The growing trend of attacks continued in the second half of August, for which I collected 144 events. Although the numbers are lower than in the previous timeline, the overall level of activity remains significant.
The new wave of ransomware attacks, driven especially by the BlackCat (AKA ALPHV) and LockBit 3.0 gangs, continued in the second fortnight, characterizing 39 out of 144 events (27%), in line with the previous timeline. Similarly, the impact of vulnerabilities continues to decrease (10 out of 144 events, corresponding to 6.9%).
And if, at least for once, the massive hacks against crypto platforms took a break, one cannot say the same for the mega breaches: more than 10 million records were leaked in two incidents, one affecting a technology service provider in the US (2.5 million) and one a media streaming company in Russia (7.5 million).
The effects of the conflict in Ukraine continue in cyberspace as well: pro-Russian hacktivists remain very active, and in the second half of August Energoatom (Ukraine’s state nuclear power company) and multiple websites in Estonia, including ESTO AS, the main local payment provider, were brought down by their attacks.
One concerning trend is also the growing number of misinformation campaigns carried out via Coordinated Inauthentic Behavior. Most of them were predictably orchestrated by pro-Russian entities, but in one case a long-lasting pro-U.S. campaign was unearthed.
And as usual, the cyber espionage front is rich in events, even if with a minor impact in comparison to the previous timelines. The timeline reports new campaigns by the usual suspects such as APT29, Charming Kitten, Kimsuky, and MuddyWater, but also by emerging actors such as RedAlpha, TA423, and UNC3890.
As usual the list is too long to be summarized in a few words (this one in particular), so my suggestion is to enjoy the interactive timeline and the tabular format, and obviously thanks for sharing it and supporting my work in spreading risk awareness across the community. As always, don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
Geo Map August H2 2022
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
1
16/08/2022
16/08/2022
16/08/2022
Russian group ‘People’s Cyber Army’
Energoatom
Ukraine’s state nuclear power company Energoatom said Russian-based hackers launched a major three-hour attack on its website but had not caused significant problems.
DDoS
Electricity, gas steam, air conditioning
CW
UA
Ukraine, Russia, Energoatom, Russian group ‘People’s Cyber Army’
2
16/08/2022
Since at least 2015
-
RedAlpha
Global humanitarian, think tank, and government organizations
Researchers from Recorded Future discover RedAlpha, a Chinese group targeting global humanitarian, think tank, and government organizations via a multi-year phishing campaign.
Targeted Attack
Multiple Industries
CE
>1
Recorded Future, RedAlpha, China
3
16/08/2022
-
-
Multiple threat actors
Multiple organizations
Google issues 11 security fixes for desktop Chrome, including one for CVE-2022-2856, a bug that has an exploit for it out in the wild.
CVE-2022-2856 Vulnerability
Multiple Industries
N/A
N/A
Google, Chrome, CVE-2022-2856
4
16/08/2022
Since 01/08/2022
-
scarycoder
Single Individuals
Researchers from Snyk discover a dozen malicious PyPi packages installing malware that modifies the Discord client to turn it into an information-stealing backdoor and steals data from web browsers and Roblox.
Malware
Individual
CC
>1
Snyk, PyPi, Discord, Roblox
5
16/08/2022
'During the last two months'
'During the last two months'
Xenomorph
Android users
Researchers from ThreatFabric discover a new version of the Android malware Xenomorph using a new dropper called BugDrop.
Malware
Individual
CC
>1
ThreatFabric, Android, Xenomorph, BugDrop
6
16/08/2022
-
05/06/2022
?
Service By Medallion (SBM)
Service By Medallion (SBM) reports a data breach after an unauthorized party gained access to an employee's email account.
Account Takeover
Administration and support service
CC
US
Service By Medallion, SBM
7
16/08/2022
-
24/05/2022
?
HanesBrands
HanesBrands, reports a data breach after the company experienced a ransomware attack.
Malware
Manufacturing
CC
US
HanesBrands, ransomware
8
16/08/2022
10/08/2022
10/08/2022
?
Aceitera General Deheza (AGD)
Argentinian agribusiness Aceitera General Deheza (AGD) discloses a ransomware attack.
Malware
Manufacturing
CC
AR
Aceitera General Deheza, AGD
9
17/08/2022
Since late 2022
During Mid-2022
UNC3890
Israeli Shipping, Healthcare, Government and Energy Sectors
Researchers from Mandiant discover a campaign carried out by an Iranian Threat Actor dubbed UNC3890 targeting Israeli shipping, healthcare, government and energy sectors.
Targeted Attack
Multiple Industries
CE
IL
Mandiant, UNC3890, Iran, Israel
10
17/08/2022
Since at least 2015
-
DarkTortilla
Multiple organizations
Researchers from Secureworks' Counter Threat Unit (CTU) expose DarkTortilla, a highly pervasive .NET-based crypter that has flown under the radar since about 2015 and can deliver a wide range of malicious payloads such as AgentTesla, AsyncRat, NanoCore, RedLine, Cobalt Strike and Metasploit.
Apple issues macOS 12.5.1, iOS 15.6.1, and iPadOS 15.6.1 updates to address a flaw in the kernel (CVE-2022-32894) and a flaw in WebKit (CVE-2022-32893) exploited in the wild.
Researchers from Cybereason discover a new campaign distributing the BumbleBee loader via ISO files.
Malware
Multiple Industries
CC
>1
Cybereason, BumbleBee, ISO
13
17/08/2022
Since the beginning of 2019
-
ATMZOW
483 websites in Italy, Germany, France, UK, Australia, India, Brazil
Researchers from Group-IB reveal that the ATMZOW campaign has successfully infected at least 483 websites belonging to the domain zones of Italy, Germany, France, UK, Australia, India, Brazil etc. since the beginning of 2019.
Malicious Script Injection
Wholesale and retail
CC
IT
DE
FR
UK
AU
IN
BR
Group-IB, ATMZOW
14
17/08/2022
-
-
?
Android users
Researchers from BitDefender discover a series of 35 malicious apps on Google Play store, totaling over two million downloads.
Malware
Individual
CC
>1
BitDefender, Android, Google Play
15
17/08/2022
-
-
?
Crypto users
Patrick Hillmann, the chief communications officer at Binance, claims that a “sophisticated hacking team” used video footage of his past TV appearances and digitally altered it to make an “AI hologram” of him and trick people into meetings.
Deepfake
Fintech
CC
>1
Patrick Hillmann, Binance
16
17/08/2022
-
-
?
Multiple organizations
At least 33 packages on PyPi were observed installing crypto mining software XMRig following a Linux system infection.
Malware
Multiple Industries
CC
>1
PyPi, XMRig, Linux, Crypto
17
17/08/2022
24/06/2022
24/06/2022
?
Peter Brasseler Holdings
Peter Brasseler Holdings confirms it was the victim of a ransomware attack.
Malware
Human health and social work
CC
US
Peter Brasseler Holdings, Ransomware
18
17/08/2022
-
-
?
Calcium Products
Calcium Products reports a data breach after the company experienced a “data security incident."
Unknown
Manufacturing
CC
US
Calcium Products
19
17/08/2022
-
-
?
Forsyth County Medical Office
Forsyth County Medical Office discloses a cyber attack in which suspicious emails were sent out through the practice's email system.
Account Takeover
Public admin and defence, social security
CC
US
Forsyth County Medical Office
20
18/08/2022
17/08/2022
17/08/2022
Killnet
Government websites in Estonia
Estonia claims to have repelled "the most extensive cyber attacks since 2007", shortly after removing Soviet monuments in a region with an ethnic Russian majority.
DDoS
Public admin and defence, social security
H
EE
Killnet, Estonia, Russia
21
18/08/2022
17/08/2022
17/08/2022
Killnet
ESTO AS
The pro-Russian collective Killnet takes down ESTO AS, the main payment provider in Estonia.
Researchers from Group-IB release a new research on the state-sponsored hacker group APT41 that the team estimates in 2021 gained access to at least 13 organizations worldwide and splitting Cobalt Strike into 154 pieces to evade detection.
Organizations in the travel and hospitality sector
Researchers from Proofpoint reveal the details of TA558, a financially motivated group targeting organizations in the travel and hospitality sector, mainly in Latin America and sometimes North America and Western Europe, using a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT.
Malware
Individual
CC
US
Proofpoint, TA558, Loda RAT, Vjw0rm, Revenge RAT
24
18/08/2022
01/06/2022
01/06/2022
?
Undisclosed organization
Google says it has blocked the largest ever HTTPS-based distributed-denial-of-service (DDoS) attack in June, which peaked at 46 million requests per second.
DDoS
Unknown
CC
N/A
Google DDoS
25
18/08/2022
End of July 2022
-
?
Multiple organizations
Researchers from Avanan discover a wave of phishing campaigns hosting the phishing pages on AWS.
Account Takeover
Multiple Industries
CC
>1
Avanan, AWS
26
18/08/2022
-
-
Multiple threat actors
Multiple organizations
The US Cybersecurity and Infrastructure Security Agency (CISA) adds CVE-2022-22536, a critical SAP vulnerability, to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con conferences.
CVE-2022-22536 Vulnerability
Multiple Industries
CC
>1
The US Cybersecurity and Infrastructure Security Agency, CISA, CVE-2022-22536, SAP, Black Hat, Def Con
27
18/08/2022
-
-
Multiple threat actors
Companies in the United States
The Federal Bureau of Investigation (FBI) raises an alarm for cybercriminals using proxies and configurations to hide and automate credential stuffing attacks against companies in the United States.
Credential Stuffing
Multiple Industries
CC
US
Federal Bureau of Investigation, FBI, proxies
28
18/08/2022
Since June 2022
-
Grandoreiro
Chemicals manufacturer in Spain and automotive and machinery makers in Mexico
Researchers from Zscaler discover a new campaign of the Grandoreiro banking trojan, targeting employees of a chemicals manufacturer in Spain and workers of automotive and machinery makers in Mexico.
Malware
Manufacturing
CC
ES
MX
Zscaler, Grandoreiro
29
18/08/2022
'Recently'
'Recently'
?
Individuals
Researchers from Sucuri discover a recent campaign exploiting compromised WordPress sites to display fake Cloudflare DDoS protection pages to distribute malware.
Malware
Individual
CC
>1
Sucuri, WordPress, Cloudflare
30
18/08/2022
-
-
APT29 AKA Cozy Bear
NATO countries
Researchers from Mandiant reveal that the Russian cyber espionage group APT29 (Cozy Bear) is targeting Microsoft 365 accounts of NATO countries, disabling 'Advanced Audit' to go undetected.
Targeted Attack
Public admin and defence, social security
CE
>1
Mandiant, Russia, APT29, Cozy Bear, Microsoft 365, NATO, Advanced Audit
31
18/08/2022
-
-
?
General Bytes
Bitcoin ATM manufacturer General Bytes confirms that it was a victim of a cyberattack that exploited a previously unknown flaw in its software to plunder cryptocurrency from its users.
Vulnerability
Fintech
CC
US
General Bytes
32
18/08/2022
-
-
?
Individuals
Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge.
Account Takeover
Individual
CC
US
PayPal
33
18/08/2022
Since July 2022
Since July 2022
BianLian
Multiple organizations
Researchers from Cyble discover a new ransomware strain dubbed BianLian.
