The second cyber attacks timeline of February 2023 is out (first timeline here) and, with 10.62 events/day, confirms the sustained level of activity that characterizes this first part of 2023.
Ransomware-driven events are stable at 24.6% (34 out of 138 events), whilst 11 events were characterized by the exploitation of vulnerabilities (8%, vs 7.7% in the previous timeline), with the massive exploitation of CVE-2021-21974 against VMware ESXi servers continuing also in this fortnight.
In the fintech sector, Platypus and Hope Finance suffered two massive hacks, netting the attackers a total of more than $10M. Hatch Bank was also hit through the exploitation of Fortra’s GoAnywhere CVE-2023-0669 zero-day, and the users of Coinbase and Trezor were hit by phishing campaigns.
RailYatri is the mega breach of this month, leading to the compromise of 31 million users.
Ukraine is still targeted by state-sponsored threat actors. In this fortnight a campaign by a threat actor named UAC-0056 was unearthed, using a backdoor implanted on multiple government websites for two years. Meanwhile, on a different side of the planet (Asia), two threat groups were discovered targeting the materials research sector (Clasiopa) and COVID-19 research (Hydrochasma). But obviously these are not the only ones discovered in this period.
And last but not least, and once again unsurprisingly, the pro-Russian hacktivists were quite active, with multiple DDoS campaigns against the websites of several German airports and some hospitals in Denmark (Killnet and their affiliates of Anonymous Sudan), and against multiple Italian websites (NoName057(16)). And the pro-Ukraine hacktivists fought back with DDoS attacks against the All-Russia State Television and Radio Broadcasting Company (VGTRK) and multiple Russian websites, and also hit several radio stations across Russia, broadcasting fake air raid warnings.
But we are now used to the fact that the list is too long to be summarized in a few words, so my suggestion is to enjoy the interactive timeline and the tabular format. And obviously, thanks for sharing it and supporting my work in spreading risk awareness across the community. As always, don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
Geo Map February H1 2023
| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Country | Link | Tags |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 16/02/2023 | 16/02/2023 | 16/02/2023 | Killnet | Websites of several German airports including: Hannover, Dortmund, Nuremberg, Karlsruhe/Baden-Baden, Dusseldorf, Erfurt-Weimar | The websites of several German airports are hit by a DDoS attack launched by the Killnet pro-Russian group. | DDoS | Transportation and storage | H | DE | | Killnet |
| 2 | 16/02/2023 | Since at least 08/02/2023 | 08/02/2023 | RansomExx2 | Vulnerable ESXi servers | Researchers from Rapid7 reveal that the RansomExx2 ransomware gang is also targeting the VMware CVE-2021-21974 vulnerability. | CVE-2021-21974 Vulnerability | Multiple Industries | CC | >1 | | Rapid7, VMware, CVE-2021-21974 |
| 3 | 16/02/2023 | - | - | WIP26 | Telecommunication providers in the Middle East | Researchers at Sentinel One discover a new threat cluster tracked as WIP26 targeting telecommunication providers in the Middle East. | Targeted Attack | Information and Communication | CC | >1 | | Sentinel One, WIP26 |
| 4 | 16/02/2023 | Since January 2022 | During January 2022 | Earth Yako | Researchers in the academic sector and think tanks | Researchers at Trend Micro discover a new campaign of the Earth Yako group targeting researchers in the academic sector and think tanks in Japan. | Targeted Attack | Education | CE | JP | | Trend Micro, Earth Yako |
| 5 | 16/02/2023 | - | - | ? | Multiple organizations in Taiwan | Researchers from Broadcom/Symantec discover an unknown threat actor deploying a new malware named 'Frebniis' on Microsoft's Internet Information Services (IIS) that stealthily executes commands sent via web requests. | Malware | Multiple Industries | N/A | TW | | Broadcom, Symantec, Frebniis, Microsoft, Internet Information Services, IIS |
| 6 | 16/02/2023 | - | 15/02/2023 | SiegedSec | Atlassian | A hacking crew called SiegedSec posts data on what appears to be thousands of employees and floor plans for two of the company's offices. The company admits that the hack was carried out using accounts stolen from Envoy, a third party. | Account Takeover | Professional, scientific and technical | CC | AU | | SiegedSec, Atlassian, Envoy |
| 7 | 16/02/2023 | Since at least January 2021 | - | Midnight Hedgehog | Multiple organizations | Researchers from Abnormal Security discover Midnight Hedgehog, a group leveraging Google Translate for Business Email Compromise attacks. | Business Email Compromise | Multiple Industries | CC | DE, DK, EE, ES, IT, FR, HU, NL, NO, PL, SE | | Abnormal Security, Midnight Hedgehog, Google Translate |
| 8 | 16/02/2023 | Since at least February 2021 | - | Mandarin Capybara | Multiple organizations | Researchers from Abnormal Security discover Mandarin Capybara, a group leveraging Google Translate for Business Email Compromise attacks. | Business Email Compromise | Multiple Industries | CC | AU, CA, FR, DE, ES, IT, PL, PT, SE, NL, US | | Abnormal Security, Mandarin Capybara, Google Translate |
| 9 | 16/02/2023 | Since November 2022 | During November 2022 | ? | Organizations in Armenia | Researchers from Check Point discover Operation Silent Watch, a malicious campaign against entities in Armenia with a new version of a backdoor tracked as OxtaRAT, an AutoIt-based tool for remote access and desktop surveillance. | Targeted Attack | Multiple Industries | CE | AM | | Check Point, Operation Silent Watch, OxtaRAT |
| 10 | 16/02/2023 | End of November 2022 | End of November 2022 | ? | Individuals | Researchers from Avanan discover a campaign leveraging the online payments system PayPal to send malicious invoices directly to users through the platform. | Account Takeover | Individual | CC | >1 | | Avanan, PayPal |
| 11 | 16/02/2023 | - | 08/02/2023 | ? | Succession Wealth | British independent advice firm Succession Wealth confirms a cyberattack. | Unknown | Finance and insurance | CC | UK | | Succession Wealth |
