Avantia Threat Update


Updated: Mar 9, 2020


The European Union lobbies for regulation of AI to limit risks; the KeyWe Smart Lock is easily bypassed and cannot be fixed; Hamas hackers try to “seduce” Israeli soldiers with a phone hack; a report identifies ransomware hidden in YouTube videos; a new technique allows ransomware to run undetected; the Australian Signals Directorate flags ‘danger close’ for DDoS attacks on Australian organisations; financial phishing emails grew by 9.5% over the Christmas holiday shopping period; the Greek Government website was ‘nailed’ by a cyber attack; a global facilities maintenance company based in Denmark is slowly recovering from a critical malware attack; and British spies insist tech giants install the means for them to access all encrypted data.


Telecommunications: [467 Hits]

Targets: Virgin Media; Communications & Power Industries Inc; Telus; Koodo Mobile; T-Mobile

Publishing: [431 Hits]

Targets: Virgin Media, Carnival PLC.

Media & Entertainment: [400 Hits]

Targets: Virgin Media, Netflix, Tik Tok Inc, Gawker Media, Spotify.

Internet Service Providers: [399 Hits]

Targets: Virgin Media, Telus, Vodafone.

Internet Hosting: [399 Hits]



The European Union unveiled proposals recently to regulate artificial intelligence that call for strict rules and safeguards on risky applications of the rapidly developing technology. The report is part of the bloc’s wider digital strategy aimed at maintaining its position as the global pacesetter on technological standards. Big tech companies seeking to tap Europe’s vast and lucrative market, including those from the U.S. and China, would have to play by any new rules that come into force. The EU’s executive Commission said it wants to develop a “framework for trustworthy artificial intelligence.” European Commission President Ursula von der Leyen had ordered her top deputies to come up with a coordinated European approach to artificial intelligence and data strategy 100 days after she took office in December. “We will be particularly careful where essential human rights and interests are at stake,” von der Leyen told reporters in Brussels. “Artificial intelligence must serve people, and therefore artificial intelligence must always comply with people’s rights.” EU leaders, keen on establishing “technological sovereignty,” also released a strategy to unlock data from the continent’s businesses and the public sector so it can be harnessed for further innovation in artificial intelligence. Officials in Europe, which doesn’t have any homegrown tech giants, hope to catch up with the U.S. and China by using the bloc’s vast and growing trove of industrial data for what they anticipate is a coming wave of digital transformation. They also warned that even more regulation for foreign tech companies is in store with the upcoming “Digital Services Act,” a sweeping overhaul of how the bloc treats digital companies, including potentially holding them liable for illegal content posted on their platforms.
A steady stream of Silicon Valley tech bosses, including Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai and Microsoft President Brad Smith, have visited Brussels as part of apparent lobbying efforts. “It is not us that need to adapt to today’s platforms. It is the platforms that need to adapt to Europe,” said Thierry Breton, commissioner for the internal market. “That is the message that we delivered to CEOs of these platforms when they come to see us.” If the tech companies aren’t able to build systems “for our people, then we will regulate, and we are ready to do this in the Digital Services Act” he said. The EU’s report said clear rules are needed to address “high-risk AI systems,” such as those in recruitment, healthcare, law enforcement or transport, which should be “transparent, traceable and guarantee human oversight.” Other artificial intelligence systems could come with labels certifying that they are in line with EU standards. Artificial intelligence uses computers to process large sets of data and make decisions without human input. It is used, for example, to trade stocks in financial markets, or, in some countries, to scan faces in crowds to find criminal suspects. While it can be used to improve healthcare, make farming more efficient or combat climate change, it also brings risks. It can be unclear what data artificial intelligence systems work off. Facial recognition systems can be biased against certain social groups, for example. There are also concerns about privacy and the use of the technology for criminal purposes, the report said. Human-centered guidelines for artificial intelligence are essential because “none of the positive things will be achieved if we distrust the technology,” said Margrethe Vestager, the executive vice president overseeing the EU’s digital strategy. 
Under the proposals, which are open for public consultation until May 19, EU authorities want to be able to test and certify the data used by the algorithms that power artificial intelligence in the same way they check cosmetics, cars and toys. It’s important to use unbiased data to train high-risk artificial intelligence systems so they can avoid discrimination, the commission said. Specifically, AI systems could be required to use data reflecting gender, ethnicity and “other possible grounds of prohibited discrimination.” Other ideas include preserving data to help trace any problems and having AI systems clearly spell out their capabilities and limitations. Users should be told when they’re interacting with a machine and not a human, while humans should be in charge of the system and have the final say on decisions such as rejecting an application for welfare benefits, the report said. EU leaders said they also wanted to open a debate on when to allow facial recognition in remote identification systems, which are used to scan crowds and check people’s faces against those on a database. It’s considered the “most intrusive form” of the technology and is prohibited in the EU except in special cases.


Finnish security house F-Secure revealed a vulnerability in the KeyWe Smart Lock that could let a sticky-fingered miscreant easily bypass it. To add insult to injury, the device's firmware cannot be upgraded either locally or remotely. This means the only way to conclusively remediate this problem is to rip the damned things from your door and replace them with a bog-standard lock. The KeyWe Smart Lock is primarily used in private dwellings, and retails for circa $155 on Amazon. It allows users to unlock their doors through a traditional metal key, via a mobile app, or with Amazon Alexa. Its Achilles' heel is what F-Secure describes as "improperly designed communications protocols". These allowed the firm to intercept the secret passphrase as it was transmitted from the smartphone to the lock, using just a $10 BLE sniffer and Wireshark. The KeyWe Smart Lock uses AES-128 to communicate with the mobile app. However, the communication channel uses only two factors to generate that encrypted channel: a common key and a separate key calculation process. Both of these are trivial to overcome. F-Secure's Krzysztof Marciniak said: "The KeyWe Smart Lock uses Bluetooth Low Energy, which is based on the concept of advertisements. These contain information about device capabilities, the device name, and the device [MAC] address. It's from this address the common key is generated." F-Secure also figured out how to yank the key-calculation process from the mobile application, rendering the second factor redundant. With the KeyWe's encryption rendered null and void, an attacker would merely have to identify a property using the lock, then wait for someone to come and unlock the door. They would then be able to intercept the passcode in transit and use it to break into the property. Arguably, the biggest issue here isn't that the KeyWe had a glaring design flaw, but rather that it's impossible to remediate.
As with any tech product, one can assume that eventually someone will identify a security issue that needs fixing. Having no means to actually do so is... well... rather bad.
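The design point F-Secure is making is that a key computed from data the device broadcasts (its BLE address) plus a procedure that ships inside the app is, in effect, a public value. The Python below is an added illustration, not F-Secure's research code and not KeyWe's real derivation routine: a constructed toy "common key" derived from a broadcast address and an app constant, which a passive sniffer reproduces exactly, beside an ephemeral Diffie-Hellman exchange over RFC 3526 group 14, where the same sniffer captures both public values and still cannot compute the session key. The BLE address and the app constant are constructed for the example.

```python
import hashlib
import secrets

# --- Toy model of the weak design class: key derived from public inputs ---
# Constructed stand-in, not KeyWe's actual routine. APP_CONSTANT models the
# key-calculation procedure that F-Secure extracted from the mobile application.
APP_CONSTANT = b"constructed-app-constant"


def key_from_advertised_address(ble_address: bytes) -> bytes:
    """Derive a 128-bit key from the address broadcast in BLE advertisements.

    Every input is either broadcast in the clear or recoverable from the app,
    so a passive sniffer holding the same inputs computes the identical key."""
    return hashlib.sha256(APP_CONSTANT + ble_address).digest()[:16]


# --- Contrast: ephemeral Diffie-Hellman over RFC 3526 group 14 (2048-bit MODP) ---
# Standard group with generator 2, chosen so the example needs only the standard library.
MODP_2048 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
GENERATOR = 2


def dh_keypair() -> tuple:
    """Fresh private exponent and the public value that is sent over the air."""
    private = secrets.randbits(256)
    return private, pow(GENERATOR, private, MODP_2048)


def dh_session_key(private: int, peer_public: int) -> bytes:
    """128-bit session key derived from the shared DH secret."""
    shared = pow(peer_public, private, MODP_2048)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()[:16]


def simulate(ble_address: bytes = bytes.fromhex("001122334455")) -> dict:
    """Run both designs against a passive sniffer that sees everything sent over the air."""
    # Weak design: the sniffer needs only the advertisement and the app's procedure.
    lock_key = key_from_advertised_address(ble_address)
    sniffer_key = key_from_advertised_address(ble_address)

    # DH design: the sniffer captures both public values but neither private exponent.
    lock_priv, lock_pub = dh_keypair()
    phone_priv, phone_pub = dh_keypair()
    lock_session = dh_session_key(lock_priv, phone_pub)
    phone_session = dh_session_key(phone_priv, lock_pub)
    # What the observer can compute from captured values alone; shown only to make
    # the point that the over-the-air material does not yield the session key.
    sniffer_attempt = hashlib.sha256(
        (lock_pub * phone_pub % MODP_2048).to_bytes(256, "big")).digest()[:16]

    return {
        "weak_key_recovered_by_sniffer": sniffer_key == lock_key,
        "dh_endpoints_agree": lock_session == phone_session,
        "dh_key_recovered_by_sniffer": sniffer_attempt == lock_session,
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The Diffie-Hellman half only shows resistance to a passive sniffer; an unauthenticated exchange can still be intercepted by an active party substituting its own public values, so a real pairing design also needs authentication of the exchange (for example, an out-of-band or passkey confirmation step). The lesson the KeyWe case carries is narrower: a link key must never be a deterministic function of values the device broadcasts.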


The Israeli military said it has thwarted a recent attempt by the Hamas militant group to hack soldiers’ phones by posing as young, attractive women on social media, striking up friendships and persuading them into downloading malware. Lt. Col. Jonathan Conricus told reporters that the phones of dozens of soldiers had been infected in recent months, although he said the army detected the scam early on and prevented any major secrets from reaching the Islamic militant group. “We do not assess there is any significant breach of information,” the military spokesman said. Conricus said this was the third attempt by Hamas to target male soldiers through fake social media accounts, most recently in July 2018. But he said this latest attempt was by far the most sophisticated. He said Hamas used a number of social media platforms, including WhatsApp, Facebook, Instagram and Telegram, to make contact with unsuspecting soldiers. Posing as young women on social media, the group struck up friendships with the soldiers, sending photos, texts and voice messages to them. The “women” claimed to be new immigrants to explain their poor Hebrew, and even claimed to be deaf or hard of hearing as an excuse for texting instead of speaking directly on the phone, Conricus said. The profiles appeared on multiple platforms, and he said the photos were disguised to make it difficult to “reverse track” them, giving the accounts additional authenticity. “We see that the level of social engineering is much higher and much more advanced and sophisticated when compared to previous attempts done by Hamas,” he said. “We see that they’re of course learning and upping their game.” Eventually, they sent the soldiers links to “seduce” them into downloading what they said was a Snapchat-like app to exchange photos that could quickly disappear, Conricus said.
In reality, the links were to three malware programs, Catch&See, ZatuApp and GrixyApp, that allowed Hamas to gain access to the soldiers’ phones. He said it was “very clear” that Hamas was behind the effort. He said the malware linked to known Hamas servers and at least one of the profiles had been used in a previous Hamas scam. There was no immediate comment from Hamas. Conricus declined to say how many soldiers had been targeted, but he said that dozens had downloaded the malware. He said soldiers had reported the suspicious activity relatively early on, allowing the army and the Shin Bet internal security service to monitor their phones. It is now in the process of removing the malware, he said. Israel and Hamas, an Islamic movement that seeks Israel’s destruction, are bitter enemies that have fought three wars and numerous skirmishes since the group seized control of the Gaza Strip in 2007. The enemy sides have been holding indirect talks through Arab and U.N. mediators aimed at reaching a long-term truce under which Israel would ease a blockade on the Gaza Strip in exchange for Hamas assurances to maintain quiet.


Every day, there’s a report detailing how ransomware is affecting the world. The attackers are also getting innovative in their attacks. Recently, cybersecurity firm ESET published an account about the Stantinko botnet (a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g. to send spam), a popular mining malware that is now using YouTube pages to spread ransomware. According to the report, the botnet, which has been operating since about 2012, has now affected up to half a million computers. Its primary targets are located in Russia, Ukraine, Belarus, and Kazakhstan. The malware operates a simple cryptojacking operation, although this time it distributes a Monero-mining virus through pages on YouTube. Crypto hackers use code to steal processing resources from unsuspecting users, disguising their nefarious activity with other processes and using the computer’s computing power to mine cryptocurrencies. ESET claimed that it had informed YouTube about the bot, and that all channels which contain traces of the Stantinko code have been removed from the platform. Malware has been in rampant operation so far, as cryptocurrencies have been a particular target of attackers across the world. While ransomware operators prefer to get paid in crypto before releasing the data of their victims, cryptojackers just go for the jugular, using a network of computers to mine their favorite crypto assets and profiting off the resources owned by others. In late 2019, the Microsoft Defender ATP research team shared insights on a new form of crypto-stealing malware which, as they estimated, had infected almost 80,000 computers. The malware, which they called Dexphot, has reportedly been in operation since October 2018. The code hijacks processes to disguise its activity, and when ks trigger the re-infection.
“Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers,” the report states. The attacks have gotten so sophisticated that they now target the cryptocurrencies at source. A Reddit post published by the Monero development team revealed that the software available for download on the project’s official website had been retrofitted to steal currency. Per the post, the Command Line Interface tools available there had been compromised: the team discovered that the hash of the binaries available for download didn’t match the expected hashes. Government agencies in Finland are getting proactive in their fight against ransomware. Earlier this month, a government agency beefed up security across its network of systems in preparation for an attack.
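The Monero incident was caught because someone compared the hash of the downloaded binary with the published one. As an added example (not the Monero project's own tooling), the Python below parses a manifest in the `sha256sum` output format, hashes each downloaded file and reports a per-file verdict; the binaries, their names and the manifest are constructed here, and the manifest's digests are computed from the genuine sample builds so the check runs offline. In practice the manifest must come from a channel separate from the download server, ideally signed, or a server compromise simply replaces both.

```python
import hashlib
import hmac


def parse_sha256sums(text: str) -> dict:
    """Parse a manifest in `sha256sum` output format: "<64 hex chars>  <filename>" per line.

    A leading '*' on the filename (sha256sum's binary-mode marker) is stripped.
    Malformed lines raise rather than being skipped, so a damaged manifest is noticed."""
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts
        int(digest, 16)  # raises ValueError if the digest is not hexadecimal
        manifest[name.lstrip("*")] = digest.lower()
    return manifest


def verify_downloads(downloads: dict, manifest: dict) -> dict:
    """Compare each downloaded file's SHA-256 with the published value.

    Returns "ok", "MISMATCH" or "NOT IN MANIFEST" per file name. A file absent from the
    manifest is reported rather than silently accepted."""
    results = {}
    for name, data in downloads.items():
        expected = manifest.get(name)
        if expected is None:
            results[name] = "NOT IN MANIFEST"
            continue
        actual = hashlib.sha256(data).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


# --- Constructed sample data standing in for real release files ---
GENUINE_CLI = b"\x7fELF-constructed-genuine-cli-build"
TROJANISED_CLI = GENUINE_CLI + b"-plus-constructed-wallet-stealer"
GENUINE_GUI = b"\x7fELF-constructed-genuine-gui-build"

# The manifest models what the project publishes out of band. Its digests are computed
# from the genuine sample builds above; the file names are illustrative.
PUBLISHED_MANIFEST = "\n".join([
    "# release hashes (constructed for this example)",
    f"{hashlib.sha256(GENUINE_CLI).hexdigest()}  monero-wallet-cli",
    f"{hashlib.sha256(GENUINE_GUI).hexdigest()}  *monero-wallet-gui",
])


def run_check() -> dict:
    """Verify a download set in which the CLI binary was swapped on the server."""
    downloads = {
        "monero-wallet-cli": TROJANISED_CLI,   # what the download server actually served
        "monero-wallet-gui": GENUINE_GUI,
        "README.txt": b"constructed extra file with no published hash",
    }
    return verify_downloads(downloads, parse_sha256sums(PUBLISHED_MANIFEST))


if __name__ == "__main__":
    for name, status in run_check().items():
        print(f"{name}: {status}")
```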


A recently discovered technique allows ransomware to encrypt files on Windows-based systems without being detected by existing anti-ransomware products, Nyotron security researchers warn. Dubbed RIPlace, the technique allows malware to bypass defenses using the legacy file system "rename" operation, and the security researchers say it is effective even against systems that are patched in a timely manner and run modern antivirus solutions. RIPlace, the researchers say, can be used to alter files on any computer running Windows XP or a newer version of Microsoft’s operating system. In a detailed report covering the findings, the researchers note that most ransomware operates by opening and reading the original file, encrypting the content in memory, and then destroying the original file in one of three ways: writing the encrypted content back over it; saving the encrypted file and then erasing the original; or saving the encrypted file and then using Rename to replace the original. When a Rename request is called, the filter driver gets a callback. What the researchers discovered was that, if DefineDosDevice (a legacy function that creates a symlink) is called before Rename, one can pass an arbitrary name as the device name, along with the original file path as the target it points to. The issue, they explain, is that the filter driver's callback function “fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation.” Although an error is returned when passing a DosDevice path, the Rename call succeeds. “Using this technique, it is possible to maliciously encrypt files and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback. We believe that malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products,” the researchers explain.
The researchers discovered the technique in spring 2019 and have been in contact with Microsoft, security vendors, and law enforcement and regulatory authorities. Unfortunately, they say only a handful of security vendors have acknowledged a fix, despite dozens being impacted. Nyotron published two videos demonstrating how RIPlace can bypass Symantec Endpoint Protection (SEP) and Microsoft Defender Antivirus (Defender AV), and also released a free tool that allows anyone to test their system and security products against the RIPlace evasion technique.
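The defensive point in the Nyotron description is how a filter callback handles the error from destination-path resolution: if an unresolved destination is treated as "nothing to protect", the rename goes through. The Python below is an added, constructed model of that callback logic, not Nyotron's tool and not Windows minifilter code: `filter_resolve` stands in for the filter's parser that fails on a `\??\NAME` path, `os_resolve` for the operating system's own resolution through a DOS-device table populated beforehand (modelling DefineDosDevice), and the two callbacks differ only in what they do when resolution fails. The paths, the alias name and the protected-extension policy are all constructed.

```python
# Constructed model of a rename-interception filter; no Windows APIs are involved.

PROTECTED_SUFFIXES = (".docx", ".xlsx", ".pdf")   # constructed policy: user documents


class DestinationUnresolved(Exception):
    """Stands in for the error the filter's path-resolution routine returns when it
    cannot parse the rename destination."""


def is_protected(path: str) -> bool:
    return path.lower().endswith(PROTECTED_SUFFIXES)


def filter_resolve(dest: str) -> str:
    """The filter's destination parser in this model: it accepts plain paths and fails on
    a '\\??\\NAME' DOS-device path, mirroring the behaviour the report describes."""
    if dest.startswith("\\??\\"):
        raise DestinationUnresolved(dest)
    return dest


def os_resolve(dest: str, dos_devices: dict) -> str:
    """The operating system's view: a '\\??\\NAME' path is mapped through the DOS-device
    table created earlier (modelled DefineDosDevice), so the rename itself succeeds."""
    if dest.startswith("\\??\\"):
        return dos_devices[dest[4:]]
    return dest


def lenient_callback(dest: str) -> str:
    """Weak handling: a parse error is treated as 'no protected file involved'."""
    try:
        target = filter_resolve(dest)
    except DestinationUnresolved:
        return "allow"
    return "deny" if is_protected(target) else "allow"


def fail_closed_callback(dest: str) -> str:
    """Hardened handling: a destination the filter cannot resolve is refused outright."""
    try:
        target = filter_resolve(dest)
    except DestinationUnresolved:
        return "deny"
    return "deny" if is_protected(target) else "allow"


def attempt_rename(callback, dest: str, dos_devices: dict) -> str:
    """Apply the filter decision, then perform the rename the way the OS would if allowed."""
    if callback(dest) == "deny":
        return "blocked"
    return f"overwrote {os_resolve(dest, dos_devices)}"


def demo(callback) -> dict:
    """Constructed scenario: an encrypted temporary file is renamed over a document,
    first via its plain path and then via a DOS-device alias created beforehand."""
    document = "C:\\Users\\alice\\report.docx"
    dos_devices = {"alias1": document}     # modelled DefineDosDevice("alias1", document)
    return {
        "plain_path": attempt_rename(callback, document, dos_devices),
        "dos_device_path": attempt_rename(callback, "\\??\\alias1", dos_devices),
    }


if __name__ == "__main__":
    print("lenient:    ", demo(lenient_callback))
    print("fail-closed:", demo(fail_closed_callback))
```

Failing closed is the minimal fix a product can ship quickly; the more complete one is to resolve the destination the same way the file system will, so that the filter's decision is made on the real target path rather than on the string it was handed. Either way, an error from the resolution routine must never be read as "safe".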




The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) is aware of a number of Denial of Service (DoS) threats for ransomware being made against Australian Organisations, primarily in the banking and finance sector.

(A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilising multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT (Internet of Things) devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.)

The ACSC cannot positively verify the legitimacy of any threats made by the malicious actor. However, the ACSC has received no reports of the threats eventuating in DoS form and is aware of a number of DoS threats made in the past against Australian organisations that did not eventuate.

What you need to do

Preparing for any DoS attack before it occurs is by far the best strategy, as this sort of incident can be very difficult to respond to once the attack begins. Well prepared organisations should be able to operate effectively despite these threats and any potential DoS. We strongly recommend organisations review the ACSC publication:

Preparing for and Responding to Denial-of-Service Attacks

If your organisation is affected by a DoS attack, the ACSC recommends:

1. Talking to your service provider(s) about their ability to immediately implement any responsive actions.

2. Blocking the offending IP address(es).

3. Temporarily transferring online services to cloud-based hosting with high bandwidth and content delivery networks that cache non-dynamic websites.

4. Preferably using multiple major cloud service providers to obtain redundancy.

5. Engaging a DoS attack mitigation service for the duration of the incident.



Kaspersky researchers detected a 9.5% growth in financial phishing in the final quarter of 2019, with holiday-season spam and scam activity also growing in numbers and variety. The last quarter of the year is a fruitful time for cybercriminals, who prey on shoppers rushing to get a good deal ahead of the holidays. Now that the season is over, analysis of the threat landscape during the period provides a better understanding of changes in fraudulent activities. In 2019, the share of financial phishing continued to grow, surpassing half (52.61%) of all phishing attempts in Q4. Phishing remains an effective way to lure users into handing over their personal data and credit card credentials. Popular brands are most often used as bait. One of the examples discovered by Kaspersky was a fake Amazon page, offering users Christmas promotions so criminals could steal their Amazon Prime credentials. Such scams often prove effective. The analysis of phishing activity using the eBay and Alibaba brand names as bait showed significant growth just before big shopping holidays. Just a few days before Black Friday sales, the number of users trying to access eBay phishing pages grew four-fold, reaching over 8,000 attempts daily. These high levels of visits were maintained until mid-December, with an additional peak a week before Christmas. A similar pattern was seen with phishing versions of the Alibaba website.

[Figure: The number of blocked attempts to visit phishing versions of eBay (left) and Alibaba (right) by Kaspersky users]

Spam emails also showed slight growth in the holiday season, as well as a significant diversification in topics. Criminal schemes varied from promises of Christmas donations, to scams with attempts to steal cryptocurrency, to malicious emails sent to organizations as fake urgent Christmas orders. Such holiday-related scams and spam emails are not exclusive to the Christmas season alone. Users in South East Asia also received typical “gift offers,” but instead tied to Lunar New Year.

“The holiday season is a time for impulse purchases and rash decisions,” said Tatyana Sidorina, security analyst at Kaspersky. “Pressure to get a good deal or buy presents can mean that users are distracted, making it easier for cybercriminals to take advantage of them. Of course, this does not mean that anyone should abstain from shopping ahead of the holidays – users just need to pay extra attention to their credit card payments. It is possible that a subscription or a delayed charge for a present for friends or family could turn out to be fraudulent, as criminals often do not use stolen data straight away.” To stay safe from spam and phishing, Kaspersky recommends:

1. If you receive a link to a great offer via email, make sure to check the embedded hyperlink; sometimes it may differ from the visible one. If it does, access the deal page directly through the legitimate website.

2. Only make purchases through official marketplaces and pay attention to the web addresses if you are redirected to them from other landing pages. If they differ from the official retailer, consider checking the offer you were redirected to by looking for it on the official web page.

3. Use a security solution with behavior-based anti-phishing technologies, which will notify you if you are trying to visit a phishing web page.

4. Never use the same password for several websites or services, because if one is stolen, all your accounts will be made vulnerable. To create strong passwords without having the struggle of remembering them, use password managers.
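The first recommendation above, checking that the embedded hyperlink matches the visible one, is mechanical enough to automate on a mail gateway or in a triage script. The Python below is an added example, not Kaspersky's code: it collects every anchor from an HTML message body, extracts any hostname shown in the link text, and flags links whose real host (after stripping any `user@` prefix in the URL authority) belongs to a different registrable domain, as well as links that carry such a prefix at all. The sample message, its domains and the `.example` hosts are constructed; the registrable-domain helper is a simplification that a production version would replace with a Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only collect text while inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


# A hostname-looking token inside the visible link text, e.g. "www.amazon.com/deals".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplified: real code should consult the Public
    Suffix List so that names such as 'example.co.uk' are grouped correctly."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html: str) -> list:
    """Flag links whose visible text names one site while the href leads to another,
    and links that hide the real host behind an '@' in the URL authority."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        real_host = parts.hostname or ""      # hostname excludes any user@ prefix
        reasons = []
        if "@" in parts.netloc:
            reasons.append(f"userinfo in URL authority; real host is {real_host}")
        shown = HOST_IN_TEXT.search(text)
        if shown and real_host and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {real_host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message; the hosts under .example are placeholders.
SAMPLE_EMAIL = """
<html><body>
<p>Holiday offers from <a href="https://www.amazon.com/">amazon.com</a></p>
<p><a href="http://amazon-prime-deals.example/login">www.amazon.com/deals</a> - 70% off Prime</p>
<p><a href="http://www.amazon.com@account-verify.example/">Claim your voucher</a></p>
<p><a href="https://www.amazon.com/gp/help">Help</a></p>
</body></html>
"""


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The two checks are deliberately narrow: text that merely mentions a brand name without a hostname is not compared, because that decision needs a brand list and produces false positives on legitimate newsletters. What the script does catch is exactly the case the recommendation describes, a visible address that differs from the one the link actually opens.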


The Greek government said Friday that the official state websites of the prime minister, the national police and fire service and several important ministries were briefly disabled by a cyberattack but have been restored. Government spokesman Stelios Petsas said early Friday that the distributed denial-of-service or DDoS attack “led to the malfunction of certain websites.” He said “countermeasures” had been successfully implemented, but gave no further details. Along with the prime minister’s website, targets in the attack late Thursday included the websites of the ministries of public order, interior, foreign affairs, and merchant marine, as well as the Greek Police and Fire Service. It was the second cyberattack against government websites in less than a week. Responsibility for the first attack was claimed in an online post by a group of hackers who purported to be from Turkey. Greek officials have not commented on whether they consider that claim to be true.


ISS World, a global facilities maintenance company based in Denmark, says it's gradually restoring its systems after a malware attack on Monday. The company, which provides facilities management, catering, security and other property-related services, has more than 500,000 employees worldwide. ISS World says the "root cause" of the attack has been identified. But the company didn't say if the attack was caused by ransomware, the file-encrypting malware that is frequently the cause of public announcements of system shutdowns. U.K.-based security researcher Kevin Beaumont tweeted on Thursday, however, that ISS World has "informed business partners it is ransomware." The company says it's working with forensic experts, its hosting provider and an external task force to restore its systems. "Certain systems have already been restored," the company says in a statement. "There is no indication that any customer data has been compromised." A U.K.-based publication, This Week in Facilities Management, reports that 43,000 of ISS World's employees had no access to operational systems, including 4,000 employees in the U.K. But ISS World says most of its work is performed on customers' sites, and it is relying on its business continuity plans to continue operating. "The nature of our business is to deliver services on customer sites mainly through our people, and as such, we continue our service delivery to customers while implementing our business continuity plans," ISS World says. "Our priority is to ensure limited or no disruption while we fully restore all systems. We are currently estimating when IT systems will be fully restored and are assessing any potential financial impact. Security, in all its forms, is a top priority for ISS, and we remain committed to protecting the integrity of our systems." ISS World's description of the attack would fit the profile of a ransomware strike.
But it's common for organizations to at least initially not specify that the malware used in an attack is ransomware. Beaumont tweets that it's possible ISS World was affected by the REvil ransomware, also known as Sodinokibi.

Mursch told Information Security Media Group that the flaw could be used to get a foothold into a network behind a VPN. Bad Packets used data from the search engine BinaryEdge on Jan. 11 to scan potentially vulnerable Citrix endpoints. Bad Packets found more than 25,000 unique IPv4 hosts that were vulnerable. Included in that batch was a Citrix endpoint belonging to ISS World, Mursch says.

An embedded tweet reads: "ISS World have been offline since last week. No websites, no webapps, no email. About half a million employees, ~10bn revenue. Website says malware is on their systems."

Mursch says the scans on Jan. 31 showed that ISS World had patched a vulnerable server. Mursch says it's not possible to say whether that vulnerability led to a ransomware infection, but a forensic examination could give an answer. Ransomware attackers have been using the Citrix vulnerability. FireEye writes in a blog post that it noticed attackers were using the Citrix flaw to install coin miners, a malware program called NOTROBIN, as well as ransomware.



British Spies want power to access encrypted data.

British spies are once again stipulating that tech companies break their encryption so life is made easier for state-sponsored eavesdroppers. The head of the domestic spy agency, Sir Andrew Parker, demanded that companies such as Facebook compromise the security of their messaging products so spies could read off the contents of messages at will.

Although Sir Andrew linked this need to serious crimes such as terrorism, the principle of a technical backdoor is that once open to spies, it's open to anyone who knows it exists. Calling the world of encrypted messaging apps a "Wild West" that is "inaccessible to authorities", Sir Andrew told ITV in a pre-recorded interview: "Can you provide end-to-end encryption but on an exceptional basis – exceptional basis – where there is a legal warrant and a compelling case to do it, provide access to stop the most serious forms of harm happening?"

In the interview, summarised by ITV itself as well as other news outlets, Sir Andrew also claimed that MI5 is not interested in the products of dragnet mass surveillance. He told the broadcaster: "We do not approach our work by population level monitoring – looking for, you know, signs of: 'Out of this 65 million people, who should we, you know, look a bit more closely at?' We do not do that."

On a technicality, he may be right: that role is mainly reserved for GCHQ, which does the dirty work of automated spying on the entire population of Britain, as the Snowden revelations confirmed in 2013. Having "collected" everyone's online conversations and trawled through them for snippets of interest, GCHQ passes the highlights to MI5 and overseas UK spy agency MI6.

The tension between frictionless reading of criminal suspects' messages and protection of freedoms in the digital era is one where the English-speaking world outside the US has become angrier and angrier with American tech firms, which politely refuse to compromise their products. In Australia this public sector anger boiled over into outright denial of mathematics, with technically illiterate politicians convincing themselves that shouting "Make it so", Star Trek-style, can create a technical means of letting police and spies read your messages whilst shutting out everyone else.

Current UK home secretary Priti Patel is firmly anti-encryption, with the social conservative having banged on about paedoterrorists shortly after her appointment last summer.

A GCHQ plan to silently add the government as an authorised "third user" to online conversations, whose sole merit was that some actual thought and technical knowhow had been put into it, was dismissed last year by an international coalition of tech companies and big infosec names. The main tension between privacy activists and state security agencies is that the latter prefer the ease of dragnet surveillance over applying for judicial permission to target individuals on a case-by-case basis. Privacy activists say a lack of per-case controls leads to innocents being wrongly caught up in surveillance.

MI5 was found by a secretive British spy court in 2018 to have been breaking the law for years. Thanks to the unique way in which MI5 is subject to the law, neither the agency nor any individuals associated with it were held accountable. The Investigatory Powers Tribunal's (IPT) judges were all but falling over themselves to tell MI5 it would be walking free from court.

A year later the same court granted MI5 de facto immunity from the law, presumably to apologise for its previous public ruling. Judges drew a line between a newly devised legal "power" to commit crimes in direct defiance of the law and "immunity from prosecution." Apparently one doesn't equal the other, though even the IPT was too embarrassed to explain in its published judgment why that is.

Sir Andrew is stepping down in April, along with National Cyber Security Centre founding chief Ciaran Martin, whose service ends at some point this summer. Both their replacements will be appointed by the current government.




Avantia Corporate Services Pty Ltd T/A Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach and cyber security information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.

*COPYRIGHT 2020* Avantia Corporate Services - All Rights Reserved.

