Unsurprisingly, the level of cyber activity continued to be quite sustained even during the second half of September. In this timeline I have collected 140 events, corresponding to 9.33 events per day, a number in line with the previous weeks.
At least one indicator seems to be slowing down: the impact of ransomware, which in this timeline accounted for 19.3% of events (corresponding to 27 out of 140), a sharp decrease compared to the 27.7% of the previous timeline.
The impact of vulnerabilities continues to be stable at around 11% (precisely 11.4%, corresponding to 16 out of 140 events), in line with the previous timeline, when it was 10.9%.
One of the trends characterizing this year from an infosec perspective is the resurgence of massive hacks against fintech platforms, and this timeline was no exception: unfortunately this time it was the turn of the Wintermute platform, which lost the equivalent of $162.2 million.
The situation in Ukraine continues to characterize the cyber space, although the impact of the events (at least the ones that were discovered) seems to be on a decreasing trend: Ukraine continued to be the target of multiple operations driven by hacktivism and cyber espionage (for example UAC-0113, linked to Sandworm), but the pro-Ukraine hacktivists also struck back, for example allegedly breaching a website belonging to the infamous Wagner mercenary group.
And once again, although this is not a novelty at all, the cyber espionage front continued to be pretty crowded, with multiple operations carried out by well-known threat actors such as APT41, APT37, APT28, TA413 and the Lazarus Group, and by new groups such as the mysterious Metador, Witchetty and UNC3886.
Even in this fortnight, the list is too long to be summarized in a few words (this one in particular), so my suggestion is to enjoy the interactive timeline and the tabular format, and obviously thanks for sharing it and supporting my work in spreading risk awareness across the community. As always, don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
Geo Map September H2 2022
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
1
16/09/2022
-
-
TeaPots
Uber
Uber suffers a cyberattack with an allegedly 18-year-old hacker (likely part of the Lapsus$ gang) downloading HackerOne vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server.
Account Takeover
Professional, scientific and technical
CC
US
Uber, Lapsus$, TeaPots
2
16/09/2022
10/09/2022
10/09/2022
?
Revolut
Revolut suffers a cyberattack that gave an unauthorized third party access to personal information of tens of thousands of clients.
Account Takeover
Finance and insurance
CC
UK
Revolut
3
16/09/2022
-
05/07/2022
?
American Airlines
American Airlines notifies customers of a data breach after attackers compromised an undisclosed number of employee email accounts and gained access to sensitive personal information.
Account Takeover
Transportation and storage
CC
US
American Airlines
4
16/09/2022
-
10/09/2022
?
Starbucks Singapore
The Singapore division of Starbucks, the popular American coffeehouse chain, admits that it suffered a data breach incident impacting over 219,000 of its customers.
Unknown
Accommodation and food service
CC
SG
Starbucks
5
16/09/2022
-
-
?
GitHub users
GitHub warns of an ongoing phishing campaign, targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform.
Account Takeover
Multiple Industries
CC
>1
GitHub, CircleCI
6
16/09/2022
Between 17/06/2022 and 30/06/2022
-
?
Tessie Cleveland Community Services
Tessie Cleveland Community Services discloses a breach due to a phishing attack.
Account Takeover
Human health and social work
CC
US
Tessie Cleveland Community Services
7
16/09/2022
08/06/2022
?
Berry, Dunn, McNeil & Parker
Berry, Dunn, McNeil & Parker confirm that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data through a compromised employee email account.
Account Takeover
Administration and support service
CC
US
Berry, Dunn, McNeil & Parker
8
16/09/2022
-
-
?
Country Doctor Community Clinic
Country Doctor Community Clinic files an official notice of a data breach after the company experienced a hacking/IT incident that compromised consumer data.
Unknown
Human health and social work
CC
US
Country Doctor Community Clinic
9
16/09/2022
-
-
LockBit 3.0
Independence
The LockBit 3.0 ransomware gang claims to have exfiltrated 180 GB of information from Independence, a Colombian firm that provides drilling and maintenance services for oil and gas wells.
Malware
Administration and support service
CC
CO
LockBit 3.0, Independence, Ransomware
10
16/09/2022
-
-
LockBit 3.0
Quintal
The LockBit 3.0 ransomware gang claims to have exfiltrated information from Quintal, a Colombian firm that manufactures and distributes manganese-based chemicals.
Malware
Manufacturing
CC
CO
LockBit 3.0, Quintal, Ransomware
11
16/09/2022
-
-
LockBit 3.0
Makler
The LockBit 3.0 ransomware gang claims to have hacked Makler, a Venezuelan insurance brokerage firm.
Malware
Finance and insurance
CC
CO
LockBit 3.0, Makler, Ransomware
12
16/09/2022
-
16/09/2022
LockBit 3.0
Software Line
Software Line is hit with a LockBit 3.0 ransomware attack.
Malware
Professional, scientific and technical
CC
IT
Software Line, LockBit 3.0, ransomware
13
16/09/2022
-
-
STORMOUS
University Roma Tor Vergata
The STORMOUS cyber criminal gang claims to have hacked the University of Rome Tor Vergata.
Account Takeover
Education
CC
IT
STORMOUS, Rome Tor Vergata
14
17/09/2022
Since January 2022
Since August 2022
DEV-0796
Multiple organizations
VMware and Microsoft warn of an ongoing, widespread Chromeloader malware campaign that has evolved into a more dangerous threat, seen dropping malicious browser extensions, node-WebKit malware, and even ransomware in some cases.
Malware
Multiple Industries
CC
>1
VMware, Microsoft, Chromeloader
15
17/09/2022
19/07/2022
19/07/2022
?
NYSARC Columbia County Chapter (COARC)
NYSARC Columbia County Chapter (COARC) discloses a ransomware incident.
Malware
Human health and social work
CC
US
NYSARC Columbia County Chapter, COARC, ransomware
16
18/09/2022
-
-
TeaPots
Rockstar Games
Grand Theft Auto 6 gameplay videos and source code are leaked after a hacker breaches Rockstar Games' Slack server and Confluence wiki.
Unknown
Arts entertainment, recreation
CC
US
Grand Theft Auto 6, Rockstar Games, TeaPots
17
19/09/2022
19/09/2022
19/09/2022
Ukraine IT Army
Wagner group
The hacktivist group known as the Ukraine IT Army publishes a screenshot showing that the group hacked into a website allegedly linked to the Wagner group.
Unknown
Administration and support service
H
RU
Ukraine IT Army, Wagner group, Russia
18
19/09/2022
Since August 2022
Since August 2022
UAC-0113 (linked to Sandworm)
Entities in Ukraine
Researchers from Recorded Future reveal that the Russian state-sponsored hacking group known as Sandworm has been observed masquerading as telecommunication providers to target Ukrainian entities with malware.
Malware
Multiple Industries
CE
UA
Sandworm, Recorded Future, UAC-0113, Russia, Ukraine
19
19/09/2022
Since at least mid-2019
During July 2022
?
U.S. government contractors
Researchers from Cofense reveal that an ongoing phishing campaign targeting the Microsoft 365 accounts of U.S. government contractors, spoofing the Department of Transportation and the Department of Commerce, has expanded its operation to push higher-quality lures and better-crafted documents.
Account Takeover
Public admin and defence, social security
CC
US
Cofense, U.S., Department of Transportation, Department of Commerce, Microsoft 365
20
19/09/2022
27/06/2022
27/06/2022
?
Undisclosed Chinese telecommunications service provider
Imperva announces its DDoS mitigation solution has broken a new record, defending against a single attack that sent over 25.3 billion requests to one of its customers.
DDoS
Information and communication
CC
CN
Imperva, China
21
19/09/2022
During September 2022
During September 2022
?
Healthcare providers in the U.S.
The Health Sector Cybersecurity Coordination Center (HC3) warns the healthcare sector of a new monkeypox-themed phishing scheme targeting healthcare providers.
Account Takeover
Human health and social work
CC
US
Health Sector Cybersecurity Coordination Center, HC3, monkeypox
22
19/09/2022
'Recently'
'Recently'
?
Multiple organizations
Researchers from Fortinet discover a campaign distributing a malicious Excel document exploiting CVE-2017-11882 to execute malicious code to deliver and execute malware on a victim’s device.
CVE-2017-11882 Vulnerability
Multiple Industries
CC
>1
Fortinet, Excel, CVE-2017-11882
23
19/09/2022
During August 2022
During August 2022
APT37 (aka: Ricochet Chollima, InkySquid, ScarCruft, Reaper, and Group123)
Government Organization in Russia
Researchers from Fortinet discover a campaign allegedly carried out by APT37, distributing the Konni Remote Access Trojan.
Researchers from Cyble discover a campaign targeting Zoom users and distributing the Vidar stealer.
Malware
Multiple Industries
CC
>1
Cyble, Zoom, Vidar
25
19/09/2022
-
-
?
redONE Network Sdn Bhd
DESORDEN claims to have hit redONE Network Sdn Bhd, a Malaysian telco company, and leaks databases and source code.
Unknown
Information and communication
CC
MY
DESORDEN, redONE Network Sdn Bhd
26
20/09/2022
14/03/2020
?
Data
Ask.FM?
A seller called “Data” lists on a forum a database with the data of 350 million users, allegedly obtained from Ask.FM.
Vulnerability
Information and communication
CC
LV
Data, Ask.FM
27
20/09/2022
-
-
?
Wintermute
Digital assets trading firm Wintermute is hacked and loses $162.2 million in DeFi operations.
Vulnerability
Fintech
CC
N/A
Wintermute
28
20/09/2022
20/09/2022
20/09/2022
?
2K
American video game publisher 2K confirms that its help desk platform was hacked and used to target customers with fake support tickets pushing malware via embedded links, after an unauthorized third party illegally accessed the credentials of one of the vendors to the help desk platform.
Account Takeover
Arts entertainment, recreation
CC
US
2K
29
20/09/2022
Over the past two years
Over the past two years
?
e-commerce sites
Researchers from Recorded Future discover that attackers are abusing Google’s Tag Manager (GTM) containers to install malicious e-skimmers that steal payment card data and personally identifiable information of shoppers on e-commerce sites.
Malicious Script Injection
Wholesale and retail
CC
>1
Recorded Future, Google’s Tag Manager, GTM
30
20/09/2022
20/09/2022
20/09/2022
Anonymous
Several websites in Iran, including for the central bank and the national government portal and state-owned media sites
Hacktivists from the Anonymous collective claim to be behind attacks on several websites affiliated with the Iranian government amid protests following the death of 22-year-old Mahsa Amini.
DDoS
Public admin and defence, social security
H
IR
Anonymous, Iran, Mahsa Amini
31
20/09/2022
-
-
Everest
Government of Brazil
The Everest ransomware group adds the Government of Brazil to its leak site, claiming to have obtained access to the gov.br network, a government services website, and to have stolen 3 TB of sensitive data.
Malware
Public admin and defence, social security
CC
BR
Everest, Brazil, ransomware
32
20/09/2022
Between 14/07/2022 and 08/08/2022
25/08/2022
?
Tift Regional Medical Center
Tift Regional Medical Center is the victim of a Hive ransomware attack.
Malware
Human health and social work
CC
US
Tift Regional Medical Center, Hive, Ransomware
33
20/09/2022
-
-
?
Individuals in the UK
Individuals in the UK are warned to look out for fake emails and texts claiming to offer discounts on energy bills, after the government announced that a £400 energy bill discount will be available to all households.
Account Takeover
Individual
CC
UK
UK
34
20/09/2022
17/09/2022
17/09/2022
?
Office 365 users
Researchers from Perception Point discover a campaign that attempts to trick users into playing a malicious video from the Powtoon platform, serving up a spoofed Microsoft page to steal credentials.
Account Takeover
Multiple Industries
CC
>1
Perception Point, Powtoon, Microsoft
35
20/09/2022
-
12/09/2022
Hive and Spy
Sigmund Software
Sigmund Software is hit by two ransomware attacks by Hive and Spy.
Malware
Professional, scientific and technical
CC
US
Sigmund Software, ransomware, Hive, Spy
36
20/09/2022
-
-
?
South Redford School District
The South Redford School District posts a notice saying that school is closed because of a cyberattack.
Unknown
Education
CC
US
South Redford School District
37
20/09/2022
Mid September 2022
-
?
Scholars’ Education Trust
The Scholars’ Education Trust suffers a breach and many of its internal systems remain offline. The trust runs six schools: Buntingford First School, Harpenden Academy, Priory Academy, Robert Barclay Academy, Samuel Ryder Academy and Sir John Lawes School.
Unknown
Education
CC
UK
Scholars’ Education Trust, Buntingford First School, Harpenden Academy, Priory Academy, Robert Barclay Academy, Samuel Ryder Academy and Sir John Lawes School
38
20/09/2022
-
-
BlackCat AKA ALPHV
Deutscher Caritasverband
The Deutscher Caritasverband (the German branch of the Catholic Caritas association) is hit with a BlackCat ransomware attack.
Malware
Human health and social work
CC
DE
Deutscher Caritasverband, Caritas, BlackCat, ransomware, ALPHV
39
21/09/2022
During August 2022
During August 2022
?
Undisclosed target in the Insurance and Finance sector
Researchers from Cofense reveal that phishing actors are abusing LinkedIn’s Smart Link feature to bypass email security products and successfully redirect targeted users to phishing pages that steal payment information.
Account Takeover
Finance and insurance
CC
SK
Cofense, LinkedIn
40
21/09/2022
-
-
FIN11 (aka Cl0p)
Multiple organizations worldwide
Researchers from Cyfirma reveal that the threat actor known as FIN11 (aka Cl0p) may have impersonated web download pages of the Zoom application to conduct phishing campaigns against targets worldwide.
Malware
Multiple Industries
CC
>1
FIN11, Cl0p, Cyfirma, Zoom
41
21/09/2022
15/07/2022
-
?
Anesthesia Associates
Anesthesia Associates provides notice of a data security incident impacting its Management Company that may have resulted in the compromise of protected health information for the Provider’s patients.
Unknown
Human health and social work
CC
US
Anesthesia Associates
42
21/09/2022
Since July 2022
During July 2022
?
Multiple organizations
Researchers from Trend Micro warn of an ongoing crypto mining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 vulnerability.
CVE-2022-26134 Vulnerability
Multiple Industries
CC
>1
Trend Micro, Atlassian Confluence, CVE-2022-26134
43
21/09/2022
-
-
?
OLAF (European Anti-Fraud Office)
The OLAF (European Anti-Fraud Office) warns of a campaign of emails, letters and scam phone calls purporting to be from OLAF.
Account Takeover
Multiple Industries
CC
>1
OLAF
44
21/09/2022
-
-
?
Customers of Indian banks
Researchers from Microsoft discover an SMS-based phishing campaign targeting customers of Indian banks with information-stealing malware that masquerades as a rewards application.
Account Takeover
Finance and insurance
CC
IN
Microsoft, India
45
21/09/2022
Since 2012
-
APT41
Healthcare sector in the U.S.
A new Department of Health and Human Services Cybersecurity Coordination Center alert warns the healthcare sector is continuing to be targeted by APT41, a Chinese state-sponsored threat actor group.
Targeted Attack
Human health and social work
CE
US
Department of Health and Human Services Cybersecurity Coordination Center, APT41, China
46
21/09/2022
-
-
?
Hampton Public Library
The Hampton Public Library is hacked, redirecting visitors to an adult retail store website.
Unknown
Public admin and defence, social security
CC
US
Hampton Public Library
47
22/09/2022
-
-
?
Multiple organizations
Researchers from Sansec observe a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites.
CVE-2022-24086 vulnerability
Wholesale and retail
CC
>1
Sansec, CVE-2022-24086, Magento 2
48
22/09/2022
'Recently'
'Recently'
?
Multiple organizations
Microsoft says a threat actor gained access to cloud tenants hosting Microsoft Exchange servers in credential stuffing attacks, with the end goal of deploying malicious OAuth applications and sending phishing emails.
Credential Stuffing
Multiple Industries
CC
>1
Microsoft, Microsoft Exchange, OAuth
49
22/09/2022
-
-
Multiple threat actors
Organizations in the U.S.
The Cybersecurity and Infrastructure Security Agency (CISA) adds a critical-severity Java deserialization vulnerability (CVE-2022-35405) affecting multiple Zoho ManageEngine products to its catalog of bugs exploited in the wild.
CVE-2022-35405 vulnerability
Multiple Industries
N/A
US
Cybersecurity and Infrastructure Security Agency, CISA, CVE-2022-35405, Zoho ManageEngine
50
22/09/2022
Since December 2021
-
Metador
Telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.
Researchers from SentinelOne reveal the details of Metador, a previously unknown threat actor breaching telecommunications, internet services providers (ISPs), and universities for about two years.
Targeted Attack
Information and communication
CE
>1
SentinelOne, Metador
51
22/09/2022
-
-
optusdata
Optus
Australian telecoms giant Optus says the data of 11 million current and former customers was accessed following a cyberattack on its systems.
Misconfiguration
Information and communication
CC
AU
Optus, optusdata
52
22/09/2022
'In recent months'
'In recent months'
Coreid (aka FIN7, Carbon Spider)
Multiple organizations
Researchers from Symantec/Broadcom reveal the details of the latest campaigns by the Coreid group, behind the Noberus (aka BlackCat, ALPHV) ransomware, using new versions of the Exmatter data exfiltration tool, and Eamfo malware.
Multiple organizations, often with particular business or political interests tied to Russia.
Researchers from SentinelOne reveal the details of the latest campaigns of the mercenary group Void Balaur.
Account Takeover
Multiple Industries
CC
RU
SentinelOne, Void Balaur
54
22/09/2022
-
-
TA413 (AKA LuckyCat)
Uyghurs minority in China
Researchers from Recorded Future discover a China-linked cyberespionage group, tracked as TA413 (aka LuckyCat), exploiting recently disclosed flaws in Sophos Firewall (CVE-2022-1040) and Microsoft Office (CVE-2022-30190) to deploy a never-before-detected backdoor called LOWZERO in attacks aimed at Tibetan entities.
CVE-2022-1040 and CVE-2022-30190 vulnerabilities
Individual
CE
CN
Recorded Future, China, TA413, LuckyCat, Sophos Firewall, CVE-2022-1040, Microsoft Office, CVE-2022-30190, LOWZERO, Tibet, Uyghurs
55
22/09/2022
-
-
?
Capital One customers
Researchers from Vade discover a new campaign impersonating the American bank holding company Capital One to steal identities.
Account Takeover
Finance and insurance
CC
US
Vade, Capital One
56
22/09/2022
Since 2020
-
Harly
Android users
Researchers from Kaspersky reveal the details of Harly, a Trojan similar to Joker, targeting Android users.
Malware
Individual
CC
>1
Kaspersky, Android, Harly
57
22/09/2022
Since at least 12/07/2022
12/07/2022
Mysterious Team Bangladesh
Government Organizations in India
Researchers from CloudSEK discover a new campaign by a group of Bangladeshi hacktivists targeting multiple government organizations in India.
DDoS
Public admin and defence, social security
H
IN
CloudSEK, Mysterious Team Bangladesh
58
22/09/2022
Late August 2022
Late August 2022
?
Multiple organizations
Researchers from Deepwatch discover an SEO poisoning campaign using the GootLoader downloader to target employees from multiple industries and government sectors when they search for specific terms relevant to their work.
Malware
Multiple Industries
CC
>1
Deepwatch, SEO poisoning, GootLoader
59
22/09/2022
-
-
DESORDEN
PT CARE TECHNOLOGIES
DESORDEN takes responsibility for the hack and data breach of PT CARE TECHNOLOGIES, an insurance software and IT vendor, stealing 2.2 GB of databases from their network.
Unknown
Professional, scientific and technical
CC
ID
DESORDEN, PT CARE TECHNOLOGIES
60
22/09/2022
-
20/09/2022
Everest
Argentina’s Ministry of Economy
The Everest group claims to have hacked Argentina’s Ministry of Economy and puts the access to its network on sale.
Unknown
Public admin and defence, social security
CC
AR
Everest, Ransomware, Argentina, Ministry of Economy
61
22/09/2022
29/08/2022
-
?
City of Wheat Ridge
The City of Wheat Ridge is hit with a ransomware attack.
Malware
Public admin and defence, social security
CC
US
City of Wheat Ridge, ransomware
62
22/09/2022
-
-
LockBit 3.0
Your Private Italy
Your Private Italy, an Italian luxury travel agency, is hit by the LockBit 3.0 ransomware.
Malware
Arts entertainment, recreation
CC
IT
Your Private Italy, Ransomware, LockBit 3.0
63
22/09/2022
-
15/07/2022 and 09/08/2022
?
Berkshire Farm Center & Services for Youth
Berkshire Farm Center & Services for Youth confirms that an unauthorized third party gained access to certain servers and potentially viewed or obtained files containing protected health information.
Account Takeover
Human health and social work
CC
US
Berkshire Farm Center & Services for Youth
64
23/09/2022
-
23/09/2022
Anonymous
Russian Ministry of Defense
Hacktivist collective Anonymous claims to have leaked, from the Russian Ministry of Defense, the personal data of over 300,000 individuals likely to be mobilized by the Russian government to fight in Ukraine.
Unknown
Public admin and defence, social security
H
RU
Anonymous, Russia, Ukraine, Russian Ministry of Defense
65
23/09/2022
Since early 2022
-
XakNet Team
Organizations in Ukraine
Researchers from Mandiant discover XakNet Team, a group of pro-Russian hacktivists targeting organizations in Ukraine.
DDoS
Multiple Industries
H
UA
Mandiant, XakNet Team, Russia, Ukraine
66
23/09/2022
Since early 2022
-
Infoccentr
Organizations in Ukraine
Researchers from Mandiant discover Infoccentr, a group of pro-Russian hacktivists targeting organizations in Ukraine.
DDoS
Multiple Industries
H
UA
Mandiant, Infoccentr, Russia, Ukraine
67
23/09/2022
Since early 2022
-
Infoccentr
Organizations in Ukraine
Researchers from Mandiant discover CyberArmyofRussia_Reborn, a group of pro-Russian hacktivists targeting organizations in Ukraine.
Researchers from ReasonLabs expose a massive operation that has reportedly siphoned millions of USD from credit cards, considered responsible for losses for tens of thousands of victims.
Account Takeover
Individual
CC
>1
ReasonLabs
69
23/09/2022
-
-
Pro-Russian attackers
Individuals in Ukraine and the European Union
The cyber department of Ukraine's Security Service (SSU) takes down a group of Pro-Russian hackers that stole accounts of about 30 million individuals and sold them on the dark web.
Malware
Individual
CC
UA
Cyber department of Ukraine's Security Service, SSU
70
23/09/2022
Since 14/09/2022
-
?
Multiple organizations
Multiple npm packages published by the crypto exchange, dYdX, and used by at least 44 cryptocurrency projects appear to have been compromised.
Malware
Multiple Industries
CC
>1
npm, dYdX
71
23/09/2022
-
-
?
Multiple organizations primarily in the South Asia region
Sophos warns that a critical code injection security vulnerability in the company's Firewall product is being exploited in the wild.
CVE-2022-3236 Vulnerability
Multiple Industries
N/A
>1
Sophos, CVE-2022-3236
72
23/09/2022
Between 17/05/2022 and 31/05/2022
29/05/2022
?
City of Tucson
The City of Tucson discloses a data breach affecting the personal information of more than 123,000 individuals.
Unknown
Public admin and defence, social security
CC
US
City of Tucson
73
23/09/2022
Between January and February 2022
During Q3 2022
APT28 AKA Fancy Bear
The Organisation for Economic Co-operation and Development (OECD)
Researchers from Cluster25 reveal that APT28 has started using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script, exploiting the CVE-2021-40444 vulnerability.
Targeted Attack
Extraterritorial orgs and bodies
CE
N/A
Cluster25, APT28, Fancy Bear, CVE-2021-40444
74
23/09/2022
-
-
Multiple threat actors
Vulnerable BitBucket servers
The Cybersecurity and Infrastructure Security Agency (CISA) adds a critical BitBucket Server RCE zero-day (CVE-2022-36804) to the list of exploited vulnerabilities.
CVE-2022-36804 Vulnerability
Unknown
N/A
N/A
Cybersecurity and Infrastructure Security Agency, CISA, BitBucket, RCE, CVE-2022-36804
75
23/09/2022
Since 2016
'Recently'
Scarlet Mimic
Uyghurs minority in China
Researchers from Check Point discover a long running mobile surveillance campaign, targeting the largest minority in China, the Uyghurs.
Targeted Attack
Individual
CE
CN
Check Point, Scarlet Mimic, China, Uyghurs
76
23/09/2022
Between 10/07/2022 and 14/08/2022
24/07/2022
?
Dyersburg Family Walk-In Clinic
Family Walk-In Clinic discloses that it suffered a data security incident that resulted in information being taken from its systems.
Unknown
Human health and social work
CC
US
Family Walk-In Clinic, Reelfoot Family Walk-In Clinic
77
23/09/2022
05/04/2022
26/07/2022
?
Physician’s Business Office (PBO)
Physician’s Business Office (PBO) reveals that it suffered a data breach that impacted 196,573 individuals.
Unknown
Administration and support service
CC
US
Physician’s Business Office, PBO
78
23/09/2022
'Recently'
'Recently'
?
Northern California Fertility Medical Center (NCFMC)
Northern California Fertility Medical Center (NCFMC) files an official notice of a data breach after an unauthorized party accessed the company’s network and attempted to encrypt certain files.
Malware
Human health and social work
CC
US
Northern California Fertility Medical Center, NCFMC, ransomware
79
23/09/2022
-
-
?
Resource Anesthesia of California
Resource Anesthesia of California reports a data breach following a Network IT / Hacking incident that compromised sensitive information patients entrusted to the practice.
Unknown
Human health and social work
CC
US
Resource Anesthesia of California
80
23/09/2022
-
26/07/2022
?
FMC Services (Family Medical Center Services)
FMC Services confirms that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on its network.
Unknown
Human health and social work
CC
US
FMC Services, Family Medical Center Services
81
23/09/2022
-
-
?
Diodes Incorporated
Diodes Incorporated confirms that the company experienced a data breach after consumer data entrusted to the company was accessible to an unauthorized party.
Unknown
Manufacturing
CC
US
Diodes Incorporated
82
23/09/2022
-
-
?
Apex Capital Corp.
Apex Capital Corp. confirms that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data that had been entrusted to the company.
Unknown
Transportation and storage
CC
US
Apex Capital Corp.
83
23/09/2022
-
-
?
Multiple organizations
Researchers from ReversingLabs discover a malicious NPM package masquerading as the legitimate software library for Material Tailwind, distributing malicious code in open source software repositories.
Malware
Multiple Industries
CC
>1
ReversingLabs, NPM, Material Tailwind
84
23/09/2022
-
-
?
Multiple organizations
Researchers from Kaspersky discover a new campaign distributing the Agent Tesla malware.
Malware
Multiple Industries
CC
>1
Kaspersky, Agent Tesla
85
23/09/2022
'Recently'
'Recently'
Sparta Blog
Sercom Informatica SL
Sparta Blog lists Sercom Informatica SL on their leak site. They also provided samples of files exfiltrated from Sercom customers, including the Hospital Puigcerda.
Attackers allegedly steal over $8,000 in paychecks following an email hack from the Reidville Fire Department.
Unknown
Public admin and defence, social security
CC
US
Reidville Fire Department
87
23/09/2022
-
-
?
RP Consulting SpA
An archive of 7.3 GB of data and 13,000 files belonging to RP Consulting SpA is leaked on Breach Forums.
Unknown
Administration and support service
CC
IT
RP Consulting SpA, Breach Forums
88
23/09/2022
-
-
?
Delta Dental of Washington
Delta Dental of Washington announces that the protected health information of 6,361 members of its dental benefits plans has potentially been compromised in a cyberattack on its mail and printing vendor, Kaye-Smith.
Malware
Human health and social work
CC
US
Delta Dental of Washington, ransomware, Kaye-Smith
89
24/09/2022
Since August 2022
Since August 2022
?
FARGO AKA TargetCompany
Researchers from AhnLab Security Emergency Response Center (ASEC) reveal that vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with the FARGO ransomware.
Malware
Multiple Industries
CC
>1
AhnLab Security Emergency Response Center, ASEC, Microsoft SQL, FARGO, TargetCompany, ransomware
90
24/09/2022
-
-
?
BankingLab
A threat actor claims to have breached the BankingLab banking platform exploiting the CVE-2022-35405 vulnerability affecting multiple Zoho ManageEngine products.
CVE-2022-35405 vulnerability
Fintech
CC
LT
BankingLab, CVE-2022-35405, Zoho, ManageEngine
91
26/09/2022
-
-
RaHDIt
Ukrainian foreign intelligence service
The Russian hacker group RaHDIt posts the data of 1,500 employees of the Ukrainian foreign intelligence service.
Unknown
Public admin and defence, social security
CW
UA
RaHDIt, Ukrainian foreign intelligence service, Russia
92
26/09/2022
-
-
Scylla
Android and iOS users
Researchers from HUMAN reveal the details of Scylla, an operation consisting of 75 applications on Google Play and another ten on Apple’s App Store engaged in ad fraud with 13 million installations.
Malware
Individual
CC
>1
HUMAN, Scylla, Google Play, Apple, App Store, Android, iOS
93
26/09/2022
'Recently'
'Recently'
Lazarus Group
Developers and artists in the crypto space
Researchers at SentinelOne discover Operation In(ter)ception, a new campaign by the North Korean Lazarus hacking group, using fake 'Crypto.com' job offers to hack developers and artists in the crypto space, likely with the long-term goal of stealing digital assets and cryptocurrency.
Researchers from Kaspersky discover NullMixer, a new malware dropper infecting Windows devices with a dozen different malware families simultaneously through fake software cracks promoted on malicious sites in Google Search results.
Malware
Multiple Industries
CC
BR
DE
EG
FR
IN
IT
RU
US
TR
Kaspersky, NullMixer, Google Search
95
26/09/2022
-
-
Bl00dy
Undisclosed victim in Ukraine
The Bl00dy ransomware, built from the LockBit 3.0 Builder, hits an undisclosed victim in Ukraine.
Malware
Unknown
CC
UA
Bl00dy, LockBit 3.0, ransomware
96
26/09/2022
-
Late August 2022
?
Auth0
Authentication service provider Auth0 discloses what it calls a "security event" involving some of its code repositories (from 2020 and earlier) obtained by unknown means from its environment.
Unknown
Professional, scientific and technical
CC
US
Auth0
97
26/09/2022
'Recently'
'Recently'
?
Multiple organizations
Researchers from Proofpoint reveal that threat actors have recently conducted phishing campaigns using Microsoft Sway and used the platform to distribute malware within organizations.
Malware
Multiple Industries
CC
>1
Proofpoint, Microsoft Sway
98
26/09/2022
-
08/07/2022
?
CSI Laboratories
CSI Laboratories discloses that it was hit by a phishing attack.
Account Takeover
Human health and social work
CC
US
CSI Laboratories
99
26/09/2022
Between 21/08/2022 and 27/08/2022
-
?
Netflix users
Researchers from INKY detect Netflix being impersonated in a PII data harvesting campaign utilizing malicious HTML attachments compressed in zip files.
Account Takeover
Arts entertainment, recreation
CC
>1
Netflix, INKY
100
26/09/2022
-
-
?
Watchfinder
Luxury pre-owned watch website Watchfinder warns its user base that their personal data has been accessed after an employee’s account was broken into and a customer list accessed.
Account Takeover
Arts entertainment, recreation
CC
UK
Watchfinder
101
26/09/2022
-
-
?
Poder Judicial de Chile
The Poder Judicial de Chile issues an alert about a computer virus.
Malware
Public admin and defence, social security
CC
CL
Poder Judicial de Chile, ransomware
102
27/09/2022
Since May 2022
-
Russia
Germany, France, Italy, Ukraine and the United Kingdom.
Researchers from Meta take down a large network (1,633 accounts, 703 Pages, one Group on Facebook and 29 accounts on Instagram) that originated in Russia, centered around a sprawling network of over 60 websites carefully impersonating legitimate news organizations in Europe.
Coordinated Inauthentic Behavior
Individual
CW
DE
FR
IT
UA
UK
Meta, Facebook, Instagram, Russia
103
27/09/2022
Since July 2022
Late August 2022
Threat actor from Russia
Individuals in Germany
Researchers from DisinfoLab discover Doppelgänger, a series of websites that had cloned the look-and-feel of several major news sites mainly in Germany, but also the UK, France and Italy.
Coordinated Inauthentic Behavior
Individual
CW
DE
Doppelgänger, Russia, Germany
104
27/09/2022
Since September 2021
-
China
United States, Czech Republic and Chinese- and French-speaking audiences around the world.
Researchers from Meta take down a small network that originated in China and targeted the United States, the Czech Republic and, to a lesser extent, Chinese- and French-speaking audiences around the world.
Coordinated Inauthentic Behavior
Individual
CW
US
CZ
Mata, Facebook, Instagram, China
105
27/09/2022
-
-
?
Multiple organizations
Researchers from Zscaler observe a campaign delivering Agent Tesla, a .NET based keylogger and remote access trojan, using a builder named “Quantum Builder” sold on the dark web.
Malware
Multiple Industries
CC
>1
Zscaler, Agent Tesla, Quantum Builder
106
27/09/2022
-
-
?
Multiple organizations
Researchers from Sucuri discover a new variant of the campaign exploiting compromised WordPress sites to display fake Cloudflare DDoS protection pages to distribute malware.
Malware
Multiple Industries
CC
>1
Sucuri, WordPress, Cloudflare, DDoS
107
27/09/2022
Early August 2022
Early August 2022
?
Multiple organizations
Researchers from Palo Alto Networks discover a new campaign using a polyglot Microsoft Compiled HTML Help (CHM) to distribute the information stealer IcedID.
Malware
Multiple Industries
CC
>1
Palo Alto Networks, Microsoft Compiled HTML Help, CHM, IcedID
108
27/09/2022
27/09/2022
27/09/2022
?
Ethereum arbitrage trading bot
An Ethereum arbitrage trading bot is able to earn 800 ETH and loses 1100 ETH (around $1.41 million) one hour later when an unknown attacker exploits a vulnerability.
Vulnerability
Fintech
CC
N/A
Ethereum
109
27/09/2022
23/09/2022
23/09/2022
?
Cox Communications
Cox Communications reveals that an internet outage that affected the city of Tucson over the weekend was due to a cyber attack.
Unknown
Information and communication
CC
US
Cox Communications, Tucson
110
27/09/2022
-
-
Vice Society
Jaime Câmara Group (JCG)
Brazilian media conglomerate Jaime Câmara Group (JCG) is the victim of a ransomware attack.
Malware
Information and communication
CC
BR
Jaime Câmara Group, JCG, ransomware, Vice Society
111
28/09/2022
Since mid-June
24/12/2021
Chaos
Multiple organizations
Researchers from Black Lotus Labs expose a quickly expanding botnet called Chaos, a Go-based malware targeting and infecting Windows and Linux devices to use them for cryptomining and launching DDoS attacks.
Malware
Multiple Industries
CC
>1
Black Lotus Labs, Chaos, Windows, Linux, Go
112
28/09/2022
'Recently'
'Recently'
?
Multiple military contractors involved in weapon manufacturing
Researchers from Securonix reveal the details of STEEP#MAVERICK, a campaign targeting military contractors.
Targeted Attack
Manufacturing
CE
>1
Securonix, STEEP#MAVERICK
113
28/09/2022
During 2022
During 2022
?
Taxpayers in the U.S:
The Internal Revenue Service (IRS) warns Americans of an exponential rise in IRS-themed text message phishing attacks trying to steal their financial and personal information in the last few weeks.
Account Takeover
Individual
CC
US
Internal Revenue Service, IRS
114
28/09/2022
25/09/2022
25/09/2022
Thrax
Fast Company
Fast Company takes its website offline after it was hacked to display stories and push out Apple News notifications containing obscene and racist comments.
Account Takeover
Information and communication
CC
US
Fast Company, Thrax
115
28/09/2022
During 2022
During 2022
Prilex
Multiple organizations in Brazil
Researchers from Kaspersky discover three new versions of Prilex PoS-targeting malware during 2022, indicating that its authors and operators are back in action.
Malware
Multiple Industries
CC
BR
Kaspersky, Prilex, PoS
116
28/09/2022
During August 2022
During August 2022
?
US and New Zealand job seekers
Researchers from Cisco Talos discover a new phishing campaign targets US and New Zealand job seekers with malicious documents installing Cobalt Strike beacons for remote access to victims' devices.
Malware
Individual
CC
US
NZ
Cisco Talos, Cobalt Strike, Amadey, RedLine
117
28/09/2022
-
02/08/2022
?
focusIT
focusIT files an official notice of a data breach after the company learned that an unauthorized party gained access to sensitive consumer information in its possession.
Unknown
Administration and support service
CC
US
focusIT
118
28/09/2022
21/03/2022
Between 21/03/2022 and 27/03/2022
?
Johnson Memorial Hospital
Johnson Memorial Hospital announces that the personal and protected health information of some of its patients has been exposed as a result of a malware infection at the law firm, Reid and Riege.
Malware
Human health and social work
CC
US
Johnson Memorial Hospital, Reid and Riege.
119
28/09/2022
-
-
PT_Moisha
Aoyuan Healthy Life Group
The Aoyuan Healthy Life Group is allegedly hit by the PT_Moisha ransomware group.
Malware
Human health and social work
CC
CN
Aoyuan Healthy Life Group, PT_Moisha, Ransomware
120
28/09/2022
-
-
Kelvin Security
GenialMoney
Kelvin Security leaks 68 Gb of data with 23,000 files from GenialMoney.
Unknown
Finance and insurance
CC
IT
Kelvin Security, GenialMoney
121
28/09/2022
-
-
?
Individuals in India
India's Home Ministry asks state governments to crack down on illegal lending apps it says have led to "multiple suicides by citizens owing to harassment, blackmail, and harsh recovery methods."
Malware
Individual
CC
IN
India
122
29/09/2022
Earlier in 2022
Earlier in 2022
UNC3886 (Threat actor suspected to have ties with China)
VMware ESXi, Linux vCenter servers, and Windows virtual machines
Researchers from Mandiant discover that UNC3886, an actor suspected to have ties with China used malicious vSphere Installation Bundles (VIBs) to deliver the VirtualPita, VirtualPie, and VirtualGate malware.
A ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million.
Malware
Multiple Industries
CC
>1
Royal, ransomware
124
29/09/2022
In recent months
In recent months
Lazarus Group (AKA Zinc)
Multiple organizations
Researchers from Microsoft reveal that the North Korean-sponsored Lazarus threat group is trojanizing legitimate open-source software (such as PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer. and using it to backdoor organizations in many industry sectors, such as technology, defense, and media entertainment using the BLINDINGCAN (aka ZetaNile) backdoor.
Targeted Attack
Multiple Industries
CE
>1
Microsoft, Lazarus, ZINC, PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, muPDF/Subliminal Recording, BLINDINGCAN, ZetaNile
125
29/09/2022
Between February and September 2022,
Between February and September 2022,
Witchetty (AKA LookingFrog)
Two governments in the Middle East and a stock exchange in Africa
Researchers from Broadcom/Symantec discover a malicious campaign by the 'Witchetty' hacking group, which uses steganography to hide a backdoor malware in a Windows logo.
Targeted Attack
Public admin and defence, social security
CE
>1
Broadcom, Symantec, Witchetty, LookingFrog, Windows
126
29/09/2022
-
-
Chinese threat actors
Fewer than 10 organizations globally
Researchers at Vietnamese cybersecurity company GTSC reveal that threat actors from China are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, to deploy the Chinese Chopper web shells. Few days later Microsoft confirms the two vulnerabilities CVE-2022-41040 and CVE-2022-41082.
CVE-2022-41040 and CVE-2022-41082 vulnerabilities
Unknown
CE
N/A
GTSC, China, Microsoft Exchange, Chinese Chopper, CVE-2022-41040, CVE-2022-41082
127
29/09/2022
Between 03/10/2020 and 29/03/2021
-
Three individuals in Germany
Banking users in Germany
The Germany's Bundeskriminalamt (BKA), the country's federal criminal police, carries out raids on the homes of three individuals suspected of orchestrating large-scale phishing campaigns that defrauded internet users of €4,000,000.
Account Takeover
Finance and insurance
CC
DE
Germany, Bundeskriminalamt, BKA
128
29/09/2022
-
-
LeakBase
Swachhata Platform (swachhata.city)
A threat actor claims to have breached the Swachhata Platform and stolen 16 million records.
Unknown
Public admin and defence, social security
CC
IN
Swachhata Platform, swachhata.city, Leakbase
129
29/09/2022
-
-
?
Multiple organizations
Researchers from eSentire discover a new campaign where Xtreme RAT and Cryptominer have been delivered through pirated copies of the Windows operating system software.
Malware
Multiple Industries
CC
>1
eSentire, Xtreme RAT, Cryptominer, Windows
130
29/09/2022
-
-
BlackCat AKA ALPHV
NJVC
The ALPHV/BlackCat ransomware gang claims to have breached the IT firm NJVC, which supports the federal government and the United States Department of Defense.
Malware
Public admin and defence, social security
CC
US
ALPHV, BlackCat, ransomware, NJVC
131
29/09/2022
During the past three months
During the past three months
SolarMarker
Multiple organizations
Researchers from eSentire discover s new campaign by the infamous SolarMarker threat actor group, leveraging fake Chrome browser updates as part of watering hole attacks to distribute an info-stealing malware with the same name.
Malware
Multiple Industries
CC
>1
eSentire, SolarMarker, Chrome, Watering Hole
132
29/09/2022
-
-
?
Prefetura de Mimoso do Sul
The Prefetura de Mimoso do Sul reports a cyber attack.
Unknown
Public admin and defence, social security
CC
BR
Prefetura de Mimoso do Sul
133
29/09/2022
-
-
Avos Locker
DLS Motors Paraguay
Avos Locker adds DLS Motors Paraguay to its leak site, and claims to have 50 GB of information.
Malware
Wholesale and retail
CC
PY
Avos Locker, DLS Motors Paraguay, ransomware
134
29/09/2022
-
-
VSOP
Ministry of Foreign Affairs of Guatemala
Threat actors calling themselves VSOP add the Ministry of Foreign Affairs of Guatemala to their leak site.
Unknown
Public admin and defence, social security
CC
GT
VSOP, Ministry of Foreign Affairs of Guatemala, ransomware
135
29/09/2022
-
21/09/2022
LockBit 3.0
Universidad Internacional Del Ecuador (UIDE)
Lockbit adds the Universidad Internacional Del Ecuador (UIDE) to its leaks site
Malware
Education
CC
EC
Universidad Internacional Del Ecuador, UIDE, Ransomware, LockBit 3.0
136
29/09/2022
-
-
Hive
Alia Servizi Ambientali
Alia Servizi Ambientali is hit with a Hive ransomware attack.
Malware
Water supply, waste mgmt, remediation
CC
IT
Alia Servizi Ambientali, Hive, Ransomware
137
30/09/2022
During the autumn of 2021
-
Lazarus Group
Aerospace company in the Netherlands, and a political journalist in Belgium
Researchers from ESET unveil a new campaign by the North Korean threat actor Lazarus, exploiting the CVE‑2021‑21551 vulnerability affecting the Dell DBUtil drivers.
Targeted Attack
Multiple Industries
CE
BE
NL
ESET, North Korea, Lazarus, CVE‑2021‑21551, Dell, DBUtil
138
30/09/2022
-
-
Guacamaya
Multiple governments in South America including Mexico, Chile, El Salvador, Peru and Colombia
In name of Operation Repressive Forces, hacktivists from the Guacamaya group leak 10 terabytes including data from military and police agencies across several Latin American countries.
Unknown
Public admin and defence, social security
>1
CL
CO
MX
PE
SV
Guacamaya, Repressive Forces
139
30/09/2022
From at least 26/09/2022 until 29/09/2022
Since at least 29/09/2022
Threat actor linked to China
Undisclosed organization
Researchers from Crowdstrike reveal that the official installer for the Comm100 Live Chat application, was trojanized as part of a new supply-chain attack.
Targeted Attack
Unknown
CE
N/A
Crowdstrike, Comm100 Live Chat, China
140
30/09/2022
between May and July 2022
-
?
Shangri-La
The Shangri-La hotel group says a database containing the personal information of customers at eight of its Asian properties has been hacked.
Unknown
Accommodation and food service
CC
HK
SG
TH
CN
JP
Shangri-La
141
30/09/2022
Between 02/04/2021 and 13/07/2021
21/07/2021
?
Chemonics International
Chemonics International files an official notice of a data breach with the various state attorney general offices after the company was the victim of a sophisticated cyberattack that compromised several email accounts of its employees.
Account Takeover
Administration and support service
CC
US
Chemonics International
142
30/09/2022
Between 07/062022 and 12/07/2022
26/07/2022
?
Coeur Group
The Coeur Group notifies 2,020 patients that some of their protected health information has potentially been accessed by an unauthorized individual who gained access to an employee’s email account.
Account Takeover
Human health and social work
CC
US
Coeur Group
143
30/09/2022
Late May 2022
Late May 2022
?
Geisinger Health System
Geisinger Health System discloses a ransomware attack affecting its email vendor Kaye-Smith.
Malware
Human health and social work
CC
US
Geisinger Health System, ransomware, Kaye-Smith.
144
30/09/2022
Late May 2022
Late May 2022
?
Seattle Children’s Hospital
Seattle Children’s Hospital discloses a ransomware attack affecting its email vendor Kaye-Smith.
Riverside Medical Group reveals that hackers gained access to a legacy server at its clinic in West Orange and may have viewed or obtained files containing patient data.
Unknown
Human health and social work
CC
US
Riverside Medical Group
146
30/09/2022
Between 01/11/2021 and 04/11/2021
04/11/2021
?
City of Fulton
The city of Fulton reveals to have suffered a breach that compromised the personal data of 28,282 people.
Unknown
Public admin and defence, social security
CC
US
City of Fulton
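Two of the delivery tricks in this fortnight recur in mail-borne attacks: the Netflix campaign in row 99 hides phishing HTML inside zip attachments, and the IcedID campaign in row 107 ships a polyglot CHM file. The script below is an added example, not code from the timeline or from INKY or Palo Alto Networks; it triages attachments the way a mail-gateway hook would, opening zips in memory, flagging HTML members and a few phishing indicators, and identifying CHM content by its ITSF magic bytes regardless of the extension it carries. The heuristics, size and nesting limits, and the constructed sample attachments are all assumptions.

```python
import io
import re
import zipfile

# Added example: attachment triage for zip-wrapped HTML phishing pages and
# CHM content disguised behind another extension. Heuristics and limits are
# assumptions, not any vendor's published detection logic.

CHM_MAGIC = b"ITSF"                      # header of Microsoft Compiled HTML Help files
HTML_EXTS = (".html", ".htm", ".xhtml", ".shtml")
MAX_DEPTH = 3                            # nested-archive limit (assumption)
MAX_MEMBER_BYTES = 5 * 1024 * 1024       # zip-bomb guard: skip oversized members (assumption)

# Indicators of HTML phishing / HTML smuggling (assumed heuristics; tune to your mail flow).
SUSPICIOUS_HTML = [
    (re.compile(rb"<form[^>]+action=[\"']?https?://", re.I), "form posts to an external URL"),
    (re.compile(rb"type=[\"']?password", re.I), "password input field"),
    (re.compile(rb"\b(atob|unescape|fromCharCode)\s*\(", re.I), "JS decoding primitive"),
    (re.compile(rb"[A-Za-z0-9+/=]{400,}"), "long base64-like blob"),
]


def inspect_html(data: bytes) -> list[str]:
    """Return the descriptions of the HTML heuristics that match."""
    return [why for rx, why in SUSPICIOUS_HTML if rx.search(data)]


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return findings for one attachment; an empty list means nothing was flagged.

    Zip archives are opened in memory and every member is triaged recursively,
    so an HTML file or a nested zip inside an archive gets the same checks.
    """
    findings: list[str] = []
    lower = name.lower()

    # Trust the magic bytes, not the extension: a CHM polyglot renamed to .pdf
    # or .html still starts with ITSF and is still handled by hh.exe.
    if data.startswith(CHM_MAGIC) and not lower.endswith(".chm"):
        findings.append(f"{name}: CHM magic (ITSF) but extension is not .chm")

    if lower.endswith(HTML_EXTS):
        findings.extend(f"{name}: {why}" for why in inspect_html(data))

    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append(f"{name}: archive nested deeper than {MAX_DEPTH}, not inspected")
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = f"{name}!{info.filename}"
                if info.filename.lower().endswith(HTML_EXTS):
                    findings.append(f"{inner}: HTML file inside zip attachment")
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{inner}: member too large to inspect")
                    continue
                try:
                    body = zf.read(info)
                except (RuntimeError, zipfile.BadZipFile):
                    # ZipFile raises RuntimeError for password-protected members,
                    # a common trick to get phishing HTML past gateway scanning.
                    findings.append(f"{inner}: member encrypted or corrupt, content not inspectable")
                    continue
                findings.extend(triage_attachment(inner, body, depth + 1))
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed, harmless sample attachments used to exercise the triage."""
    phish_html = (
        b"<html><body><h1>Netflix - update your payment details</h1>"
        b"<form method=post action='https://example.invalid/collect'>"
        b"<input name=email><input type=password name=pw></form></body></html>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Netflix_Invoice.html", phish_html)
    fake_chm = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60   # header bytes only, not a real CHM
    benign_pdf = b"%PDF-1.4\n% placeholder\n"
    return {
        "invoice.zip": buf.getvalue(),   # zip-wrapped HTML phishing page (row 99 pattern)
        "report.pdf": fake_chm,          # CHM content behind a .pdf extension (row 107 pattern)
        "brochure.pdf": benign_pdf,      # control: should produce no findings
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        hits = triage_attachment(fname, blob)
        print(f"{fname}: {'CLEAN' if not hits else ''}")
        for hit in hits:
            print("  -", hit)
```

In a real deployment the findings would feed a quarantine decision rather than stdout, and the HTML heuristics would sit alongside a proper HTML/JS parser; the point here is that the zip container and the file extension are both attacker-controlled, so inspection has to look inside the archive and at the bytes themselves.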