| 12 | 16/02/2023 | - | - | ? | Hogwarts Legacy players | Researchers from Malwarebytes discover a campaign distributing fake Hogwarts Legacy cracks dropping adware. | Malware | Arts entertainment, recreation | CC | >1 | | Malwarebytes, Hogwarts Legacy |
| 13 | 16/02/2023 | 'Recently' | 'Recently' | ? | Romanian telecom customers | Researchers from Heimdal discover a massive smishing campaign targeting Romanian telecom customers. | Account Takeover | Information and communication | CC | RO | | Heimdal, Romania |
| 14 | 16/02/2023 | Since at least May 2022 | Between August 2022 and January 2023 | ? | Chinese-speaking individuals in Southeast and East Asia | Researchers from ESET discover a campaign targeting Chinese-speaking individuals in Southeast and East Asia via rogue Google Ads that deliver remote access trojans such as FatalRAT to compromised machines. | Malware | Individual | CC | CN, HK, ID, JP, MY, MM, PH, SG, TH, TW | | ESET, Google Ads, FatalRAT |
| 15 | 16/02/2023 | 16/02/2023 | 16/02/2023 | ? | Platypus | Decentralized finance protocol Platypus suffers a flash loan attack causing $8.5 million to be drained from the protocol. The suspect is identified shortly after. | Flash loan | Fintech | CC | N/A | | Platypus |
| 16 | 16/02/2023 | Since November 2022 | Since November 2022 | CatB | Multiple organizations | Researchers from Fortinet reveal the details of a new ransomware variant named CatB. | Malware | Multiple Industries | CC | >1 | | Fortinet, ransomware, CatB |
| 17 | 16/02/2023 | - | - | ? | Over 50 WordPress sites worldwide | Researchers from Malwarebytes discover a malicious campaign targeting WordPress blogs with a fraudulent ad plugin called fuser-master. | Malicious WordPress plugin | Multiple Industries | CC | >1 | | WordPress, fuser-master, Malwarebytes |
| 18 | 16/02/2023 | - | - | SideCopy | Indian government entities | Researchers from ThreatMon discover a spear-phishing campaign carried out by a Pakistani threat actor named SideCopy targeting Indian government entities to deploy an updated version of a backdoor called ReverseRAT. | Targeted Attack | Public admin and defence, social security | CE | IN | | ThreatMon, SideCopy, Pakistan, ReverseRAT |
| 19 | 16/02/2023 | 12/02/2023 | 12/02/2023 | ? | Sweetwater Union High School District | Sweetwater Union High School District is hit with an 'undefined' outage. | Unknown | Education | CC | US | | Sweetwater Union High School District |
| 20 | 16/02/2023 | During January 2023 | During January 2023 | ? | City of Hilliard | The City of Hilliard loses $219,000 to an attacker pretending to be an existing vendor and persuading the finance department to change the vendor's bank-routing information. | Account Takeover | Public admin and defence, social security | CC | US | | City of Hilliard |
| 21 | 16/02/2023 | - | - | LockBit 3.0 | Trudi | The LockBit ransomware gang claims to have hit Trudi, an Italian manufacturer of soft toys. | Malware | Manufacturing | CC | IT | | Trudi, LockBit 3.0, ransomware |
| 22 | 17/02/2023 | 17/02/2023 | 17/02/2023 | ? | U.S. Federal Bureau of Investigation (FBI) | The U.S. Federal Bureau of Investigation (FBI) is reportedly investigating malicious cyber activity on the agency’s network involving an FBI New York Field Office computer system used to investigate child sexual exploitation. | Unknown | Public admin and defence, social security | CC | US | | U.S. Federal Bureau of Investigation, FBI |
| 23 | 17/02/2023 | Since at least March 2020 | - | ? | GoDaddy | Web hosting giant GoDaddy says it suffered a breach in which unknown attackers stole source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack. | Malware | Information and communication | CC | US | | GoDaddy |
| 24 | 17/02/2023 | Since at least December 2021 | - | 8 individuals from France and Israel | Multiple organizations in France | Europol dismantles a Franco-Israeli ‘CEO fraud’ group that employed business email compromise (BEC) attacks to divert payments from organizations to bank accounts under the threat actor's control. | Business Email Compromise | Multiple Industries | CC | FR | | Europol |
| 25 | 17/02/2023 | Since at least the end of 2022 | During the end of 2022 | Earth Kitsune | Individuals showing an interest in North Korea | Researchers from Trend Micro discover a new backdoor called WhiskerSpy used in a campaign by the advanced threat actor tracked as Earth Kitsune, targeting individuals showing an interest in North Korea. | Targeted Attack | Individual | CE | BR, CN, JP | | Trend Micro, WhiskerSpy, Earth Kitsune, North Korea |
| 26 | 17/02/2023 | - | 05/02/2023 | ? | Coinbase | Cryptocurrency exchange platform Coinbase discloses that an unknown threat actor stole the login credentials of one of its employees in an attempt to gain remote access to the company's systems. | Account Takeover | Fintech | CC | US | | Coinbase |
| 27 | 17/02/2023 | - | - | ? | Dole Food Company | Dole Food Company, one of the world’s largest producers and distributors of fresh fruit and vegetables, announces that it is dealing with a ransomware attack that impacted its operations. | Malware | Accommodation and food service | CC | IE | | Dole Food Company, ransomware |
| 28 | 17/02/2023 | 'Recently' | 17/02/2023 | Seize | TELUS | Canada's second-largest telecom, TELUS, investigates a potential data breach after a threat actor shares samples online of what appears to be employee data. The threat actor subsequently posts screenshots that apparently show private source code repositories and payroll records held by the company. | Unknown | Information and communication | CC | CA | | Seize, TELUS |
| 29 | 17/02/2023 | Between 13/02/2023 and 15/02/2023 | Between 13/02/2023 and 15/02/2023 | ? | Disney+ accounts of French customers | Researchers at Bitdefender uncover a phishing campaign targeting Disney+ accounts of French customers. | Account Takeover | Arts entertainment, recreation | CC | FR | | Bitdefender, Disney+ |
| 30 | 17/02/2023 | - | - | ? | Individuals in Europe, North America, Asia and Australia | Researchers from Bitdefender discover an email scam trying to profit off the Turkey-Syria earthquake. | Scam | Individual | CC | >1 | | Turkey-Syria earthquake, Bitdefender |
| 31 | 17/02/2023 | - | 05/11/2022 | ? | Cleveland Brothers Holdings (CBH) | Cleveland Brothers Holdings (CBH) files a notice of data breach after learning that “unusual activity” on the company’s network resulted in an unauthorized party gaining access to confidential consumer information. | Unknown | Wholesale and retail | CC | US | | Cleveland Brothers Holdings, CBH |
| 32 | 17/02/2023 | Between 13/05/2022 and 16/05/2022 | 13/05/2022 | ? | Rockler Companies | Rockler Companies files a notice of data breach following a data security incident resulting in the personal information of 8,604 consumers being leaked. | Unknown | Manufacturing | CC | US | | Rockler Companies |
| 33 | 17/02/2023 | Between 19/12/2022 and 21/12/2022 | 21/12/2022 | ? | Hutchinson Clinic | Hutchinson Clinic posts notice of a data breach about an incident resulting in an unauthorized party gaining access to consumers’ names, contact information, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical record numbers, medical history, diagnoses, treatment information, and physician names. | Unknown | Human health and social work | CC | US | | Hutchinson Clinic |
| 34 | 17/02/2023 | During August 2022 | During August 2022 | ? | Tom James Company | Tom James Company files notice of a data breach after experiencing a ransomware attack that compromised the security of information stored on the company’s computer network. | Malware | Manufacturing | CC | US | | Tom James Company, ransomware |
| 35 | 17/02/2023 | - | - | ? | O’Neal Industries | O’Neal Industries files notice of a data breach after learning that confidential consumer information stored on the company’s computer network was accessible to an unauthorized party. | Unknown | Manufacturing | CC | US | | O’Neal Industries |
| 36 | 17/02/2023 | 27/08/2022 | - | ? | Paul Smith’s College | Paul Smith’s College files notice of a data breach after learning that an unauthorized party gained access to its computer systems, where they were able to access confidential information belonging to certain students and employees. | Unknown | Education | CC | US | | Paul Smith’s College |
| 37 | 17/02/2023 | During February 2023 | During February 2023 | LockBit 3.0 | Grupo Albanesi | Grupo Albanesi, a private company dedicated to the distribution of energy in Argentina, is added to LockBit 3.0’s ransomware leak site. | Malware | Electricity, gas steam, air conditioning | CC | AR | | Grupo Albanesi, LockBit 3.0, ransomware |
| 38 | 17/02/2023 | 17/07/2021 | 20/08/2021 | ? | Dental Health Management Solutions (DHMS) | Dental Health Management Solutions (DHMS) announces that the protected health information of 3,205 patients was exposed in a 2021 hacking incident. | Unknown | Human health and social work | CC | US | | Dental Health Management Solutions, DHMS |
| 39 | 18/02/2023 | - | - | LockBit 3.0 | Aguas do Porto | The LockBit ransomware gang claims to have hacked Aguas do Porto, a Portuguese municipal water utility company, and is threatening to leak the stolen data. | Malware | Water supply, waste mgmt, remediation | CC | PT | | LockBit, Aguas do Porto |
| 40 | 20/02/2023 | Since at least January 2023 | During January 2023 | ? | Multiple organizations | Researchers from Sekoia discover a new information stealer called Stealc, with stealing capabilities and similarities to malware of the same kind such as Vidar, Raccoon, Mars, and Redline. | Malware | Multiple Industries | CC | >1 | | Sekoia, Stealc, Vidar, Raccoon, Mars, Redline |
| 41 | 20/02/2023 | Since November 2022 | During November 2022 | HardBit 2.0 | Multiple organizations | Researchers at Varonis reveal the details of a new version of the HardBit ransomware. | Malware | Multiple Industries | CC | >1 | | Varonis, HardBit, ransomware |
| 42 | 20/02/2023 | 02/12/2022 | 04/12/2022 | ? | Activision | Activision confirms that it suffered a data breach in early December 2022 after hackers gained access to the company's internal systems by tricking an employee with an SMS phishing text. A few days later the threat actors leak some data allegedly stolen from the company. | Account Takeover | Arts entertainment, recreation | CC | US | | Activision |
| 43 | 20/02/2023 | Since September 2021 | - | ? | GDS Holdings Ltd | Researchers from Resecurity warn data center organizations about malicious cyber activity targeting them and their customers. | CN | Information and communication | CC | CN | | Resecurity, GDS Holdings Ltd |
| 44 | 20/02/2023 | Since September 2021 | - | ? | ST Telemedia Global Data Centres | Researchers from Resecurity warn data center organizations about malicious cyber activity targeting them and their customers. | CN | Information and communication | | SG | | ST Telemedia Global Data Centres |
| 45 | 20/02/2023 | 06/02/2023 | 06/02/2023 | ALPHV AKA BlackCat | Lehigh Valley Health Network (LVHN) | Lehigh Valley Health Network (LVHN) is hit with a BlackCat ransomware attack. | Malware | Human health and social work | CC | US | | Lehigh Valley Health Network, LVHN, ALPHV, BlackCat, ransomware |
| 46 | 20/02/2023 | 27/01/2023 | 31/01/2023 | ‘Portugal’ and ‘Brazil’ | Multiple organizations | Researchers from Fortinet discover another 0-day attack in the PyPI packages (Python Package Index) by the malware authors ‘Portugal’ and ‘Brazil’ who published the packages ‘xhttpsp’ and ‘httpssp’. | | | | | | |
| 47 | | | | | | RailYatri, a popular Indian train ticket booking platform, suffers a massive data breach that exposes the personal information of over 31 million (31,062,673) users/travellers. | Unknown | Transportation and storage | CC | IN | | RailYatri, UNIT82 |
| 48 | 20/02/2023 | 'Recently' | 'Recently' | ? | Virgin Media Television | Virgin Media Television, the Irish broadcaster, says that an attempted hack was going to impact its programming in the coming days. | Unknown | Information and communication | CC | IE | | Virgin Media Television |
| 49 | 20/02/2023 | Since Q4 2022 | During Q4 2022 | ? | Multiple organizations | Researchers from Cyble reveal an uptick of campaigns launched via the DarkCloud Stealer malware. | Malware | Multiple Industries | CC | >1 | | Cyble, DarkCloud Stealer |
| 50 | 20/02/2023 | 20/02/2023 | 20/02/2023 | ? | Crypto investors | A fake website of the popular Ethereum Denver conference is able to steal over $300,000 worth of Ether. | Account Takeover | Fintech | CC | US | | Denver Conference |
| 51 | 20/02/2023 | During January 2023 | During January 2023 | 0mega | Aviacode | The 0mega ransomware gang dumps 200 GB of data allegedly stolen from Aviacode. | Malware | Professional, scientific and technical | CC | US | | 0mega, ransomware, Aviacode |
| 52 | 20/02/2023 | 19/02/2023 | 19/02/2023 | ? | ASL5 La Spezia | ASL5 La Spezia, the local health service of the city of La Spezia, suffers a serious cyber attack and, as a consequence, multiple services are disrupted. | Unknown | Human health and social work | CC | IT | | ASL5 La Spezia |
| 53 | 21/02/2023 | 21/02/2023 | 21/02/2023 | IT Army of Ukraine | All-Russia State Television and Radio Broadcasting Company (VGTRK) | A suspected distributed denial of service (DDoS) attack downs several websites broadcasting President Putin’s state of the nation address. The IT Army of Ukraine claims responsibility for the attack. | DDoS | Information and communication | H | RU | | All-Russia State Television and Radio Broadcasting Company, VGTRK, Putin, IT Army of Ukraine |
| 54 | 21/02/2023 | - | 20/02/2023 | ? | Multiple organizations | Researchers from Checkmarx discover that threat actors uploaded over 15,000 spam packages to the npm open-source JavaScript repository. | Account Takeover | Multiple Industries | CC | >1 | | JavaScript, npm, Checkmarx |
| 55 | 21/02/2023 | - | - | ? | Multiple organizations | Researchers from CloudSEK observe threat actors exploiting CVE-2023-21752, a privilege escalation vulnerability in the Windows Backup and Restore service. | CVE-2023-21752 Vulnerability | Multiple Industries | CC | >1 | | CloudSEK, CVE-2023-21752 |
| 56 | 21/02/2023 | Between 07/09/2022 and 14/09/2022 | - | ? | Emtec | Emtec files notice of a data breach after determining that confidential consumer information was leaked following a cyberattack. | Unknown | Professional, scientific and technical | CC | US | | Emtec |
| 57 | 21/02/2023 | - | - | ? | Henrico Doctors' Hospital | Henrico Doctors' Hospital notifies 990 patients that some of their protected health information was compromised in a data breach after detecting suspicious activity within its information network. | Unknown | Human health and social work | CC | US | | Henrico Doctors' Hospital |
| 58 | 21/02/2023 | Since July 2022 | Since July 2022 | ? | Multiple WordPress sites | Researchers from Sucuri discover a new campaign by the Konami Code Backdoor abusing cron jobs to reinfect compromised WordPress sites. | Malicious WordPress plugin | Multiple Industries | CC | >1 | | Sucuri, Konami Code Backdoor, WordPress |
| 59 | 21/02/2023 | 'Recently' | 'Recently' | ? | Multiple organizations | Researchers from Malwarebytes discover a Magecart skimmer involved in a fingerprinting campaign and abusing the Cloudflare endpoint API. | Malicious Script injection | Wholesale and retail | CC | >1 | | Malwarebytes, Magecart, Cloudflare |
| 60 | 21/02/2023 | - | - | BlackBasta | KFI Engineers | KFI Engineers pays a $300k ransom to the Black Basta ransomware gang. | Malware | Professional, scientific and technical | CC | US | | KFI Engineers, ransomware, BlackBasta, Black Basta |
| 61 | 21/02/2023 | 21/02/2023 | 21/02/2023 | ? | Hope Finance | Hope Finance loses $2M worth of cryptocurrency after falling victim to a smart contract exploit. | Smart contract vulnerability | Fintech | CC | N/A | | Hope Finance |
| 62 | 22/02/2023 | 22/02/2023 | 22/02/2023 | NoName057(16) | Multiple organizations in Italy | The Russian group NoName057(16) targets some Italian institutions and companies following a visit by Italy’s prime minister Giorgia Meloni to Ukraine. Targets include Italy’s Foreign Ministry, Defense Ministry, Interior Ministry, and Telecom Italia. | | | | | | |
| 63 | | | | | | Radio stations across multiple Russian cities are hacked and blast fake air raid warnings. | Unknown | Information and communication | H | RU | | Radio, Russia, Ukraine |
| 64 | 22/02/2023 | 22/02/2023 | 22/02/2023 | ALPHV AKA BlackCat | City of Lakewood | The BlackCat ransomware gang (ALPHV) lists the City of Lakewood on its data leak site. | Malware | Public admin and defence, social security | H | US | | BlackCat, ALPHV, ransomware, City of Lakewood |
| 65 | 22/02/2023 | Since at least October 2022 | During October 2022 | Hydrochasma | Shipping and medical laboratories involved in COVID-19 vaccine development and treatments in Asia | Researchers from Broadcom/Symantec discover a previously unknown threat actor named Hydrochasma targeting shipping and medical laboratories involved in COVID-19 vaccine development and treatments. | Targeted Attack | Professional, scientific and technical | CE | >1 | | Broadcom, Symantec, Hydrochasma, COVID-19 |
| 66 | 22/02/2023 | Between July and December 2022 | - | S1deload Stealer | YouTube and Facebook users | Researchers from Bitdefender discover an ongoing malware campaign targeting YouTube and Facebook users with a new information stealer dubbed S1deload Stealer, able to hijack their social media accounts and use their devices to mine cryptocurrency. | Malware | Individual | CC | >1 | | Bitdefender, YouTube, Facebook, S1deload Stealer |
| 67 | 22/02/2023 | Since 22/02/2023 | 22/02/2023 | Multiple threat actors | Multiple organizations | Threat actors are targeting Internet-exposed Fortinet appliances with exploits for CVE-2022-39952, an unauthenticated file path manipulation vulnerability in the FortiNAC webserver that can be abused for remote command execution. | CVE-2022-39952 Vulnerability | Multiple Industries | CC | >1 | | Fortinet, CVE-2022-39952, FortiNAC |
| 68 | 22/02/2023 | Since at least 12/02/2023 | 12/02/2023 | Multiple threat actors | Individuals | Threat actors are exploiting the popularity of OpenAI's ChatGPT chatbot to distribute malware for Windows and Android, or to direct unsuspecting victims to phishing pages. | Malware | Individual | CC | >1 | | OpenAI, ChatGPT, Windows, Android |
| 69 | 22/02/2023 | - | - | Multiple threat actors | Organizations in the U.S. | The US Cybersecurity and Infrastructure Security Agency (CISA) warns organizations that two vulnerabilities affecting the Mitel MiVoice Connect business communications platform have been exploited in the wild. | CVE-2022-41223 and CVE-2022-40765 vulnerabilities | Multiple Industries | CC | US | | CVE-2022-41223, CVE-2022-40765, US Cybersecurity and Infrastructure Security Agency, CISA, Mitel MiVoice Connect |
| 70 | 22/02/2023 | - | - | Multiple threat actors | Organizations in the U.S. | The US Cybersecurity and Infrastructure Security Agency (CISA) warns organizations that the vulnerability CVE-2022-47986 affecting IBM Aspera Faspex has also been exploited in the wild. | CVE-2022-47986 vulnerability | Multiple Industries | CC | US | | CVE-2022-47986, US Cybersecurity and Infrastructure Security Agency, CISA, IBM Aspera Faspex |
| 71 | 22/02/2023 | - | - | ? | Multiple organizations | Researchers from ReversingLabs discover 41 malicious packages on the Python Package Index that mimic popular libraries. | Malware | Multiple Industries | CC | >1 | | ReversingLabs, Python Package Index, PyPI |
| 72 | 22/02/2023 | 'Recently' | 'Recently' | ? | Crum & Forster (C&F) | Crum & Forster (C&F) files notice of a data breach after confirming that an unauthorized party was able to access confidential consumer data as a result of a successful cyberattack. | Unknown | Finance and insurance | CC | US | | Crum & Forster, C&F |
| 73 | 22/02/2023 | 28/02/2023 | 28/02/2023 | Hive | Alvaria | Alvaria files notice of a data breach after confirming that a recent cybersecurity event was a Hive ransomware attack resulting in confidential employee information being leaked. | Malware | Professional, scientific and technical | CC | US | | Alvaria, Hive, Ransomware |
| 74 | 22/02/2023 | 17/02/2023 | 17/02/2023 | ALPHV AKA BlackCat | Chile’s National Health Fund (FONASA) | Chile’s National Health Fund (FONASA) reveals that it suffered a malware attack causing some minor interruptions and delays at its branches. | Malware | Human health and social work | CC | CL | | Chile’s National Health Fund, FONASA, ALPHV, BlackCat |
| 75 | 22/02/2023 | 27/01/2023 | 27/01/2023 | Ragnar Locker | Associação de Advogados de São Paulo (AASP) | The Ragnar Locker ransomware gang leaks 200 GB of files from the Associação de Advogados de São Paulo (AASP), plus numerous screenshots with personal information, after the association denies it was hacked. | Malware | Administration and support service | CC | BR | | Ragnar Locker, ransomware gang, Associação de Advogados de São Paulo, AASP |
| 76 | 23/02/2023 | Since February 2022 | During February 2023 | Russia | YouTube users worldwide | According to the watchdog NewsGuard, Russia is successfully continuing its online disinformation campaigns, with hundreds of professionally produced videos making their way onto YouTube. | Coordinated Inauthentic Behavior | Individual | CW | >1 | | Russia, YouTube |
| 77 | 23/02/2023 | 25/02/2023 | 25/02/2023 | CH01 | At least 32 Russian websites | A group of pro-Ukraine hacktivists that goes by the moniker CH01 defaces at least 32 Russian websites to mark a protest over the one-year anniversary of the Russian invasion. | Defacement | Multiple Industries | H | RU | | CH01, Russia, Ukraine |
| 78 | 23/02/2023 | Since at least February 2022 | End of February 2023 | UAC-0056 AKA DEV-0586, UNC2589, Nodaria, or Lorec53 | Multiple organizations in Ukraine | The Computer Emergency Response Team of Ukraine (CERT-UA) reveals that Russian state-sponsored threat actors have breached multiple government websites this week using backdoors planted as far back as December 2021. | Targeted Attack | Multiple Industries | CE | UA | | UAC-0056, DEV-0586, UNC2589, Nodaria, Lorec53, Computer Emergency Response Team of Ukraine, CERT-UA, Russia |
| 79 | 23/02/2023 | - | - | Clasiopa | Companies in the materials research sector in Asia | Researchers from Symantec/Broadcom discover a threat group named Clasiopa targeting companies in the materials research sector with a unique toolset that includes a custom remote access trojan (RAT) called Atharvan. | Targeted Attack | Professional, scientific and technical | CE | N/A | | Symantec, Broadcom, Clasiopa, Atharvan |
| 80 | 23/02/2023 | Over the past few months | - | wtfisthat34698409672 | macOS users | Researchers from Jamf discover a cryptomining operation targeting macOS with a malicious version of Final Cut Pro that remains largely undetected by antivirus engines. | Malware | Individual | CE | >1 | | Jamf, macOS, Final Cut Pro, wtfisthat34698409672 |
| 81 | 23/02/2023 | Since at least March 2021 | Since at least March 2021 | Three Dutch individuals | Multiple organizations | The Amsterdam cybercrime police team arrests three men for ransomware activity that generated €2.5 million from extorting small and large organizations in multiple countries. | Malware | Multiple Industries | CC | N/A | | Amsterdam, Ransomware |
| 82 | 23/02/2023 | - | - | ? | Government entities | Researchers from Menlo Security uncover an unknown threat actor running an evasive campaign distributed via Discord that features the PureCrypter downloader and targets government entities. | Malware | Public admin and defence, social security | CC | N/A | | Menlo Security, Discord, PureCrypter |
| 83 | 23/02/2023 | - | - | ? | Multiple organizations | Researchers at AhnLab reveal that the operators of the ChromeLoader browser hijacking and adware campaign are now using VHD files named after popular games. Previously, such campaigns relied on ISO-based distribution. | Malware | Multiple Industries | CC | >1 | | AhnLab, ChromeLoader, VHD, ISO |
| 84 | 23/02/2023 | During August 2021 | - | ? | My Rewards | Data belonging to customers of The Good Guys is compromised in a security breach involving the Australian retailer's former third-party supplier, My Rewards. | Unknown | Administration and support service | CC | AU | | The Good Guys, My Rewards |
| 85 | 23/02/2023 | Since 20/01/2023 | During January 2023 | Multiple threat actors | Multiple organizations | Researchers from Bitdefender report that multiple threat actors are actively exploiting the Zoho ManageEngine CVE-2022-47966 vulnerability in attacks in the wild. | CVE-2022-47966 vulnerability | Multiple Industries | CC | >1 | | Bitdefender, Zoho ManageEngine, CVE-2022-47966 |
| 86 | 23/02/2023 | Since at least 23/02/2023 | Since at least 23/02/2023 | Multiple threat actors | Individuals | Security researchers warn about a wave of questionable authenticator apps flooding the Apple App Store and Google Play after Twitter’s recent shift away from SMS-based 2FA. | Malware | Individual | CC | >1 | | Apple App Store, Google Play, Twitter, Authenticator |
| 87 | 23/02/2023 | Between 22/11/2023 and 29/11/2023 | 28/11/2022 | ? | Texas Orthopaedics & Sports Medicine (TOSM) | Texas Orthopaedics & Sports Medicine notifies 537 individuals of a breach involving some patient information. | Unknown | Human health and social work | CC | US | | Texas Orthopaedics & Sports Medicine, TOSM |
| 88 | 23/02/2023 | During February 2023 | During February 2023 | Nevada | American and Hungarian universities and Italian shipping and construction firms | A new massive ransomware operation by the Nevada group compromises over 5,000 victims in Europe and the U.S. | Malware | Multiple Industries | CC | HU, IT, US | | Nevada, ransomware |
| 89 | 23/02/2023 | - | - | ? | Hospital Joaquín Paz Borrero | The Hospital Joaquín Paz Borrero is hit with a ransomware attack. | Malware | Human health and social work | CC | CO | | Hospital Joaquín Paz Borrero, ransomware |
| 90 | 23/02/2023 | 04/02/2023 | - | RansomHouse | AESCULAPIUS Farmaceutici | AESCULAPIUS Farmaceutici, an Italian producer of pharmaceutical products, is hit with a RansomHouse ransomware attack and has some data leaked. | Malware | Professional, scientific and technical | CC | IT | | AESCULAPIUS Farmaceutici, RansomHouse, ransomware |
| 91 | 23/02/2023 | - | - | ? | Lawrence General Hospital | Lawrence General Hospital files a notice of data breach after learning that confidential patient information entrusted to it was leaked following a cybersecurity event. | Unknown | Human health and social work | CC | US | | Lawrence General Hospital |
| 92 | 23/02/2023 | - | - | Andariel | Multiple organizations in South Korea | Researchers from ASEC (AhnLab Security Emergency response Center) discover a campaign distributing malware to users running vulnerable versions of Innorix Agent. | Malware | Multiple Industries | CE | KR | | ASEC, AhnLab Security Emergency response Center, Andariel, Innorix |
| 93 | 24/02/2023 | - | - | PlugX | Multiple organizations | Researchers from Trend Micro uncover a new wave of attacks aimed at distributing the PlugX remote access trojan masqueraded as an open-source Windows debugger tool called x32dbg. The legitimate tool allows examining kernel-mode and user-mode code, crash dumps, and CPU registers. | Malware | Multiple Industries | CC | >1 | | Trend Micro, PlugX, x32dbg |
| 94 | 24/02/2023 | 08/07/2022 | - | ? | Aloha Nursing Rehab Centre (Aloha) | Aloha Nursing Rehab Centre (Aloha) files notice of a data breach after learning that an unauthorized party accessed electronic files containing confidential patient information from the company’s computer network. | Unknown | Human health and social work | CC | US | | Aloha Nursing Rehab Centre, Aloha |
| 95 | 24/02/2023 | During November 2022 | - | ? | Crystal Bay Casino | Crystal Bay Casino files notice of a data breach after learning that an unauthorized party accessed files on the company’s computer network containing confidential consumer information. | Unknown | Arts entertainment, recreation | CC | US | | Crystal Bay Casino |
| 96 | 24/02/2023 | 27/12/2022 | 16/12/2022 | ? | Advanced Health Media (AHM) | Advanced Health Media (AHM) files a notice of data breach after learning that an unauthorized party was able to access certain company servers that stored confidential consumer data. | Unknown | Professional, scientific and technical | CC | US | | Advanced Health Media, AHM |
| 97 | 24/02/2023 | Since 2019 | - | MedusaLocker | Healthcare organizations in the U.S. | The Health Sector Cybersecurity Coordination Center (HC3) warns organizations in the healthcare sector about the MedusaLocker ransomware. | Malware | Human health and social work | CC | US | | Health Sector Cybersecurity Coordination Center, HC3, MedusaLocker, ransomware |
| 98 | 24/02/2023 | Mid-February 2022 | Mid-February 2022 | ALPHV AKA BlackCat | Encino Energy | Encino Energy, one of the largest private natural gas and oil producers in the U.S., says it has investigated and remediated a recent cyberattack allegedly carried out by the BlackCat ransomware gang. | Malware | Electricity, gas steam, air conditioning | CC | US | | Encino Energy, BlackCat, ALPHV, ransomware |
| 99 | 24/02/2023 | 20/02/2023 | 20/02/2023 | ? | Minneapolis Public Schools | Minneapolis Public Schools reveals it is experiencing technical difficulties due to an encryption event caused by a ransomware attack. | Malware | Education | CC | US | | Minneapolis Public Schools, ransomware |
| 100 | 24/02/2023 | Over the last few days | Over the last few days | ? | Individuals | Researchers from Malwarebytes discover a campaign sending out phishing mails that disguise bogus URLs as so-called Slinks, shortened LinkedIn URLs. | Account Takeover | Individual | CC | >1 | | Malwarebytes, Slinks, shortened LinkedIn URLs |
| 101 | | | | | | | | | | | | |
24/02/2023
Since early February 2023
During February 2023
WhiteSnake
Multiple organizations
Researchers from Cyble discover a new malware strain called “WhiteSnake” Stealer designed to extract sensitive information from the victim’s computer.
Malware
Multiple Industries
CC
>1
Cyble, WhiteSnake
102
24/02/2023
-
-
ALPHV AKA BlackCat
Empresa Distribuidora Del Este (EdeEste)
The Empresa Distribuidora Del Este (EdeEste), an electricity distribution firm, is named on BlackCat’s ransomware leak site. The group claims to have 420 GB of information from the company.
Malware
Electricity, gas steam, air conditioning
CC
DO
ALPHV, BlackCat, Empresa Distribuidora Del Este, EdeEste
103
24/02/2023
-
-
Royal
Âncora Sistemas de Fixação
Âncora Sistemas de Fixação, a company specializing in the manufacture and marketing of fasteners for civil construction, is added to the Royal gang’s leak site with 88 GB uploaded to the site at the same time.
Malware
Manufacturing
CC
BR
Âncora Sistemas de Fixação, Royal, ransomware
104
24/02/2023
-
-
LocKBit 3.0
La Segunda Seguros
La Segunda Seguros insurance company is named by LockBit on its leaks site with some samples as proof of claims.
Malware
Finance and insurance
CC
AR
La Segunda Seguros, LockBit, ransomware
105
24/02/2023
-
-
Stormous
Zurcal
The Zurcal group, which belongs to the energy saving and efficiency sector, is named by the Stormous ransomware group in its Telegram channel.
Malware
Electricity, gas steam, air conditioning
CC
ES
Zurcal, Stormous, ransomware,Telegram
106
24/02/2023
17/02/2023
17/02/2023
?
City of Rosarito
The City of Rosarito discloses to have been hit by a cyber attack.
Unknown
Public admin and defence, social security
CC
MX
City of Rosarito
107
24/02/2023
In recent weeks
In recent weeks
?
Iowa Legislative Hearings
Iowa Legislative Hearings are disrupted by offensive or graphic images or videos while the hearings were taking place.
Zoom bombing
Public admin and defence, social security
CC
US
Iowa Legislative Hearings, Zoom
108
24/02/2023
'Recently'
'Recently'
Snip3
Multiple organizations
Researchers from Zscaler observe multiple threat campaigns utilizing the Snip3 crypter, a multi-stage remote access trojan (RAT) loader with new TTPs and available since 2021 as a crypter-as-a-service offering.
Malware
Multiple Industries
CC
>1
Zscaler, Snip3
109
25/02/2023
23/02/2023
23/02/2023
Black Basta?
Dish Network
American TV giant and satellite broadcast provider, Dish Network confirms that a ransomware attack was the cause of a multi-day network and service outage.
Malware
Information and communication
CC
US
Dish Network, Black Basta
110
25/02/2023
23/02/2023
23/02/2023
BianLian
Southeastern Louisiana University (SLU)
Southeastern Louisiana University (SLU) posts notice of a potential data breach after certain SLU systems were down in response to what the school characterized as a “Temporary Network and System Disruption." The BianLian ransomware gang claims responsibility for the attack.
A series of distributed-denial-of-service (DDoS) attacks shut down nine Danish hospitals' websites for a few hours, but did not have any life-threatening impact on the medical centers' operations or digital infrastructure.
DDoS
Human health and social work
H
DK
Anonymous Sudan, Killnet
112
26/02/2023
26/02/2023
26/02/2023
?
Tennessee State University (TSU)
Tennessee State University (TSU) posts a “Notice of Suspicious Network Activity” after the institution experienced what it believes to have been a ransomware attack.
Malware
Education
CC
US
Tennessee State University, TSU, ransomware
113
26/02/2023
Since November 2022
Since November 2022
TA569
Multiple organizations
Researchers from Proofpoint reveal the details of a new campaign by TA569 delivering the SocGholish payload via Javascript injections in compromised websites.
Malware
Multiple Industries
CC
>1
Proofpoint, TA569, SocGholish, Javascript
114
26/02/2023
25/02/2023
25/02/2023
?
Multiple organizations
Researchers from Sonatype discover an open source malware campaign in which a threat actor is infiltrating the PyPI software registry with thousands of malicious packages.
Malware
Multiple Industries
CC
>1
Sonatype, PyPI
115
27/02/2023
-
-
?
Multiple organizations
Researchers at Prodaft reveal that the RIG Exploit Kit currently targets 207 countries, launching an average of 2,000 attacks per day and having a current success rate of 30%.
Researchers from Patchstack reveal that threat actors are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites.
Researchers at CYFIRMA discover a new 'Exfiltrator-22' post-exploitation framework, allegedly created by former Lockbit 3.0 affiliates, and designed to spread ransomware in corporate networks while evading detection.
Malware
Multiple Industries
CC
>1
CYFIRMA, Exfiltrator-22, Lockbit 3.0
118
27/02/2023
Between 12/08/2022 and 26/10/2022
-
?
LastPass
LastPass discloses more information on a "coordinated second attack," where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months.
Account Takeover
Professional, scientific and technical
CC
US
LastPass, AWS
119
27/02/2023
17/02/2023
17/02/2023
?
U.S. Marshals Service (USMS)
The U.S. Marshals Service (USMS) is investigating the theft of sensitive law enforcement information following a ransomware attack that has impacted what it describes as "a stand-alone USMS system."
Malware
Public admin and defence, social security
CC
US
U.S. Marshals Service, USMS, ransomware
120
27/02/2023
-
-
Multiple threat actors
Organizations in the U.S.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) adds CVE-2022-36537 impacting the ZK Framework, to its "Known Exploited Vulnerabilities Catalog" after threat actors began actively exploiting the remote code execution (RCE) flaw in attacks.
CVE-2022-36537 Vulnerabilities
Multiple Industries
N/A
US
U.S. Cybersecurity & Infrastructure Security Agency, CISA, CVE-2022-36537, ZK Framework
121
27/02/2023
-
07/02/2023
?
Pipefitters Local 537
A cyberattack on Pipefitters Local 537, a Boston-based labor union’s health fund, results in the loss of $6.4 million.
Account Takeover
Human health and social work
CC
US
Pipefitters Local 537
122
27/02/2023
Since Q4 2021
-
DIgital Smoke
Internet users from multiple countries
Researchers from Resecurity identify Digital Smoke, one of the largest investment fraud networks by size and volume of operations created to defraud Internet users from Australia, Canada, China, Colombia, the European Union, India, Singapore, Malaysia, United Arab Emirates, Saudi Arabia, Mexico, the U.S. and other regions.
Investment scam
Individual
CC
>1
Resecurity, Digital Smoke
123
27/02/2023
20/02/2023
20/02/2023
APT-C-36 AKA Blind Eagle
Key industries in Colombia and Ecuador, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.
Researchers from Blackberry discover a new campaign by APT-C-36, where the threat actor impersonated a Colombian government tax agency to target key industries in Colombia.
Targeted Attack
Multiple Industries
CE
CO
EC
APT-C-36, Blind Eagle, Blackberry
124
27/02/2023
14/02/2023
14/02/2023
LockBit 3.0
Pierce Transit
Pierce Transit discloses to have been hit with a LockBit 3.0 ransomware attack.
Malware
Transportation and storage
CC
US
Pierce Transit, LockBit 3.0, ransomware
125
27/02/2023
During December 2022
During December 2022
?
At least 3,000 Texans with Asian surnames
An organized crime group obtains thousands of replacement Texas driver licenses and sends the replacement licenses to Chinese nationals in the country illegally.
Account Takeover
Individual
CC
US
Texas
126
27/02/2023
27/02/2023
27/02/2023
?
Italian Taxpayers
A new campaign targets the Italian taxpayer with fake notifications from the italian Institute for Social Security (INPS)
Account Takeover
Individual
CC
IT
Italian Institute for Social Security, INPS
127
28/02/2023
Between 30/01/2023 and 31/01/2023
07/02/2023
?
Hatch Bank
Hatch Bank, a digital-first bank that provides infrastructure for fintech companies offering their own brand credit cards, confirms that attackers exploited the Fortra’s GoAnywhere CVE-2023-0669 zero-day vulnerability in the company’s internal file transfer software that allowed access to thousands of customer Social Security numbers.
CVE-2023-0669 Vulnerability
Fintech
CC
US
Hatch Bank, Fortra, GoAnywhere, CVE-2023-0669
128
28/02/2023
-
-
Snatch
Ingenico
The Russian ransomware gang Snatch claims to have stolen data from Ingenico, a merchant services technology company based in France.
Two subsidiaries of an Asian conglomerate in the materials and composites sector
Researchers from Symantec/Broadcom discover a new campaign by the Chinese Winnti group targeting two subsidiaries of an Asian conglomerate in the materials and composites sector.
Researchers from Sysdig discover an advanced hacking operation dubbed 'SCARLETEEL' targeting public-facing web apps running in containers to infiltrate cloud services and steal sensitive data.
Misconfiguration
Unknown
CC
N/A
Sysdig, SCARLETEEL
131
28/02/2023
27/02/2023
27/02/2023
?
Users of the Trezor hardware cryptocurrency wallet
An ongoing phishing campaign is pretending to be Trezor data breach notifications attempting to steal a target's cryptocurrency wallet and its assets.
Account Takeover
Fintech
CC
>1
Trezor
132
28/02/2023
Between January and February of 2023
Between January and February of 2023
?
Several law firms
Researchers from eSentire discover a malicious campaign targeting law firms with the GootLoader malware.
Malware
Professional, scientific and technical
CE
N/A
eSentire, GootLoader
133
28/02/2023
Between January and February of 2023
Between January and February of 2023
?
Several law firms
Researchers from eSentire discover a malicious campaign targeting law firms with the SocGholish malware.
Malware
Professional, scientific and technical
CE
N/A
eSentire, SocGholish
134
28/02/2023
'Recently'
'Recently'
Parallax
Multiple organizations
Researchers at Uptycs detect active samples of the Parallax remote access Trojan (RAT) targeting cryptocurrency organizations.
Malware
Fintech
CC
>1
Uptycs, Parallax
135
28/02/2023
-
-
?
Veris Residential
Veris Residential files a notice of data breach following a cybersecurity incident that leaked confidential consumer information.
Unknown
Real estate
CC
US
Veris Residential
136
28/02/2023
-
13/12/2022
?
Compass Behavioral Health
Compass Behavioral Health discloses a data security incident that involved the protected health information (PHI) of 1,064 patients.
Account Takeover
Human health and social work
CC
US
Compass Behavioral Health
137
28/02/2023
Since January 2023
Since January 2023
?
Job seekers
Researchers from Trellix reveal that threat actors are exploiting the ongoing economic downturn by using job-themed phishing and malware campaigns to target job seekers and employers to steal sensitive information and hack company recruiters.
Malware
Individual
CC
>1
Trellix, Job seekers
138
28/02/2023
31/10/2022
31/10/2022
Sour Grapes
Individuals
Researchers from Sophos uncover a scam ring run by Chinese criminals named 'Sour Grapes'
Pig-butchering scam
Individual
CC
>1
Sophos, pig-butchering, Sour Grapes
139
28/02/2023
Since 13/01/2023
-
r3nin
Multiple e-commerce sites
Researchers from Cyble discover R3NIN Sniffer, a ready-to-use toolkit and panel for stealing payment card data from compromised e-commerce websites on sale in a notorious Russian-language cybercrime forum.
Malicious Script injection
Wholesale and retail
CC
>1
Cyble, R3NIN Sniffer
140
28/02/2023
-
27/02/2023
LockBit 3.0
White Settlement Independent School District
LockBit adds White Settlement Independent School District in Texas to their leak site, with a proof pack that suggests that the threat actors were able to access and may have exfiltrated a lot of files.
Malware
Education
CC
US
LockBit 3.0, White Settlement Independent School District, ransomware
141
28/02/2023
-
-
?
Federación de Aseguradores Colombianos (Fasecolda)
The Federación de Aseguradores Colombianos (Fasecolda), an association for Colombian insurers, suffers a cyber attack.
Unknown
Administration and support service
CC
CO
Federación de Aseguradores Colombianos, Fasecolda
142
28/02/2023
06/02/2023
06/02/2023
?
Oregon City
Oregon City discloses to have been hit by a sophisticated ransomware attack.
Malware
Public admin and defence, social security
CC
US
Oregon City, ransomware
143
28/02/2023
During December and January 2022
During December and January 2022
LockBit 3.0
Multiple organizations
Researchers from Fortinet discover a new LockBit ransomware campaign using a combination of techniques effective against AV and EDR solutions.
Malware
Multiple Industries
CC
>1
LockBit, Fortinet
144
28/02/2023
During February 2022
-
Chinese state-sponsored threat actors
Association of Southeast Asian Nations (ASEAN)
Chinese state-sponsored threat actors managed to breach the mail servers operated by the Association of Southeast Asian Nations, stealing a trove of data that may have contained strategic information about the economy and politics of member countries.
Targeted Attack
Extraterritorial orgs and bodies
CE
N/A
Association of Southeast Asian Nations, ASEAN, China
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags