In the first timeline of December I have collected 147 events (corresponding to 9.8 events/day), a result slightly higher than, but substantially in line with, the previous timeline, which confirms the sustained level of activity characterizing this end of 2022.
Ransomware continues to characterize the threat landscape, but its share slides back under 30% (25.8%, corresponding to 38 out of 147 events, vs. 32.6% in the second timeline of November). The exploitation of vulnerabilities moved in the opposite direction, accounting for 10.2% of events (15 out of 147), nearly double the share of the second timeline of November.
Another Decentralized Finance platform has joined the list of those suffering massive hacks: this time it was the turn of Ankr, which suffered a loss of $5M worth of assets.
What is really crowded this month is the cyber espionage front, with an unusually high number of campaigns by well-known threat actors from China, Iran and North Korea, such as APT37, APT42 (AKA Charming Kitten), Cloud Atlas, Cobalt Mirage, Evilnum, MuddyWater and Mustang Panda. Of course Ukraine was hit as well, by a campaign from a threat actor named UNC4166 and by multiple wipers launched by the Russian threat actor Sandworm (but in this case we are crossing the boundaries of cyber warfare). Even Russian mayor's offices and courts were hit by a wiper, dubbed CryWiper. The situation in Ukraine also affected hacktivism, with several DDoS attacks against targets in Italy launched by the pro-Russian NoName057(16) group, while a DDoS attack launched by the IT Army of Ukraine hit the Russian VTB Bank.
This fortnight too, the list is too long to be summarized in a few words (this one in particular), so my suggestion is to enjoy the interactive timeline and the tabular format. As always, thanks for sharing it and supporting my work in spreading risk awareness across the community, and don't forget to follow @paulsparrows on Twitter, or connect on LinkedIn, for the latest updates.
Geo Map December H1 2022
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
1
01/12/2022
Since at least fall 2022
During fall 2022
CryWiper
Russian mayor's offices and courts
Researchers from Kaspersky discover CryWiper, a previously undocumented data wiper, masquerading as ransomware, but in reality, destroying data beyond recovery in attacks against Russian mayor's offices and courts.
Malware
Public admin and defence, social security
CW
RU
Kaspersky, CryWiper, Russia
2
01/12/2022
Since November 2022
During January 2020
Cuba
Multiple organizations
The FBI and CISA reveal in a new joint security advisory that the Cuba ransomware gang raked in over $60 million in ransoms as of August 2022 after breaching more than 100 victims worldwide.
Malware
Multiple Industries
CC
>1
Cuba, FBI, CISA, Ransomware
3
01/12/2022
'Recently'
'Recently'
DuckLogs
Multiple organizations
Researchers from Cyble discover 'DuckLogs', a new malware-as-a-service (MaaS) operation giving low-skilled attackers easy access to multiple modules to steal information, log keystrokes, access clipboard data, and gain remote access to the compromised host.
Malware
Multiple Industries
CC
>1
Cyble, DuckLogs
4
01/12/2022
Since 2018
-
Schoolyard Bully
Android users
Researchers from Zimperium discover 'Schoolyard Bully', an Android malware campaign that infected 300,000 devices, masquerading as reading and education apps, ongoing since 2018, attempting to steal Facebook account credentials from infected devices.
Malware
Individual
CC
>1
Zimperium, Schoolyard Bully, Android
5
01/12/2022
-
-
Black Panthers
Individuals
The Spanish National Police arrest 55 members of the 'Black Panthers' cybercrime group, a highly organized operation dedicated to social engineering, vishing, phishing, and carding.
Account Takeover
Individual
CC
>1
Black Panthers
6
01/12/2022
Since at least June 2022
-
Lazarus Group
Crypto users
Researchers from Volexity discover a new campaign by the North Korean 'Lazarus' hacking group, spreading fake cryptocurrency apps under the made-up brand "BloxHolder" to install the AppleJeus malware for initial access to networks and to steal crypto assets.
Malware
Fintech
CC
>1
Volexity, North Korea, Lazarus, BloxHolder, AppleJeus
7
01/12/2022
-
-
?
Vulnerable Redis servers
Researchers at Aqua Security discover Redigo, a new backdoor targeting Redis servers, written in Go and exploiting CVE-2022-0543.
CVE-2022-0543 Vulnerability
Multiple Industries
CC
>1
Aqua Security, Redigo, Redis, Go, CVE-2022-0543
8
01/12/2022
07/08/2022
-
?
Wing Financial
Wing Financial reports a data breach after confirming that an unauthorized party was able to access confidential consumer information that had been entrusted to the company.
Unknown
Finance and insurance
CC
US
Wing Financial
9
01/12/2022
-
-
?
San Diego Unified School District
The offices of San Diego Unified School District experience a computer-network security breach.
Unknown
Education
CC
US
San Diego Unified School District
10
01/12/2022
Since 29/11/2022
29/11/2022
?
Monroe Township School District
The Monroe Township School District cancels classes for three days due to technical problems caused by an "unauthorized third party".
Unknown
Education
CC
US
Monroe Township School District
11
01/12/2022
-
-
Hive
Undisclosed Brazilian debt collection firm
An undisclosed Brazilian debt collection firm is hit with a Hive ransomware attack.
Malware
Finance and insurance
CC
BR
Hive, ransomware
12
01/12/2022
-
19/11/2022
?
FanDuel
The FBI investigates a cyber attack hitting the online betting company FanDuel.
Credential Stuffing
Arts entertainment, recreation
CC
US
FanDuel
13
01/12/2022
29/11/2022
29/11/2022
?
Vancouver Film School
Vancouver Film School is hit with a paralyzing cyber attack.
Unknown
Education
CC
CA
Vancouver Film School
14
01/12/2022
15/11/2022
15/11/2022
Royal
Adams-Friendship Area School District (AFASD)
The Adams-Friendship Area School District (AFASD) is hit by a Royal ransomware attack.
Malware
Education
CC
US
Adams-Friendship Area School District, AFASD, Royal, ransomware
15
02/12/2022
02/12/2022
02/12/2022
?
Rackspace
American cloud computing services provider Rackspace is hit with a ransomware attack.
