  • Avantia Threat Update


Chinese companies abroad forced to SPY by Government Legislation.

This past week reveals how Chinese cyber legislation affects Chinese companies abroad, ransomware shuts down a food bank, Canadian patient data is leaked via an employee’s email and Australian universities get schooled on cybersecurity.

This Past Week’s Top Dark Web Compromises:

Top Source Hits: ID Theft Forums

Top Compromise Type: Domain

Top Industry: Finance & Insurance

Top Employee Count: 51 - 100 Employees

This Past Week’s Top Targeted Industries:

Finance Hits: 125 | Targets: PayPal, Western Union, National Bank, Equifax Inc, National Bank of Ukraine

Software Hits: 90 | Targets: Google, BitDefender, Evite, Yahoo, Facebook

Information Technology Hits: 66 | Targets: Google, Sony Corp, Yahoo, Netflix, Facebook

eCommerce Hits: 52 | Targets: PayPal, eBay Inc, Shopify, Amazon

Banking Hits: 40 | Targets: National Bank, National Bank of Ukraine, U.S. Bancorp, JPMorgan Chase & Co., Lloyds Banking Group PLC

This Past Week’s Top Threat Actors:

Hezbollah Hits: 38 | Targets: Israel, Syria, Lebanon, Iran, United States

Inj3ct0r Team Hits: 28 | Targets: WordPress, Joomla, Twitter, Apache HTTP Server, SCADA and ICS Products and Technologies

XENOTIME Hits: 17 | Targets: Saudi Arabia, United States, U.S. Power Grid, Critical infrastructure systems, Industrial Control Systems

FIN8 Hits: 7 | Targets: POS devices, US Hotel, United States, InfoSec, MorphiSec

Lazarus Group Hits: 6 | Targets: Sony Corp, South Korea, Cryptocurrency, United States, Bitcoin

This Past Week’s Top Malware Exploitations:

CryptoTrojan Hits: 101 | Targets: Coin

GandCrab Hits: 84 | Targets: Microsoft Office Word, Italy, Syria, Russia, Microsoft Windows

UPATRE Hits: 30 | Targets: University of Florida, Personal Computer, Microsoft Windows, Microsoft Windows Xp, Application Compatibility Database Installer

Emotet Hits: 29 | Targets: Germany, United Kingdom, Banking, Microsoft Windows, United States

Pegasus Hits: 24 | Targets: Apple Mac Os X, Mexico, Android, Apple iPhone, iOS



China’s National Intelligence Law: impact on Chinese companies abroad.

Dr. Gu Bin, of Beijing Foreign Studies University, says that Article 7 of China’s National Intelligence Law is often misunderstood: whilst it does oblige Chinese citizens to support national intelligence work, it does not authorise pre-emptive spying, because national intelligence work must be defensive in nature. Dr. Murray Scot Tanner, a leading CCP (Community Custody Program) law professor, writing in ‘Lawfare’ shortly after the law came into effect, disagrees with the characterisation of the law as merely a “defensive” measure. Tanner lays out the case that the National Intelligence Law is designed to turn a Chinese citizen’s “legal obligations from intelligence ‘defence’ to ‘offense’…” He writes:

The Chinese National Intelligence Law… repeatedly obliges individuals, organizations, and institutions to assist Public Security and State Security officials in carrying out a wide array of ‘intelligence’ work. Article Seven stipulates that “any organization or citizen shall support, assist, and cooperate with state intelligence work according to law.”

Article 14, in turn, grants intelligence agencies authority to insist on this support: “state intelligence work organs, when legally carrying forth intelligence work, may demand that concerned organs, organizations, or citizens provide needed support, assistance, and cooperation.”

When discussing the implications of such a law in China, historical context should not be forgotten or ignored. Chinese citizens have been encouraged and even coerced to inform on each other in the recent past – with devastating results. In 1966, Mao Zedong launched the Cultural Revolution, which “lighted the flames…to purge his opponents and preserve the ‘true’ communist ideology,” wrote Dr. Zhou Zehao in 2016. Marking the 50-year anniversary of the beginning of the movement that would effectively erase Chinese culture from the People’s Republic of China, Zhou poignantly describes his and his family’s suffering at the hands of the Red Guards who terrorized the nation, all the while exhorted and encouraged to do so by Mao. Fast forward five decades, and China has moved to more formal instruments of control: written measures now define the Chinese state and its relationship to its people. Xi Jinping is often heralded as the most powerful Chinese leader since Mao. Certainly, no leader since Mao has more adamantly called for a return to fundamental communist principles, practices, and persuasions. Mao was able to induce the Chinese population to spy and inform on itself with just a few spoken words. Xi has used legislation and regulations to place a similar obligation not only upon Chinese citizens, but upon companies and other entities as well.

It can be argued that, whether the law is defensive in purpose, as Gu argues, or offensive, as Tanner suggests, the legal obligation on Chinese citizens to act as informants in the name of national security poses a greater risk to Chinese society and Chinese companies than the danger the law is attempting to minimise, given history and human tendencies.

Millions of Devices Exposed to Attacks Due to Flaw in PC-Doctor Software

More than 100 million computers from Dell and other vendors may have been exposed to attack due to a serious vulnerability in software made by hardware diagnostic tools provider PC-Doctor. Researchers at cybersecurity firm SafeBreach discovered that the Dell SupportAssist software preinstalled on most Dell PCs was affected by a hijacking vulnerability that could have been exploited by an attacker with regular user permissions to execute code with elevated privileges by planting specially crafted files in specific locations. SupportAssist is designed to check the health of a system, including software and hardware. These checks require elevated privileges, so many of the associated services run with SYSTEM permissions. “The vulnerability gives attackers the ability to load and execute malicious payloads by a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion,” SafeBreach said in a blog post.

SafeBreach reported its findings to Dell in late April. Dell confirmed the vulnerability roughly one week later, but pointed out that it was not specific to its software and instead exists in a SupportAssist component provided by PC-Doctor. Dell patched the vulnerability in late May with the release of SupportAssist for Business 2.0.1 and SupportAssist for Home PCs 3.2.2. The company said the vast majority of its users received the updates automatically; SupportAssist has automatic updates enabled by default. On its website, PC-Doctor says its PC-Doctor for Windows tool is preloaded on over 100 million computers worldwide. PC-Doctor has yet to publish an advisory for this flaw.

This is not the first time a researcher has found a vulnerability in Dell SupportAssist caused by a PC-Doctor driver. A researcher last year disclosed another privilege escalation flaw caused by PC-Doctor software, and in late April an expert reported identifying a SupportAssist weakness that could have been used for code execution.

Freaking out about IoT exploits? Maybe change that default password first?

While journalists worry about criminals and spies using sophisticated cyber-weapons to hijack Internet of Things devices, basic security protections are being overlooked – and pose a far greater threat. Miscreants targeting internet-connected devices, especially those found in homes and small offices, won't need special exploits leveraging code vulnerabilities to break in, because the username and password "admin" will typically get them just as far. That's according to eggheads at Stanford University and the University of Illinois at Urbana-Champaign in the US, and Avast Software in the Czech Republic. They've concluded IoT security is so completely devoid of basic protections that in many cases an attacker would not even need to resort to malware or complex exploits to compromise a device or network. For an academic study, the team collected telemetry from 83 million devices via home network scans of 16 million Avast customer volunteers, and found that basic security measures, such as strong passwords or non-default credentials, were nowhere to be found. For example, the study, due to be presented at this summer's Usenix security symposium, noted that 30 per cent of TP-Link routers encountered during the research had an open HTTP port on the local network and used the default admin/admin username-password combination. The researchers also found that 14.6 per cent of all routers had either FTP or Telnet services open, and many of those also used passwords that would be trivial to guess. At the same time, media coverage and infosec vendors' marketing hype push the idea that sophisticated exploits and hidden firmware vulnerabilities are the big threats, rather than insecure out-of-the-box configurations and default login credentials. "What we see coverage of are these shiny exploits that go after devices that no one has, no one cares about, that are never going to be used," said Zakir Durumeric, an assistant professor at Stanford and co-author of the report.
"We should be terrified about the fact that half of these routers have guessable passwords and that there's no security precautions really sitting between any of these infected machines and these devices." Durumeric went on to note that further danger is posed by many IoT devices continuing to use ancient protocols like FTP and Telnet for their communications, rather than more secure methods of transmission. This is compounded by the use of weak credentials on those connections – for example 9.3 per cent of TP-Link routers studied had an FTP port open to the internet, with 55 per cent also using a weak password. "We have seen these very old protocols make a return, FTP had been deprecated and these other protocols like telnet have unquestionably been abdicated. There are much more secure protocols that are used today on normal computers," he said. "It has not been a priority for these devices to use these more secure protocols." Fortunately, Durumeric noted, the study also found reason to believe that tackling the issue may not be as hard as it seems. For starters, the market dominance of a handful of vendors means that just 100 companies account for around 90 per cent of all IoT devices, and in areas like voice assistant boxes just two vendors (Amazon and Google) control 90 per cent. This means that if these top-tier vendors can clean up their acts and improve the security of their hardware, the strong majority of IoT hardware can become significantly more secure and better protected.

How automated Dark Web marketplaces make ‘Credential Stuffing’ attacks more profitable.

(Credential stuffing is a type of cyber attack in which stolen account credentials, typically lists of usernames and/or email addresses with their corresponding passwords (often from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.)

Validated stolen credentials cost less than a cup of coffee, but economies of scale have made selling user accounts more lucrative than ever, according to Recorded Future. There is, undoubtedly, a great deal of stuff on the Dark Web. Though marketplaces for buying drugs and weapons hosted on the Dark Web exist, countless other marketplaces for selling illicit goods, including website credentials, are thriving. Specialized marketplaces for buying and selling user credentials have emerged over the last several years, reducing the amount of manual work cybercriminals need to do to profit: indexes of searchable, validated accounts can be browsed by potential buyers, with purchases automated by the selling platform. To replenish these marketplaces, cybercriminals have relied on automated tools for hacking multiple random accounts, according to a report published Thursday by the cyber specialists Recorded Future. Though this trend was first observed in late 2014, it continues to grow as platforms for stolen account credentials increase in popularity. Likewise, the maturation of the automated hacking tools, called "checkers," aids the process. Checker software, according to the report, is typically sold for between $50 and $250, depending on the capability of the tool. This software attempts to log in to a website using credentials obtained from databases that are gathered, often, from the Dark Web. Working credentials are marked as valid, and checkers with more advanced capabilities can automatically scrape linked bank accounts or payment information, account balances, the address of the account holder, or transaction history. Because this requires no user input after initial configuration, the "set it and forget it" functionality makes this the cybercrime equivalent of a ‘Chicken BBQ Rotisserie’.

More robust tools have subsequently been developed, according to the report, "supporting an unlimited number of custom plugins, also called 'configs,' which essentially offered hackers the capability to target almost any company with an online retail presence. What had initially started as several hundred or several thousand compromised accounts quickly ballooned to hundreds of thousands, or even millions, of accounts." This glut of compromised accounts has brought the asking price for compromised accounts down from $10 to "a mere $1 to $2," though "the overall profitability of credential stuffing attacks increased significantly through sheer volume," the report added. Despite this, the success rate for credential stuffing is between 1 and 3%, though the report adds that "the same database could then be reused over and over again to hack dozens of different websites," as users often recycle username/password pairs across different services, "yielding even higher profits."
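The checker behaviour described above leaves a recognisable footprint in a web application's authentication log: one source trying many distinct usernames in a short window, with the 97-99% failure rate the report's 1-3% success figure implies. The following is an added example, not code from the newsletter or from Recorded Future's report, that runs that detection over a constructed log sample and lists the accounts a checker would have marked as "valid"; the log format, thresholds and sample addresses are assumptions.

```python
"""Flag credential-stuffing sources in login logs and the accounts they validated.

Added example (not from the newsletter or the Recorded Future report). It
assumes a simple space-separated log: ISO-8601 UTC timestamp, source IP,
username, outcome (SUCCESS or FAIL).
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real traffic. 203.0.113.7 behaves like a checker
# replaying a breached list: twelve distinct accounts in 22 seconds, one hit.
# 198.51.100.5 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2019-06-20T02:00:01Z 203.0.113.7  alice@example.com FAIL
2019-06-20T02:00:03Z 203.0.113.7  bob@example.com   FAIL
2019-06-20T02:00:05Z 203.0.113.7  dan@example.com   FAIL
2019-06-20T02:00:07Z 203.0.113.7  erin@example.com  FAIL
2019-06-20T02:00:09Z 203.0.113.7  frank@example.com FAIL
2019-06-20T02:00:11Z 203.0.113.7  gina@example.com  FAIL
2019-06-20T02:00:13Z 203.0.113.7  carol@example.com SUCCESS
2019-06-20T02:00:15Z 203.0.113.7  hank@example.com  FAIL
2019-06-20T02:00:17Z 203.0.113.7  ivy@example.com   FAIL
2019-06-20T02:00:19Z 203.0.113.7  jack@example.com  FAIL
2019-06-20T02:00:21Z 203.0.113.7  kim@example.com   FAIL
2019-06-20T02:00:23Z 203.0.113.7  liam@example.com  FAIL
2019-06-20T02:01:00Z 198.51.100.5 dave@example.com  FAIL
2019-06-20T02:01:20Z 198.51.100.5 dave@example.com  SUCCESS
2019-06-20T02:05:00Z 192.0.2.9    eve@example.com   SUCCESS
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse log lines into events sorted by time; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(when, ip, user.lower(), outcome == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.7) -> dict:
    """Return {ip: {"users", "attempts", "failures"}} for sources whose attempts
    within any sliding window span many distinct usernames and mostly fail.
    A single user retrying one account never trips the distinct-user threshold."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        win, users, failures = deque(), Counter(), 0
        for e in evs:
            win.append(e)
            users[e.user] += 1
            failures += not e.ok
            # Expire events that fell out of the sliding window.
            while e.ts - win[0].ts > window:
                old = win.popleft()
                users[old.user] -= 1
                if users[old.user] == 0:
                    del users[old.user]
                failures -= not old.ok
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(win),
                               "failures": failures}
    return flagged


def compromised_accounts(events, flagged) -> list[str]:
    """Accounts that authenticated from a flagged source: the 'valid' hits a
    checker would mark for resale, and the ones to force a password reset on."""
    return sorted({e.user for e in events if e.ok and e.src_ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, stats in hits.items():
        print(f"stuffing source {ip}: {stats}")
    print("accounts to reset:", compromised_accounts(evs, hits))
```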



Exploit: Ransomware

ASCO: Designer and manufacturer of aerospace components

Risk to Small Business: 2.111 = Severe: A ransomware attack crippled IT systems and halted production at the company’s Belgium plant. To prevent the ransomware from spreading, the company also shut down production in Germany, Canada, and the United States. Not only is ASCO faced with either paying the ransom or purchasing new network infrastructure, but the company had to send home 1,000 of its workers on paid leave for the entire week.

Individual Risk: 3 = Moderate: No personal information was compromised in the breach.

Customers Impacted: Unknown

Effect on Customers: Regardless of your company’s size or sector, having a plan in place in the event of a ransomware attack is a must-have asset in today’s digital economy. Since data breach management is considerably more expensive than proactively training employees and implementing safeguards, such efforts should be a no-brainer for every institution.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: City Of Burlington – CANADA

Exploit: Phishing scam

City of Burlington: Local government organization serving Burlington, Canada

Risk to Small Business: 2 = Severe Risk: A sophisticated phishing email requesting new bank account information was purportedly sent from an established city vendor. Workers didn’t immediately identify the scam, and the city sent $503,000 to a falsified bank account. Although the government is updating its protocols to prevent this from happening in the future, it’s a reminder that, when it comes to guarding resources, proper cybersecurity training is a bargain.

Individual Risk: 3 = Moderate Risk: No personal information was compromised in the breach.

Customers Impacted: Unknown

Effect On Customers: Phishing attacks are entirely preventable, but they can be incredibly difficult to identify. As hackers adopt more sophisticated methodologies, it increases the importance of sophisticated and continual training to prevent them from wreaking havoc on your company’s IT infrastructure and customer data. What’s more, this training needs to reflect the evolving nature of today’s attacks.


THREAT FOCUS: Nova Scotia Health Authority - CANADA

Exploit: Phishing attack

Nova Scotia Health Authority: Provincial health authority serving Nova Scotia, Canada

Risk to Small Business: 2 = Severe Risk: When an employee entered his credentials into an email purporting to be from the organization's information technology department, hackers gained access to sensitive patient information stored in the employee’s email account. Although the breach was first reported on May 13th, the organization required nearly a month to determine the type and scope of the compromised data. Their slow response time and weak protocols will make the clean-up costly, as they must re-establish their patients’ trust even as they upgrade their cybersecurity practices.

Individual Risk: 2.428 = Severe Risk: The breach specifically pertains to patients who were scheduled for surgery at or who were communicating with the Colchester East Hants Health Centre in Truro. Since the organization can’t verify specific data exposure, those impacted by the breach should prepare for the worst and assume that their information could be made accessible on the Dark Web.

Customers Impacted: 2,841

Effect On Customers: The Health Authority has repeatedly struggled to mitigate the threat of a breach, and employee actions are frequently the cause, something that is certainly not restricted to this particular organization. A rapidly changing and increasingly capricious threat landscape means that companies need to routinely and continually train and prepare their employees to succeed in this regard. Often, that means partnering with industry experts to keep your employees up to speed.


THREAT FOCUS: Evite Services – USA

Exploit: Unauthorized system access

Evite: Social planning and e-invitation service

Risk to Small Business: 1.888 = Severe Risk: Hackers were able to access Evite’s network, which allowed them to download an inactive data storage file that contained the personal information of millions of their customers. Despite being notified of the breach on April 15th, the company is only now acknowledging the breach. Their slow response time and lax security standards will now require them to incur the fees of third-party cybersecurity analysts as well as cascading reputational costs that are difficult to quantify and even more challenging to repair. In the meantime, the company is encouraging users to reset their passwords, a modest first step for such a traumatic incident.

Individual Risk: 2.428 = Severe Risk: The compromised information could include names, usernames, email addresses, dates of birth, phone numbers, and mailing addresses. Fortunately, social security numbers and financial data were not included as part of the breach. However, since this information has already been discovered on the Dark Web, those impacted by the breach should immediately obtain credit and identity monitoring services to secure their credentials.

Customers Impacted: 10 million

Effect On Customers: When organizations are compromised in a data breach, their response becomes a critical metric in restoring their users’ trust. In this case, the company was slow to respond to the breach, delaying their messaging by several months. When exposed information makes its way to the Dark Web, timing is of the essence, and understanding what happens to the information accessed in the data breach can provide employees or customers with confidence in the integrity of their personal information or credentials. Partnering with an MSP can provide the insight necessary to achieve this.


THREAT FOCUS: Auburn Food Bank – USA

Exploit: Ransomware

Auburn Food Bank: Charitable organization providing free food to families and individuals

Risk to Small Business: 2.111 = Severe: A ransomware attack struck the non-profit, charitable organization, encrypting all but one of its computers. This particular ransomware, GlobeImposter 2.0, cannot be decrypted, and victims must contact the hackers to negotiate a ransom. However, Auburn Food Bank is refusing to negotiate. Instead, they are seeking donations to replace their technology, at a cost roughly equal to the ransom demand.

Individual Risk: 3 = Moderate Risk: No personal information was compromised in the breach.

Customers Impacted: Unknown

Effect On Customers: Ransomware attacks are frequently initiated through phishing emails, but this incident occurred at 2:00 A.M., when no employees were in the office. Keeping in mind that such threats can arrive at any time and any place, organizations must prepare a response plan proactively and continuously evaluate their cybersecurity posture.


THREAT FOCUS: US Customs and Border Protection – USA

Exploit: Malicious cyberattack

U.S. Customs and Border Protection: Law enforcement agency operating under the authority of the Department of Homeland Security.

Risk to Small Business: 1.777 = Severe: A subcontractor violated the department’s policy and transferred copies of license plate and traveler images to their network, where they were stolen in a malicious cyberattack. In response, the agency is monitoring the Dark Web for evidence of this data, and they are re-evaluating their cybersecurity and privacy standards. Of course, these initiatives are simpler and more palatable when they are done proactively, rather than after an incident occurs. Consequently, the agency will now have to endure increased governmental oversight and media scrutiny.

Individual Risk: 2.428 = Severe: The stolen data included license plate and traveler images from certain lanes at a particular border crossing. The agency isn’t providing any more specific information at this time, noting that it processes more than a million border crossings each day. However, they did indicate that no passport or other travel document information was compromised in the breach.

Customers Impacted: 100,000

Effect On Customers: When sensitive personal information is compromised in a data breach, organizations have a responsibility to help those impacted recover from the incident. These responses vary significantly, but they should foundationally include understanding what happens to personal information after it is stolen. Personal data can be quickly bought and sold on the Dark Web, so monitoring this environment is a staple of any comprehensive response that can begin restoring the organization’s reputation and protecting those who are affected.


THREAT FOCUS: Lake City Local Govt – USA

Exploit: Ransomware

Lake City: Local government organization serving Lake City, Florida

Risk to Small Business: 2 = Severe: A malware attack delivered “triple threat” ransomware that targeted the city’s network systems, rendering many city services inaccessible. Although emergency services such as police and fire are operational, city email accounts, land-line phones, and credit card services were disabled. In the meantime, the city has been forced to handle bills, receipts, and other services by hand. It’s a reminder that ransomware attacks are uniquely dangerous because they not only cost money to repair, but those impacted also run the risk of disrupted business processes or lost data.

Individual Risk: 3 = Moderate Risk: City officials believe that personal data, including online payment information, was not compromised in the breach. However, residents should monitor their accounts for suspicious activity.

Customers Impacted: Unknown

Effect On Customers: Local governments are a top target for hackers, and ransomware is becoming a commonly deployed method for extorting valuable city resources away from citizens. Therefore, every local government needs a comprehensive ransomware response plan before an incident occurs. Ransomware attacks are often initiated by phishing scams, signalling the importance of cybersecurity awareness and training at the front line.


THREAT FOCUS: Emuparadise Gaming – USA

Exploit: Compromised password hashing algorithm

Emuparadise: Retro gaming emulator website

Risk to Small Business: 1.555 = Severe: An outdated, compromised password hashing algorithm was exploited by hackers, causing user data to be compromised. Although the data breach took place on April 1, 2018, the damage was only recently revealed when accounts were provided to HaveIBeenPwned. By failing to update their cybersecurity standards, Emuparadise will now face reputational erosion and incur significant costs associated with interrupted business processes and recover

Individual Risk: 2 = Severe: Emuparadise users can search HaveIBeenPwned to view the status of their credentials. For those compromised, hackers gained access to email addresses, IP addresses, usernames, and passwords. Impacted individuals should be mindful that their credentials could be compromised, and they should be especially careful about reusing passwords on other services.

Customers Impacted: 1,131,229

Effect On Customers: A data breach predicated on outdated security standards is an unnecessary and self-inflicted wound that is entirely avoidable. Instead, every organization should routinely evaluate their cybersecurity standards, ensuring that they reflect industry standard best practices.




Australian Universities at Significant Risk of a Cyber Attack:

A recent audit of the IT environment for Australia’s universities found repeated failures to address identified weaknesses in their IT systems, making them especially susceptible to cyber attacks. Focused on just 10 universities, the audit identified one university, Charles Sturt University, as a high risk, and the other universities were classified as a moderate security risk. Perhaps most troubling, many of the vulnerabilities were repeat findings, indicating that universities are either unable or unwilling to improve their cybersecurity posture to address existing and emerging threats. The report comes on the heels of a recent cyber attack in which hackers accessed 19 years of university data that included sensitive information about current and former staff and students. Since universities are trusted with troves of personal information, including data from minors, addressing these concerns should be a top priority. These weaknesses, according to the audit, could cause significant financial or reputational loss for universities that can’t improve in this capacity.

Cyber Criminals Are Getting Smarter:

Security-minded internet users often look for certain signs – like the padlock that accompanies a web address or the “https” designation – to identify websites that are safe and secure. Those hallmarks of internet integrity are not as sure as they once were. According to a public service announcement released by the U.S. Federal Bureau of Investigation (FBI), cyber criminals are using these designations to proliferate phishing campaigns by establishing a more trustworthy-looking messaging apparatus. Many are using cloud hosting websites to obtain SSL certificates that help convince users to hand over sensitive personal information. Regardless of the methodology, it’s evident that internet users will have a more difficult time identifying phishing scams. However, comprehensive training and 'sphere testing' from providers like Avantia Cyber Security can stop phishing scams in their tracks by preparing customers and employees to address the shifting security trends and the emerging threats.

Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content’s accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.
