeadBolt, ransomware
39
19/05/2022
'Recently'
'Recently'
?
Multiple organizations
Researchers from Trustwave discover a phishing website containing a chatbot, able to establish a conversation first, and to guide the victim to the actual phishing pages.
Account Takeover
Multiple Industries
CC
>1
Trustwave, chatbot
40
19/05/2022
Since April 2022
-
Lazarus Group
Multiple organizations
Researchers from Ahnlab discover a new campaign by the North Korean Lazarus Group exploiting the Log4Shell vulnerability (CVE-2021-44228) to install the NukeSped backdoor.
CVE-2021-44228 Vulnerability
Multiple Industries
CC
>1
Ahnlab, North Korea Lazarus, Log4Shell vulnerability, CVE-2021-44228, NukeSped backdoor
41
19/05/2022
During the last six months
During the last six months
XorDDoS (AKA XOR DDoS)
Linux devices
Researchers from Microsoft detect a 254% increase in infections over six months for the XorDDoS (AKA XOR DDoS) malware.
Brute-Force
Multiple Industries
CC
>1
Microsoft, XorDDoS, XOR DDoS, Linux
42
19/05/2022
During August 2021
-
State-sponsored threat actor
Targets in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.
Researchers from Google's Threat Analysis Group (TAG) uncover three campaigns carried out by state-backed threat actors using five zero-day vulnerabilities to install the Predator spyware developed by commercial surveillance developer Cytrox.
Targets in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.
Researchers from Google's Threat Analysis Group (TAG) uncover three campaigns carried out by state-backed threat actors using five zero-day vulnerabilities to install the Predator spyware developed by commercial surveillance developer Cytrox.
Targets in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.
Researchers from Google's Threat Analysis Group (TAG) uncover three campaigns carried out by state-backed threat actors using five zero-day vulnerabilities to install the Predator spyware developed by commercial surveillance developer Cytrox.
The Cl0p ransomware gang leaks the data stolen from the Fort Sumner Municipal Schools.
Malware
Education
CC
US
Cl0p, ransomware, Fort Sumner Municipal Schools
46
19/05/2022
Since at least 2020
During May 2022
FSB Contractor
Single individuals worldwide
Researchers from Nisos reveal the details of the Russian Fronton botnet, able to create a coordinated inauthentic behavior "on a massive scale" to spread misinformation and propaganda.
CID (Coordinated Inauthentic Behavior)
Individual
CW
>1
Nisos, Russia, Fronton
47
19/05/2022
During April 2022
During April 2022
?
Multiple organizations
Researchers from Zscaler discover a new collection of phishing domains offering up fake Windows 11 installers that actually deliver the Vidar information-stealing malware.
Malware
Multiple Industries
CC
>1
Zscaler, Windows 11, Vidar
48
19/05/2022
Since at least May 2022
10/05/2022
?
Rust developers
Researchers from Sentinel Labs reveal the details of 'CrateDepression', a software supply chain attack targeting Rust developers with malware aimed directly at infecting GitLab Continuous Integration (CI) pipelines.
Malware
Multiple Industries
CC
>1
Sentinel Labs, CrateDepression, GitLab, Continuous Integration, CI
49
19/05/2022
-
-
Vice Society
Atlanta Perinatal Associates
The Vice Society ransomware gang claims to have acquired patient files from Atlanta Perinatal Associates.
Malware
Human health and social work
CC
US
Vice Society, ransomware, Atlanta Perinatal Associates
50
20/05/2022
-
-
Sandworm
Targets in Ukraine
Researchers from ESET discover a new version of the Industroyer2 malware, dubbed ArguePatch, deployed against targets in Ukraine.
Malware
Multiple Industries
CW
UA
ESET, Industroyer2, ArguePatch, Ukraine, Sandworm
51
20/05/2022
Since at least 06/05/2022
Since at least 06/05/2022
Pro-Ukrainian hacking groups
Sberbank
Russia's banking and financial services company Sberbank is being targeted in a wave of unprecedented DDoS attacks.
DDoS
Finance and insurance
H
RU
Sberbank
52
20/05/2022
20/05/2022
20/05/2022
Killnet
Websites of various Italian institutions and government ministries
The websites of various Italian institutions and government ministries are taken down by the Killnet collective.
DDoS
Public admin and defence, social security
H
IT
Killnet, Russia
53
20/05/2022
20/05/2022
20/05/2022
Killnet
Italian airports of Malpensa, Linate and Orio al Serio
The websites of the Italian airports of Malpensa, Linate and Orio al Serio are taken down by the pro-Russian Killnet collective.
DDoS
Transportation and storage
H
IT
Malpensa, Linate, Orio al Serio, Killnet, Russia
54
20/05/2022
-
-
?
Organizations using the School Management WordPress plugin
Researchers from Jetpack discover a backdoor in School Management, a premium WordPress plugin designed as a complete management solution for schools. The malicious code, whose source is unknown to the author of the plugin, enables a threat actor to execute PHP code without authenticating.
Malicious WordPress Plugin
Education
CC
>1
Jetpack, School Management, WordPress
55
20/05/2022
During May 2022
During May 2022
Multiple threat actors
Vulnerable Cisco IOS XR routers
Cisco addresses a zero-day vulnerability in its IOS XR routers (CVE-2022-20821) currently exploited in attacks.
CVE-2022-20821 vulnerability
Multiple Industries
N/A
>1
Cisco, IOS XR, CVE-2022-20821
56
20/05/2022
17/05/2022
17/05/2022
?
Windows, Linux, and macOS systems
Researchers from Sonatype discover 'pymafka', a malicious Python package performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems.
The Chicago Public Schools suffers a massive data breach that exposes the data of almost 500,000 students and 60,000 employees after its vendor, Battelle for Kids, suffered a ransomware attack in December 2021.
Malware
Education
CC
US
Chicago Public Schools, Battelle for Kids, ransomware
58
20/05/2022
Earlier in 2022
Earlier in 2022
?
Multiple organizations
Researchers from HP Wolf security discover a malicious campaign using PDF attachments to smuggle malicious Word documents that infect users with the Snake keylogger malware.
Malware
Multiple Industries
CC
>1
HP Wolf, PDF, Word, Snake
59
20/05/2022
Mid-May 2022
Mid-May 2022
?
Security researchers
Researchers from Cyble uncover a campaign carried out by a threat actor targeting security researchers with fake Windows proof-of-concept exploits that infect devices with the Cobalt Strike backdoor, taking advantage of the recently patched Windows remote code execution vulnerabilities tracked as CVE-2022-24500 and CVE-2022-26809.
CVE-2022-24500 and CVE-2022-26809 Vulnerabilities
Individual
CC
>1
Cyble, Windows, CVE-2022-24500, CVE-2022-26809
60
20/05/2022
Between 25/12/2021 and 08/03/2022
08/03/2022
?
Aesto Health
Aesto Health says it suffered a data security incident that impacted its internal IT systems when an unauthorized actor had accessed Aesto Health’s systems between December 25 and March 8.
Unknown
Human health and social work
CC
US
Aesto Health
61
20/05/2022
08/04/2020
-
?
Alameda Health System (AHS)
Alameda Health System (AHS) notifies 90,000 individuals of a data breach that occurred in 2020, when an unauthorized actor was able to remotely access an employee’s email account.
Account Takeover
Human health and social work
CC
US
Alameda Health System, AHS
62
20/05/2022
During March 2022
During March 2022
?
Oswego County Opportunities (OCO)
Oswego County Opportunities (OCO) announces that a limited number of employee email accounts were accessed by an unknown actor; suspicious email activity was detected and the email accounts were immediately secured.
Account Takeover
Public admin and defence, social security
CC
US
Oswego County Opportunities, OCO
63
20/05/2022
-
-
?
OE Enterprise
OE Enterprise discloses a phishing attack impacting 4,075 individuals.
Account Takeover
Human health and social work
CC
US
OE Enterprise
64
22/05/2022
-
During Summer 2019?
?
MGM Resorts
Miscreants dump on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.
Unknown
Accommodation and food service
CC
US
Telegram, MGM Resorts
65
22/05/2022
-
-
?
Cryptocurrency users
Cryptocurrency scammers are using deep fake videos of Elon Musk and other prominent cryptocurrency advocates to promote a BitVex trading platform scam that steals deposited currency.
Crypto scams
Fintech
CC
>1
Crypto, Elon Musk, BitVex
66
22/05/2022
22/05/2022
22/05/2022
?
Twitter account of NFT artist Beeple (Mike Winkelmann)
Hackers take control of the Twitter account of the well-known NFT artist Beeple and are able to gather around $270,000 in ETH and steal 45 NFTs worth around $165,000.
Account Takeover
Fintech
CC
US
Twitter, NFT, Beeple, Mike Winkelmann
67
23/05/2022
-
-
Turla
Austrian Economic Chamber, the NATO Joint Advanced Distributed Learning, and the Baltic Defense College
Researchers from Sekoia expose a new reconnaissance campaign by the Russian state-sponsored hacking group Turla, targeting the Austrian Economic Chamber, the NATO Joint Advanced Distributed Learning, and the Baltic Defense College.
Microsoft security researchers disclose an uptick in web skimming campaigns, employing various obfuscation techniques to deliver and hide skimming scripts.
Malicious Script Injection
Wholesale and retail
CC
>1
Microsoft, web skimming
69
23/05/2022
21/05/2022
21/05/2022
?
Zola
Wedding registry website Zola confirms that it was hit with a cyberattack after dozens of customers complained on social media about their accounts being drained or breached.
Credential Stuffing
Administration and support service
CC
US
Zola
70
23/05/2022
Between 04/03/2022 and 28/03/2022
-
?
Washington University School of Medicine
Washington University School of Medicine announces that patient information has been exposed as a result of a recent data security incident when an unknown actor gained access to the email accounts of certain employees between March 4, 2022, and March 28, 2022.
Account Takeover
Public admin and defence, social security
CC
US
Washington University School of Medicine
71
23/05/2022
Between April 1, 2021, and March 31, 2022
-
?
Homestead Hospice & Palliative Care
The data of 28,332 patients of Homestead Hospice & Palliative Care in Georgia is potentially compromised during a yearlong hack of multiple employee email accounts between April 1, 2021, and March 31, 2022.
Homestead Hospice & Palliative Care
72
24/05/2022
Between February and April 2022
Between February and April 2022
Unknown APT linked to China
Russian government entities
Researchers from Malwarebytes reveal that an unknown Advanced Persistent Threat (APT) group, linked to China, has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.
Targeted Attack
Public admin and defence, social security
CE
RU
APT, Russia, China
73
24/05/2022
At least since 22/05/2021
22/05/2021
?
Multiple organizations
The popular PyPI module 'ctx' that gets downloaded over 20,000 times a week is compromised in a software supply chain attack with malicious versions stealing the developer's environment variables, to collect secrets like Amazon AWS keys and credentials.
Malware
Multiple Industries
CC
>1
PyPI, ctx, Amazon AWS
74
24/05/2022
-
-
?
Police servers in China’s Xinjiang region
A hack on police servers in China’s Xinjiang region yields thousands of graphic images and videos of Uyghur detainees suffering in detention camps.
Unknown
Public admin and defence, social security
H
CN
China, Xinjiang, Uighur
75
24/05/2022
10/03/2022
10/03/2022
?
Val Verde Regional Medical Center ('VVRMC')
Val Verde Regional Medical Center ('VVRMC') discloses a data security incident affecting 86,562 individuals.
Unknown
Human health and social work
CC
US
Val Verde Regional Medical Center, VVRMC
76
24/05/2022
Since March 2022
Since March 2022
Goodwill
Multiple organizations in India
Researchers from CloudSEK discover a new ransomware strain, dubbed 'Goodwill', demanding that victims donate to the most vulnerable.
Malware
Multiple Industries
CC
IN
CloudSEK, ransomware, Goodwill
77
24/05/2022
Since May 2022
Since May 2022
Yashma
Multiple organizations
Researchers from BlackBerry reveal the details of Yashma, a new ransomware variant derived from the Chaos wiper.
Malware
Multiple Industries
CC
>1
BlackBerry, Yashma, ransomware, Chaos
78
24/05/2022
24/05/2022
24/05/2022
ALtahrea Team
Port of London Authority/PLA
The pro-Iranian group ALtahrea Team takes down the website of the Port of London Authority (PLA).
DDoS
Transportation and storage
H
UK
Iran, ALtahrea Team, Port of London Authority, PLA
79
24/05/2022
24/05/2022
24/05/2022
?
Undisclosed NFT collector
A hacker steals dozens of NFTs worth more than $1.4 million from a single collector on Tuesday, according to blockchain observers.
Account Takeover
Finance and insurance
CC
N/A
NFT
80
25/05/2022
25/05/2022
25/05/2022
?
SpiceJet
Low-cost Indian airline SpiceJet informs its customers of an attempted ransomware attack that has impacted some of its systems and caused delays on flight departures.
Malware
Transportation and storage
CC
IN
SpiceJet, Ransomware
81
25/05/2022
During May 2022
During May 2022
ChromeLoader
Multiple organizations
Researchers from Red Canary detect an uptick of the ChromeLoader malware distributed via malvertising campaigns.
Malware
Multiple Industries
CC
>1
Red Canary, ChromeLoader
82
25/05/2022
'Recently'
'Recently'
Cheerscrypt
VMware ESXi servers
Researchers from Trend Micro discover a new variant of the Cheers ransomware targeting VMware ESXi servers.
Researchers from NCC Group reveal a surge in Cl0p ransomware infections between April and May 2022.
Malware
Multiple Industries
CC
>1
NCC Group, Cl0p, ransomware
84
25/05/2022
During January 2022
During January 2022
Conti
Linn County
The Conti ransomware gang publishes all of the data it stole during a January attack on the government servers of Linn County.
Malware
Public admin and defence, social security
CC
US
Conti, ransomware, Linn County
85
25/05/2022
-
-
Cold River
Individuals in the UK
Researchers from Google's Threat Analysis Group (TAG) reveal that a new website "Very English Coop d'Etat" that published leaked emails from several leading proponents of Brexit is tied to Russian hackers from the Cold River threat group.
CID (Coordinated Inauthentic Behavior)
Individual
CW
UK
Google, Threat Analysis Group, TAG, "Very English Coop d'Etat", Brexit, Cold River
86
25/05/2022
05/03/2022
02/03/2022
?
Allwell Behavioral Health Services
Allwell Behavioral Health Services announces that a computer system used to store quality assurance information related to the treatment of patients was accessed by an unauthorized individual.
Unknown
Human health and social work
CC
US
Allwell Behavioral Health Services
87
25/05/2022
24/11/2021
13/12/2021
?
Cooper University Health Care
Cooper University Health Care announces that the email account of an employee was accessed by an unauthorized individual on November 24, 2021.
Account Takeover
Human health and social work
CC
US
Cooper University Health Care
88
25/05/2022
'Recently'
'Recently'
?
Lifespan Services
Lifespan Services, a non-profit provider of services to individuals with disabilities, confirms it was the victim of a ransomware attack that affected data on its servers.
Malware
Human health and social work
CC
US
Lifespan Services, Ransomware
89
25/05/2022
During the previous week
During the previous week
?
Sohu.com
Chinese internet portal operator Sohu.com says that two dozen employees lost more than 40,000 yuan (US$6,000) after they fell victim to an email scam, which promised “allowances” to recipients who provided their bank accounts and other personal identification information.
Account Takeover
Information and communication
CC
CN
Sohu.com
90
25/05/2022
-
-
?
Calgary Urban Project Society (CUPS)
The Calgary Urban Project Society (CUPS) informs an affected individual that a staff member’s email account had been hacked and that some of his personal information may have been put at risk.
Account Takeover
Human health and social work
CC
CA
Calgary Urban Project Society, CUPS
91
25/05/2022
26/03/2022
?
Comstar LLC
Ambulance billing service Comstar LLC notifies an as-yet undisclosed number of people following a data security breach of their systems that was detected on March 26, 2022.
Unknown
Administration and support service
CC
US
Comstar LLC
92
25/05/2022
-
-
?
Fred Hutchinson Cancer Center
Fred Hutchinson Cancer Center discloses a breach affecting 500 individuals.
Account Takeover
Human health and social work
CC
US
Fred Hutchinson Cancer Center
93
25/05/2022
-
-
?
Multiple Sclerosis Center of Atlanta
The Multiple Sclerosis Center of Atlanta discloses a breach affecting 2,820 individuals.
Account Takeover
Human health and social work
CC
US
Multiple Sclerosis Center of Atlanta
94
26/05/2022
-
-
?
Multiple organizations
Tax software vendor Intuit warns that QuickBooks customers are being targeted in an ongoing series of phishing attacks impersonating the company and trying to lure them with fake account suspension warnings.
Account Takeover
Multiple Industries
CC
>1
Intuit, QuickBooks
95
26/05/2022
-
-
?
Colleges and universities based in the U.S.
The FBI issues an alert about usernames and passwords giving access to colleges and universities based in the U.S., available for sale on Russian cybercriminal forums.
Account Takeover
Education
CC
US
FBI, Federal Bureau of Investigation, colleges and universities based in the U.S.
96
26/05/2022
-
-
Keksec
Multiple organizations
Researchers from AT&T Alien Labs discover a new variant of the EnemyBot malware exploiting new vulnerabilities: CVE-2022-22954 (VMware), CVE-2022-22947 (Spring), CVE-2022-1388 (F5)
The Somerset County is hit with a ransomware attack.
Malware
Public admin and defence, social security
CC
US
Somerset County
98
26/05/2022
Since at least February 2021
During February 2021
Threat actors from the Dominican Republic
Facebook users
Researchers from Cybernews expose a network of Facebook accounts responsible to distribute malicious content via the "is that you?" scam.
CID (Coordinated Inauthentic Behavior)
Individual
CC
>1
Cybernews, Facebook, "is that you?"
99
26/05/2022
Since at least 25/01/2022
25/01/2022
?
Scarborough Health Network (SHN)
Canadian healthcare service provider Scarborough Health Network (SHN) warns that a data breach may have exposed patient healthcare records.
Unknown
Human health and social work
CC
CA
Scarborough Health Network, SHN
100
26/05/2022
-
-
?
Verizon
A hacker obtains a database that includes the full name, email address, corporate ID numbers, and phone number of hundreds of Verizon employees.
Account Takeover
Information and communication
CC
US
Verizon
101
26/05/2022
03/01/2022
-
?
Martin University
Martin University discloses to have been hit with a ransomware incident.
Malware
Education
CC
US
Martin University, ransomware
102
27/05/2022
24/05/2022
24/05/2022
BlackCat AKA ALPHV
Austrian federal state Carinthia
Austrian federal state Carinthia is hit by the BlackCat ransomware gang, also known as ALPHV, who demands a $5 million to unlock the encrypted computer systems.
Malware
Public admin and defence, social security
CC
AT
Carinthia, BlackCat, ransomware, ALPHV
103
27/05/2022
Between 07/03/2022 and 21/03/2022
28/03/2022
?
Shields Health Care Group
The sensitive information of two million people is accessed during a cyberattack on Shields Health Care Group, a Massachusetts-based healthcare organization that provides services to dozens of hospitals and other medical facilities.
Unknown
Human health and social work
CC
US
Shields Health Care Group
104
27/05/2022
During April 2022
17/05/2022
?
City of Portland
The City of Portland investigates a cybersecurity breach that resulted in a $1.4 million fraudulent transaction with city funds in April.
Account Takeover
Public admin and defence, social security
CC
US
City of Portland
105
27/05/2022
Between 29/12/2020 and 26/02/2022
25/02/2022
?
Aon PLC
Aon PLC reports a hacking incident that impacted 28,714 individuals.
Unknown
Human health and social work
CC
US
Aon PLC
106
27/05/2022
-
29/03/2022
-
?
Platinum Hospitalists notifies 6,000 patients that some of their protected health information has potentially been compromised by a phishing attack.
Account Takeover
Human health and social work
CC
US
Platinum Hospitalists
107
27/05/2022
05/03/2022
-
?
Capsule
Capsule, a digital pharmacy, starts notifying 27,486 individuals that some of their protected health information has been exposed in a cyberattack where unauthorized individuals gained access to certain Capsule accounts on April 5, 2022.
Account Takeover
Human health and social work
CC
US
Capsule
108
27/05/2022
Between 04/03/2022 and 28/03/2022
-
?
BJC HealthCare
BJC HealthCare starts notifying certain patients that some of their protected health information was stored in email accounts that were accessed by an unauthorized individual.
Account Takeover
Human health and social work
CC
US
BJC HealthCare
109
27/05/2022
Since 25/05/2022
Since 25/05/2022
Magniber
Multiple organizations
Researchers from 360 Total Security reveal that the Magniber ransomware has been upgraded to target Windows 11 machines.
Malware
Multiple Industries
CC
>1
Magniber, Ransomware, 360 Total Security
110
27/05/2022
15/12/2021
During January 2022
?
Acorda Therapeutics
An undisclosed number of patients tied to Acorda Therapeutics are notified that their data was accessed during the hack of its business email environment.
Account Takeover
Human health and social work
CC
US
Acorda Therapeutics
111
27/05/2022
-
-
?
North Lakes Pain Consultants
North Lakes Pain Consultants discloses a breach affecting 620 individuals
Unknown
Human health and social work
CC
US
North Lakes Pain Consultants
112
28/05/2022
-
-
BlackCat AKA ALPHV
Regina Public Schools
Regina Public Schools are hit by a ransomware attack.
Malware
Education
CC
CA
Regina Public Schools, ransomware, BlackCat, ALPHV
113
29/05/2022
-
-
Spid3r
Several Belarus’ government websites
Anonymous-affiliated collective Spid3r claims to have attacked Belarus’ government websites in retaliation for the country’s alleged support of Russia’s invasion of Ukraine.
Unknown
Public admin and defence, social security
H
BY
Anonymous, Spid3r, Belarus, Russia, Ukraine
114
30/05/2022
30/05/2022
30/05/2022
Killnet
Italian Ministries of Defense and Foreign Affairs
The websites of the talian Ministries of Defense and Foreign Affairs are taken down by the pro-Russian Killnet collective.
DDoS
Public admin and defence, social security
H
IT
Killnet, Russia
115
30/05/2022
-
27/05/2022
?
Multiple organizations
Security researchers discover a new Microsoft Office zero-day vulnerability, dubbed 'Follina' (CVE-2022-30190) used in attacks to execute malicious PowerShell commands via Microsoft Diagnostic Tool (MSDT) simply by opening a Word document.
CVE-2022-30190 vulnerability (Follina)
Multiple Industries
N/A
>1
Microsoft Office, Follina, PowerShell, Microsoft Diagnostic Tool, MSDT, Word, CVE-2022-30190
116
30/05/2022
30/05/2022
30/05/2022
?
Mirror Protocol
The Mirror Protocol, a decentralized finance platform on the Terra network, has more than $2 million drained from it due to an issue affecting how its price-setting software reacted to the historic Luna cryptocurrency crash.
Price Manipulation
Fintech
CC
N/A
Mirror Protocol, Terra, Luna
117
30/05/2022
'Recently'
'Recently'
?
WhatsApp users in India
Researchers from CloudSEK warn of a new ongoing WhatsApp OTP scam that could allow attackers to hijack users’ accounts through phone calls.
Account Takeover
Individual
CC
IN
CloudSEK, WhatsApp
118
30/05/2022
-
-
?
Pegasus Airlines
Turkish flight operator Pegasus Airlines suffers a data breach after an AWS cloud storage bucket is reportedly left unprotected and there was unauthorized access to certain information held by carrier.
Misconfiguration
Transportation and storage
CC
TR
Pegasus Airlines, AWS
119
30/05/2022
19/05/2022
-
?
Spirit Super
A phishing attack at Australian pension provider Spirit Super results in “some personal details being compromised”.
Account Takeover
Human health and social work
CC
AU
Super Spirit
120
31/05/2022
-
-
Anonymous
Metprom Group
In name of #OpRussia, the Anonymous leak a trove of emails from Metprom Group, a metallurgical engineering and investment firm.
Unknown
Professional, scientific and technical
H
RU
#OpRussia, Anonymous, Metprom Group
121
31/05/2022
-
-
XLoader
Multiple organizations
Researchers from Check Point discover a new version of the XLoader botnet malware that uses probability theory to hide its command and control servers.
Malware
Multiple Industries
CC
>1
Check Point, XLoader, probability theory
122
31/05/2022
31/05/2022
31/05/2022
Hive
Costa Rica's public health service (AKA Costa Rican Social Security Fund or CCCS)
Costa Rica's public health service (known as Costa Rican Social Security Fund or CCCS) are hit by a Hive ransomware attack.
Malware
Human health and social work
CC
CR
Costa Rica, Costa Rican Social Security Fund, CCCS, Hive, ransomware
123
31/05/2022
Since February 2022
Since February 2022
?
Individuals
The FBI warns the public of fraudulent schemes seeking donations or other financial assistance related to the crisis in Ukraine.
Financial Scam
Individual
CC
>1
FBI, Federal Bureau of Investigation, Ukraine
124
31/05/2022
During May 2022
During May 2022
TA413
International Tibetan community
Researchers from Proofpoint reveal that the Chinese APT Group TA413 is now actively exploiting the Microsoft Office zero-day vulnerability (known as 'Follina' AKA CVE-2022-30190) to target the International Tibetan community.
Targeted Attack
Individual
CE
N/A
Proofpoint, China, APT, TA413, Microsoft Office, Follina, CVE-2022-30190, Tibet
125
31/05/2022
During May 2022
During May 2022
?
RuneScape players
Researchers from Malwarebytes discover a new RuneScape-themed phishing campaign exceptionally well-crafted.
Account Takeover
Arts entertainment, recreation
CC
>1
Malwarebytes, RuneScape
126
31/05/2022
Between 16/01/2022 and 20/01/2022
Between 16/01/2022 and 20/01/2022
?
Virginia Mason Medical Center (VMMC)
Virginia Mason Medical Center (VMMC) discloses an incident where an external third party “intruded” three servers between January 16 and January 20, 2022.
Unknown
Human health and social work
CC
US
Virginia Mason Medical Center, VMMC
127
31/05/2022
-
-
?
Undisclosed organzations
Google releases the second part of the May security patch for Android, including a fix for CVE-2021-22600, an actively exploited Linux kernel vulnerability.
CVE-2021-22600 vulnerability
Unknown
N/A
N/A
Google, Android, CVE-2021-22600
128
31/05/2022
"Few months ago"
"Few months ago"
?
Calcasieu Parish School Board
The Calcasieu Parish School Board is the victim of a cyber fraud incident when the emails of a contractor are compromised.
Account Takeover
Education
CC
US
Calcasieu Parish School Board
129
31/05/2022
15/05/2022
-
?
CTARS
CTARS, the makers of a cloud-based client management system used by the Australian National Disability Insurance Scheme (NDIS) as well as disability services, out of home care, and children's services, reveals it was breached on May 15 and found the data posted to the dark web a week later.
Unknown
Professional, scientific and technical
CC
AU
CTARS, Australian National Disability Insurance Scheme, NDIS
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags