The second cyber attacks timeline of January 2023 is out (first timeline here). In the second half of the month I collected 149 events (corresponding to 9.31 events/day), nearly a 10% increase compared to the previous timeline. 2023 is not off to a good start from an infosec perspective.
After a few timelines stable around 30%, the share of events involving ransomware drops to 22.8% (34 out of 149 events). Vulnerability exploitation also declines: it was the vector in 10 events (6.7%), down from 15 events in the previous timeline.
Perhaps the most notable aspect of this timeline, however, is the worrying frequency of attacks carried out via malvertising and SEO poisoning: 7 events relied on this technique. That may seem a small number, but it is an important novelty in itself.
In the fintech space, FTX suffered another blow, with the claimed theft of $415M of cryptocurrency…
And the mega breaches continue to characterize the threat landscape: T-Mobile suffered another breach that led to the compromise of 37 million records through an API vulnerability, JD Sports suffered the compromise of 10 million customer records, 2.6 million records were stolen from the language learning platform DuoLingo, and finally a U.S. No Fly list with over 1.5 million records of banned flyers was shared publicly on a hacking forum, probably because of a cloud storage misconfiguration at CommuteAir.
In the cyber espionage space, Gamaredon was particularly active against targets in Ukraine and Latvia, but it was not the only one. The timeline also reports campaigns carried out by APT29, APT15, and APT42.
Ukraine was also hit by three attacks launched by the Sandworm group and carried out via destructive malware: SwiftSlicer, NikoWiper, and an additional sample used against the Ukrainian national news agency (Ukrinform). But Ukraine was not the only one: the SideWinder APT allegedly launched a cyber attack against the National Power Transmission Company of Pakistan (NTDC), leaving millions of people without power.
And last but not least, the hacktivist front remained hot, fueled by the campaigns of pro-Russian threat actors such as Killnet.
Even in this fortnight, the list is too long to be summarized in a few words (this one in particular), so my suggestion is to enjoy the interactive timeline and the tabular format. As always, thanks for sharing it and supporting my work in spreading risk awareness across the community, and don't forget to follow @paulsparrows on Twitter, or connect on LinkedIn, for the latest updates.
Geo Map January H2 2023
| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Country | Tags |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 16/01/2023 | During November 2022 | During November 2022 | Vice Society | University of Duisburg-Essen (UDE) | The Vice Society ransomware gang claims responsibility for a November 2022 cyberattack on the University of Duisburg-Essen (UDE) and leaks files it claims to have stolen from the university during the breach, exposing potentially sensitive details about the university's operations, students, and personnel. | Malware | Education | CC | DE | Vice Society, ransomware, University of Duisburg-Essen, UDE |
| 2 | 16/01/2023 | - | 21/06/2022 | ? | Undisclosed software development vendor | Nissan North America begins sending data breach notifications informing customers of a breach at a third-party service provider that exposed customer information. | Misconfiguration | Professional, scientific and technical | CC | N/A | Nissan North America |
| 3 | 16/01/2023 | 16/01/2023 | 16/01/2023 | ? | Danish smartphone users | Numerous Danish smartphone users report suspicious SMS content from a questionable source, allegedly related to Danske Spil, a gambling site. | Malware | Individual | CC | DK | Danske Spil |
| 4 | 17/01/2023 | Early January 2023 | Early January 2023 | ? | Individuals | Attackers set up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results. | Malware | Individual | CC | >1 | Google Search |
| 5 | 17/01/2023 | Since at least 17/01/2023 | 17/01/2023 | Multiple threat actors | Multiple organizations | Researchers at Rapid7 reveal that a critical remote code execution (RCE) vulnerability affecting multiple Zoho ManageEngine products (CVE-2022-47966) is now being exploited in attacks. | CVE-2022-47966 Vulnerability | Multiple Industries | N/A | >1 | Rapid7, Zoho ManageEngine, CVE-2022-47966 |
| 6 | 17/01/2023 | - | - | ? | Costa Rica Ministerio de Obras Públicas y Transportes (MOPT) | Costa Rica's Ministry of Public Works and Transport (MOPT) says in a statement that it suffered a ransomware attack that encrypted 12 of its servers. | Malware | Public admin and defence, social security | CC | CR | Costa Rica, Ministerio de Obras Públicas y Transportes, MOPT, Ministry of Public Works and Transport |
| 7 | 17/01/2023 | - | - | ? | Mscripts | Mscripts files notice of a data breach after determining that confidential consumer information entrusted to the company was accessible to an unauthorized party. | Unknown | Professional, scientific and technical | CC | US | Mscripts |
| 8 | 17/01/2023 | - | - | ? | Diligent Corporation | The University of Colorado Hospital Authority (UCHealth) files notice of a data breach after learning about a cybersecurity incident at one of the organization's vendors, Diligent Corporation. | Unknown | Professional, scientific and technical | CC | US | University of Colorado Hospital Authority, UCHealth, Diligent Corporation |
| 9 | 17/01/2023 | - | - | Earth Boogle | Organizations across the Middle East and North Africa | Researchers from Trend Micro discover an active campaign using Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi), infecting victims across the Middle East and North Africa. | Targeted Attack | Multiple Industries | CE | >1 | Trend Micro, NjRAT, Bladabindi |
| 10 | 17/01/2023 | During December 2022 | During December 2022 | Multiple threat actors | Multiple organizations | Researchers at Sonatype reveal that during December 2022 they uncovered 422 malicious npm packages focused mainly on data exfiltration via typosquatting or dependency confusion attacks. | Malware | Multiple Industries | CC | >1 | Sonatype, NPM |
| 11 | 17/01/2023 | After 11/11/2022 | After 11/11/2022 | ? | FTX | Embattled cryptocurrency exchange FTX claims that $415M worth of digital currency has been stolen by hackers. | Unknown | Fintech | CC | N/A | FTX |
| 12 | 17/01/2023 | During Q4 2022 | During Q4 2022 | ? | Multiple organizations | Researchers from Trend Micro discover multiple campaigns distributing the Batloader malware. | Malware | Multiple Industries | CC | >1 | Trend Micro, Batloader |
| 13 | 17/01/2023 | During November 2022 | During November 2022 | ? | Undisclosed retailer | Researchers from IBM X-Force discover a PoS malware using Discord as its command and control infrastructure. | Malware | Wholesale and retail | CC | N/A | IBM X-Force, Discord |
| 14 | 18/01/2023 | - | 17/01/2023 | Genesis Day | Samsung | A group of Russian hacktivists going by the name "Genesis Day" claims it attacked Samsung's offices in South Korea because of the country's recent opening of a mission to the North Atlantic Treaty Organization (NATO). The group says it hacked the internal File Transfer Protocol service of the Samsung Group in South Korea as well as the internal employee system and the Samsung Group intranet. | Unknown | Manufacturing | H | KR | Russia, Genesis Day, Samsung, North Atlantic Treaty Organization, NATO, FTP |
| 15 | 18/01/2023 | 17/01/2023 | 17/01/2023 | Sandworm | Ukraine national news agency (Ukrinform) | The Computer Emergency Response Team of Ukraine (CERT-UA) links a destructive malware attack targeting the country's national news agency (Ukrinform) to the Sandworm Russian military hackers. | Malware | Information and communication | CW | UA | Computer Emergency Response Team of Ukraine, CERT-UA, Ukrinform, Sandworm, Russia, Ukraine |
| 16 | 18/01/2023 | 18/01/2023 | 18/01/2023 | ? | Yum! Brands | Yum! Brands, the operator of the KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill fast-food restaurant chains, is targeted by a ransomware attack that forces the closure of 300 locations in the United Kingdom. | - | - | - | - | - |
| 17 | - | - | - | - | - | PayPal sends out data breach notifications to approximately 35,000 users who had their accounts accessed through credential stuffing attacks that exposed some personal data. | Credential Stuffing | Wholesale and retail | CC | US | PayPal |
| 18 | 18/01/2023 | 31/05/2022 | 31/05/2022 | ? | Farmers Investment Company (FICO) | Farmers Investment Company (FICO), doing business as Green Valley Pecan Company, files notice of a data breach after learning that an unauthorized party was able to access confidential consumer information stored on the company's computer network. | Unknown | Accommodation and food service | CC | US | Farmers Investment Company, FICO, Green Valley Pecan Company |
| 19 | 18/01/2023 | Between July and December 2022 | - | APT15 (AKA Playful Taurus, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL) | Iranian government | Researchers from Palo Alto Networks discover a new campaign by APT15 targeting the Iranian government. | - | - | - | - | - |
| 20 | - | - | - | - | - | Researchers from ZeroFox observe that, with an uptick in layoffs across industries, threat actors are increasingly targeting job seekers with employment scams. | Account Takeover | Individual | CC | >1 | Zerofox |
| 21 | 18/01/2023 | - | 17/01/2023 | ? | School District 42 | School District 42 has 19,126 records exposed in a breach, after the documents appear to have been uploaded to a popular hacker forum. | Account Takeover | Education | CC | US | School District 42 |
| 22 | 18/01/2023 | Since at least 16/01/2022 | 16/01/2023 | Aurora | Multiple organizations | Researchers from Cyble discover a new campaign distributing the Aurora infostealer disguised as legitimate applications. | Malware | Multiple Industries | CC | >1 | Cyble, Aurora |
| 23 | 18/01/2023 | Early January 2023 | Early January 2023 | ? | Lorenzi | Lorenzi, an Italian manufacturer of microfiber products for the shoe industry, is paralyzed by a ransomware attack. | Unknown | Manufacturing | CC | IT | Lorenzi, ransomware |
| 24 | 19/01/2023 | Since 25/11/2022 | 05/01/2023 | ? | T-Mobile | T-Mobile discloses a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs). | API Vulnerability | Information and communication | CC | US | T-Mobile |
| 25 | 19/01/2023 | Since at least 2020 | - | Vastflux | Individuals | Researchers at HUMAN disclose a massive ad fraud operation dubbed 'Vastflux' that spoofed more than 1,700 applications from 120 publishers, mostly for iOS. | Malvertising | Individual | CC | >1 | HUMAN, Vastflux, iOS |
| 26 | 19/01/2023 | - | - | ? | Multiple organizations | Researchers at Avanan discover an unusual phishing technique, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents. | Malware | Multiple Industries | CC | >1 | Avanan, SVG, HTML, DocuSign |
| 27 | 19/01/2023 | Since at least September 2022 | During September 2022 | Roaming Mantis (AKA Shaoye) | Multiple organizations | Researchers from Kaspersky reveal that the Roaming Mantis malware distribution campaign has updated Wroba.o/XLoader, its Android malware, to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices. | - | - | - | - | - |
| 28 | - | - | - | - | - | Researchers at ThreatFabric discover Hook, a new Android malware sold by cybercriminals that can remotely take over mobile devices in real time using VNC (virtual network computing). | Malware | Individual | CC | >1 | ThreatFabric, Hook, Android, VNC |
| 29 | 19/01/2023 | 19/01/2023 | 19/01/2023 | Vice Society | Guildford County School | Guildford County School is hit with a Vice Society ransomware attack. | Malware | Education | CC | UK | Guildford County School, Vice Society, ransomware |
| 30 | 19/01/2023 | 15/01/2023 | 15/01/2023 | ? | Qulliq Energy Corporation | Qulliq Energy Corporation (QEC) in Canada's Nunavut territory suffers a cyber attack that cripples the company's administrative offices. | Unknown | Electricity, gas steam, air conditioning | CC | CA | Qulliq Energy Corporation, QEC, Canada, Nunavut |
| 31 | 19/01/2023 | - | 17/01/2023 | ALPHV AKA BlackCat | NextGen Healthcare | Hospital technology giant NextGen Healthcare says it is responding to a cyberattack after the ALPHV (BlackCat) ransomware group adds the company to its list of victims. | Malware | Professional, scientific and technical | CC | US | NextGen Healthcare, ALPHV, BlackCat, ransomware |
| 32 | 19/01/2023 | - | 17/01/2023 | ALPHV AKA BlackCat | Fresh Del Monte | Fresh Del Monte is added to the list of victims of the ALPHV (BlackCat) ransomware group. | Malware | Accommodation and food service | CC | US | Fresh Del Monte, ALPHV, BlackCat, ransomware |
| 33 | 19/01/2023 | - | 17/01/2023 | ALPHV AKA BlackCat | PharmaCare Services | PharmaCare Services is added to the list of victims of the ALPHV (BlackCat) ransomware group. | Malware | Human health and social work | CC | US | PharmaCare Services, ALPHV, BlackCat, ransomware |
| 34 | 19/01/2023 | Between 25/09/2022 and 26/10/2022 | 26/10/2022 | ? | Zendesk | Customer service solutions provider Zendesk suffers a data breach after employee account credentials are phished by hackers. | Account Takeover | Professional, scientific and technical | CC | US | Zendesk |
| 35 | 19/01/2023 | During January 2022 | During January 2022 | Multiple threat actors | Multiple organizations | Researchers at Abnormal Security detect multiple campaigns in which threat actors use HR policy announcements and benefits updates to lure victims and steal employee credentials. | Account Takeover | Multiple Industries | CC | >1 | Abnormal Security |
| 36 | 19/01/2023 | 'Recently' | 'Recently' | Multiple threat actors | Multiple organizations | Researchers from SentinelOne report an increase in malicious search engine advertisements (SEO poisoning) in recent weeks. | Malvertising | Multiple Industries | CC | >1 | SentinelOne, SEO Poisoning |
| 37 | 19/01/2023 | - | - | ? | Vulnerable WordPress sites | Researchers from Sucuri discover a malicious campaign targeting vulnerable WordPress sites via a database injection with two different pieces of malware. | Malicious script injection | Multiple Industries | CC | >1 | Sucuri, WordPress |
| 38 | 19/01/2023 | - | - | CrySIS/Dharma | Multiple organizations | Researchers from Fortinet discover a new variant of the CrySIS/Dharma ransomware. | Malware | Multiple Industries | CC | >1 | Fortinet, CrySIS, Dharma, ransomware |
| 39 | 19/01/2023 | - | - | Gigabud | Android users in Thailand, Peru, and the Philippines | Researchers from Cyble discover a new campaign in which threat actors distribute a new Android malware, named Gigabud, impersonating government agencies, financial institutions, and other organizations from Thailand, Peru, and the Philippines. | Malware | Individual | CC | PE, PH, TH | Cyble, Android, Gigabud |
| 40 | 19/01/2023 | Since 20/12/2022 | 'Recently' | Remcos | Multiple organizations | Researchers from Minerva discover a new version of the Remcos RAT being dropped via an NSIS installer file. | Malware | Multiple Industries | CC | >1 | Remcos, Minerva |
| 41 | 20/01/2023 | Since at least October 2022 | During December 2022 | Chinese threat actors | European government | Researchers from Mandiant reveal that suspected Chinese hackers exploited CVE-2022-42475, a recently disclosed FortiOS SSL-VPN vulnerability, as a zero-day in December, targeting a European government with new custom 'BOLDMOVE' Linux and Windows malware. | CVE-2022-42475 Vulnerability | Public admin and defence, social security | CE | N/A | Mandiant, China, CVE-2022-42475, FortiOS, BOLDMOVE, Linux, Windows |
| 42 | 20/01/2023 | Since at least October 2022 | During December 2022 | Chinese threat actors | African MSP | Researchers from Mandiant reveal that suspected Chinese hackers exploited CVE-2022-42475, a recently disclosed FortiOS SSL-VPN vulnerability, as a zero-day in December, targeting an African MSP with new custom 'BOLDMOVE' Linux and Windows malware. | CVE-2022-42475 Vulnerability | Public admin and defence, social security | CE | N/A | Mandiant, China, CVE-2022-42475, FortiOS, BOLDMOVE, Linux, Windows |
| 43 | 20/01/2023 | Mid-January 2023 | Mid-January 2023 | ? | Riot Games | Riot Games, the video game developer and publisher behind League of Legends and Valorant, says it will delay game patches after its development environment was compromised. | Unknown | Arts entertainment, recreation | CC | US | Riot Games |
| 44 | 20/01/2023 | - | 19/02/2022 | ? | Livingston Memorial VNA Health Corporation | Livingston Memorial VNA Health Corporation files notice of a data breach after the company experienced what appears to have been a ransomware attack. | Malware | Human health and social work | CC | US | Livingston Memorial VNA Health Corporation, ransomware |
| 45 | 20/01/2023 | Between 08/09/2022 and 14/09/2022 | 15/09/2022 | ? | Bank of Eastern Oregon | The Bank of Eastern Oregon files notice of a data breach after learning that employee email accounts containing confidential customer information were accessed by an unauthorized party. | Account Takeover | Finance and insurance | CC | US | Bank of Eastern Oregon |
| 46 | 20/01/2023 | - | - | ? | Members Trust of the Southwest Federal Credit Union | Members Trust of the Southwest Federal Credit Union files notice of a data breach after confirming that the confidential information of some customers was accessible to an unauthorized party. | Unknown | Finance and insurance | CC | US | Members Trust of the Southwest Federal Credit Union |
| - | - | - | - | - | - | Researchers from BlackBerry discover new attacks by the Gamaredon group leveraging the popular messaging app Telegram to strike the military and law enforcement sectors in Ukraine. | - | - | - | - | - |
| - | - | - | - | - | - | Politriz, which sells cleaning, care and scented cleaning products, is added to the LockBit 3.0 leak page. | Malware | Wholesale and retail | CC | BR | Politriz, LockBit 3.0 |
| 51 | 21/01/2023 | - | - | ? | Multiple organizations | A new campaign uses OneNote attachments in phishing emails to infect victims with remote access malware, which can then be used to install further malware, steal passwords, or even steal cryptocurrency wallets. | Malware | Multiple Industries | CC | >1 | OneNote |
| 52 | 21/01/2023 | - | - | ? | Grand Theft Auto (GTA) Online players | Grand Theft Auto (GTA) Online players report losing game progress, having in-game money stolen, and being banned from game servers due to an alleged vulnerability in the game's PC version. | Vulnerability | Arts entertainment, recreation | CC | >1 | Grand Theft Auto, GTA |
| 53 | 21/01/2023 | Since at least November 2022 | 21/01/2023 | DEV-0569 | Multiple organizations | The threat actor tracked as DEV-0569 is using Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims' passwords, and ultimately breach networks for ransomware attacks. | Malvertising | Multiple Industries | CC | >1 | DEV-0569, Google Ads |
| 54 | 21/01/2023 | 11/01/2023 | 11/01/2023 | ? | Prison of Draguignan | The French Prison of Draguignan is hit with a cyber attack. | Unknown | Public admin and defence, social security | CC | FR | Prison of Draguignan |
| 55 | 21/01/2023 | - | 21/01/2023 | ALPHV AKA BlackCat | Instituto Federal Do Pará (IFPA) | The Instituto Federal Do Pará (IFPA), a public education institution in Brazil, is added to the leak site of the ALPHV (BlackCat) ransomware gang. | Malware | Education | CC | BR | Instituto Federal Do Pará, IFPA, ALPHV, BlackCat, ransomware |
| 56 | 21/01/2023 | Between 18/01/2023 and 19/01/2023 | Between 18/01/2023 and 19/01/2023 | ? | Benetton Group | Renowned Italian clothing company the Benetton Group is reportedly hit with a cyberattack from an unknown threat group. | - | - | - | - | - |
| 57 | - | - | - | - | - | Researchers from Sekoia discover a phishing attack on Latvia's Ministry of Defense carried out by the Russian Gamaredon group, pretending to be Ukrainian government officials. | - | - | - | - | - |
| 58 | - | - | - | - | - | A new campaign abuses Google Ads invites to deliver email messages promoting spam and sex websites. | Malvertising | Individual | CC | US | Google Ads |
| 59 | 23/01/2023 | During December 2022 | During December 2022 | ? | Individuals in China | Researchers at Fortinet discover a phishing campaign using a variety of QR codes to target Chinese-language users. | Account Takeover | Individual | CC | CN | Fortinet, QR code |
| 60 | 23/01/2023 | 22/01/2023 | 22/01/2023 | ? | Audifarma | Audifarma, a Colombian pharmacy chain, announces that it has been the victim of a cyber attack. | Unknown | Wholesale and retail | CC | CO | Audifarma |
| 61 | 23/01/2023 | 20/01/2023 | 20/01/2023 | BlackCat | Wawasee Community School Corporation | The Wawasee Community School Corporation is hit with a ransomware attack. | Malware | Education | CC | US | Wawasee Community School Corporation |
| 62 | 24/01/2023 | 'Recently' | 'Recently' | DragonSpark | Organizations in East Asia | Researchers from SentinelOne discover a Chinese-speaking hacking group tracked as 'DragonSpark' employing SparkRAT and Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. | Targeted Attack | Multiple Industries | CE | >1 | SentinelOne, DragonSpark, SparkRAT, Golang |
| 63 | 24/01/2023 | In the second half of 2022 | In the second half of 2022 | Multiple threat actors | Multiple organizations | Researchers from Palo Alto Networks reveal that attackers have leveraged CVE-2021-35394, a critical remote code execution vulnerability in the Realtek Jungle SDK, to launch 134 million attacks trying to infect smart devices in the second half of 2022. | - | - | - | - | - |
| 64 | - | - | - | - | - | Bitwarden and other password manager users are targeted in Google Ads phishing campaigns that aim to steal users' password vault credentials. | Malvertising | Individual | CC | >1 | Bitwarden, Google Ad |
| 65 | 24/01/2023 | Since at least 24/01/2023 | 24/01/2023 | ? | Crypto users | After Porsche cuts short the minting of a new NFT collection, threat actors fill the void by creating phishing sites that steal digital assets from cryptocurrency wallets. | Account Takeover | Fintech | CC | >1 | Porsche, NFT |
| 66 | 24/01/2023 | - | 24/01/2023 | ? | DuoLingo | Language learning platform DuoLingo says it is investigating a post on a hacking forum offering information on 2.6 million customer accounts for $1,500. | Misconfiguration | Education | CC | US | DuoLingo |
| 67 | 24/01/2023 | During January 2023 | 24/01/2023 | ? | Hilton Hotels? | A database of 3.7 million users belonging to Hilton Honors is leaked on a forum. After analyzing the sample, the company confirms the leak contains approximately 500,000 Hilton Honors accounts without passwords or financial data. | Unknown | Accommodation and food service | CC | US | Hilton Hotels, Hilton Honors |
| 68 | 24/01/2023 | Mid-January 2023 | - | LockBit 3.0 | Circleville Municipal Court | The Circleville Municipal Court is hit with a LockBit 3.0 ransomware attack. | Malware | Public admin and defence, social security | CC | US | Circleville Municipal Court, LockBit, Ransomware |
| 69 | 24/01/2023 | 23/01/2023 | 23/01/2023 | SideWinder APT | Pakistan National Transmission & Despatch Company (NTDC) | The National Power Transmission Company of Pakistan (NTDC) suffers a cyber attack allegedly carried out by the Indian SideWinder APT; as a result, the country suffers a nationwide blackout that leaves millions of people without power. | Targeted Attack | Electricity, gas steam, air conditioning | CW | PK | Pakistan, India, National Power Transmission Company of Pakistan, NTDC, SideWinder APT |
| 70 | 24/01/2023 | - | - | ? | Planet Ice | The ice rink operator Planet Ice suffers a data breach in which approximately 200,000 people have their details stolen. | Unknown | Arts entertainment, recreation | CC | UK | Planet Ice |
| 71 | 24/01/2023 | Since 26/12/2022 | Late December 2022 | ? | Vulnerable WordPress sites | Researchers from Sucuri discover a massive campaign infecting over 4,500 WordPress websites in order to redirect users to malicious websites. | Multiple vulnerabilities | Multiple Industries | CC | >1 | WordPress, Sucuri |
| 72 | 24/01/2023 | Since at least November 2021 | During November 2021 | GuLoader | e-commerce industry located in South Korea and the United States | Researchers at Trellix discover a GuLoader campaign targeting the e-commerce industry in South Korea and the United States, distributing the malware via NSIS files. | Malware | Wholesale and retail | CC | KR, US | Trellix, GuLoader, NSIS |
| 73 | 24/01/2023 | Since at least November 2022 | During November 2022 | Multiple threat actors | Organizations in the U.S., Poland, Austria, Kuwait, and Turkey | Researchers from Bitdefender Labs notice an increase in attacks using ProxyNotShell/OWASSRF exploit chains to target on-premises Microsoft Exchange deployments. | - | - | - | - | - |
| 74 | - | - | - | - | - | Private data allegedly belonging to more than 230,000 Puma customers in Chile is found on a hacker forum. | Malware | Manufacturing | CC | CL | Puma |
| 75 | 24/01/2023 | - | 23/01/2023 | - | ePublic | The database of ePublic, an IT service provider offering services to multiple Italian municipalities, is leaked online. | Unknown | Professional, scientific and technical | CC | IT | ePublic |
| 76 | 25/01/2023 | 25/01/2023 | 25/01/2023 | Killnet | Germany's government, banking, and airport sites | After Berlin agrees to send its advanced Leopard 2 tanks to Ukraine, the Russia-backed threat group Killnet retaliates with DDoS attacks aimed at Germany's government, banking, and airport sites. | DDoS | Public admin and defence, social security | H | DE | Killnet, Leopard 2, Russia, Ukraine |
| 77 | 25/01/2023 | Since August 2022 | - | PY#RATION | Multiple organizations | Researchers from Securonix discover PY#RATION, a new Python-based malware featuring remote access trojan (RAT) capabilities. | Malware | Multiple Industries | CC | >1 | Securonix, PY#RATION, Python |
| 78 | 25/01/2023 | During June 2022 | During October 2022 | ? | Undisclosed federal civilian agency | The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) discover a refund scam campaign perpetrated through the use of remote monitoring and management (RMM) software such as ScreenConnect and AnyDesk. | Account Takeover | Public admin and defence, social security | CC | US | Cybersecurity and Infrastructure Security Agency, CISA, National Security Agency, Multi-State Information Sharing and Analysis Center, MS-ISAC, ScreenConnect, AnyDesk |
| 79 | 25/01/2023 | During September 2022 | During October 2022 | ? | Undisclosed federal civilian agency | The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) discover a refund scam campaign perpetrated through the use of remote monitoring and management (RMM) software such as ScreenConnect and AnyDesk. | Account Takeover | Public admin and defence, social security | CC | US | Cybersecurity and Infrastructure Security Agency, CISA, National Security Agency, Multi-State Information Sharing and Analysis Center, MS-ISAC, ScreenConnect, AnyDesk |
| 80 | 25/01/2023 | During 2022 | During 2022 | TA444 | Crypto users | Researchers from Proofpoint reveal the details of TA444, a North Korea state-sponsored threat actor focused on financially motivated operations. | Account Takeover | Finance and insurance | CC | ES, JP, PL, UK, US | Proofpoint, TA444, North Korea |
| 81 | 25/01/2023 | Since at least 21/01/2023 | 21/01/2023 | Multiple threat actors | Multiple organizations | Exploitation attempts targeting CVE-2022-21587, a critical-severity Oracle E-Business Suite vulnerability, are observed shortly after proof-of-concept (PoC) code is published. | CVE-2022-21587 Vulnerability | Multiple Industries | N/A | N/A | CVE-2022-21587, Oracle E-Business Suite |
| 82 | 25/01/2023 | - | - | ? | South Dakota Gov. Kristi Noem | South Dakota Gov. Kristi Noem says that her personal cell phone number has been hacked and blames it on the release of her Social Security number. | Unknown | Individual | CE | US | South Dakota, Kristi Noem |
| 83 | 25/01/2023 | Between 31/12/2021 and 27/01/2022 | 27/01/2022 | ? | Lutheran Social Services of Illinois (LSSI) | Lutheran Social Services of Illinois (LSSI) files notice of a data breach following a ransomware attack that compromised confidential patient information stored on the company's computer network. | Malware | Human health and social work | CC | US | Lutheran Social Services of Illinois, LSSI, ransomware |
| 84 | 25/01/2023 | Late 2022 | Late 2022 | Kronos | Financial institutions in Mexico | Researchers at IBM Security Trusteer discover an increase in Kronos malware activity in Mexico, used to launch JavaScript web injects against financial institutions via a malicious Chrome extension. | Malware | Finance and insurance | CC | MX | IBM Security Trusteer, Kronos |
| 85 | 25/01/2023 | Since at least November 2022 | During November 2022 | Titan | Multiple organizations | Researchers at Cyble discover a new infostealer written in Go, named Titan. | Malware | Multiple Industries | CC | >1 | Titan, Cyble, GO |
| 86 | 26/01/2023 | During 2022 | During 2022 | Dragonbridge AKA Spamouflage Dragon | Individuals worldwide | Google's Threat Analysis Group terminates 100,960 accounts across its platforms, including YouTube, Blogger, and AdSense, linked to a group known as "Dragonbridge" or "Spamouflage Dragon" that disseminates pro-Chinese disinformation across multiple online platforms. | - | - | - | - | - |
| 87 | - | - | - | - | - | The U.K. National Cyber Security Centre (NCSC) issues a warning that state-sponsored Russian attackers from SEABORGIUM are increasingly targeting organizations and individuals. | Targeted Attack | Multiple Industries | CE | UK | SEABORGIUM, TA446, U.K. National Cyber Security Centre, NCSC, Russia |
| 88 | 26/01/2023 | During 2022 | During 2022 | APT42 AKA TA453 | Organizations in the U.K. | The U.K. National Cyber Security Centre (NCSC) issues a warning that state-sponsored Iranian attackers from APT42 are increasingly targeting organizations and individuals. | Targeted Attack | Multiple Industries | CE | UK | APT42, TA453, U.K. National Cyber Security Centre, NCSC, Iran |
| 89 | 26/01/2023 | Since at least June 2022 | During June 2022 | Mimic | Multiple organizations | Researchers from Trend Micro discover a new ransomware strain named Mimic that leverages the APIs of the 'Everything' file search tool for Windows to look for files targeted for encryption. | Malware | Multiple Industries | CC | >1 | Trend Micro, ransomware, Mimic, Everything, file search, Windows |
| 90 | 26/01/2023 | 'Recently' | 'Recently' | PlugX | Multiple organizations | Researchers from Palo Alto Networks discover a variant of the PlugX malware that can hide malicious files on removable USB devices and then infect the Windows hosts they connect to. | Malware | Multiple Industries | CC | >1 | Palo Alto Networks, PlugX, USB |
| 91 | 26/01/2023 | Since at least November 2022 | During November 2022 | UNC2565 | Multiple organizations | Researchers from Mandiant discover a new variant of the GOOTLOADER malware, named GOOTLOADER.POWERSHELL, implementing new obfuscation techniques. | - | - | - | - | - |
| 92 | - | - | - | - | - | Abraham's Ax, an Iran-linked APT group affiliated with Moses Staff (AKA COBALT SAPLING), leaks data stolen from Saudi Arabian government ministries. | Unknown | Public admin and defence, social security | H | SA | Abraham's Ax, APT, Moses Staff, Saudi Arabia, COBALT SAPLING |
| 93 | 26/01/2023 | Between 13/01/2023 and 20/01/2023 | Between 13/01/2023 and 20/01/2023 | ? | Individuals in Canada | Researchers from Bitdefender discover a new campaign delivering the AsyncRAT credential-stealing Trojan via OneNote attachments impersonating Ultramar, a well-known Canadian gas and home fuel retailer. | Malware | Individual | CC | CA | Bitdefender, AsyncRat, OneNote, Ultramar |
| 94 | 26/01/2023 | 26/08/2022 | 29/12/2022 | Avos Locker? | Stratford University | Stratford University discloses a ransomware attack, probably by the Avos Locker gang. | Malware | Education | CC | US | Stratford University, ransomware, Avos Locker |
| 95 | 26/01/2023 | 01/03/2022 | - | ? | Matco Tools Corporation | Matco Tools Corporation files notice of a data breach following a cybersecurity incident that leaked confidential consumer information in the company's possession. | Unknown | Wholesale and retail | CC | US | Matco Tools Corporation |
| 96 | 26/01/2023 | 25/01/2023 | 25/01/2023 | Cyber Security Team | A dozen university websites in South Korea | A Chinese group named Cyber Security Team defaces a dozen university websites in South Korea. | Defacement | Education | H | KR | Cyber Security Team |
| 97 | 26/01/2023 | - | - | ? | Several hundred individuals in West Africa | Researchers at DomainTools discover a malicious campaign impersonating American financial advisors and targeting several hundred individuals in West Africa. | Account Takeover | Finance and insurance | CC | >1 | Domaintools, Pig-butchering |
| 98 | 26/01/2023 | Since January 2023 | During January 2023 | Godfather | Mobile banking users in Europe | Researchers at EclecticIQ discover a new campaign by the Godfather mobile banking trojan targeting European countries, using approximately 400 different banking and cryptocurrency applications spread across 15 international banks, 94 cryptocurrency wallets, and 110 cryptocurrency exchange platforms. | Malware | Finance and insurance | CC | >1 | EclecticIQ, Godfather |
| 99 | 26/01/2023 | - | - | ? | South East Regional Health Authority (SERHA) | The South East Regional Health Authority (SERHA) in Jamaica is hit with a ransomware attack. | Malware | Human health and social work | CC | JM | South East Regional Health Authority, SERHA |
| 100 | 26/01/2023 | Since January 2022 | Since January 2022 | ? | Jobseekers | Researchers from Zscaler observe multiple suspicious job portals and surveys used by attackers to solicit information from job seekers under the guise of employment application forms. | Account Takeover | Individual | CC | >1 | Zscaler |
| 101 | 27/01/2023 | 25/01/2023 | 25/01/2023 | Sandworm | Organization in Ukraine | Researchers from ESET discover a new data-wiping malware, named SwiftSlicer, deployed by the Russian group Sandworm against an organization in Ukraine and aiming to overwrite crucial files used by the Windows operating system. | Malware | Unknown | CW | UA | ESET, SwiftSlicer, Sandworm, Russia, Ukraine |
| 102 | 27/01/2023 | Between November 2021 and August 2022 | 28/12/2022 | ? | Zacks Investment Research (Zacks) | Zacks Investment Research (Zacks) discloses that threat actors breached the company and gained access to personal and sensitive information belonging to 820,000 customers. | Unknown | Finance and insurance | CC | US | Zacks Investment Research, Zacks |
| 103 | 27/01/2023 | - | - | ? | Android users | Researchers from Dr.Web discover a new category of malicious Android apps, downloaded more than 20 million times, that track users' activity and force them to watch a large number of advertisements. | Malware | Individual | CC | >1 | Dr.Web, Android |
| 104 | 27/01/2023 | - | 26/01/2023 | ? | Undisclosed third-party vendor | Telecommunications company Charter Communications says one of its third-party vendors suffered a security breach after data from the company showed up on a hacking forum. | Unknown | Information and communication | CC | US | Charter Communications |
| 105 | 27/01/2023 | - | - | ALPHV AKA BlackCat | Solar Industries India | The BlackCat ransomware gang adds Solar Industries India to the list of victims published on its Tor leak site. | - | - | - | - | - |
Malware
Manufacturing
CC
IN
ALPHV, BlackCat, Ransomware, Solar Industries India
106
27/01/2023
-
-
?
Individuals in the U.S.
The Better Business Bureau warns that fraudsters are taking advantage of the US Social Security Administration’s increase in cost of living adjustment payments (COLA).
Account Takeover
Individual
CC
US
Better Business Bureau, US Social Security Administration, COLA
107
27/01/2023
-
-
?
Stroke Scan
Stroke Scan files notice of a data breach \after learning that confidential consumer information stored on the company’s computer network had been compromised.
Unknown
Human health and social work
CC
US
Stroke Scan
108
27/01/2023
Between 11/09/2022 and 11/10/2022
-
?
Morgan Hill Unified School District
Morgan Hill Unified School District in California discloses a breach that occurred when an employee’s email account was accessed without authorization.
Account Takeover
Education
CC
US
Morgan Hill Unified School District
109
27/01/2023
-
14/01/2023
ALPHV AKA BlackCat
Somacis
Somacis, a manufacturer of printed circuit boards, has 252 Gb of data leaked by the ALPHV (BlackCat) ransomware gang.
Malware
Manufacturing
CC
IT
Somacis, ALPHV, BlackCat, ransomware
110
27/01/2023
Between 31/10/2022 and 27/11/2022
Late November 2022
?
DotHouse Health
DotHouse Health files notice of a data breach after learning that an unauthorized party was able to access confidential information stored on the company’s computer systems.
Unknown
Human health and social work
CC
US
DotHouse Health
111
28/01/2023
'Recently'
'Recently'
?
Small Medium Businesses in Belgium
A group of threat actors mimicking the LockBit ransomware gang launches a campaigns against small medium businesses in Belgium, probably using a leaked version of the LockBit encryptor.
Malware
Multiple Industries
CC
BE
LockBit
112
28/01/2023
-
-
Vice Society
Seguros Equinoccial S.A.
Seguros Equinoccial S.A., an insurance firm, is added to Vice Society’s ransomware leak site.
The IT Army of Ukraine claims to have accessed a 1.5 GB archive of files belonging to the Russian state-controlled energy giant, Gazprom.
Unknown
Electricity, gas steam, air conditioning
H
RU
IT Army of Ukraine, Russia, Gazprom
114
29/01/2023
-
29/01/2023
?
Multiple organizations
Researchers from Phylum discover a malicious campaign consisting of 101 malicious NPM packages.
Malware
Multiple Industries
CC
>1
Phylum, NPM
115
30/01/2023
30/01/2023
30/01/2023
Killnet
Websites of dozens of U.S. hospitals
The websites of dozens of U.S. hospitals are taken down by a DDoS attack launched by the pro-Russian Killnet collective.
DDoS
Human health and social work
H
US
Killnet, Russia
116
30/01/2023
-
26/01/2023
?
CommuteAir
A U.S. No Fly list with over 1.5 million records of banned flyers and upwards of 250,000 'selectees' is shared publicly on a hacking forum.
Misconfiguration
Transportation and storage
CC
US
CommuteAir
117
30/01/2023
-
-
?
JD Sports
UK sports apparel chain JD Sports warns customers of a data breach after a server was hacked that contained online order information for 10 million customers.
Unknown
Wholesale and retail
CC
UK
JD Sports
118
30/01/2023
06/12/2022
07/12/2022
?
GitHub
GitHub says unknown attackers stole encrypted code-signing certificates for its Desktop and Atom applications after gaining access to some of its development and release planning repositories.
Account Takeover
Professional, scientific and technical
CC
US
GitHub
119
30/01/2023
27/01/2023
Since at least March 2022
Passion
Medical institutions in the USA, Portugal, Spain, Germany, Poland, Finland, Norway, Netherlands, and the United Kingdom
Researchers from Radware discover a new DDoS-as-a-Service platform named 'Passion' used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe.
DDoS
Human health and social work
H
ES
FI
NL
NO
PL
PT
UK
US
Radware, Passion, Russia
120
30/01/2023
-
29/03/2022
?
Vice Media
Vice Media suffers a cyber attack and a breach leaking the sensitive information and financial data of more than 1,700 people.
Unknown
Information and communication
CC
US
Vice Media
121
30/01/2023
31/10/2022
23/11/2022
LockBit 3.0
PBS KVIE
The LockBit ransomware group claims responsibility for a ransomware attack on PBS KVIE, a public broadcasting affiliate in Sacramento, California.
Malware
Information and communication
CC
US
LockBit, ransomware, PBS KVIE, Sacramento, California
122
30/01/2023
Since at least October 2022
During October 2022
APT29 AKA Cozy Bear, the Dukes, Nobelium, Yttrium, and BlueBravo
Unknown embassy staff or an ambassador
Researchers from Recorded Future discover a new campaign carried out by the Russian APT29 group targeting embassy-related individuals with the GraphicalNeutrino malware.
Targeted Attack
Public admin and defence, social security
CE
N/A
Recorded Future, Russia, APT29, Cozy Bear, the Dukes, Nobelium, Yttrium, BlueBravo, GraphicalNeutrino
123
30/01/2023
-
30/01/2023
Electronic Quds Force
Israeli chemical companies operating in the occupied territories
Pro-Palestinian threat actors from the Electronic Quds Force, launch a massive hacking campaign aimed at Israeli chemical companies operating in the occupied territories. As a proof the group leaks images industrial Control Systems (ICSs) allegedly belonging to one of the chemical companies that are targets of the cyber attacks.
Unknown
Manufacturing
H
IL
Electronic Quds Force, Palestine, Israel
124
30/01/2023
30/01/2023
30/01/2023
?
Atlantic General Hospital
Atlantic General Hospital is hit with a ransomware attack.
Malware
Human health and social work
CC
US
Atlantic General Hospital, ransomware
125
30/01/2023
Since July 2016
-
TrickGate
Organizations in the manufacturing, education, healthcare, finance sector and business enterprises.
Researchers at Checkpoint reveal that the malicious software service TrickGate is still alive and used by threat actors for over six years to distribute multiple payloads such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla, and bypass endpoint detection and response (EDR) protection software.
An unauthorized person or group gains access to internal systems used by Skyview Networks, disrupting the delivery of the CBS World News Roundup and other programming to radio affiliates.
Unknown
Information and communication
CC
US
Skyview Networks
127
30/01/2023
-
-
LockBit 3.0
Luaces Asesores
The LockBit ransomware gang claims to have attacked Luaces Asesores, an accounting, tax, and labor advisor firm.
Malware
Professional, scientific and technical
CC
ES
LockBit, Luaces Asesores, ransomware
128
30/01/2023
-
-
LockBit 3.0
IT Servicios
Telecommunications firm IT Servicios is also added to LockBit3.0’s ransomware leak site.
Malware
Information and communication
CC
MX
IT Servicios, LockBit3.0, ransomware
129
31/01/2023
31/01/2023
31/01/2023
Anonymous Russia
Convex
In name of #OpRussia, the Anonymous leak 128GB of data stolen from Russian ISP Convex.
Unknown
Information and communication
H
RU
#OpRussia, Anonymous Russia, Convex
130
31/01/2023
During October 2022
During October 2022
Sandworm
Energy company in Ukraine
Researchers at ESET reveal that the Russia-affiliated Sandworm used yet another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine.
The State Cyber Protection Centre (SCPC) of Ukraine warns of a new wave of targeted attacks conducted by the Russia-linked APT group Gamaredon.
Targeted Attack
Multiple Industries
CE
UA
Gamaredon, Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, Trident Ursa, State Cyber Protection Centre, Ukraine
132
31/01/2023
30/01/2023
30/01/2023
Pro-Russian hacktivists
Denmark's Centre for Cyber Security
The Denmark's Centre for Cyber Security is taken down by a DDoS attack allegedly carried out by pro-Russian hacktivists, following an announcement raising its cyber risk alert level.
DDoS
Public admin and defence, social security
H
DK
Denmark, Russia
133
31/01/2023
Between 06/12/2024 and 27/12/2023
06/12/2022
?
Multiple organizations
Microsoft disables multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations' cloud environments to steal email.
Account Takeover
Multiple Industries
CC
>1
Microsoft, Proofpoint, OAuth
134
31/01/2023
-
-
Prilex
Multiple organizations
Researchers from Kaspersky discover new versions of the Prilex point-of-sale malware able to block secure, NFC-enabled contactless credit card transactions, forcing consumers to insert credit cards that are then stolen by the malware.
Malware
Wholesale and retail
CC
>1
Kaspersky, Prilex
135
31/01/2023
Since at least 10/12/2022
10/12/2022
?
Multiple organizations
Researchers from Resecurity discover a relatively new ransomware operation known as Nevada with improved functionality targeting Windows and VMware ESXi systems.
Malware
Multiple Industries
CC
>1
Resecurity, Nevada with, Windows, VMware, ESXi
136
31/01/2023
31/01/2023
31/01/2023
LockBit 3.0
ION Group
The LockBit ransomware gang claims responsibility for the cyberattack on ION Group, a UK-based software company whose products are used by financial institutions, banks, and corporations for trading, investment management, and market analytics.
Malware
Professional, scientific and technical
CC
UK
LockBit, ransomware, ION Group
137
31/01/2023
30/01/2023
30/01/2023
Royal
Tucson Unified School District
The Tucson Unified School District is hit with a Royal ransomware attack.
Malware
Education
CC
US
Royal, ransomware, Tucson Unified School District
138
31/01/2023
During H1 January 2023
During H1 January 2023
?
Multiple organizations
Researchers from Armorblox discover a malicious DocuSign document in a campaign trying to steal credentials belonging to more than 10,000 people across several organizations.
Account Takeover
Multiple Industries
CC
>1
Armorblox, DocuSign
139
31/01/2023
Since at least 22/12/2022
31/01/2023
?
Nantucket Public Schools
Nantucket Public Schools are hit with a ransomware attack.
Malware
Education
CC
US
Nantucket Public Schools, ransomware
140
31/01/2023
11/01/2023
-
?
Mount Lilydale Mercy College
About 400 parents of students attending Mount Lilydale Mercy College, a Catholic high school near Melbourne, Australia, are informed of a cyberattack that exposed their credit card details.
Unknown
Education
CC
AU
Mount Lilydale Mercy College
141
31/01/2023
-
01/11/2022
?
Benefit Administrative Systems
Benefit Administrative Systems notifies certain individuals about the exposure of an electronic file that contained sensitive personally identifiable information and was accessed by unauthorized individuals,
Misconfiguration
Administration and support service
CC
US
Benefit Administrative Systems
142
31/01/2023
-
-
InTheBox
Android banking users
Researchers from Cyble discover a threat actor named inTheBox offering ready-to-sale web injects that are compatible with various Android banking malware.
Malware
Finance and insurance
CC
>1
Cyble, InTheBox, Android
143
31/01/2023
-
-
LockBit 3.0
Juva Skin & Laser Center
The LockBit ransomware group adds Juva Skin & Laser Center ito its dark web leak site.
Malware
Human health and social work
CC
US
LockBit, ransomware, Juva Skin & Laser Center
144
31/01/2023
-
-
LockBit 3.0
Arizona Liver Health
The LockBit ransomware group adds Arizona Liver Health ito its dark web leak site.
Malware
Human health and social work
CC
US
LockBit, ransomware, Arizona Liver Health
145
31/01/2023
'Recently'
'Recently'
?
Multiple organizations
Researchers at Fortinet discover a new campaign aimed to cryptojack systems to mine for Monero (XMR) cryptocurrency.
Malware
Multiple Industries
CC
>1
Fortinet, Monero, XMR
146
31/01/2023
'Recently'
'Recently'
?
1Password users
Researchers at Malwarebytes discover a malicious campaign using Google Ad to steal the passwords from the 1Password Password Manager users.
Malvertising
Individual
CC
>1
Malwarebytes, Google Ad, 1Password
147
31/01/2023
Since at least 16/01/2023
16/01/2023
?
Multiple organizations
Researchers at AhnLab discover a phishing campaign distributed with a changing icon to reflect the mail account service entered by the user.
Account Takeover
Multiple Industries
CC
>1
AhnLab
148
31/01/2023
31/01/2023
31/01/2023
?
Super Bock
The beverage company Super Bock is the target of a cyberattack that causes "disruptions in computer services, with constraints on regular operations, namely in terms of service."
Unknown
Accommodation and food service
CC
PT
Super Bock
149
31/01/2023
Since at least 25/01/2023
25/01/2023
Vidar
Multiple organizations
Researchers from Darktrace discover a campaign distributing the Vidar Info-stealer malware via malvertising on Google.
Malvertising
Multiple Industries
CC
>1
Darktrace, Vidar, Google
150
31/01/2023
-
-
?
Appui Santé Nord Finistère
The Appui Santé Nord Finistère is hit with a ransomware attack.
Malware
Human health and social work
CC
FR
Appui Santé Nord Finistère, ransomware
151
31/01/2023
-
-
?
Migliorshop
Miggliorshop, a service provider for e-commerce pharmacy sites, suffers a cyber attack, and as a consequence multiple retailer are impacted.
Multiple vulnerabilities
Professional, scientific and technical
CC
IT
Migliorshop
152
31/01/2023
Since March 2021
-
?
Unnamed education provider in Australia
Attacker break into at least 12 Australian companies using a sophisticated campaign that compromised an online education provider then impersonated it to gain access to other firms’ systems.
Account Takeover
Professional, scientific and technical
CC
AU
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
The “Breachometer” compares the current number of events/day with the max and min values recorded in the previous 12 months.