Malware
Professional, scientific and technical
CC
US
Rackspace, Ransomware
16
02/12/2022
-
-
?
Undisclosed organization(s)
Google releases Chrome 108.0.5359.94/.95 for Windows, Mac, and Linux users to address CVE-2022-4262, a single high-severity security flaw, the ninth Chrome zero-day exploited in the wild patched since the start of the year.
CVE-2022-4262 Vulnerability
Unknown
N/A
N/A
Google, Chrome, CVE-2022-4262
17
02/12/2022
-
-
?
Android users
Researchers from Dr.Web discover a new set of Android malware, phishing, and adware apps infiltrating the Google Play store, tricking over two million people into installing them.
Malware
Individual
CC
>1
Android, Dr.Web
18
02/12/2022
Since June 2022
-
Scattered Spider
Telecommunications and business process outsourcing (BPO) organizations
Researchers at CrowdStrike discover an intrusion campaign targeting telecommunications and business process outsourcing (BPO) companies actively reversing defensive mitigations applied when the breach is detected.
>1
Information and communication
CC
>1
CrowdStrike
19
02/12/2022
01/12/2022
01/12/2022
?
Ankr
Decentralized finance (DeFi) protocol Ankr confirms it has been hit by a multi-million dollar exploit. Losses amount to $5M worth.
Vulnerability
Fintech
CC
N/A
Ankr
20
02/12/2022
02/12/2022
02/12/2022
Hive
Knox College
Knox College is hit with a ransomware attack. The Hive group claims responsibility.
Malware
Education
CC
US
Hive, ransomware, Knox College
21
02/12/2022
-
-
?
Multiple organizations
Researchers from Sucuri discover a massive black hat SEO campaign related to the Qatar 2022 FIFA World Cup, compromising websites to promote Chinese gambling, sports betting sites, and mobile apps.
Vulnerability
Multiple Industries
CC
>1
Sucuri, Black Hat SEO, Qatar 2022 FIFA World Cup
22
02/12/2022
'Recently'
'Recently'
Mustang Panda
Organizations in Myanmar
Researchers from Avast discover a distribution point hosting a malware toolset used by the Chinese threat actor Mustang Panda to target organizations in Myanmar.
Targeted Attack
Multiple Industries
CE
MM
Avast, China, Mustang Panda
23
02/12/2022
22/12/2022
-
?
Three Cube IT Lab India
Three Cube IT Lab India, an Indian provider of business and consulting services, is compromised, and as a consequence patient data of Sree Saran Medical Centre is put up for sale by a threat actor.
Unknown
Professional, scientific and technical
CC
IN
Three Cube IT Lab India, Sree Saran Medical Centre
24
03/12/2022
Since at least 08/10/2022
-
Sandworm (AKA Iridium)
Critical infrastructures in Ukraine
Researchers at Microsoft discover a new wave of destructive attacks against critical infrastructures in Ukraine, carried out via multiple wipers such as FoxBlade, Caddywiper, and Prestige.
Malware
Electricity, gas steam, air conditioning
CW
UA
Microsoft, Sandworm, IRIDIUM, Ukraine, FoxBlade, Caddywiper, Prestige
25
03/12/2022
During November 2022
During November 2022
?
Safdarjung Hospital
Safdarjung Hospital is hit with a cyber-attack.
Unknown
Human health and social work
CC
IN
Safdarjung Hospital
26
03/12/2022
03/12/2022
03/12/2022
NoName057(16)
Italian Ministry of Agricultural, Food, and Forestry Policies (MIPAAF)
NoName057(16), a Russian hacking group, claims to have launched a DDoS attack against the official website of the Italian Ministry of Agricultural, Food, and Forestry Policies (MIPAAF).
DDoS
Public admin and defence, social security
H
IT
NoName057(16), Russia, Italy, Ministry of Agricultural, Food, and Forestry Policies, MIPAAF
27
04/12/2022
03/12/2022
03/12/2022
?
Hospital Centre of Versailles
The Hospital Centre of Versailles shuts down its phone and computer systems because of a ransomware attack.
Malware
Human health and social work
CC
FR
Hospital Centre of Versailles, ransomware
28
04/12/2022
-
-
Bl00dy
Lucchini Group
Lucchini Group, one of the main producers of steel in Italy is hit with a Bl00dy ransomware attack.
Malware
Manufacturing
CC
IT
Lucchini Group, Bl00dy, ransomware
29
05/12/2022
-
-
Russia-affiliated threat actors
Multiple organizations in the US, the UK, France
Researchers from Lupovis reveal that Russia-affiliated threat actors have compromised systems belonging to multiple organizations in the US, the UK, France, and other countries and are using them to launch attacks against targets in Ukraine.
>1
Multiple Industries
CW
FR
UK
US
Lupovis, Russia, Ukraine
30
05/12/2022
'Recently'
'Recently'
?
Multiple organizations
Researchers at Sysdig discover threat actors leveraging an open source tool called PRoot to expand the scope of their operations to multiple Linux distributions and reduce the effort required.
Malware
Multiple Industries
CC
>1
Sysdig, PRoot, Linux
31
05/12/2022
Since at least 05/10/2022
05/10/2022
Threat actor from China
Amnesty International Canada
Amnesty International's Canadian branch discloses a security breach detected in early October and linked to a threat group likely sponsored by China.
Targeted Attack
Extraterritorial orgs and bodies
CE
CA
Amnesty International Canada, China
32
05/12/2022
Between 15/09/2022 and 25/11/2022
-
APT42 AKA Charming Kitten
Human rights activists, journalists, diplomats and politicians working in the Middle East
The Human Rights Watch (HRW) discovers a well-resourced and ongoing international cyber espionage campaign targeting human rights activists, journalists, diplomats and politicians working in the Middle East.
Targeted Attack
Individual
CE
>1
Human Rights Watch, HRW, APT42, Charming Kitten
33
05/12/2022
During 2022
During 2022
Group X
Over 40 e-commerce sites
Researchers from Jscrambler discover a new web skimming campaign compromising over 40 e-commerce sites.
Malicious script injection
Wholesale and retail
CC
>1
Jscrambler, Group X
34
05/12/2022
Since mid-2020
-
APT41
U.S. Government
The U.S. Secret Service reveals that the Chinese state-sponsored group APT41 has stolen at least $20m from US COVID-relief funds, in what appears to be a first-of-its-kind campaign.
Account Takeover
Public admin and defence, social security
CC
US
APT41, COVID-19
35
05/12/2022
-
-
Team Mysterious Bangladesh
Indian Central Board of Higher Education (CBHE)
Researchers from CloudSEK reveal that a threat actor group named “Team Mysterious Bangladesh” has claimed to have compromised the Indian Central Board of Higher Education (CBHE) systems.
Unknown
Public admin and defence, social security
H
IN
CloudSEK, Team Mysterious Bangladesh, Indian Central Board of Higher Education, CBHE
36
05/12/2022
02/10/2022
-
?
Hartnell Community College District
Hartnell Community College District reports a data breach after the school experienced what appears to have been a cyberattack that resulted in sensitive student information being leaked.
Unknown
Education
CC
US
Hartnell Community College District
37
05/12/2022
Between 31/08/2022 and 10/09/2022
-
?
Black, Gould & Associates (BGA)
Black, Gould & Associates (BGA) reports a data breach after the company discovered that consumer information stored on its computer system was compromised after an unauthorized party gained access to its network.
Unknown
Finance and insurance
CC
US
Black, Gould & Associates (BGA)
38
05/12/2022
25/06/2022
25/06/2022
?
Macmillan
Macmillan reports a data breach after an unauthorized party was able to bypass its data security system and gain access to sensitive consumer information on the company’s computer system after a ransomware attack.
Malware
Information and communication
CC
US
Macmillan, ransomware
39
05/12/2022
-
-
?
Snap Finance
Snap Finance reports a data breach after the company learned that an unauthorized party was able to access confidential information that was stored on its computer network.
Unknown
Finance and insurance
CC
US
Snap Finance
40
05/12/2022
-
09/09/2022
?
Polsinelli PC
Polsinelli PC, a law firm that provides corporate legal services to hospitals, says files that contained patient information were accessed from two locations by unauthorized individuals.
Unknown
Professional, scientific and technical
CC
US
Polsinelli PC
41
05/12/2022
Between 05/07/2022 and 13/07/2022
08/08/2022
?
Orlando Health
An employee email account from Orlando Health is accessed by an unauthorized user, which may have compromised the information of 3,662 patients.
Account Takeover
Human health and social work
CC
US
Orlando Health
42
05/12/2022
11/11/2022
11/11/2022
?
Little Rock School District
The Little Rock School District approves a $250K payment for a ransomware attack.
Malware
Education
CC
US
Little Rock School District, ransomware
43
05/12/2022
-
26-27/11/2022
?
29 Israeli transportation, logistics services and forwarding firms
A group of hackers posts a trove of approximately 50GB of data for sale on two online forums and a Telegram group, belonging to 29 Israeli transportation, logistics services and forwarding firms.
Unknown
Transportation and storage
CC
IL
Israel
44
05/12/2022
Since 20/11/2022
-
?
New World TV
New World TV, the company that holds the World Cup broadcasting rights for sub-Saharan Africa says it has suffered a series of cyber-attacks since the tournament began.
Unknown
Information and communication
CC
TG
New World TV
45
05/12/2022
05/12/2022
05/12/2022
?
Instituto Nacional de Estadísticas y Censos (Indec)
The Argentinian National Institute of Statistics and Census (INDEC) is hit with malware.
Malware
Public admin and defence, social security
CC
AR
Instituto Nacional de Estadísticas y Censos, INDEC
46
05/12/2022
02/12/2022
02/12/2022
?
Cetrogar
Cetrogar, an Argentinian retailer of technology, household items, and appliances, is hit with a ransomware attack.
Malware
Wholesale and retail
CC
AR
Cetrogar, ransomware
47
06/12/2022
'Recently'
'Recently'
Mustang Panda
Organizations in Europe and the Asia Pacific
Researchers from Blackberry reveal that the China-linked nation-state hacking group Mustang Panda is using lures related to the ongoing Russian-Ukrainian War to attack entities in Europe and the Asia Pacific.
Targeted Attack
Multiple Industries
CE
>1
Blackberry, Mustang Panda, Russia, Ukraine, China
48
06/12/2022
06/12/2022
06/12/2022
IT Army of Ukraine
VTB Bank
Russia's second-largest financial institution VTB Bank says it is facing the worst cyber attack in its history after its website and mobile apps were taken offline due to an ongoing DDoS attack.
DDoS
Finance and insurance
H
RU
Russia, VTB Bank, IT Army of Ukraine
49
06/12/2022
During October 2022
During October 2022
DEV-0139
Cryptocurrency investment companies
Researchers at Microsoft reveal that cryptocurrency investment companies have been targeted by a threat group it tracks as DEV-0139 via Telegram groups used to communicate with the firms' VIP customers.
Malware
Fintech
CC
>1
Microsoft, DEV-0139, Telegram
50
06/12/2022
05/12/2022
05/12/2022
Play
Digipolis
The city of Antwerp, Belgium, is working to restore its digital services that were disrupted by a ransomware attack on Digipolis, its digital provider.
Malware
Professional, scientific and technical
CC
BE
Antwerp, ransomware, Digipolis, Play
51
06/12/2022
-
05/12/2022
Unnamed cybersecurity company
CloudSEK
Indian cybersecurity firm CloudSEK says a threat actor gained access to its Confluence server using stolen credentials for one of its employees' Jira accounts.
Account Takeover
Professional, scientific and technical
CC
IN
CloudSEK, Confluence, Jira
52
06/12/2022
Since at least mid-November 2022
During mid-November 2022
Zerobot
Multiple organizations
Researchers from Fortinet discover a new Go-based malware named 'Zerobot', using exploits for almost two dozen vulnerabilities in a variety of devices that include F5 BIG-IP, Zyxel firewalls, Totolink and D-Link routers, and Hikvision cameras.
Malware
Multiple Industries
CC
>1
Fortinet, Zerobot, Go, F5 BIG-IP, Zyxel, Totolink, D-Link, Hikvision
53
06/12/2022
-
-
SEABORGIUM (AKA Callisto, COLDRIVER, TA446)
Multiple organizations
Researchers from Recorded Future discover a new campaign by SEABORGIUM (AKA Callisto, COLDRIVER and TA446) using infrastructure, tactics and techniques to further credential harvesting efforts linked to the Russian state.
Account Takeover
Multiple Industries
CC
>1
Recorded Future, SEABORGIUM, Callisto, COLDRIVER, TA446, Russia
54
06/12/2022
-
30/11/2022
?
Mercury IT
A ransomware attack on Mercury IT, a widely used managed service provider in New Zealand, disrupts dozens of organizations in the country, including several government departments and public authorities.
Malware
Professional, scientific and technical
CC
NZ
Mercury IT
55
06/12/2022
Since at least February 2022
During February 2022
?
Blakehurst
Blakehurst, a senior living community, notifies current and former employees and patients of a data security incident after it discovered unusual activity within its email environment.
Account Takeover
Human health and social work
CC
US
Blakehurst
56
06/12/2022
Since 19/08/2021
-
BackdoorDiplomacy
Telecommunications firm in the Middle East
Researchers at Bitdefender uncover a new cyber-espionage campaign targeting a telecommunications firm in the Middle East.
Targeted Attack
Information and communication
CE
N/A
Bitdefender, BackdoorDiplomacy
57
06/12/2022
-
-
?
Indian Council of Medical Research (ICMR)
The Indian Council of Medical Research (ICMR) is targeted by attackers allegedly coming from Hong Kong.
Unknown
Human health and social work
N/A
IN
Indian Council of Medical Research, ICMR, Hong Kong
58
06/12/2022
05/12/2022
05/12/2022
?
Hudson County Schools of Technology (HCST)
The Hudson County Schools of Technology (HCST) is hit with a ransomware attack.
Malware
Education
CC
US
Hudson County Schools of Technology, HCST, ransomware
59
06/12/2022
06/12/2022
06/12/2022
?
Trois Cantons Ambulances
The Trois Cantons ambulances in Peyrehorade are hit with a ransomware attack.
Malware
Human health and social work
CC
FR
Trois Cantons ambulances, Peyrehorade, ransomware
60
06/12/2022
06/12/2022
06/12/2022
Play
Jalisco Congress (Congress of Jalisco)
The Jalisco Congress is hit with a Play ransomware attack.
Malware
Public admin and defence, social security
CC
MX
Jalisco Congress, Congress of Jalisco, Play, ransomware
61
06/12/2022
05/12/2022
05/12/2022
?
Iochpe-Maxion
Sao Paulo-based automotive components manufacturer Iochpe-Maxion issues a statement about a cyberattack it experienced.
Unknown
Manufacturing
CC
BR
Iochpe-Maxion
62
07/12/2022
-
-
?
Twitter users
Elon Musk followers are added to a "Deal of the Year" list on Twitter that lures them into depositing small crypto amounts into the attackers' wallet with the false promise of receiving up to 5000 Bitcoin in return.
Account Takeover
Fintech
CC
>1
Elon Musk, Deal of the Year, Twitter
63
07/12/2022
Since October 2018
-
CryptosLabs
Individuals in France, Belgium, and Luxembourg
Researchers at Group-IB discover a previously unknown investment scam group named 'CryptosLabs', which has stolen up to €480 million ($505 million) from victims in France, Belgium, and Luxembourg since the launch of its operation in 2018.
Account Takeover
Individual
CC
BE
FR
LU
Group-IB, CryptosLabs
64
07/12/2022
Since at least 31/10/2022
31/10/2022
APT37 (AKA Reaper, Red Eyes, Erebus, ScarCruft)
Organizations in South Korea
Researchers from Google's Threat Analysis Group (TAG) reveal that a group of North Korean hackers tracked as APT37 exploited a previously unknown Internet Explorer vulnerability to infect South Korean targets with malware.
CVE-2022-41128 Vulnerability
Multiple Industries
CE
KR
APT37, Reaper, Red Eyes, Erebus, ScarCruft, CVE-2022-41128, Google's Threat Analysis Group, TAG
65
07/12/2022
Since February 2022
During February 2022
Agrius
Diamond companies in South Africa, Israel and Hong Kong
Researchers from ESET discover a new campaign by the Iranian Agrius APT hacking group, using a new 'Fantasy' data wiper in supply-chain attacks impacting organizations in Israel, Hong Kong, and South Africa.
Targeted Attack
Mining and quarrying
CW
HK
IL
ZA
Agrius, Iran, ESET, Fantasy
66
07/12/2022
-
-
Royal
Healthcare organizations in the US
The U.S. Department of Health and Human Services (HHS) issues a new warning for the country's healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal ransomware gang.
Malware
Human health and social work
CC
US
U.S. Department of Health and Human Services, HHS, Royal, Ransomware
67
07/12/2022
-
-
?
New York Metropolitan Opera
The Metropolitan Opera confirms that it is dealing with a crippling cyberattack that has shut down its website and box office. The cyberattack impacted its network systems, including its "website, box office, and call center."
Unknown
Arts entertainment, recreation
CC
US
Metropolitan Opera
68
07/12/2022
Between 07/12/2021 and 08/12/2021
-
Conti
Acuity Brands
Lighting and building management giant Acuity Brands discloses that it suffered a ransomware attack linked to the Conti operation.
Malware
Manufacturing
CC
US
Acuity Brands, Conti, ransomware
69
07/12/2022
-
-
BlackMagic
Transportation and Logistics Industry in Israel
Researchers from Cyble discover a new ransomware group called BlackMagic, believed to be linked to Iran, apparently motivated more by politics than profit.
Malware
Transportation and storage
CW
IL
Cyble, ransomware, BlackMagic, Iran, Israel
70
07/12/2022
During November 2022
During November 2022
Babuk
Undisclosed large-scale organization
Researchers from Morphisec discover a new Babuk ransomware variant used to target a large-scale organization.
Malware
Unknown
CC
N/A
Morphisec, Babuk
71
08/12/2022
-
-
Zombinder
Android users
Researchers from ThreatFabric discover a darknet platform dubbed 'Zombinder' allowing threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion.
Malware
Multiple Industries
CC
>1
ThreatFabric, Zombinder, Android
72
08/12/2022
Since at least September 2022
During October 2022
MuddyWater (AKA Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros)
Organizations in Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates
Researchers from Deep Instinct discover a new campaign by the Iranian group MuddyWater using compromised corporate email accounts to deliver phishing messages to their targets.
Targeted Attack
Multiple Industries
CE
AM
AZ
EG
IQ
IL
OM
QA
TJ
AE
MuddyWater, Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, Deep Instinct, Iran
73
08/12/2022
Since August 2022
During August 2022
Silence Group
Multiple organizations
Researchers from Cisco Talos reveal an increase in infections of Truebot (aka Silence.Downloader) malware, distributing multiple payloads including the Cl0p ransomware.
Malware
Multiple Industries
CC
>1
Cisco Talos, Truebot, Silence.Downloader, Silence, Cl0p, ransomware
74
08/12/2022
-
-
?
Ukrainian government agencies and the state railway
Ukraine's Computer Emergency Response Team (CERT-UA) discovers a new campaign targeting Ukrainian government agencies and the state railway via the DolphinCape malware.
Malware
Public admin and defence, social security
N/A
UA
CERT-UA, Ukraine, DolphinCape
75
08/12/2022
-
-
Aerst
Multiple organizations
Researchers from Fortinet discover a new ransomware family called Aerst.
Malware
Multiple Industries
CC
>1
Fortinet, ransomware, Aerst
76
08/12/2022
-
-
ScareCrow
Multiple organizations
Researchers from Fortinet discover a new ransomware family called ScareCrow.
Malware
Multiple Industries
CC
>1
Fortinet, ransomware, ScareCrow
77
08/12/2022
-
-
Vohuk
Multiple organizations
Researchers from Fortinet discover a new ransomware family called Vohuk.
Malware
Multiple Industries
CC
>1
Fortinet, ransomware, Vohuk
78
08/12/2022
During 2020 and 2021
-
Evilnum AKA DeathStalker
Legal and financial investment institutions in the Middle East and Europe
Researchers from Kaspersky discover a new campaign by the hack-for-hire group Evilnum targeting legal and financial investment institutions in the Middle East and Europe.
Targeted Attack
Professional, scientific and technical
CE
>1
Kaspersky, Evilnum, DeathStalker
79
08/12/2022
Between 22/09/2022 and 06/10/2022
-
?
Sequoia
Benefits and payroll management company Sequoia says hackers accessed sensitive customer information, including their Social Security numbers and COVID-19 test results.
Misconfiguration
Administration and support service
CC
US
Sequoia
80
08/12/2022
'Recently'
'Recently'
?
Crane Worldwide Logistics
Crane Worldwide Logistics reports a data breach after confirming that a recent cybersecurity event compromised confidential consumer information in the company’s control.
Unknown
Transportation and storage
CC
US
Crane Worldwide Logistics
81
08/12/2022
-
-
?
Teleperformance USA
Teleperformance USA reports a data breach after learning that an unauthorized party had accessed confidential consumer information that was entrusted to the company.
Unknown
Administration and support service
CC
US
Teleperformance USA
82
08/12/2022
-
-
?
Veros Credit
Veros Credit reports a data breach after the company learned that an unauthorized party was able to access confidential consumer information that had been entrusted to the company.
Unknown
Finance and insurance
CC
US
Veros Credit
83
08/12/2022
02/12/2022
06/12/2022
?
Multiple organizations
Researchers from Fortinet discover a 0-day attack in a PyPI package called "shaderz".
Malware
Multiple Industries
CC
>1
Fortinet, PyPI, shaderz
84
08/12/2022
-
-
Venus
Public company executives
The Venus ransomware gang is adopting a new attack method, carefully editing the email inboxes of public company executives to make it appear that some were involved in insider trading.
Malware
Multiple Industries
CC
US
Venus, ransomware
85
08/12/2022
-
-
Cl0p
Healthcare organizations in the US
The Cl0p ransomware gang targets healthcare organizations that offer consultations over the Internet, sending them booby-trapped medical records for the "patient".
Malware
Human health and social work
CC
US
Cl0p, Clop, ransomware
86
08/12/2022
06/12/2022
06/12/2022
?
Multiple organizations
Researchers from Trustwave discover a campaign distributing the Formbook malware via trojanized OneNote documents.
Malware
Multiple Industries
CC
>1
Trustwave, Formbook, OneNote
87
08/12/2022
01/12/2022
01/12/2022
?
Automovil Club Argentino
The Automovil Club Argentino discloses it suffered a cyber intrusion.
Unknown
Other service activities
CC
AR
Automovil Club Argentino
88
08/12/2022
08/12/2022
08/12/2022
?
Morgan County School District
Morgan County School District suffers a cyber security incident that forces it to cancel 3 classes.
Unknown
Education
CC
US
Morgan County School District
89
09/12/2022
Since March-April 2022
March-April 2022
Cloud Atlas
High profile victims in Russia, Belarus, Transnistria (a pro-Kremlin breakaway region of Moldova), and Russian-annexed territories of Ukraine
Researchers from Check Point reveal that the cyber-espionage group Cloud Atlas has ramped up activities targeting Russia, Belarus and disputed parts of Ukraine and Moldova since Russia's invasion.
Targeted Attack
Multiple Industries
CE
>1
Check Point, Cloud Atlas, Russia, Belarus, Transnistria, Moldova, Ukraine
90
09/12/2022
-
-
?
Vulnerable VMware ESXi servers
Researchers from Juniper Networks discover a previously undocumented Python backdoor targeting VMware ESXi servers, enabling attackers to execute commands remotely on a compromised system.
Malware
Multiple Industries
CC
>1
Juniper Networks, Python, VMware ESXi
91
09/12/2022
-
-
?
Individuals
The Australian Federal Police (AFP) arrest four suspected members of a financial investment scam syndicate estimated to have stolen $100 million from victims worldwide.
Account Takeover
Finance and insurance
CC
>1
Australian Federal Police, AFP
92
09/12/2022
Since at least February 2022
During February 2022
Cobalt Mirage (AKA Nemesis Kitten or UNC2448)
U.S. Local Government organizations
Researchers from Secureworks reveal that the networks of several local governments in the U.S. have been targeted with the Drokbk malware, allegedly wielded by Iranian government-backed groups exploiting the Log4j vulnerability.
Log4j Vulnerability
Public admin and defence, social security
CE
US
Secureworks, Cobalt Mirage, Nemesis Kitten, UNC2448, Drokbk, Iran, Log4j
93
09/12/2022
During mid-2021
-
?
Businesses, individuals and banks
Four men accused of participating in credit card fraud and business email compromise (BEC) schemes are arrested for defrauding businesses, individuals and banks of more than $9.2 million during a three-month period in mid-2021.
Business Email Compromise
Multiple Industries
CC
US
Business Email Compromise
94
09/12/2022
-
-
?
Python and Javascript developers
Phylum security researchers warn of a new software supply chain attack relying on typosquatting to target Python and JavaScript developers and deliver ransomware.
Malware
Multiple Industries
CC
>1
Phylum, typosquatting, Python, JavaScript, ransomware
95
09/12/2022
-
-
?
Kaye-Smith
Kaye-Smith reports a data breach after hackers successfully obtained access to confidential consumer information following a ransomware attack.
Malware
Administration and support service
CC
US
Kaye-Smith, ransomware
96
09/12/2022
Between 19/08/2021 and 15/08/2022
17/10/2022
?
Pediatrics West
Pediatrics West notifies more than 1,300 individuals of a healthcare data breach due to an unauthorized party able to access some of its systems.
Unknown
Human health and social work
CC
US
Pediatrics West
97
09/12/2022
-
-
Magniber
Organizations in South Korea
Researchers from Ahnlab discover a new campaign distributing the Magniber ransomware leveraging COVID-19-related filenames to stealthily execute on victim systems.
Malware
Multiple Industries
CC
KR
Ahnlab, Magniber, ransomware, COVID-19
98
12/12/2022
-
09/12/2022
Multiple threat actors
Multiple organizations
Fortinet urges customers to patch their appliances against CVE-2022-42475, an actively exploited FortiOS SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices.
CVE-2022-42475 vulnerability
Unknown
N/A
N/A
Fortinet, CVE-2022-42475, FortiOS SSL-VPN
99
12/12/2022
-
-
?
Teqtivity
Teqtivity, an IT asset management company, reveals that customer data was compromised due to unauthorized access to an AWS backup server. Other companies, such as Uber and TripActions, are impacted.
Misconfiguration
Professional, scientific and technical
CC
US
Teqtivity, AWS, Uber, TripActions
100
12/12/2022
Since at least September 2022
During September 2022
GoTrim
WordPress websites
Researchers from Fortinet discover a new Go-based botnet malware named 'GoTrim' scanning the web for self-hosted WordPress websites and attempting to brute force the administrator's password and take control of the site.
Brute-force
Multiple Industries
CC
>1
Fortinet, Go, GoTrim, WordPress
101
12/12/2022
12/12/2022
12/12/2022
LockBit 3.0
California's Department of Finance
The California's Department of Finance is hit with a LockBit ransomware attack. The attackers claim to have stolen 75GB of files.
Malware
Public admin and defence, social security
CC
US
California's Department of Finance, LockBit, ransomware attack
102
12/12/2022
-
-
Play
H-Hotels
The Play ransomware gang claims responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company.
Malware
Accommodation and food service
CC
DE
Play, ransomware, H-Hotels, h-hotels.com
103
12/12/2022
-
-
?
City of Diest
The city of Diest, in Belgium, is impacted by a cyberattack.
Unknown
Public admin and defence, social security
CC
BE
City of Diest
104
12/12/2022
12/12/2022
12/12/2022
?
Municipality of Borgholm
The municipality of Borgholm in Sweden is hit by a severe cyber attack.
Unknown
Public admin and defence, social security
CC
SE
Municipality of Borgholm
105
12/12/2022
12/12/2022
12/12/2022
?
Municipality of Mörbylånga
The municipality of Mörbylånga in Sweden is hit by a severe cyber attack.
Unknown
Public admin and defence, social security
CC
SE
Municipality of Mörbylånga
106
12/12/2022
During November 2022
During November 2022
CHAOS
Linux servers
Researchers from Trend Micro discover a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware.
Malware
Multiple Industries
CC
>1
Trend Micro, Linux, Go, CHAOS
107
12/12/2022
-
-
Kimsuky AKA Thallium
Foreign experts about North Korea
Researchers from Microsoft reveal that a North Korean state hacking group is using impersonation tactics to steal the experts’ thoughts on North Korean security issues or even offer them money to write reports.
Impersonation
Individual
CE
>1
Microsoft, North Korea, Kimsuky, Thallium
108
12/12/2022
23/11/2022
23/11/2022
Hive
Intersport France
The Hive cyber criminal group claims responsibility for a ransomware attack against Intersport France.
Malware
Wholesale and retail
CC
FR
Hive, Intersport, ransomware
109
12/12/2022
-
-
Xnspy
Android and iPhone users
Security researchers reveal that a little-known phone monitoring app called Xnspy has stolen data from tens of thousands of iPhones and Android devices.
Malware
Individual
CC
>1
Xnspy, iPhone, Android
110
12/12/2022
-
-
?
North Star Leasing
North Star Leasing reports a data breach after discovering that certain information that consumers had entrusted to the company was accessible to an unauthorized party.
Unknown
Finance and insurance
CC
US
North Star Leasing
111
12/12/2022
12/12/2022
12/12/2022
?
Daily Loud Twitter account
Hip hop news outlet Daily Loud has its official Twitter account hacked, with the culprit posting scam tweets.
Account Takeover
Information and communication
CC
US
Daily Loud, Twitter
112
13/12/2022
-
-
NLB
Moscow Electronic School
NLB, a group of pro-Ukrainian hackers, releases more than three million personal records from the state-run Moscow Electronic School website — an educational platform used by Moscow public schools.
Unknown
Education
H
RU
NLB, Ukraine, Russia, Moscow Electronic School
113
13/12/2022
Since at least 2020
-
Newsroom for American and European Based Citizens (NAEBC)
Individuals in the U.S.
Researchers from the Stanford Internet Observatory and Graphika reveal that Russian operators linked to election interference in the United States have been identified manipulating audiences on alternative right-wing social media platforms, including Donald Trump’s Truth Social.
Coordinated Inauthentic Behavior
Individual
CW
US
Newsroom for American and European Based Citizens, NAEBC, Russia, Stanford Internet Observatory, Graphika, Truth Social
114
13/12/2022
-
-
State-sponsored threat actors
Multiple Organizations
Citrix strongly urges admins to apply security updates for a 'Critical' zero-day vulnerability (CVE-2022-27518) in Citrix ADC and Gateway that is actively exploited by state-sponsored hackers to gain access to corporate networks.
CVE-2022-27518 Vulnerability
Unknown
CE
>1
Citrix, CVE-2022-27518, Citrix ADC
115
13/12/2022
-
-
Multiple threat actors
Multiple organizations
Microsoft revokes several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.
Malware
Multiple Industries
CC
>1
Microsoft
116
13/12/2022
Late September 2022
Late September 2022
QBot
Multiple organizations
Researchers at Cisco Talos discover a new QBot phishing campaign adopting a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows.
Malware
Multiple Industries
CC
>1
Cisco Talos, QBot, SVG, HTML smuggling
117
13/12/2022
12/12/2022
12/12/2022
BlackCat AKA ALPHV
Empresas Públicas de Medellín (EPM)
Colombian energy company Empresas Públicas de Medellín (EPM) suffers a BlackCat/ALPHV ransomware attack.
Malware
Electricity, gas steam, air conditioning
CC
CO
Empresas Públicas de Medellín, EPM, BlackCat, ALPHV, ransomware
118
13/12/2022
-
10/12/2022
USDoD
Infragard
InfraGard, a program run by the FBI to build cyber and physical threat information sharing partnerships with the private sector, has its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum.
Account Takeover
Public admin and defence, social security
CC
US
USDoD, Infragard, FBI
119
13/12/2022
-
-
Multiple threat actors
Vulnerable Veeam Backup & Replication servers
The US Cybersecurity and Infrastructure Security Agency (CISA) adds two flaws affecting Veeam Backup & Replication product to its Known Exploited Vulnerabilities Catalog.
CVE-2022-26500 and CVE-2022-26501 vulnerabilities
Multiple Industries
N/A
US
Cybersecurity and Infrastructure Security Agency, CISA, Veeam Backup & Replication
120
13/12/2022
-
-
?
Undisclosed organization(s)
Apple publishes 10 new advisories describing vulnerabilities affecting its products, including CVE-2022-42856, a zero-day that has been exploited against iPhone users.
CVE-2022-42856 Vulnerability
Unknown
N/A
N/A
Apple, CVE-2022-42856, iPhone
121
13/12/2022
-
26/10/2022
?
Lakeside Software
Lakeside Software reports a data breach after learning of unauthorized connections between a third party’s device and Lakeside’s computer servers.
Unknown
Professional, scientific and technical
CC
US
Lakeside Software
122
13/12/2022
-
-
APT5
Organizations in the U.S.
The NSA releases an advisory warning about the wild exploitation of the vulnerability (CVE-2022-27518) affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway attributed to the APT5 group.
Queen Elizabeth Hospital in Barbados, suffers a cyber security incident.
Unknown
Human health and social work
CC
BB
Queen Elizabeth Hospital
124
13/12/2022
Between 02/12/2022 and 04/12/2022
04/12/2022
?
Robert S. Miller
A Washington therapist, Robert S. Miller notifies 640 current and former clients about a phishing incident that resulted in the exposure of some of their protected health information.
Account Takeover
Human health and social work
CC
US
Robert S. Miller
125
14/12/2022
Between 10/01/2022 and 14/02/2022
-
?
Multiple organizations
Researchers from Checkmarx and Illustria discover that unknown threat actors have uploaded a massive 144,294 phishing-related packages on open-source package repositories, including NPM, PyPi, and NuGet.
Account Takeover
Multiple Industries
CC
>1
Checkmarx, Illustria, NPM, PyPi, NuGet
126
14/12/2022
Weeks before the House of Councilors election in July 2022
-
MirrorFace
Japanese political entities
Researchers from ESET discover Operation LiberalFace, a spearphishing campaign, targeting Japanese political entities.
Targeted Attack
Other service activities
CE
JP
ESET MirrorFace, Operation LiberalFace
127
14/12/2022
'Recently'
'Recently'
?
Users of the Gemini crypto exchange
Gemini crypto exchange announces t that customers were targeted in phishing campaigns after a threat actor collected their personal information from a third-party vendor.
Account Takeover
Fintech
CC
>1
Gemini
128
14/12/2022
14/12/2022
14/12/2022
?
FuboTV
FuboTV confirms that a streaming outage preventing subscribers from watching the World Cup Qatar 2022 semifinal match between France and Morocco was caused by a cyberattack.
Unknown
Arts entertainment, recreation
CC
US
FuboTV, World Cup Qatar 2022, France, Morocco
129
14/12/2022
Since late 2020
-
TA453 AKA Phosphorus, Charming Kitten and APT42
Medical researchers, an aerospace engineer and even a Florida-based realtor.
Researchers from Proofpoint reveal that the TA453 cyberespionage group aligned with Iran’s Islamic Revolutionary Guard Corps (IRGC) has been observed attacking new targets over the last two years, including medical researchers, an aerospace engineer and even a Florida-based realtor.
Australia’s TPG Telecom announces that a threat actor has gained unauthorized access to a service hosting the email accounts of 15,000 customers.
Account Takeover
Information and communication
CC
AU
TPG Telecom
131
14/12/2022
Before 14/05/2022
-
?
365 Data Centers
Avem Health Partners reports a data breach after the company learned of a cybersecurity incident at 365 Data Centers, a vendor used by one of Avem’s service providers.
Unknown
Professional, scientific and technical
CC
US
Avem Health Partners, 365 Data Centers
132
14/12/2022
-
02/09/2021
?
Epic Management
Epic Management, a healthcare management company, reveals to have experienced a data security incident involving the exposure of some patient information.
Unknown
Administration and support service
CC
US
Epic Management
133
14/12/2022
Since July 2022
-
LockBit 3.0
Healthcare organizations in the US
The HHS Health Sector Cybersecurity Coordination Center (HC3) warns the healthcare organizations in the U.S. of ongoing campaigns carried out by the LockBit 3.0 ransomware.
Malware
Human health and social work
CC
US
HHS Health Sector Cybersecurity Coordination Center, HC3, LockBit 3.0, ransomware
134
14/12/2022
Since November 2021
-
BlackCat AKA ALPHV
Healthcare organizations in the US
The HHS Health Sector Cybersecurity Coordination Center (HC3) warns the healthcare organizations in the U.S. of ongoing campaigns carried out by the BlackCat ransomware.
Malware
Human health and social work
CC
US
HHS Health Sector Cybersecurity Coordination Center, HC3, BlackCat, ALPHV, ransomware
135
15/12/2022
Early December 2022
Early December 2022
Ukraine?
Multiple major Russian cities
Multiple major Russian cities appear to have faced widespread GPS disruption.
Unknown
Multiple Industries
CW
RU
Russia, Ukraine, GPS Jamming
136
15/12/2022
15/12/2022
15/12/2022
NoName057(16)
Italian Ministry of Defense
Pro-Russian hacktivists of the NoName057(16) collective claim to have taken down 9 sites belonging to the Italian Ministry of Defense
DDoS
Public admin and defence, social security
H
IT
NoName057(16), Russia, Italy, Ministry of Defense
137
15/12/2022
Since at least May 2022
-
UNC4166
Government entities in Ukraine
Researchers from Mandiant identify an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply chain attack.
Targeted Attack
Public admin and defence, social security
CE
UA
UNC4166, Mandiant, Ukraine, ISO, Torrent
138
15/12/2022
During September 2022
14/12/2022
?
Social Blade
Social media analytics platform Social Blade confirms they suffered a data breach after its database was breached and put up for sale on a hacking forum.
Undisclosed Vulnerability
Professional, scientific and technical
CC
US
Social Blade
139
15/12/2022
Early December 2022
Early December 2022
?
Multiple organizations
Researchers from Trustwave discover a phishing campaign using Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII).
Account Takeover
Multiple Industries
CC
>1
Trustwave, Facebook
140
15/12/2022
'Recently'
'Recently'
MCCrash
Targets in Russia, Mexico, Italy, India, Kazakhstan, Singapore
A new cross-platform malware botnet named 'MCCrash' is infecting Windows, Linux, and IoT devices to conduct distributed denial of service attacks on Minecraft servers.
Malware
Multiple Industries
CC
IN
IT
MX
SG
KZ
RU
MCCrash, Windows, Linux, Minecraft
141
15/12/2022
-
-
?
Organizations in the food sector in the U.S.
The FBI, the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the U.S. Department of Agriculture (USDA) reveal that organizations in the food sector are now also targeted in business email compromise (BEC) attacks that aim to steal entire shipments of food.
Business Email Compromise
Accommodation and food service
CC
US
FBI, Food and Drug Administration Office of Criminal Investigations, FDA OCI, U.S. Department of Agriculture, USDA, Business Email Compromise, BEC
142
15/12/2022
-
-
Glupteba
Multiple organizations worldwide
Researchers from Nozomi Networks report that the Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.
Malware
Multiple Industries
CC
>1
Nozomi Networks, Glupteba, Google
143
15/12/2022
-
-
CyberRoot
Multiple organizations
Researchers from Meta expose CyberRoot, an Indian company deploying spyware in multiple campaigns worldwide.
Malware
Multiple Industries
CE
>1
Meta, CyberRoot
144
15/12/2022
-
-
MoneyMonger
Android users
Researchers from Zimperium reveal the details of MoneyMonger, a campaign where threat actors have been exploiting the open-source user interface (UI) software kit Flutter to deploy apps with critical security and privacy risks.
Malware
Individual
CC
>1
Zimperium, Flutter, Android, MoneyMonger
145
15/12/2022
Between 29/07/2022 and 07/09/2022
07/09/2022
?
Order Express
Order Express reports a data breach with several state attorney general offices after the company learned of a data security incident resulting in the sensitive information of more than 63,000 consumers being leaked.
Unknown
Finance and insurance
CC
US
Order Express
146
15/12/2022
-
27/09/2022
?
Hope College
Hope College reports a data breach after the school determined that an unauthorized party had gained access to files containing confidential student information.
Unknown
Education
CC
US
Hope College
147
15/12/2022
-
-
BrasDex
Mobile and desktop Brazilian banking users
Researchers from ThreatFabric discover a new campaign targeting mobile and desktop Brazilian banking users through a new malware dubbed BrasDex
Malware
Finance and insurance
CC
BR
ThreatFabric, BrasDex
148
15/12/2022
-
-
?
Vulnerable FreePBX’s Asterisk
Researchers from Sucuri discover a new campaign targeting FreePBX’s Asterisk Management portal via a backdoor which allows attackers to arbitrarily add and delete users, as well as modify the website’s .htaccess file.
Vulnerability
Multiple Industries
CC
>1
Sucuri, FreePBX’s Asterisk Management
149
15/12/2022
15/12/2022
15/12/2022
?
Huron-Superior Catholic District School
The Huron-Superior Catholic District School Board cancels all classes, due to a cyber incident that shut down its communications systems, including phones.
Unknown
Education
CC
CA
Huron-Superior Catholic District School
150
15/12/2022
'Recently'
'Recently'
W4SP
Python developers
Researchers from Phylum discover another set of 47 packages distributing the W4SP malware on PyPI. However.
Malware
Multiple Industries
CC
>1
Phylum, W4SP, PyPI
151
15/12/2022
-
15/01/2022
?
Heartland Alliance
Heartland Alliance, a social justice and human rights organization, discloses a data breach that potentially involved the protected health information (PHI) of patients, along with employees, directors, and independent contractors.
Unknown
Human health and social work
CC
US
Heartland Alliance
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
BREACHOMETER
The “Breachometer” compares the current number of events/day with the max and min values recorded in the previous 12 months.
As promised, I have pulled together some statistics from the data collected in 2020. The master table is available at the end of the post after the charts.