Malware
Multiple Industries
CC
>1
Cyble, ransomware, BianLian
34
18/08/2022
17/08/2022
17/08/2022
?
Puerto Rico’s Oficina de Servicios Legislativos (Office of Legislative Services, OLS)
Puerto Rico’s Oficina de Servicios Legislativos (OLS) confirms it has suffered a cyber attack.
Unknown
Public admin and defence, social security
CC
US
Puerto Rico’s Oficina de Servicios Legislativos, OLS
35
18/08/2022
-
-
?
Henderson & Walton Women’s Center (HWWC)
Henderson & Walton Women’s Center (HWWC) notifies 34,306 patients that some of their protected health information may have been compromised as a result of a hacker gaining access to the email account of one of its employees.
Account Takeover
Human health and social work
CC
US
Henderson & Walton Women’s Center, HWWC
36
18/08/2022
July 2, 2022 through July 6, 2022, as well as on July 30-31 and August 1, 2, 7 and 8.
-
?
SF Fire Credit Union
SF Fire Credit Union reports a data breach impacting affected members’ names, credit card numbers, CVV numbers, card expiration dates, and PIN numbers.
Unknown
Finance and insurance
CC
US
SF Fire Credit Union
37
18/08/2022
Between 27/04/2022 and 03/05/2022
-
?
Newcourse Communications
Newcourse Communications reports a data breach after the company’s computer systems were hacked.
Unknown
Professional, scientific and technical
CC
US
Newcourse Communications
38
18/08/2022
-
29/04/2022
?
Lionel Holdings
Lionel Holdings reports a data breach after the company fell victim to a ransomware attack.
Malware
Manufacturing
CC
US
Lionel Holdings, ransomware
39
19/08/2022
-
-
?
Whitworth University
Whitworth University is hit with a ransomware attack.
Malware
Education
CC
US
Whitworth University, ransomware
40
19/08/2022
24/04/2022
24/04/2022
?
Sferra Fine Linens
Textile company Sferra Fine Linens announces that it has started notifying individuals of a cybersecurity incident involving their personal information.
Unknown
Manufacturing
CC
US
Sferra Fine Linens
41
19/08/2022
28/07/2022
28/07/2022
?
Holdcroft Motor Group
Holdcroft Motor Group, one of the UK’s largest family-run car dealerships, admits suffering a serious ransomware attack, which resulted in data theft (two years' worth of data) and the damage “beyond repair” of some core systems.
Malware
Wholesale and retail
CC
UK
Holdcroft Motor Group, ransomware
42
19/08/2022
17/08/2022
17/08/2022
BlackCat AKA ALPHV
Fremont County
Fremont County is hit by a BlackCat ransomware attack.
Malware
Public admin and defence, social security
CC
US
Fremont County, BlackCat, ALPHV, ransomware
43
19/08/2022
28/06/2022
-
?
North Dakota’s Department of Workforce Safety & Insurance (WSI)
North Dakota’s Department of Workforce Safety & Insurance (WSI) discloses a phishing incident compromising the personal information of 182 individuals.
Account Takeover
Public admin and defence, social security
CC
US
North Dakota’s Department of Workforce Safety & Insurance, WSI
44
19/08/2022
-
-
Evilcoder
Multiple organizations
Researchers from Cyble discover a new sophisticated XWorm RAT with HVNC and ransomware capabilities.
Malware
Multiple Industries
CC
>1
Cyble, XWorm RAT, Evilcoder, HVNC, ransomware
45
19/08/2022
-
19/08/2022
?
Multiple organizations
Researchers from Sonatype discover 186 malicious packages flooding the npm registry that infect Linux hosts with cryptominers by downloading a malicious Bash script from the threat actor's server.
Malware
Multiple Industries
CC
>1
Sonatype, npm, crypto
46
19/08/2022
15/08/2022
15/08/2022
?
Prefeitura do Rio
The Prefeitura do Rio confirms it has been hit by a cyber attack.
Unknown
Public admin and defence, social security
CC
BR
Prefeitura do Rio
47
20/08/2022
20/08/2022
20/08/2022
Ragnar Locker
DESFA
Greece’s national natural gas operator DESFA confirms that it was hit with a cyberattack but said it will not negotiate with the people behind the incident. The Ragnar Locker ransomware gang adds the organization to its leak site.
Malware
Electricity, gas steam, air conditioning
CC
GR
DESFA, Ragnar Locker, ransomware
48
20/08/2022
-
-
?
Sierra College
Sierra College discloses it has been hit with a ransomware attack.
Malware
Education
CC
US
Sierra College, ransomware
49
21/08/2022
Since at least 26/01/2022
-
Escanor
Multiple organizations
Researchers from Resecurity identify a new RAT called Escanor, advertised on the Dark Web and Telegram, with Android-based and PC-based versions, an HVNC module and an exploit builder that weaponizes Microsoft Office and Adobe PDF documents to deliver malicious code.
Malware
Multiple Industries
CC
>1
Resecurity, Dark Web, Telegram, Escanor, Android, RAT, HVNC, Microsoft Office, Adobe
50
21/08/2022
-
-
?
BESCOM users
BESCOM (Bangalore Electricity Supply Company Limited) warns consumers about fraudulent messages and phone calls claiming that the power supply to their houses will be disconnected owing to payment failure.
Account Takeover
Individual
CC
IN
BESCOM, Bangalore Electricity Supply Company Limited
51
21/08/2022
21/08/2022
21/08/2022
?
LockBit
After claiming responsibility for the attack against Entrust, the blog of the ransomware gang LockBit is taken down by a DDoS attack.
DDoS
Other service activities
CC
N/A
Ransomware, LockBit, Entrust
52
21/08/2022
20/08/2022
20/08/2022
LockBit
South Francilien Hospital Center (CHSF)
The South Francilien Hospital Center (CHSF) is hit with a LockBit ransomware attack.
Malware
Human health and social work
CC
FR
South Francilien Hospital Center, CHSF, LockBit, ransomware
53
21/08/2022
During August 2022
20/08/2022
Bjorka
IndiHome
A threat actor under the moniker of Bjorka leaks the browser history of 26M Indonesian people, allegedly hacked from IndiHome.
Unknown
Information and communication
CC
ID
Bjorka, IndiHome, Telkom Indonesia
54
22/08/2022
-
During July 2022
?
WhatsApp and WhatsApp Business users
Researchers from Doctor Web discover a malware dubbed Android.BackDoor.3104, targeting WhatsApp and WhatsApp Business users, installed on counterfeit Android devices.
Malware
Multiple Industries
CC
>1
Doctor Web, Android, Android.BackDoor.3104, WhatsApp, WhatsApp Business
55
22/08/2022
'Recently'
'Recently'
?
Telecommunications agency in South Asia
Researchers from Fortinet discover a campaign delivering the PivNoxy and Chinoxy malware.
Targeted Attack
Information and communication
CE
N/A
Fortinet, PivNoxy, Chinoxy
56
22/08/2022
From April 2022
-
XCSSET
Multiple organizations
Researchers from Sentinel One discover a new version of the XCSSET malware upgraded to target macOS Monterey users.
Malware
Multiple Industries
CC
>1
Sentinel One, XCSSET, macOS, Monterey
57
22/08/2022
During January 2022
-
?
California Department of Corrections and Rehabilitation (CDCR)
The California Department of Corrections and Rehabilitation discloses a potential exposure of medical information, for employees and visitors who were tested for the coronavirus, after discovering some suspicious activity in a file transfer system.
Unknown
Public admin and defence, social security
CC
US
California Department of Corrections and Rehabilitation, CDCR
58
22/08/2022
-
-
?
Mansfield Independent School District
Mansfield Independent School District is hit with a ransomware attack.
Researchers from Google TAG (Threat Analysis Group) reveal the details of HYPERSCRAPE, a tool used to download email messages from targeted Gmail, Yahoo, and Microsoft Outlook accounts used by the State-sponsored Iranian hacking group Charming Kitten.
Targeted Attack
Multiple Industries
CE
>1
Google TAG, Threat Analysis Group, HYPERSCRAPE, Gmail, Yahoo, Microsoft Outlook, Charming Kitten, PHOSPHORUS, UNC788, Yellow Garuda
60
23/08/2022
23/08/2022
23/08/2022
?
QuickLaunch
The identity management and authentication platform QuickLaunch is hit with a DDoS attack.
DDoS
Professional, scientific and technical
CC
US
QuickLaunch
61
23/08/2022
Since at least June 2022
-
?
Multiple organizations
Researchers from Zscaler discover multiple ongoing malware distribution campaigns that target internet users who seek to download copies of pirated software.
Malware
Multiple Industries
CC
>1
Zscaler
62
23/08/2022
During July 2022
During July 2022
?
Multiple organizations
Researchers from Cofense discover a new phishing campaign exploiting the Monkeypox outbreak.
Account Takeover
Multiple Industries
CC
US
Cofense, Monkeypox
63
23/08/2022
-
15/08/2022
BlackCat AKA ALPHV
Accelya
Accelya, a technology provider for many of the world’s largest airlines, confirms to have been hit with a ransomware attack impacting some of its systems.
Malware
Professional, scientific and technical
CC
US
BlackCat, ALPHV, Accelya
64
23/08/2022
During June 2022
-
Donut Leaks
Sando
The Donut Leaks ransomware gang is behind the ransomware attack against the multinational construction company Sando.
Malware
Professional, scientific and technical
CC
SG
Donut Leaks, Sando, ransomware
65
23/08/2022
23/08/2022
23/08/2022
?
Baker & Taylor
Baker & Taylor, which describes itself as the world's largest distributor of books to libraries worldwide, is hit by a ransomware attack.
Malware
Arts entertainment, recreation
CC
US
Baker & Taylor, ransomware
66
23/08/2022
19/08/2022
19/08/2022
?
Asl Città di Torino (National Health of the City of Turin)
The Asl Città di Torino is hit with a ransomware attack.
Malware
Human health and social work
CC
IT
Asl Città di Torino, ransomware
67
23/08/2022
During July 2022
During July 2022
?
Multiple organizations
Researchers from CYFIRMA reveal that both government and criminal hacking groups are still targeting Hikvision cameras with CVE-2021-36260.
CVE-2021-36260 Vulnerability
Multiple Industries
>1
>1
CYFIRMA, Hikvision, CVE-2021-36260
68
23/08/2022
Between February 8, 2022 and March 7, 2022
-
?
Axel Royal
Axel Royal reports a data breach after an unauthorized party gained access to the company’s computer network.
Unknown
Manufacturing
CC
US
Axel Royal
69
23/08/2022
-
-
?
CiCi’s Pizza
CiCi’s Pizza confirms that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on its network.
Unknown
Accommodation and food service
CC
US
CiCi’s Pizza
70
23/08/2022
-
-
?
Community Loan Servicing (CLS)
Community Loan Servicing (CLS) confirms that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on its network.
Unknown
Finance and insurance
CC
US
Community Loan Servicing, CLS
71
23/08/2022
-
22/08/2022
?
Illinois K-12 School District
A threat actor leaks 750 records from an Illinois K-12 School District.
Unknown
Education
CC
US
Illinois K-12 School District
72
23/08/2022
-
-
Vice Society
Moon Area School District
Moon Area School District is hit with a ransomware attack. Vice Society claims responsibility for the attack.
Malware
Education
CC
US
Moon Area School District, ransomware, Vice Society
73
24/08/2022
During August 2022
During August 2022
?
Dozens of organizations worldwide
Researchers from Cofense discover an elaborate and rather unusual phishing campaign spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages.
Account Takeover
Multiple Industries
CC
>1
Cofense, eFax, Dynamics 365
74
24/08/2022
Since at least June 2019
During August 2022
?
Single Individuals
A malicious Google Chrome extension called 'Internet Download Manager', installed by more than 200,000 users, turns out to be adware.
Malicious Browser Extension
Individual
CC
>1
Internet Download Manager, Chrome
75
24/08/2022
Since the last week of July 2022
Since the last week of July 2022
?
Genshin Impact players
Researchers from Trend Micro discover that a vulnerable anti-cheat driver for the Genshin Impact video game ("mhyprot2.sys") has been leveraged by a cybercrime actor to disable antivirus programs to facilitate the deployment of ransomware.
Plex begins notifying users via email of a data breach.
Unknown
Professional, scientific and technical
CC
US
Plex
77
24/08/2022
-
-
Quantum
Dominican Republic's Instituto Agrario Dominicano
The Dominican Republic's Instituto Agrario Dominicano is hit by a Quantum ransomware attack.
Malware
Public admin and defence, social security
CC
DO
Dominican Republic's Instituto Agrario Dominicano, Quantum, ransomware
78
24/08/2022
24/08/2022
24/08/2022
?
Python Developers
The Python Package Index, PyPI, warns developers about an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates to legitimate packages.
Account Takeover
Multiple Industries
CC
>1
PyPI
79
24/08/2022
Since June 2022
-
Karakurt
Organizations in the healthcare sector
An alert from the Department of Health and Human Services Cybersecurity Coordination Center (HC3) warns about the growing number of Karakurt ransomware attacks against the healthcare sector.
Malware
Human health and social work
CC
>1
Department of Health and Human Services Cybersecurity Coordination Center, HC3, Karakurt, ransomware
80
24/08/2022
During July 2022
During July 2022
?
Multiple organizations
Researchers from Mitiga discover a sophisticated, advanced business email compromise (BEC) campaign, directly targeting relevant executives of organizations using Office 365. The attackers combine high-end spear-phishing with an adversary-in-the-middle (AiTM) attack to circumvent multi-factor authentication (MFA).
Securities and Exchange Commission of Pakistan (SECP)
The Securities and Exchange Commission of Pakistan (SECP) suffers a security breach.
Unknown
Public admin and defence, social security
CC
PK
Securities and Exchange Commission of Pakistan, SECP
82
24/08/2022
Since at least mid-August 2022
Mid-August 2022
AgentTesla
Multiple organizations
Researchers from Avast discover a new campaign distributing the AgentTesla malware.
Malware
Multiple Industries
CC
>1
Avast, AgentTesla
83
24/08/2022
-
30/09/2021
?
Northeast Rehabilitation Hospital Network
The Northeast Rehabilitation Hospital Network discloses a cyber incident in their network.
Unknown
Human health and social work
CC
US
Northeast Rehabilitation Hospital Network
84
24/08/2022
Between August 25, 2021 and December 10, 2021
-
?
Gifted Healthcare
Gifted Healthcare reports a security breach involving the protected health information of its patients following a phishing attack.
Account Takeover
Human health and social work
CC
US
Gifted Healthcare
85
24/08/2022
'In recent weeks'
'In recent weeks'
?
Social media users in the Middle East and Central Asia
Meta and Twitter take down accounts connected to a years-long, pro-Western covert influence network originating in the U.S. that targeted the Middle East and Central Asia.
Coordinated Inauthentic Behavior
Individual
CC
>1
Meta, Twitter, Middle East, Central Asia
86
24/08/2022
-
-
APT29 AKA Cozy Bear, NOBELIUM
Government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia
Microsoft security researchers discover a post-compromise capability called MagicWeb, used by APT29 AKA NOBELIUM to maintain persistent access to compromised environments.
Targeted Attack
Multiple Industries
CE
>1
Microsoft, MagicWeb, APT29, NOBELIUM, Cozy Bear
87
24/08/2022
End of July 2022
-
?
Whitman-Hanson School District
Whitman-Hanson School District investigates a data security incident that occurred at the end of July.
Unknown
Education
CC
US
Whitman-Hanson School District
88
24/08/2022
?
?
Users of Cash App
Multiple users of the hugely popular Cash App report hackers stealing their funds, and fraudsters are selling access to accounts on the dark web.
Account Takeover
Finance and insurance
CC
>1
Cash App
89
24/08/2022
-
-
LockBit 3.0
Studio Barba
Studio Barba, an Italian Accounting firm, is hit by a LockBit 3.0 ransomware attack.
Malware
Professional, scientific and technical
CC
IT
Studio Barba, LockBit 3.0, ransomware
90
24/08/2022
22/10/2021
-
?
Warner Norcross & Judd
Warner Norcross & Judd reports a hacking/IT incident involving a network server and affecting the PHI of 255,160 individuals.
Unknown
Professional, scientific and technical
CC
US
Warner Norcross & Judd, WNJ
91
25/08/2022
-
During mid-August 2022
?
LastPass
LastPass discloses a data breach in which internal source code and documents were stolen by an intruder.
Account Takeover
Professional, scientific and technical
CC
US
LastPass
92
25/08/2022
Since at least March 2022
-
?
More than 130 organizations worldwide
Researchers from Group-IB reveal the details of Roasting 0ktapus, a massive phishing campaign targeting the Okta identities of more than 130 organizations, including Twilio and Cloudflare.
Healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand
Researchers from Trend Micro discover Agenda, a targeted ransomware created in the Go programming language.
Malware
Multiple Industries
CC
ID
SA
ZA
TH
Qilin, Agenda, Ransomware, Trend Micro
94
25/08/2022
During July 2022
-
?
Undisclosed sports corporation
Researchers from Avanan reveal the details of a BEC attack targeting an undisclosed sports corporation.
Business Email Compromise
Wholesale and retail
CC
N/A
Avanan
95
25/08/2022
Since early 2022
-
Kimsuky (AKA Thallium, Black Banshee and Velvet Chollima)
Political and diplomatic entities in South Korea
Researchers from Kaspersky discover GoldDragon, a new campaign by the North Korean nation-state group Kimsuky directed against political and diplomatic entities located in its Southern counterpart.
Targeted Attack
Public admin and defence, social security
CE
KR
Kaspersky, GoldDragon, Thallium, Black Banshee, Velvet Chollima
96
25/08/2022
-
-
?
Ally Bank customers
Customers and e-commerce websites across the United States report a sharp increase in fraudulent charges to accounts issued by the online consumer bank Ally Bank.
Scripting attack
Finance and insurance
CC
US
Ally Bank
97
25/08/2022
-
-
Multiple threat actors
Multiple organizations
The US Cybersecurity and Infrastructure Security Agency (CISA) urges organizations to patch CVE-2021-3840, a high-severity remote code execution vulnerability affecting the Delta Electronics DOPSoft 2 software exploited in the wild.
CVE-2021-3840 Vulnerability
Multiple Industries
N/A
US
US Cybersecurity and Infrastructure Security Agency, CISA, CVE-2021-3840, Delta Electronics, DOPSoft 2
98
25/08/2022
'In recent weeks'
'In recent weeks'
MERCURY AKA MuddyWater
Organizations located in Israel
Microsoft warns that the Iranian state-based threat actor Mercury is using the Log4Shell flaws in applications from IT vendor SysAid against organizations located in Israel.
Food delivery firm DoorDash discloses a data breach exposing customer and employee data that is linked to the recent cyberattack on Twilio.
Account Takeover
Accommodation and food service
CC
US
DoorDash, Twilio
100
25/08/2022
Since 15/08/2022
25/08/2022
?
Single Individuals
Hackers create a fake 'Cthulhu World' play-to-earn community, including websites, Discord groups, social accounts, and a Medium developer site, to distribute the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware infections on unsuspecting victims.
Researchers from Resecurity discover leaked PII stolen from Thailand’s Department of Medical Sciences containing information about citizens with COVID-19.
SQLi
Public admin and defence, social security
CC
TH
Resecurity, Thailand’s Department of Medical Sciences, COVID-19
102
25/08/2022
-
Since at least mid-August
Moisha
Multiple organizations
Researchers from Cyble reveal the details of Moisha, a .Net-based ransomware.
Malware
Multiple Industries
CC
>1
Cyble, Moisha, .Net-based, ransomware
103
25/08/2022
-
10/11/2021
?
CorrectHealth
CorrectHealth discloses a data breach it suffered in November 2021 after external intruders accessed some employees' email accounts.
Account Takeover
Human health and social work
CC
US
CorrectHealth
104
25/08/2022
16/05/2022
17/06/2022
?
Ancora Holdings Group
Ancora Holdings Group reports a data breach after an unauthorized party gained access to one employee’s email account.
Account Takeover
Finance and insurance
CC
US
Ancora Holdings Group
105
25/08/2022
01/07/2022
Between 30/06/2022 and 01/07/2022
?
Valex Corporation
Valex Corporation files an official notice of a data breach after the company reportedly experienced a malware attack that leaked consumer data.
Malware
Manufacturing
CC
US
Valex Corporation
106
25/08/2022
-
23/08/2022
DESORDEN
PT JASAMARGA TOLLROAD OPERATOR (JMTO)
PT JASAMARGA TOLLROAD OPERATOR, Indonesia’s largest tollway and highway operator, is hit by the DESORDEN threat actor, who dumps 252 GB of data.
Unknown
Transportation and storage
CC
ID
JASAMARGA TOLLROAD OPERATOR, JMTO, DESORDEN
107
25/08/2022
-
-
LockBit 3.0
Don Serafino Ronchi
Don Serafino Ronchi, a clinic focused on physiotherapy, is hit by a LockBit 3.0 ransomware attack.
Malware
Human health and social work
CC
IT
Don Serafino Ronchi, LockBit 3.0, ransomware
108
25/08/2022
30/06/2022
30/06/2022
Hive
New York Racing Association (NYRA)
The Hive ransomware operation claims responsibility for an attack on the New York Racing Association (NYRA).
Malware
Arts entertainment, recreation
CC
US
Hive, Ransomware, New York Racing Association, NYRA
109
26/08/2022
During July 2022
During July 2022
Russian consulting firm
YouTube users
The Google Threat Analysis Group reveals that it terminated 7 YouTube channels that were part of a coordinated influence operation linked to Russia and carried out by a Russian consulting firm, with content supportive of Russia and critical of Ukraine and the U.S.
Coordinated Inauthentic Behavior
Individual
CW
US
UA
Russia, Ukraine, US, YouTube, Google Threat Analysis Group
110
26/08/2022
During July 2022
?
Russian consulting firm
YouTube users
The Google Threat Analysis Group reveals that it terminated 7 YouTube channels and 3 AdSense accounts that were part of a coordinated influence operation linked to China, supportive of the Chinese semiconductor and tech industries and critical of the U.S. semiconductor industry and U.S. sanctions on Chinese tech companies.
Coordinated Inauthentic Behavior
Individual
CW
US
China, US, YouTube, AdSense, Google Threat Analysis Group
111
26/08/2022
During July 2022
?
Russian consulting firm
YouTube users
The Google Threat Analysis Group reveals that it terminated 2,150 YouTube channels that were part of a coordinated influence operation linked to China, uploading spammy content in Chinese about music, entertainment, and lifestyle, and content in Chinese and English about China and U.S. foreign affairs.
Coordinated Inauthentic Behavior
Individual
CW
US
China, US, YouTube, Google Threat Analysis Group
112
26/08/2022
26/08/2022
26/08/2022
Cuba
Montenegro government
Montenegro’s security agency warns that hackers from Russia have launched a massive, coordinated cyber attack against the small nation’s government and its services. The culprit is the Russian Cuba ransomware gang.
Malware
Public admin and defence, social security
CC
ME
Montenegro, Cuba, ransomware, Russia
113
26/08/2022
During 2021
-
Cyber criminals from Nigeria?
Chester Upland School District
Chester Upland School District announces that an international thief or thieves stole approximately $3 million from the school district during 2021.
Business Email Compromise
Education
CC
US
Chester Upland School District, Nigeria
114
26/08/2022
26/08/2022
26/08/2022
?
New Hampshire Lottery
New Hampshire Lottery officials warn of a cyberattack on the lottery's website.
DDoS
Arts entertainment, recreation
CC
US
New Hampshire Lottery
115
26/08/2022
Between June and July 2022
-
?
Nelnet Servicing
Data for over 2.5 million individuals with student loans from Oklahoma Student Loan Authority (OSLA) and EdFinancial is exposed after hackers breached the systems of technology services provider Nelnet Servicing.
The Ragnar Locker ransomware gang claims responsibility for an attack on the flag carrier of Portugal, TAP Air Portugal, disclosed by the airline.
Malware
Transportation and storage
CC
PT
Ragnar Locker, Ransomware, TAP Air Portugal
117
26/08/2022
16/07/2022
05/07/2022
?
First Street Family Health
First Street Family Health reveals that it suffered a destructive cyber attack, in which files containing patient information were exfiltrated and then deleted from its systems.
Malware
Human health and social work
CC
US
First Street Family Health, ransomware
118
26/08/2022
-
-
Vice Society
FMC Family Medicine Centers
The Vice Society ransomware gang leaks a confusing dump allegedly belonging to Family Medicine Centers.
Malware
Human health and social work
CC
US
Vice Society, ransomware, Family Medicine Centers
119
26/08/2022
During 2022
-
?
correos.gob.bo (Bolivian postal agency)
A seller lists data from correos.gob.bo, the Bolivian postal agency. The seller claims to have 3 SQL files, totaling 1.47 GB of data. The breach appears to be from 2022.
SQLi
Administration and support service
CC
BO
correos.gob.bo, Bolivian postal agency
120
27/08/2022
27/08/2022
27/08/2022
?
Sernac (Chilean National Consumer Service)
The Chilean National Consumer Service is hit with a ransomware attack.
Malware
Public admin and defence, social security
CC
CL
Sernac, Chilean National Consumer Service, ransomware
121
28/08/2022
28/08/2022
-
?
START
Russian media streaming platform ‘START’ (start.ru) confirms rumors of a data breach impacting 7.5 million users. The platform’s administrators state that network intruders managed to steal a 2021 database from its systems and are now distributing samples online.
Undisclosed vulnerability
Information and communication
CC
RU
START
122
28/08/2022
18/05/2022
18/05/2022
?
EmergeOrtho
EmergeOrtho starts sending notification letters to patients whose protected health information may have been accessed during a ransomware attack in May.
Malware
Human health and social work
CC
US
EmergeOrtho, ransomware
123
29/08/2022
29/08/2022
29/08/2022
BlackCat AKA ALPHV
Gestore dei Servizi Energetici SpA (GSE)
The BlackCat/ALPHV ransomware gang claims responsibility for an attack that hits the systems of Italy's energy agency Gestore dei Servizi Energetici SpA (GSE).
Malware
Electricity, gas steam, air conditioning
CC
IT
BlackCat, ALPHV, ransomware, Gestore dei Servizi Energetici SpA, GSE
124
29/08/2022
Since 2019
End of July 2022
Nitrokod
Crypto users
Researchers from Check Point attribute an active cryptocurrency mining campaign to a Turkish-speaking entity called Nitrokod; the campaign impersonates a desktop application for Google Translate and has infected over 111,000 victims in 11 countries since 2019.
Malware
Fintech
CC
>1
Check Point, Turkey, Nitrokod, Google Translate
125
29/08/2022
26/08/2022
26/08/2022
?
Kiwi Farms
Kiwi Farms, a website that hosts user-generated content and discussion forums (accused of doxing, harassment, and cyberbullying), is taken down by a DDoS attack.
DDoS
Other service activities
H
N/A
Kiwi Farms
126
29/08/2022
-
-
?
Chrome Users
Researchers from McAfee discover five Google Chrome extensions that track users’ browsing activity. Collectively, the extensions have been downloaded more than 1.4 million times.
Malicious Browser Extension
Individual
CC
>1
McAfee, Chrome
127
29/08/2022
Between 24/08/2022 and 26/08/2022
-
?
Multinational company in India
The email account of the chief executive officer (CEO) of a multinational company in India is hacked, and the company is duped of Rs54.39 lakh ($68,000) by cyber fraudsters.
Business Email Compromise
Manufacturing
CC
IN
India
128
29/08/2022
-
28/08/2022
?
City of Lexington
The city of Lexington asks the Lexington Police Financial Crimes Unit to investigate the electronic theft of approximately $4 million in federal rent assistance and transitional housing funds.
Business Email Compromise
Public admin and defence, social security
CC
US
City of Lexington
129
29/08/2022
Since at least April 2022
-
?
Crypto users in Mexico
Researchers at AT&T release details about a sophisticated cryptomining attack carried out via malicious attachments with a special emphasis on Mexican institutions and citizens.
Malware
Fintech
CC
MX
AT&T, Crypto, Mexico
130
29/08/2022
During 2022
During 2022
?
Decentralized finance (DeFi) platforms
The FBI warns that vulnerabilities in decentralized finance (DeFi) platforms are being exploited by cybercriminals to steal cryptocurrency.
Multiple vulnerabilities
Fintech
CC
US
FBI, Federal Bureau of Investigation, Decentralized Finance, DeFi
131
29/08/2022
-
05/07/2022
?
SCA Pharmaceuticals
SCA Pharmaceuticals reports a data breach after the company experienced a malware attack.
Malware
Professional, scientific and technical
CC
US
SCA Pharmaceuticals
132
29/08/2022
Between 24/02/2021 and 04/03/2021
04/03/2022
?
Donlen Corporation
Donlen Corporation reports a data breach after the company detected “unusual activity related to the inaccessibility of certain systems” on its computer network.
Malware
Finance and insurance
CC
US
Donlen Corporation, ransomware
133
29/08/2022
-
24/02/2022
?
Ellington Management Group
Ellington Management Group reports a data breach after the company learned that an unauthorized party had gained access to two employee email accounts.
Account Takeover
Finance and insurance
CC
US
Ellington Management Group
134
29/08/2022
-
-
BlackByte
Grande Stevens Law Firm
The BlackByte ransomware group hits the Grande Stevens Law Firm, one of the most important law firms in Italy.
Malware
Professional, scientific and technical
CC
IT
BlackByte, ransomware, Grande Stevens
135
29/08/2022
21/01/2022
-
?
Franklin College
6,000 individuals are impacted by a malicious code attack on Franklin College.
Malware
Education
CC
US
Franklin College
136
30/08/2022
Between 12/04/2022 and mid-June 2022
-
TA423 / Red Ladon
Local and federal Australian government agencies, Australian news media companies, and a global heavy industry manufacturer
Researchers from Proofpoint and PwC identify a new campaign by TA423 targeting multiple organizations in Australia through the ScanBox exploitation framework.
Targeted Attack
Multiple Industries
CE
AU
Proofpoint, PwC, TA423, Red Ladon, ScanBox
137
30/08/2022
Between March and June 2022
'Recently'
?
Multiple organizations
Researchers from Cisco Talos discover three separate, but related, campaigns delivering a variety of threats to victims, including the ModernLoader bot, the RedLine information stealer, and cryptocurrency-mining malware.
Malware
Multiple Industries
CC
>1
Cisco Talos, ModernLoader, RedLine, Crypto
138
30/08/2022
Since at least 23/08/2022
23/08/2022
?
Organizations in the US
Researchers from Bitdefender discover a new campaign distributing the Snake Keylogger.
Malware
Multiple Industries
CC
US
Bitdefender, Snake
139
30/08/2022
-
-
?
Crypto users in Ukraine
The National Police of Ukraine (NPU) takes down a network of call centers used by a cybercrime group focused on financial scams and targeting victims of cryptocurrency scams under the guise of helping them recover their stolen funds.
Account Takeover
Fintech
CC
UA
National Police of Ukraine, NPU, Crypto
140
30/08/2022
26/05/2022
05/07/2022
?
Overby-Seawell Company (OSC)
Overby-Seawell Company (OSC) reports a data breach after an unauthorized party gained access to the company’s systems.
Unknown
Finance and insurance
CC
US
Overby-Seawell Company, OSC
141
30/08/2022
-
-
?
Northern Trust Corporation
Northern Trust Corporation confirms that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on its network.
Unknown
Finance and insurance
CC
US
Northern Trust Corporation
142
30/08/2022
29/08/2022
29/08/2022
LockBit 3.0
Comune di Gorizia (Municipality of Gorizia)
The Municipality of Gorizia is hit by a LockBit 3.0 ransomware attack.
Malware
Public admin and defence, social security
CC
IT
Municipality of Gorizia, Comune di Gorizia, LockBit 3.0, ransomware
143
31/08/2022
31/08/2022
31/08/2022
BlackCat AKA ALPHV
Eni
Italian oil giant Eni is hit with a cyber attack. The BlackCat ransomware gang claims responsibility for the attack.
Unknown
Electricity, gas steam, air conditioning
CC
IT
Eni, BlackCat, ALPHV, ransomware
144
31/08/2022
'Recently'
'Recently'
GO#WEBBFUSCATOR
Multiple organizations
Researchers from Securonix discover a persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR, leveraging the deep field image taken from NASA's James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems.
Malware
Multiple Industries
CC
>1
Securonix, Golang, GO#WEBBFUSCATOR, NASA, James Webb Space Telescope, JWST
145
31/08/2022
'Recently'
'Recently'
?
MICARD and American Express users in Japan
Researchers from Menlo Security discover a phishing campaign targeting MICARD and American Express users in Japan.
Account Takeover
Finance and insurance
CC
JP
Menlo Security, MICARD, American Express, Japan
146
31/08/2022
-
30/08/2022
Karakurt
International Centre for Migration Policy Development (ICMPD)
The International Centre for Migration Policy Development (ICMPD) confirms it suffered a cyberattack that led to a data breach. The Karakurt ransomware group claims responsibility for the attack.
Malware
Extraterritorial orgs and bodies
CC
N/A
International Centre for Migration Policy Development, ICMPD, Karakurt, ransomware
147
31/08/2022
06/05/2022
08/09/2021
?
Platinum Performance
Platinum Performance reports a data breach after the company was targeted in an email phishing attack.
Account Takeover
Accommodation and food service
CC
US
Platinum Performance
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags