In the second timeline of November I have collected 141 events (corresponding to 9.4 events per day), a value slightly higher than the previous timeline but in line with the last months. The level of activity remains quite sustained, and as a consequence the breachometer turns red.
The impact of ransomware is back at the highs of 2022, exceeding 30% (32.6%, corresponding to 41 out of 141 events), while 5.7% of events (8 out of 141) were characterized by the exploitation of vulnerabilities.
At least during the second fortnight of November no massive hacks against Decentralized Finance platforms were reported, although crypto investors continue to be the targets of multiple campaigns, predominantly phishing, but also a deepfake of Sam Bankman-Fried, the former CEO of the bankrupt platform FTX.
But if the massive hacks against crypto platforms took an apparent break, the same can't be said for mega breaches: in this timeline, two events are related to two apparent massive breaches targeting Twitter and WhatsApp users.
In comparison to the previous timelines, only 5% of events (7 out of 141) were characterized by cyber espionage. The main characters on the cyber espionage front include old acquaintances such as Mustang Panda and the cyber mercenaries of Bahamut, but also new threat actors such as UNC4191. Additionally, the exploitation of commercial spyware continues with the discovery of a new operation tied to a Spanish vendor named Variston.
Instead, the impact of cyber campaigns related to Ukraine apparently continues to fade: except for a new operation by the Sandworm threat actor carried out via the RansomBoggs ransomware, the only visible events are the DDoS attacks carried out by the pro-Russian Killnet collective.
As usual the list is too long to be summarized in a few words, so my usual suggestion is to enjoy the interactive timeline and the table, with a plea to share them and spread awareness.
Thanks for supporting my work and don't forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
Geo Map November H2 2022
| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 16/11/2022 | From mid-June through mid-July 2022 | Mid-June 2022 | Iranian APT | Undisclosed Federal Civilian Executive Branch (FCEB) organization | The FBI and CISA reveal in a joint advisory that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware, exploiting the Log4j vulnerability. | | | | | |
| 2 | | | | | | Researchers from BlackBerry reveal that the ARCrypter ransomware is expanding its operations against multiple organizations worldwide. | Malware | Multiple Industries | CC | >1 | BlackBerry, ARCrypter, ransomware |
| 3 | 16/11/2022 | From mid-September to the end of October 2022 | From Mid-September 2022 | ? | Individuals in North America | Researchers from Akamai discover a sophisticated phishing kit that has been targeting North Americans, using lures focused on holidays like Labor Day and Halloween. | Account Takeover | Individual | CC | >1 | Akamai, Labor Day, Halloween |
| 4 | 16/11/2022 | During 2022 | During 2022 | ? | Individuals in North America | The U.S. Department of Justice seizes seven domains that hosted websites linked to "pig butchering" scams, where fraudsters trick victims of romance scams into investing in cryptocurrency via fake investment platforms. | Account Takeover | Individual | CC | US | U.S. Department of Justice |
| 5 | 16/11/2022 | 'Recently' | 'Recently' | ? | Multiple organizations | The Microsoft Detection and Response Team (DART) sees an increase in attackers utilizing token theft. | Account Takeover | Multiple Industries | CC | >1 | Microsoft Detection and Response Team, DART, token |
| 6 | 16/11/2022 | Between 05/09/2022 and 07/09/2022 | 07/09/2022 | ? | AAA Collections (Advanced Asset Alliance) | AAA Collections reports a data breach after the company learned that an unauthorized party was able to access sensitive consumer data contained on its computer system. | Unknown | Finance and insurance | CC | US | AAA Collections, Advanced Asset Alliance |
| 7 | 16/11/2022 | - | 25/10/2022 | Hive | Lake Charles Memorial Health System (LCMH) | Lake Charles Memorial Health System (LCMH) confirms it has been hit with a Hive ransomware attack. | Malware | Human health and social work | CC | US | Lake Charles Memorial Health System, LCMH, Hive |
| 8 | 16/11/2022 | 03/06/2022 | - | ? | Innovative Service Technology Management Services | Innovative Service Technology Management Services reports a data breach after the company experienced a ransomware attack targeting its computer system. | Malware | Administration and support service | CC | US | Innovative Service Technology Management Services, ransomware |
| 9 | 16/11/2022 | Between 31/08/2022 and 01/09/2022 | 01/09/2022 | ? | Native American Rehabilitation Association of the Northwest (NARA NW) | Native American Rehabilitation Association of the Northwest (NARA NW) reports a breach of the email accounts of seven employees. | Account Takeover | Human health and social work | CC | US | Native American Rehabilitation Association of the Northwest, NARA NW |
| 10 | 16/11/2022 | - | - | ? | Government of Moldova | A newly registered website called Moldova Leaks releases damaging private exchanges of at least two prominent political figures, causing a major political scandal. | Unknown | Public admin and defence, social security | H | MD | Moldova Leaks |
| 11 | 16/11/2022 | - | 10/11/2022 | ? | San Gorgonio Memorial Hospital (SGMH) | San Gorgonio Memorial Hospital (SGMH) is hit with a malware attack. | Malware | Human health and social work | CC | US | San Gorgonio Memorial Hospital, SGMH |
| 12 | 16/11/2022 | Since early 2022 | Since early 2022 | Disneyland Team | Bank customers in multiple countries | A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic. | Account Takeover | Finance and insurance | CC | >1 | Disneyland Team, Punycode |
| 13 | 16/11/2022 | 16/03/2022 | - | ? | Tuloso Midway Independent School District | Tuloso Midway Independent School District discloses that one employee's email account was accessed without authorization. | Account Takeover | Education | CC | US | Tuloso Midway Independent School District |
| 14 | 17/11/2022 | 17/11/2022 | 17/11/2022 | Killnet | Website of the White House (Whitehouse.gov) | The Russian collective Killnet claims to have briefly taken down the website of the White House (whitehouse.gov). | DDoS | Public admin and defence, social security | H | US | Russia, Killnet, White House, whitehouse.gov |
| 15 | 17/11/2022 | Since June 2021 | - | Hive | Over 1,300 organizations worldwide | The Federal Bureau of Investigation (FBI) says that the notorious Hive ransomware gang has successfully extorted roughly $100 million from over a thousand companies since June 2021. | Malware | Multiple Industries | CC | >1 | Federal Bureau of Investigation, FBI, Hive, ransomware |
| 16 | 17/11/2022 | - | - | QBot AKA QakBot | Multiple organizations | A new QBot phishing campaign exploits the Windows Mark of the Web zero-day vulnerability by distributing JS files signed with malformed signatures. | Mark of the Web zero-day vulnerability | Multiple Industries | CC | >1 | QBot, QakBot, Windows, Control Panel, Mark of the Web, MotW |
| 17 | 17/11/2022 | Since June 2020 | - | Iran and Venezuela | Individuals in South America | Researchers from Recorded Future reveal that Iran and Venezuela have allegedly been orchestrating a years-long influence campaign to free Alex Saab, a well-known Colombian businessman with ties to both countries. | Coordinated Inauthentic Behavior | Individual | CW | >1 | Recorded Future, Iran, Venezuela, Alex Saab |
| 18 | 17/11/2022 | Since at least late October 2022 | Late October 2022 | DEV-0569 (Royal) | Multiple organizations | Researchers from Microsoft discover a "malvertising" campaign in which the attackers, tracked as DEV-0569, used Google Ads and abused a traffic distribution system to redirect users to a download site distributing the Royal ransomware. | Malware | Multiple Industries | CC | >1 | Microsoft, malvertising, DEV-0569, Google Ads, Royal, ransomware |
| 19 | 17/11/2022 | During October 2022 | During October 2022 | ? | Individuals in the Middle East | Researchers from Trellix reveal that email-based phishing attacks targeting the Middle East doubled in October in the lead-up to the World Cup in Qatar. | Account Takeover | Individual | CC | >1 | Trellix, World Cup, Qatar |
| 20 | 17/11/2022 | 17/06/2022 | 28/06/2022 | ? | Radio Free Asia | Radio Free Asia, a U.S. government-sponsored news outlet, announces a breach that affected almost 4,000 people, leaking troves of personal information including Social Security and passport numbers, as well as financial data. | Account Takeover | Information and communication | CC | US | Radio Free Asia |
| 21 | 17/11/2022 | During October 2022 | 17/11/2022 | ? | National educational institutions in the U.S. | Researchers from Armorblox discover a campaign targeting students at national educational institutions in the US, impersonating Instagram. | Account Takeover | Education | CC | US | Armorblox, Instagram |
| 22 | 17/11/2022 | - | - | ? | Rosewood Corporation | The Rosewood Corporation reports a data breach after an unauthorized party was able to access sensitive consumer information in the company's possession. | Unknown | Real estate | CC | US | Rosewood Corporation |
| 23 | 17/11/2022 | - | - | ? | Multiple organizations | Researchers from Cisco Talos discover new variants of the LodaRAT Remote Access Tool. | Malware | Multiple Industries | CC | >1 | Cisco Talos, LodaRAT |
| 24 | 17/11/2022 | - | - | ? | Individuals | Researchers from Check Point discover a sharp increase in fake shopping-related websites in the run-up to Black Friday sales. | Account Takeover | Individual | CC | >1 | Check Point, Black Friday |
| 25 | 17/11/2022 | 09/04/2022 | Between 18/11/2021 and 09/04/2022 | ? | County of Tehama | The County of Tehama announces that it has addressed a data security incident that resulted in unauthorized access to files on its systems. | Unknown | Public admin and defence, social security | CC | US | County of Tehama |
| 26 | 17/11/2022 | - | 08/11/2022 | ? | Pearland Independent School District | Pearland ISD alerts parents and others associated with the district that the parties responsible for a recent breach of its computer system may try to contact them. | Unknown | Education | CC | US | Pearland Independent School District |
| 27 | 18/11/2022 | 18/11/2022 | 18/11/2022 | Killnet | Starlink | The Russian hacktivists from the Killnet collective claim to have taken down Elon Musk's Starlink website. | DDoS | Information and communication | H | US | Killnet, Starlink, Russia, Elon Musk |
| 28 | 18/11/2022 | - | - | ? | Individuals | A new campaign abuses Google's Looker Studio (formerly Google Data Studio) to boost search engine rankings for illicit websites that promote spam, torrents, and pirated content. | SEO Poisoning | Individual | CC | >1 | Google's Looker Studio, Google Data Studio |
| 29 | 18/11/2022 | Between March and October 2022 | - | Mustang Panda (AKA Bronze President, TA416, Earth Preta) | Government, academic, foundations, and research sectors of multiple countries including Myanmar, Australia, the Philippines, Japan, and Taiwan | Researchers from Trend Micro discover a new campaign, conducted between March and October 2022, targeting the government, academic, foundation, and research sectors of multiple countries including Myanmar, Australia, the Philippines, Japan, and Taiwan. | Targeted Attack | Public admin and defence, social security | CE | AU, MM, PH, TW, JP | Trend Micro |
| 30 | 18/11/2022 | - | - | AXLocker | Individuals | Researchers from Cyble discover a new version of the AXLocker ransomware stealing the Discord accounts of infected users. | Malware | Individual | CC | >1 | Cyble, AXLocker, ransomware, Discord |
| 31 | 18/11/2022 | - | - | Octocrypt | Individuals | Researchers from Cyble discover Octocrypt, a new ransomware targeting all Windows versions. | Malware | Individual | CC | >1 | Cyble, Octocrypt, ransomware, Discord |
| 32 | 18/11/2022 | - | - | Alice | Individuals | Researchers from Cyble discover Alice, a new Ransomware-as-a-Service (RaaS). | Malware | Individual | CC | >1 | Cyble, Alice, ransomware, Discord |
| 33 | 18/11/2022 | Since Early November 2022 | During November 2022 | ? | Twitter users | Researchers at Proofpoint record a noticeable increase in phishing campaigns targeting the credentials of Twitter users following Elon Musk's takeover of the company. | Account Takeover | Individual | CC | >1 | Proofpoint, Twitter, Elon Musk |
| 34 | 18/11/2022 | Since at least 04/11/2022 | 04/11/2022 | ? | Crypto users | Researchers from Bitdefender discover a QR code phishing campaign targeting Binance users. | Account Takeover | Fintech | CC | >1 | Bitdefender, Binance |
| 35 | 18/11/2022 | 'Recently' | 'Recently' | ? | Wright & Filippis | Wright & Filippis reports a data breach after the company learned it had been the target of a ransomware attack. | Malware | Manufacturing | CC | US | Wright & Filippis, ransomware |
| 36 | 18/11/2022 | - | 13/06/2022 | ? | Gateway Rehabilitation Center | Gateway Rehabilitation Center reports a data breach after the company learned that an unauthorized party was able to access sensitive consumer information contained on its computer network. | Unknown | Human health and social work | CC | US | Gateway Rehabilitation Center |
| 37 | 18/11/2022 | 18/11/2022 | 18/11/2022 | ? | Central Depository Services Limited (CDSL) | India's leading central securities depository, Central Depository Services Limited (CDSL), says its systems have been compromised by malware. | Malware | Other service activities | CC | IN | Central Depository Services Limited, CDSL |
| 38 | 18/11/2022 | - | - | ? | Municipality of Torre del Greco (Comune di Torre del Greco) | The Municipality of Torre del Greco is hit with a ransomware attack. | Malware | Public admin and defence, social security | CC | IT | Comune di Torre del Greco, Municipality of Torre del Greco, ransomware |
| 39 | 19/11/2022 | - | 18/11/2022 | Belarusian Cyber Partisans | Roskomnadzor | A unit of the Russian internet and media regulator Roskomnadzor confirms that hackers breached its systems after the Belarusian hacktivist group known as the Cyber Partisans claimed to have attacked the organization. | Unknown | Information and communication | H | RU | Roskomnadzor, Belarusian Cyber Partisans |
| 40 | 19/11/2022 | 14/11/2022 | 14/11/2022 | ? | Ticketmaster | Ticketmaster releases a statement attributing the Taylor Swift concert ticketing issues to bots overloading its website. | Bot attack | Arts entertainment, recreation | CC | US | Ticketmaster, Taylor Swift |
| 41 | 19/11/2022 | 11/11/2022 and 12/11/2022 | - | Daixin Team | AirAsia | AirAsia falls victim to a ransomware attack carried out by the Daixin Team gang. | Malware | Transportation and storage | CC | MY | AirAsia, ransomware, Daixin Team |
| 42 | 19/11/2022 | 14/11/2022 | 14/11/2022 | ? | ESO | ESO, a company that provides record management system software to emergency responders and paramedic agencies, receives an alert from its security team and shuts down its system. | Unknown | Professional, scientific and technical | CC | US | ESO |
| 43 | 21/11/2022 | During 2022 | During 2022 | VenomSoftX | Individuals | Researchers from Avast discover a new version of the information-stealing Google Chrome browser extension named 'VenomSoftX', deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web. | Malicious Browser Extension | Individual | CC | >1 | Avast, Google Chrome, VenomSoftX |
| 44 | 21/11/2022 | 21/11/2022 | 21/11/2022 | ? | DraftKings | Sports betting company DraftKings reveals that it will make whole customers affected by a credential stuffing attack that led to losses of up to $300,000. | Credential Stuffing | Arts entertainment, recreation | CC | US | DraftKings |
| 45 | 21/11/2022 | Since 2021 | During November 2022 | ? | Users of Coinbase, MetaMask, Crypto.com, and KuCoin | Researchers from PIXM discover an ongoing crypto-stealing phishing campaign that bypasses multi-factor authentication to gain access to accounts on Coinbase, MetaMask, Crypto.com, and KuCoin and steal cryptocurrency. | Account Takeover | Fintech | CC | >1 | PIXM, Coinbase, MetaMask, Crypto.com, KuCoin |
| 46 | 21/11/2022 | Since at least late August 2022 | Late August 2022 | At least seven hacking groups | Individuals | Researchers from SEKOIA reveal that cybercriminals are increasingly turning to a new Go-based information stealer named 'Aurora' to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads. | Malware | Individual | CC | >1 | SEKOIA, Go, Aurora |
| 47 | 21/11/2022 | - | - | Luna Moth/Silent Ransom | Organizations in multiple sectors including legal and retail | Researchers from Palo Alto Networks reveal the details of the Luna Moth/Silent Ransom Group callback phishing extortion campaign, targeting businesses in multiple sectors including legal and retail. | Account Takeover | Multiple Industries | CC | >1 | Palo Alto Networks, Luna Moth, Silent Ransom |
| 48 | 21/11/2022 | Between 10/06/2022 and 24/08/2022 | 20/06/2022 | ? | Hope Health Systems (HHS) | Hope Health Systems (HHS) reports a data breach after the company learned that sensitive patient information stored on its network was leaked following a ransomware attack. | Malware | Human health and social work | CC | US | Hope Health Systems, HHS, ransomware |
| 49 | 21/11/2022 | 12/05/2021 | 12/05/2021 | ? | Receivables Performance Management | Receivables Performance Management reports a data breach after the company learned that it had been the target of a 2021 ransomware attack compromising sensitive consumer information stored on its computer network. | Malware | Finance and insurance | CC | US | Receivables Performance Management, ransomware |
| 50 | 21/11/2022 | - | 30/05/2022 | ? | South Walton Fire District (SWFD) | South Walton Fire District discloses unauthorized access to its network, potentially affecting sensitive information such as names, addresses, Social Security numbers, dates of birth, treatment dates, medical diagnostic and treatment information, and health insurance information. | Unknown | Human health and social work | CC | US | South Walton Fire District, SWFD |
| 51 | 21/11/2022 | - | - | Lorenz | Healthcare organizations in the US | The Health Sector Cybersecurity Coordination Center (HC3) issues a warning about the Lorenz ransomware targeting healthcare organizations. | Malware | Human health and social work | CC | US | Health Sector Cybersecurity Coordination Center, HC3, Lorenz, ransomware |
| 52 | 21/11/2022 | 18/11/2022 | 18/11/2022 | ? | Crypto users on Twitter | A deepfake of FTX founder Sam Bankman-Fried circulates on Twitter from a verified account, appearing to claim he could make users whole again by doubling their cryptocurrency in a typical giveaway scam. | DeepFake | Fintech | CC | >1 | FTX, Sam Bankman-Fried, Twitter |
| 53 | 21/11/2022 | - | - | ? | Kannur University | The personal data of over 30,000 students at Kannur University is reportedly leaked. | Unknown | Education | CC | IN | Kannur University |
| 54 | 21/11/2022 | - | - | ? | Generali España | Generali España confirms that a security incident might have affected former customers. | Unknown | Finance and insurance | CC | ES | Generali España |
| 55 | 21/11/2022 | 17/11/2022 | 17/11/2022 | ? | Klinikum Lippe hospital | The Klinikum Lippe hospital is hit with a ransomware attack. | Malware | Human health and social work | CC | DE | Klinikum Lippe hospital, ransomware |
| 56 | 22/11/2022 | 22/11/2022 | 22/11/2022 | Killnet | Website of the Prince of Wales (princeofwales.gov.uk) | The Russian Killnet collective claims to have taken down the website of the Prince of Wales over the UK's continued support for Ukraine. | DDoS | Public admin and defence, social security | H | UK | Killnet, Prince of Wales, princeofwales.gov.uk |
| 57 | 22/11/2022 | - | - | SharkBot | Android users | Researchers from Bitdefender discover a new campaign distributing the SharkBot malware from the Google Play app store, via malicious Android apps posing as harmless file managers. | Malware | Individual | CC | >1 | Bitdefender, SharkBot, Google Play |
| 58 | 22/11/2022 | Since at least 2020 | - | Multiple threat actors | Organizations in the energy sector | Researchers from Microsoft reveal that vulnerabilities in the Boa web server, discontinued since 2005 (CVE-2017-9833 and CVE-2021-33558), have been used to target and compromise organizations in the energy sector. | CVE-2017-9833 and CVE-2021-33558 vulnerabilities | Electricity, gas steam, air conditioning | >1 | >1 | Microsoft, Boa, CVE-2017-9833, CVE-2021-33558 |
| 59 | 22/11/2022 | - | - | Donut AKA D0nut | Multiple organizations | The Donut (D0nut) extortion group is confirmed to deploy ransomware in double-extortion attacks on enterprises. | Malware | Multiple Industries | CC | >1 | Donut, D0nut, ransomware |
| 60 | 22/11/2022 | Since July 2022 | During November 2022 | DuckTail | Facebook Business accounts | Researchers at WithSecure discover a new wave of attacks in the DuckTail phishing campaign targeting Facebook Business accounts. | Malware | Multiple Industries | CC | >1 | DuckTail, WithSecure, Facebook |
| 61 | 22/11/2022 | 31/10/2022 | 31/10/2022 | @yanluowangleaks | Yanluowang ransomware gang | The TOR site of the Yanluowang ransomware gang is hacked and its chats are leaked. | Unknown | Other service activities | CC | N/A | Yanluowang, ransomware, @yanluowangleaks |
| 62 | 22/11/2022 | - | During September 2022 | ? | Southampton County | Southampton County in Virginia starts informing individuals that their personal information might have been compromised in a ransomware attack. | Malware | Public admin and defence, social security | CC | US | Southampton County, ransomware |
| 63 | 22/11/2022 | - | 'Recently' | ? | Mena Regional Health System | Mena Regional Health System reports a data breach after the healthcare provider learned that patients' confidential information was leaked after an unauthorized party gained access to its computer system and removed certain data. | Unknown | Human health and social work | CC | US | Mena Regional Health System |
| 64 | 22/11/2022 | During June 2022 | Late October 2022 | ? | Xavier College | Xavier College discloses that it has suffered a cyber attack, with the attackers threatening to release the stolen data. | Unknown | Education | CC | AU | Xavier College |
| 65 | 22/11/2022 | - | - | ? | The Smith Family | Children's charity The Smith Family is hit with a cyberattack, with some personal information of donors potentially stolen. | Unknown | Human health and social work | CC | AU | The Smith Family |
| 66 | 22/11/2022 | Over the last three months | - | ? | Individuals in New Zealand | The New Zealand Government's cyber security agency records a "massive" jump in online fraud, with scammers draining nearly $9 million from unsuspecting victims in just three months. | Account Takeover | Individual | CC | NZ | New Zealand |
| 67 | 22/11/2022 | - | 20/11/2022 | LockBit 3.0 | City of Westmount | The LockBit 3.0 cyber criminal group claims responsibility for the ransomware attack that halted municipal services and shut down employee email accounts in Westmount, Quebec. | Malware | Public admin and defence, social security | CC | CA | LockBit 3.0, ransomware, Westmount |
| 68 | 22/11/2022 | - | - | Multiple threat actors | Individuals | Researchers from Zscaler observe a significant spike in new streaming sites with newly registered domains related to the Qatar 2022 World Cup. | Malware | Individual | CC | >1 | Zscaler, Qatar 2022 World Cup |
| 69 | 22/11/2022 | - | - | ? | Individuals | Researchers from Malwarebytes discover a massive Black Friday-themed malvertising campaign, carried out via Google ads for the popular Walmart brand. | Malvertising | Individual | CC | US | Malwarebytes, Black Friday, Google ads, Walmart |
| 70 | 23/11/2022 | 23/11/2022 | 23/11/2022 | Anonymous Russia | European Parliament | The website of the European Parliament is taken down following a DDoS attack claimed by Anonymous Russia, part of the pro-Russian hacktivist group Killnet. | DDoS | Extraterritorial orgs and bodies | H | EU | European Parliament, Anonymous Russia, Killnet |
| 71 | 23/11/2022 | - | 23/11/2022 | ? | Roblox players | The Chrome browser extension 'SearchBlox', installed by more than 200,000 users, is discovered to contain a backdoor that can steal Roblox credentials and assets. | Malicious Browser Extension | Arts entertainment, recreation | CC | >1 | Chrome, SearchBlox, Roblox |
| 72 | 23/11/2022 | 'Recently' | 'Recently' | ? | Windows gamers and power users | Researchers from Cyble discover a new campaign targeting Windows gamers and power users via fake MSI Afterburner download portals, infecting them with cryptocurrency miners and the RedLine information-stealing malware. | Malware | Arts entertainment, recreation | CC | >1 | Cyble, Windows, MSI Afterburner, RedLine |
| 73 | 23/11/2022 | Since January 2022 | - | Bahamut | Multiple organizations | ESET researchers identify an active campaign targeting Android users, conducted by the Bahamut APT group, with fake VPN software for Android that is a trojanized version of the legitimate SoftVPN and OpenVPN software. | | | | | |
| 74 | | | | | | Researchers from Sysdig discover over 1,600 publicly available Docker Hub images hiding malicious behavior, including cryptocurrency miners, embedded secrets that can be used as backdoors, DNS hijackers, and website redirectors. | Malicious Docker Hub Images | Multiple Industries | CC | >1 | Sysdig, Docker Hub |
| 75 | 23/11/2022 | - | - | RansomExx | Multiple organizations | IBM Security X-Force Threat Researchers discover a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. | Malware | Multiple Industries | CC | >1 | IBM Security X-Force, RansomExx, ransomware, Rust |
| 76 | 23/11/2022 | Since at least March 2021 | 01/03/2021 | 34 different Russian-speaking cyber-criminal groups | Individuals primarily in US, Brazil, India, Germany, and Indonesia | Researchers at Group-IB discover a password-stealing campaign, attributed to 34 different Russian-speaking cyber-criminal groups involved in distributing info-stealing malware such as the Raccoon and RedLine stealers, to obtain passwords for gaming accounts on Steam and Roblox and credentials for Amazon and PayPal. | | | | | |
| 77 | | | | | | Researchers from Cybereason reveal that the Black Basta ransomware group is using the Qakbot malware, also known as QBot, to perpetrate an aggressive and widespread campaign. | Malware | Multiple Industries | CC | US | Cybereason, Black Basta, ransomware, Qakbot, QBot |
| 78 | 23/11/2022 | - | 14/11/2022 | ? | Sonder | Hospitality company Sonder confirms a data breach that has potentially compromised guest records. | Unknown | Accommodation and food service | CC | US | Sonder |
| 79 | 23/11/2022 | 'No earlier than 2021' | 23/11/2022 | ? | Twitter? | Over five million Twitter user accounts may have been compromised in Europe and the US after a new data breach emerges. | Unknown | Information and communication | CC | US | Twitter |
| 80 | 23/11/2022 | - | 23/06/2022 | ? | Upper Peninsula Power Company (UPPCO) | Upper Peninsula Power Company (UPPCO) reports a data breach after the company learned that an unauthorized party was able to access sensitive consumer information by gaining access to its computer network. | Unknown | Electricity, gas steam, air conditioning | CC | US | Upper Peninsula Power Company, UPPCO |
| 81 | 23/11/2022 | Between 27/09/2022 and 28/09/2022 | 28/09/2022 | ? | Dallam Hartley Counties Hospital District | Dallam Hartley Counties Hospital District reports a data breach after the organization learned that an unauthorized party was able to access confidential patient information contained on its computer | Unknown | Human health and social work | CC | US | Dallam Hartley Counties Hospital District |
| 82 | 23/11/2022 | - | 31/10/2022 | ? | Ingalls & Snyder | Ingalls & Snyder reports a data breach after an unauthorized party was able to bypass the company's data security system and access sensitive client information stored on the company's computer network. | Unknown | Finance and insurance | CC | US | Ingalls & Snyder |
| 83 | 23/11/2022 | - | 21/03/2022 | ? | Columbia Grain International | Columbia Grain International reports a data breach after the company experienced a data security incident that compromised sensitive consumer information stored on its computer network. | Unknown | Accommodation and food service | CC | US | Columbia Grain International |
| 84 | 23/11/2022 | - | 15/07/2022 | ? | HomeTrust Mortgage | HomeTrust Mortgage reports a data breach after hackers carried out a successful ransomware attack against the company, compromising consumer data stored on the company's computer system. | Malware | Finance and insurance | CC | US | HomeTrust Mortgage, ransomware |
| 85 | 23/11/2022 | 28/09/2022 | - | ? | Disability Services of the Southwest | Disability Services of the Southwest suffers a ransomware attack after unauthorized individuals gained access to its employment and training website. | Malware | Human health and social work | CC | US | Disability Services of the Southwest, ransomware |
| 86 | 23/11/2022 | - | 16/11/2022 | ? | Individuals | Researchers from Adex discover a suspicious-looking link leading to a subdomain of the official website of FC Barcelona. | Account Takeover | Individual | CC | >1 | FC Barcelona |
| 87 | 23/11/2022 | - | - | Cryptonite | Multiple organizations | Researchers from Fortinet reveal the details of Cryptonite, a new ransomware kit. | Malware | Multiple Industries | CC | >1 | Fortinet, Cryptonite, ransomware |
| 88 | 23/11/2022 | 23/11/2022 | 23/11/2022 | ? | All India Institute of Medical Sciences (AIIMS) | The All India Institute of Medical Sciences (AIIMS) is hit with a ransomware attack. | Malware | Human health and social work | CC | IN | All India Institute of Medical Sciences, AIIMS, ransomware |
| 89 | 23/11/2022 | Since at least October 2022 | During October 2022 | WannaRen | Organizations in India | Researchers from Trend Micro discover a new version of the WannaRen ransomware targeting organizations in India. | Malware | Multiple Industries | CC | IN | Trend Micro, WannaRen, ransomware |
| 90 | 23/11/2022 | Between 25/05/2022 and 30/05/2022 | Late May 2022 | ? | Ontario Secondary School Teachers' Federation (OSSTF) | The Ontario Secondary School Teachers' Federation (OSSTF) says it was the victim of a ransomware attack earlier this year that compromised members' personal information. | Malware | Education | CC | CA | Ontario Secondary School Teachers' Federation, OSSTF, ransomware |
| 91 | 23/11/2022 | Since at least 15/11/2022 | 15/11/2022 | SocGholish | Multiple organizations | Researchers from Sucuri discover a new campaign by the SocGholish threat actors. | Malware | Multiple Industries | CC | >1 | Sucuri, SocGholish |
| 92 | 23/11/2022 | - | - | Moses Staff | Undisclosed major Israeli security organization | An Iranian hacker group by the name of Moses Staff publishes footage of the bombing attack in Jerusalem on its Telegram group, claiming to have hacked surveillance cameras belonging to a major Israeli security organization. However, Israeli authorities deny the hack. | Unknown | Public admin and defence, social security | H | IL | Moses Staff, Israel, Iran |
| 93 | 23/11/2022 | - | - | ? | Individuals | Researchers from Fortinet discover two campaigns capitalizing on Black Friday, one exploiting an old PDF file and another exploiting typosquatting. | Malware | Individual | CC | US | Fortinet, Black Friday |
| 94 | 24/11/2022 | - | - | ? | Undisclosed organization(s) | An emergency Chrome update addresses CVE-2022-4135, an actively exploited zero-day in the popular browser. | CVE-2022-4135 Vulnerability | Unknown | N/A | N/A | Chrome, CVE-2022-4135 |
| 95 | 24/11/2022 | - | - | ? | Multiple organizations | Security researchers at Cyble observe initial access brokers (IABs) selling access to enterprise networks likely compromised via CVE-2022-40684, a recently patched critical vulnerability in Fortinet products. | CVE-2022-40684 Vulnerability | Multiple Industries | CC | >1 | Cyble, CVE-2022-40684, Fortinet |
| 96 | 24/11/2022 | - | - | ? | Multiple organizations | Researchers from Kaspersky discover a malicious campaign distributing phishing pages via Google Translate links. | Account Takeover | Multiple Industries | CC | >1 | Kaspersky, Google Translate |
| 97 | 25/11/2022 | Since at least 21/11/2022 | 21/11/2022 | Sandworm | Multiple organizations in Ukraine | Researchers at ESET discover a new wave of ransomware attacks carried out by the Sandworm group, targeting organizations in Ukraine via the RansomBoggs ransomware. | Malware | Multiple Industries | CW | UA | ESET, ransomware, Sandworm, RansomBoggs |
| 98 | 25/11/2022 | - | - | Vice Society | Cincinnati State Technical and Community College | The Vice Society ransomware operation claims responsibility for a cyberattack on Cincinnati State Technical and Community College, with the threat actors now leaking data allegedly stolen during the attack. | Malware | Education | CC | US | Vice Society, ransomware, Cincinnati State Technical and Community College |
| 99 | 25/11/2022 | 21/11/2022 | 21/11/2022 | ? | Island of Guadeloupe | The island of Guadeloupe is dealing with the aftereffects of a ransomware attack. | Malware | Public admin and defence, social security | CC | GP | Guadeloupe, ransomware |
| 100 | 25/11/2022 | During October 2022 | 25/11/2022 | Hive | Guilford College | Guilford College confirms that the Hive ransomware actors who attacked the school also stole sensitive data of students, faculty and staff. | Malware | Education | CC | US | Guilford College, Hive, ransomware |
| 101 | 25/11/2022 | 'Recently' | 'Recently' | Punisher | Organizations in Chile | Researchers from Cyble discover a new variant of the Punisher ransomware, spreading through a COVID-19-themed phishing website disguised as a COVID tracking application and targeting Chilean users. | Malware | Multiple Industries | CC | CL | Cyble, Punisher, ransomware, COVID-19 |
| 102 | 25/11/2022 | 25/11/2022 | 25/11/2022 | Black Reward Team | Iran's Fars state news agency | Iran's Fars state news agency is hit with a cyberattack claimed by the hacktivist group Black Reward Team. The hacktivists claim to have deleted nearly 250 terabytes of data. | Malware | Information and communication | H | IR | Iran, Fars, Black Reward |
| 103 | 25/11/2022 | During October 2022 | During October 2022 | BianLian | Harry Rosen | Canadian menswear retailer Harry Rosen acknowledges being hit by a BianLian ransomware attack. | Malware | Wholesale and retail | CC | CA | Harry Rosen, BianLian, ransomware |
| 104 | 25/11/2022 | - | - | Xenotime and Kamacite | LNG terminals in the Netherlands | Researchers from Dragos report that Russian hackers from Xenotime and Kamacite have been doing "exploratory research" into the systems of Dutch LNG (Liquefied Natural Gas) terminals. | Targeted Attack | Electricity, gas steam, air conditioning | CW | NL | Dragos, Xenotime, Kamacite, Russia, LNG, Liquefied Natural Gas |
| 105 | 25/11/2022 | - | 19/11/2022 | LV | UnitedAuto | LV adds UnitedAuto, a Mexican automotive company, to its leak site, claiming to have more than 2TB of stolen personal information. | Malware | Wholesale and retail | CC | MX | LV, UnitedAuto, ransomware |
| 106 | 25/11/2022 | - | - | BlackByte | La Piamontesa | The La Piamontesa food company in Argentina is added to BlackByte's ransomware leak site. | Malware | Accommodation and food service | CC | AR | La Piamontesa, BlackByte, ransomware |
107
25/11/2022
25/11/2022
25/11/2022
Royal
Comune di Macerata (Municipality of Macerata)
The Italian Municipality of Macerata is hit with an alleged Royal ransomware attack.
Malware
Public admin and defence, social security
CC
IT
Municipality of Macerata, Royal, ransomware
108
26/11/2022
-
16/11/2022
Ragnar Locker
Zwijndrecht Police
The Ragnar Locker ransomware gang publishes stolen data from what they thought was the municipality of Zwijndrecht, but turned out to be stolen from Zwijndrecht police, a local police unit in Antwerp, Belgium.
Malware
Public admin and defence, social security
CC
BE
Ragnar Locker, Ransomware, Municipality of Zwijndrecht, Zwijndrecht Police, Antwerp
109
27/11/2022
25/11/2022
25/11/2022
?
Durham District School Board (DDSB)
The Durham District School Board (DDSB) says it’s currently recovering from what it calls a ‘cyber-incident’, likely a ransomware attack, that has left schools without access to phone or email services as well as emergency contact information.
Malware
Education
CC
CA
Durham District School Board, DDSB, ransomware
110
28/11/2022
-
16/11/2022
?
WhatsApp users
A threat actor posts an ad on a well-known hacking community forum, claiming they are selling a 2022 database of 487 million WhatsApp user mobile numbers.
Unknown
Individual
CC
>1
WhatsApp
111
28/11/2022
-
-
?
Android users
A fake Android SMS application, with 100,000 downloads on the Google Play store, is discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook.
Malware
Individual
CC
>1
Android, Google Play, Microsoft, Google, Instagram, Telegram, Facebook
112
28/11/2022
-
-
CashRewindo
Individuals
Researchers at Confiant discover a sophisticated threat actor named 'CashRewindo' using 'aged' domains in global malvertising campaigns that lead to investment scam sites.
Malvertising
Individual
CC
>1
Confiant, CashRewindo
113
28/11/2022
-
-
UNC4191
Public and private entities in Southeast Asia, Asia-Pacific, Europe, and the US
Researchers from Mandiant discover a China-linked cyberespionage group, tracked as UNC4191, using self-replicating malware on USB drives to infect targets.
Targeted Attack
Multiple Industries
CE
>1
Mandiant, China-linked, UNC4191, USB
114
28/11/2022
Since at least January 2022
-
?
Multiple organizations
The US Cybersecurity and Infrastructure Security Agency (CISA) warns organizations that CVE-2021-35587, a critical Oracle Fusion Middleware vulnerability patched in early 2022 is being exploited in attacks.
CVE-2021-35587 Vulnerability
Multiple Industries
CC
US
US Cybersecurity and Infrastructure Security Agency, CISA, CVE-2021-35587, Oracle Fusion
115
28/11/2022
Since at least July 2022
During July 2022
?
Multiple organizations in UAE
Researchers at CloudSEK discover a massive phishing campaign targeting organizations in UAE.
Account Takeover
Multiple Industries
CC
UAE
CloudSEK, UAE
116
28/11/2022
-
-
?
TikTok users
Researchers from CheckMarx discover a campaign exploiting the TIkTok “Invisible Challenge” to distribute the WASP infostealer.
Malware
Individual
CC
>1
CheckMarx, TIkTok, Invisible Challenge, WASP
117
28/11/2022
-
8/10/2022
?
Oceansview Optical
Oceansview Optical suffers a ransomware attack.
Malware
Human health and social work
CC
US
Oceansview Optical, ransomware
118
28/11/2022
06/09/2022
-
?
Stern Cardiovascular Foundation (SCF)
The Stern Cardiovascular Foundation (SCF) announces that it experienced a data security incident that caused disruption to certain parts of its computer network.
Unknown
Human health and social work
CC
US
Stern Cardiovascular Foundation, SCF
119
28/11/2022
-
-
Unknown mandarin speaking threat actors
Multiple organizations
Researchers from CYFIRMA discover a campaign dubbed “流血你” translating to “bleed you”, targeting CVE-2022-34721, a Windows Internet Key Exchange (IKE) Protocol Extensions vulnerability, suspected to be operated by unknown mandarin speaking threat actors.
CVE-2022-34721 Vulnerability
Multiple Industries
CE
>1
CYFIRMA, 流血你, bleed you, CVE-2022-34721, Windows, Internet Key Exchange, IKE, China
120
28/11/2022
27/11/2022
27/11/2022
BlackCat AKA ALPHV
Ayuntamiento Requena
Ayuntamiento Requena (Requena City Council) discloses a BlackCat ransomware attack.
Malware
Public admin and defence, social security
CC
ES
Ayuntamiento Requena, Requena City Council, BlackCat, ransomware, ALPHV
121
29/11/2022
-
-
XakNet
Ukraine Ministry of Finance
Russian hackers from the XakNet collective claim to have breached the Ukraine Ministry of Finance, gaining access to more than one million documents.
Unknown
Public admin and defence, social security
H
UA
XakNet, Ukraine Ministry of Finance
122
29/11/2022
-
-
Spanish cybercrime organization
300 victims across Europe
The Spanish National Police dismantles a cybercrime organization that used fake investment sites to defraud over €12.3 million ($12.8 million) from 300 victims across Europe.
Account Takeover
Individual
CC
EU
Spanish National Police
123
29/11/2022
Since at least 02/11/2022
02/11/2022
Trigona
Multiple organizations
A previously unnamed ransomware has rebranded under the name 'Trigona,' launching a new Tor negotiation site where they accept Monero as ransom payments.
Malware
Multiple Industries
CC
>1
Trigona, ransomware
124
29/11/2022
-
-
Multiple threat actors
Individuals
Researchers at Group-IB discover over 16,000 scam domains and 40 malicious apps in the Google Play, using FIFA World Cup 2022 branding to lure users.
>1
Individual
CC
>1
Group-IB, World Cup 2022
125
29/11/2022
19/11/2022
-
?
One Brooklyn Health
One Brooklyn Health is hit with a cyberattack causing disruption at its three hospitals – Interfaith Medical Center, Brookdale Hospital Medical Center, and Kingsbrook Jewish Medical Center
Unknown
Human health and social work
CC
US
One Brooklyn Health, Interfaith Medical Center, Brookdale Hospital Medical Center, Kingsbrook Jewish Medical Center
126
29/11/2022
-
-
Vice Society
IKEA Morocco
Ransomware cartel Vice Society adds data stolen from IKEA Morocco to the gang’s website. The company confirms it was attacked.
Malware
Manufacturing
CC
MA
Ransomware, Vice Society, IKEA Morocco
127
29/11/2022
-
-
Vice Society
IKEA Kuwait
Ransomware cartel Vice Society adds data stolen from IKEA Kuwait to the gang’s website. The company confirms it was attacked.
Malware
Manufacturing
CC
KW
Ransomware, Vice Society, IKEA Kuwait
128
29/11/2022
29/11/2022
29/11/2022
?
Camst
Camst, an Italian company operating in the catering services, is hit with a ransomware attack.
Malware
Accommodation and food service
CC
IT
Camst, ransomware
129
30/11/2022
'Recently'
'Recently'
?
GoTo
Remote access and collaboration company GoTo discloses that they suffered a security breach where threat actors gained access to their development environment and third-party cloud storage service.
Account Takeover
Professional, scientific and technical
CC
US
GoTo
130
30/11/2022
'Recently'
'Recently'
?
LastPass
LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.
Account Takeover
Professional, scientific and technical
CC
US
LastPass
131
30/11/2022
-
-
?
Android users
Researchers at Lookout discover over 280 Android and iOS apps on the Google Play and the Apple App stores trapping users in loan schemes with misleading terms and employed various methods to extort and harass borrowers.
Malware
Individual
CC
>1
Lookout, Android, iOS, Google Play, Apple Store
132
30/11/2022
Since multiple years
-
Variston
Multiple organizations
Researchers from Google's Threat Analysis Group (TAG) links an exploit framework that targets now-patched vulnerabilities in the Chrome and Firefox web browsers and the Microsoft Defender security app to a Variston, a Spanish software company.
Malware
Multiple Industries
CE
>1
Google's Threat Analysis Group, TAG, Chrome, Firefox, Microsoft Defender, Variston
133
30/11/2022
Since at least April 2021
During April 2021
APT 37 (AKA Reaper, Red Eyes, Erebus, ScarCruft)
Multiple organizations
Researchers at ESET discover a previously unknown backdoor called Dolphin used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage.
Targeted Attack
Multiple Industries
CE
>1
ESET, Dolphin, North Korea, Google Drive, APT 37, Reaper, Red Eyes, Erebus, ScarCruft
134
30/11/2022
27/11/2022
27/11/2022
RansomHouse
Keralty
The Keralty multinational healthcare organization suffers a RansomHouse ransomware attack, disrupting the websites and operations of the company and its subsidiaries.
Malware
Human health and social work
CC
CO
Keralty, RansomHouse, ransomware
135
30/11/2022
Since at least October 2022
During October 2022
Lilac Wolverine
Individuals
Researchers from Abnormal Security reveal the details of Lilac Wolverine, a business email compromise (BEC) gang, hacking people's email accounts and sending messages to their contacts claiming the account owner needs to send a gift to an unwell friend in an attempt to manipulate people into sending online gift cards.
Account Takeover
Individual
CC
>1
Abnormal Security, Lilac Wolverine
136
30/11/2022
-
-
?
Suffolk University
Suffolk University reports a data breach after learning that an unauthorized party was able to access and remove certain files containing sensitive student information from the school’s computer network.
Unknown
Education
CC
US
Suffolk University
137
30/11/2022
30/11/2022
30/11/2022
?
Vatican website
The official Vatican website is taken offline on, following an apparent hacking attack. The suspected hack came a day after Moscow criticised Pope Francis's latest condemnation of Russia's invasion of Ukraine.
Unknown
Education
H
VA
Vatican, Russia
138
30/11/2022
'Recently'
'Recently'
?
Mobile payment users in Japan
Researchers from McAfee analyze a new malware targeting mobile payment users in Japan. The malware is distributed on the Google Play store and pretends to be a legitimate mobile security app,
Malware
Finance and insurance
CC
JP
McAfee, Japan, Google Play, Android
139
30/11/2022
'Recently'
'Recently'
?
Individuals
Researchers from Cyble identify 6 phishing sites impersonating Express VPN, distributing the Redline stealer.
Malware
Individual
CC
>1
Cyble, Express VPN, Redline
140
30/11/2022
-
-
Multiple threat actors
Android users
Google’s Android security team reports that hackers signed malicious applications using several compromised Android platform certificates.
Malware
Individual
CC
>1
Google, Android
141
30/11/2022
29/11/2022
29/11/2022
?
Argentina de Soluciones Satelitales (ARSAT)
Argentina de Soluciones Satelitales (ARSAT) discloses a cyberattack.
Unknown
Unknown
CC
AR
Argentina de Soluciones Satelitales, ARSAT
142
30/11/2022
-
-
Vice Society
Plascar Participações Industriais S.A. (Plascar)
The Vice Society ransomware group adds Plascar Participações Industriais S.A. (Plascar) to their dedicated leak site. The threat actors claim to have 650 GB of information about the company that they have leaked.