Avantia Threat Update


This week, phishing scams target DHL deliveries, US government and healthcare employees and Canadian plane parts are held for ransom. EU citizens are compromised in a UK breach, and 60,000 digital fingerprints find their way to the Dark Web.

This Week’s Top Dark Web Compromises:

Top Source Hits: ID Theft Forums (99%) | Top Compromise Type: Domain (99%) | Top Industry: Manufacturing | Top Employee Count: 11 - 50 Employees

This Week’s Top Targeted Industries:

Software Hits: 435 | Targets: Verint Systems, Wipro, Microsoft, Just Dial, Google

Information Technology Hits: 408 | Targets: Verint Systems, Wipro, Microsoft, Just Dial, Google

Software Hits: 314 | Targets: Verint Systems, Wipro, Just Dial, Electronic Arts Inc, Bitly

Cybersecurity Hits: 163 | Targets: Verint Systems, Cellebrite, CloudFlare, IBM Corporation

Business Intelligence Hits: 160 | Targets: Verint Systems

This Week’s Top Threat Actors:

APT34 OilRig Hits: 50 | Targets: Saudi Arabia, Israel, United States, Middle Eastern government, Petroleum

Hezbollah Hits: 29 | Targets: Israel, Syria, Lebanon, Iran, United States

Shadow Brokers Hits: 21 | Targets: Microsoft Windows, Microsoft, Cisco Systems Inc, Iran, China

Gorgon Group Hits: 15

Inj3ct0r Team Hits: 12 | Targets: WordPress, Joomla, Twitter, Apache HTTP Server, SCADA and ICS Products and Technologies

This Week’s Top Malware Exploits:

WebShell Hits: 45 | Targets: Facebook, Hypertext Transfer Protocol, Web Server, Perl, WordPress

Scranos Hits: 32 | Targets: China, Microsoft Windows, BitDefender, Android, YouTube

DNSpionage Hits: 27 | Targets: Packet Clearing House, Bill Woodcock, Netnod, Lebanon, Internet

Darkirc Hits: 15

NamPoHyu Hits: 11 | Targets: Samba, Streaming Media, Ubuntu, Lawrence Abrams, Лоренс Абрамс



Fake DHL Shipment Notification delivers Netwire Trojan

We have been noticing a "new" Netwire Trojan recently being delivered by multiple different spam emails, abusing Microsoft OneDrive through either compromised or fraudulently set up accounts. This particular version says that Asecorp (a Spanish management company) has sent you a delivery via DHL Express. However, the body suggests it comes from HSA Systems ApS (a Scandinavian industrial printer supplier and manufacturer). The senders use email addresses and subjects that will entice a user to read the email and open the attachment or follow the link in the email. Almost all are targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers. Today's version is much worse than usual because it will almost certainly reach recipients: the compromised sender email account uses an anti-spam service that almost all email servers will have on a white list. Further, the risk to recipients is greatly increased by the criminals using OneDrive to host the malware files, since filtering systems and network perimeter defences do not block access to Microsoft OneDrive.

Cyberspies Hack the Internet Domains of Entire Countries

The discovery of a new, sophisticated team of hackers spying on dozens of government targets is never good news. But one team of cyberspies has pulled off that scale of espionage with a rare and troubling trick, exploiting a weak link in the internet's cybersecurity that experts have warned about for years: DNS hijacking. DNS (Domain Name System) hijacking is a type of malicious attack in which an individual redirects queries to a domain name server (DNS), for example by overriding a computer's TCP/IP settings. Once the individual or individuals performing the DNS hijacking have control of the DNS, they can use it to direct traffic to different websites; essentially it meddles with the fundamental address book of the internet. Researchers at Cisco's Talos security division on Wednesday revealed that a hacker group it's calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations. In the process, they went so far as to compromise multiple country-code top-level domains, the suffixes such as .ru that end a foreign web address, putting all the traffic of every domain in multiple countries at risk.

The hackers' victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet's directory system, hackers were able to silently carry out "man in the middle" attacks, intercepting all internet data, from email to web traffic, sent to those victim organizations. (A man-in-the-middle cyber attack is where someone gets in between you and whatever you're doing online: between you and your online banking; between your work emails and whoever is meant to send or receive them; between you and the box where you enter your payment details; and so on.) DNS hijacking targets the Domain Name System, the pillar of internet architecture that translates the domain name you type into your browser into the IP address that represents the actual computer where that service is hosted. Corrupt that system, and hackers can redirect that domain to any IP address they choose. Cisco Talos researcher Craig Williams says the Sea Turtle campaign is disturbing not only because it represents a series of brazen cyberspying operations but also because it calls into question the basic trust model of the internet.

"When you're on your computer and visit your bank, you assume DNS servers will tell you the truth," Williams says. "Unfortunately what we're seeing is that, from a regional perspective, someone has broken that trust. You go to a website and it turns out you don't have any guarantee of who you're talking to." "If you're in those countries, how do you trust that your DNS system is working again?" Hackers have used DNS hijacking plenty of times in years past, for everything from crude website defacements to another apparent espionage campaign, labelled DNSpionage, uncovered by Cisco Talos in late 2018 and linked to Iran early this year. Cisco's Williams says that other security firms have misattributed some of Sea Turtle's operations, confusing them with those of the DNSpionage campaign. But the Sea Turtle campaign represents a distinct and more serious series of security breaches, he argues. "Anyone in control of a top level domain can add, remove, and delete records, or redirect domains and do a subversive man-in-the-middle attack," says David Ulevitch, founder of the DNS-focused firm OpenDNS. Cisco Talos said it couldn't determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cyprus, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco's Craig Williams confirmed that Armenia's .am top-level domain was one of the "handful" that were compromised, but wouldn't say which of the other countries' top-level domains were similarly hijacked. Cisco did name two of the DNS-related firms who were targeted by the Sea Turtle hackers: the Swedish infrastructure organization NetNod and Berkeley-based Packet Clearing House, both of which confirmed in February that they had been hacked.
Cisco said the attackers had burrowed into those initial target networks with traditional means, such as spearphishing emails, and a toolkit of hacking tools designed to exploit known but unpatched vulnerabilities. Those initial targets were only a stepping stone. Once the Sea Turtle hackers gained full access to a DNS provider, their spying operations followed a predictable pattern, according to Cisco's researchers. The hackers would change the target organization's domain registration to point to their own DNS servers—the computers that perform the DNS translation of domains into IP addresses—instead of the victim's legitimate ones. When users then attempted to reach the victim's network, whether through web, email, or other internet communications, those malicious DNS servers would redirect the traffic to a different man-in-the-middle server that intercepted and spied on all the communications before passing them on to their intended destination. That sort of man-in-the-middle attack should be prevented by SSL certificates, which are meant to assure that the recipient of encrypted internet traffic is who it claims to be. But the hackers simply used spoofed certificates from Let's Encrypt or Comodo, invalid on close inspection but still able to trick users with signs of legitimacy, like a lock symbol in a browser's URL bar. With that stealthy man-in-the-middle server in place, the hackers would harvest usernames and passwords from the intercepted traffic. Using those stolen credentials and their hacking tools, the attackers could in some cases penetrate deeper into the target network. In the process, they would steal a legitimate SSL certificate from the victim that allowed them to make their man-in-the-middle server look even more legit. To avoid detection, the hackers dismantled their set-up after no more than a couple of days—but only after they'd intercepted vast troves of the target organization's data, and the keys to enter its network at will. 
A disturbing element of the Sea Turtle hackers' approach, and of DNS hijacking in general, is that the point of initial compromise occurs at internet infrastructure groups, entirely outside the real target's network. "The victim would never see it," Williams says. In early 2019, security firms including FireEye and Crowdstrike publicly exposed parts of the Sea Turtle operation, Cisco's Williams says, mistakenly thinking they were part of the DNSpionage campaign. Despite that exposure, Sea Turtle's campaign persisted, Williams says. The group even attempted to compromise NetNod again. Sea Turtle isn't alone in its enthusiasm for DNS hijacking. The technique is growing in popularity among hackers, particularly in the Middle East, notes Sarah Jones, a principal analyst at FireEye. "We've definitely seen more actors pick it up, and of all skill levels," Jones says. "It's another tool in the arsenal, like web-scanning and phishing. And I think a lot of the groups that pick it up are finding that it's not hardened on enterprise networks, because it's not part of the network. No one really thinks about who their [domain] registrar is."
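The hijack-then-intercept pattern described above leaves traces a domain owner can watch for without any view of the attacker's infrastructure: the registry delegation, the answers the name resolves to, and the certificate presented on the wire all drift away from what they should be. The following is an added example, not code from Cisco Talos or from the article, that compares an observed snapshot of a domain against a stored baseline and grades the drift; the domain names, addresses, issuer names and fingerprints are constructed sample data, and in practice the observed snapshot would come from DNS lookups and a TLS handshake.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Snapshot:
    """What a domain looks like from the outside at one point in time."""
    domain: str
    ns: FrozenSet[str]     # name servers the registry delegates the zone to
    a: FrozenSet[str]      # IPv4 addresses the name resolves to
    cert_issuer: str       # issuer name of the TLS leaf certificate presented
    cert_sha256: str       # SHA-256 fingerprint of that leaf certificate


Finding = Tuple[str, str]  # (severity, description)
SEVERITY_RANK: Dict[str, int] = {"low": 0, "medium": 1, "high": 2}


def compare(baseline: Snapshot, observed: Snapshot) -> List[Finding]:
    """Return one finding for every way `observed` drifted from `baseline`."""
    if baseline.domain != observed.domain:
        raise ValueError("snapshots describe different domains")
    findings: List[Finding] = []

    # 1. Delegation drift: the registry now hands the zone to name servers the
    #    owner never provisioned. In the campaign above this was the first step.
    added_ns = observed.ns - baseline.ns
    removed_ns = baseline.ns - observed.ns
    delegation_changed = bool(added_ns or removed_ns)
    if delegation_changed:
        findings.append(("high", f"NS delegation changed: added {sorted(added_ns)}, "
                                 f"removed {sorted(removed_ns)}"))

    # 2. Answer drift: the name resolves to addresses outside the baseline. Alone
    #    this is often a legitimate move; together with a delegation change it is
    #    the interception server being placed in front of the real service.
    unexpected_a = observed.a - baseline.a
    if unexpected_a:
        severity = "high" if delegation_changed else "medium"
        findings.append((severity, f"A record(s) not in baseline: {sorted(unexpected_a)}"))

    # 3. Certificate drift: a new leaf from the same issuer is routine renewal, but
    #    a different issuer means someone obtained a certificate for this name
    #    elsewhere, which is what makes intercepted traffic look legitimate.
    if observed.cert_issuer != baseline.cert_issuer:
        findings.append(("high", f"certificate issuer changed: "
                                 f"{baseline.cert_issuer!r} -> {observed.cert_issuer!r}"))
    elif observed.cert_sha256 != baseline.cert_sha256:
        findings.append(("low", "leaf certificate rotated under the same issuer"))
    return findings


def overall_severity(findings: List[Finding]) -> str:
    """Highest severity among the findings, or 'none' when nothing drifted."""
    if not findings:
        return "none"
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


# Constructed sample data (reserved documentation names and addresses).
BASELINE = Snapshot(
    domain="mail.ministry.example",
    ns=frozenset({"ns1.ministry.example", "ns2.ministry.example"}),
    a=frozenset({"198.51.100.10"}),
    cert_issuer="Ministry Internal CA",
    cert_sha256="aa" * 32,
)
HIJACKED = Snapshot(  # delegation moved, answer moved, fresh cert from another issuer
    domain="mail.ministry.example",
    ns=frozenset({"ns1.unrelated-provider.example"}),
    a=frozenset({"203.0.113.7"}),
    cert_issuer="Some Public DV CA",
    cert_sha256="bb" * 32,
)
RENEWED = Snapshot(  # only the leaf certificate changed: a normal renewal
    domain="mail.ministry.example",
    ns=BASELINE.ns,
    a=BASELINE.a,
    cert_issuer="Ministry Internal CA",
    cert_sha256="cc" * 32,
)

if __name__ == "__main__":
    for name, snap in (("hijacked", HIJACKED), ("renewed", RENEWED)):
        found = compare(BASELINE, snap)
        print(name, overall_severity(found))
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

Running the baseline against itself yields no findings, the renewed snapshot yields a single low finding, and the hijacked snapshot yields three high findings.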

Spyware penetrates Asus PCs via 'poisoned' software updates

A million or so Asus personal computers may have downloaded spyware from the computer maker's update servers and installed it, Kaspersky Lab claims. Someone was able to modify a copy of the Asus Live Update Utility, hosted on the Taiwanese manufacturer's backend systems, and sign it using the company's security certificate, even keeping the file length the same as the legit version, to make everything seem above board. The update utility ships with every machine, and routinely upgrades the motherboard firmware and related software with any available updates from Asus. When it checked in with Asus's servers for the latest updates, the utility would fetch and install a backdoored version of the Asus Live Update Utility, we're told. The dodgy version was offered between June and November 2018, according to Kaspersky. That infected build of the utility was designed to spy on roughly 600 machines, identified by their network MAC addresses hardcoded into the software. So, roughly a million Asus-built computers may have been running a trojanized update utility, with a few hundred actively spied on via the backdoor. The software nasty, discovered by Kaspersky in January this year and dubbed ShadowHammer, because they've all got to have a sexy name these days, was apparently found on 57,000 machines running the Russian security shop's antivirus tools. Extrapolating that figure, there are a million or so computers running this backdoor, it is claimed: Asus is the world's fifth largest computer manufacturer. Kaspersky claims it has found similar exploit code in the firmware of three other, as yet unnamed, vendors. "We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques," said the Russian bughunters in a preliminary report. 
"The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers." Kaspersky said its staff first informed Asus about the mass infection on January 31, and met them two weeks later, according to Motherboard. But since then the manufacturer hasn't seemingly made progress on a fix, and hasn't warned customers. It also did not respond to our request for comment. Symantec also said its antivirus tools detected the backdoored update utility on 13,000 or more machines. It goes without saying that you shouldn't be put off installing security updates and patches because of this snafu. "This is the worst kind of supply chain attack," said Matt Blaze, adjunct computer science prof and crypto-guru, in response to the revelations. "It threatens to poison faith in the integrity of update mechanisms that have become essential for security today. But in spite of this one attack, you are still WAY better off keeping things updated. Really. "Everything ships with vulnerabilities. They get discovered (and exploited) over time. If you patch, there's a small chance you'll fall prey to a malicious update injected through the vendor. But if you don't patch, there's a close to 100% chance you'll be attacked over time."

Fire sale on the Dark Web: 60,000 digital fingerprints

This week's Kaspersky Security Analyst Summit revealed a troubling development, even by Dark Web standards. Kaspersky researchers detailed a new online marketplace where cybercriminals can purchase full digital fingerprints for 60,000 online users. Genesis, the name ascribed to the new marketplace, sells full user profiles for as little as $5. This information helps cyber criminals evade many of the security controls that currently detect abnormal account behavior indicative of fraud. For instance, a full user profile doesn't just include login information. It provides thieves with account cookies, browser details, WebGL signatures, and other features that allow criminals to evade detection. Data thieves load the stolen profiles through a Genesis Chrome extension, which security researchers have already discovered in the wild. It's recommended that people enable two-factor authentication whenever possible to help prevent this scheme from impacting them. At the same time, keeping an eye on our digital information seems even more pertinent than ever.


THREAT FOCUS: City Of Greenville – USA

Exploit: Ransomware attack

City of Greenville: Part of a South Carolina network

Risk to Small Business: 1.777 = Severe: After local police detected a ransomware infection, the city was forced to shut down most of its servers. While police and fire facilities remain unaffected, other services, including payments to city agencies, are significantly restricted. Consequently, city officials recommend making cash payments until the network can be restored. The city expects servers to be offline for several days as they work to determine the next steps towards rectifying the situation.

Individual Risk: 2.571 = Moderate: According to the city’s communications manager, Brock Letchworth, the city does not believe that the incident compromised personal information.

Customers Impacted: To be determined

Effect On Customers: This episode is a reminder of the fragility within local infrastructure. Although critical safety operations remain unaffected, city employees are unable to continue business as usual, and new solutions are not immediately apparent. Most importantly, it’s essential to know if data is stolen and to understand what thieves intend to do with that information.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Minnesota Department of Human Services - USA

Exploit: Phishing scam

MN Department of Human Services: A state agency

Risk to Small Business: 2 = Severe: In March 2018, a bad actor logged into a state agency email account and sent emails seeking personal information and invoice payments via wire transfer. The breach was detected when an agency employee received the email and flagged it as suspicious. The breach was just disclosed this week, and department officials believe that hackers gained access to the personal information of 11,000 users.

Individual Risk: 2.285 = Severe: Although the agency contends that personal information has not been misused, the perpetrator certainly had access to the data of thousands of people. Because the breach impacted the agency's Direct Care and Treatment division, the data stolen includes treatment information and other sensitive health files.

Customers Impacted: 11,000

Effect On Customers: This most recent incident is the department’s third breach in just over a year, something that can have broad implications for data security and patient trust. The employee who received the malicious email responded appropriately, but these scams are preventable through security training and education.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Palmetto Health & Women’s Health - USA

Exploit: Phishing scam

Palmetto Health & Women's Health USA: Healthcare providers based in the U.S. that collect and maintain ePHI

Risk to Small Business: 1.666 = Severe: Palmetto Health and Women's Health USA reported separate phishing scams that compromised private employee information and patient health records. Only two employee accounts were compromised, but this had cascading consequences for both the companies and their patients.

Individual Risk: 2 = Severe: Both healthcare companies acknowledge that hackers accessed sensitive patient information including names, addresses, social security numbers, Medicare Health Insurance Claim Numbers, and health insurance policy numbers.

Customers Impacted: 41,162

Effect On Customers: Sensitive patient information was disclosed in this breach, and the companies are offering identity theft protection services or free credit reports to affected patients. By all accounts, these companies worked quickly to secure patient information and to respond appropriately. However, email phishing scams are entirely preventable, and training and education can make all the difference.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Mitsubishi Aerospace – CANADA

Exploit: Ransomware

Mitsubishi: Airplane parts manufacturer

Risk to Small Business: 1.888 = Severe: Employees at the Mitsubishi Canada Aerospace offices received a notification on their desktops declaring, “Your network has been penetrated. You will receive a BTC address for payment.” The ransomware was signed by RYUK, a notorious hacker believed to have Russian or North Korean origins. While the company's manufacturing capabilities are unobstructed, their facilities have been without internet service since that attack.

Individual Risk: 3 = Moderate: It is not currently believed that any personal information was revealed in the ransomware attack.

Customers Impacted: Unknown

Effect On Customers: Ransomware is a serious problem for companies of all sizes. Critical information and operations can be cut off until the ransom is paid. Businesses must establish security protocols and source advanced security solutions in order to appropriately respond in the event of a ransomware attack.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: United Kingdom Home Office – UNITED KINGDOM

Exploit: Accidental sharing

UK Home Office: Ministerial department of the UK government responsible for immigration, security, and law and order

Risk to Small Business: 2.555 = Moderate: In a mass email communicating with EU citizens applying for the EU Settlement Scheme, an employee inadvertently included all recipients’ emails in the CC field rather than the BCC field, exposing the list of email addresses to all recipients. The agency notified the Information Commissioner’s Office and the Departmental Data Protection Officer about the error, and new internal steps are required to prevent a similar error from happening again.

Individual Risk: 2.714 = Moderate: Individuals included in the communication had their email addresses exposed to all other recipients. However, there is little risk of other information exposed from the message.

Customers Impacted: 240

Effect On Customers: In many ways, this mistake could happen to anyone as human error is often the cause of a data breach. Companies need to put their employees in a position to be successful by implementing software that identifies potential vulnerabilities and deploys real-time safeguards to prevent accidental information sharing.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


Exploit: Trojan malware attack

VSDC (Flash-Integro LLC): Free multimedia editor

Risk to Small Business: 2.222 = Severe: Hackers accessed the platform’s download links and replaced them with links containing trojan malware that stole personal information from various applications on the infected computer. The company acknowledged the breach and issued a patch, but it will be much more difficult to repair their reputation and to restore customer confidence in their platform.

Individual Risk: 2.428 = Severe: Users who downloaded the application between February 21, 2019 and March 23, 2019 could be impacted by this malware.

Customers Impacted: 648

Effect On Customers: This isn't the first time that VSDC's website was compromised, and previous breaches made this event possible. Although the company deploys security software to guard its websites, it's evident that they are not doing enough to protect their critical infrastructure. With a myriad of solutions to choose from, it's important for small businesses to partner with competent providers and protect users from trojan malware attacks and other vulnerabilities.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


Exploit: Credentials leak

Internet protocol for decentralized communication including instant messaging, VoIP, IoT, and more

Risk to Small Business: 2.111 = Severe: A hacker accessed hosting servers for the platform, providing them access to several of the company's databases and exposing unencrypted personal data. The attackers capitalized on outdated software to access the servers. The breach caused widespread network outages that shut down many messaging platforms for hours while the company rebuilt its production servers.

Individual Risk: 2.428 = Severe: The platform's communication protocols are predicated on privacy, and this incident may have compromised unencrypted content like private messages, password hashes, and access tokens. All users were logged out and asked to change their passwords, and certain data including encrypted conversation history may no longer be available.

Customers Impacted: Unknown

Effect On Customers: The platform may have escaped the most catastrophic consequences of a data breach, but it will struggle to rebuild its infrastructure and user trust for a long time. Unfortunately, this entire incident may have been avoided through a simple software update. By deploying security software that offers a high-level snapshot of a company's security vulnerabilities, it's possible to protect against preventable data breaches.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


Exploit: Emotet trojan distribution

Uniden: Wireless communications brand offering security, monitoring and radio technologies

Risk to Small Business: 1.777 = Severe: The company's website was compromised, hosting a Microsoft Word document that delivers a form of the Emotet trojan. When opened, the document runs a macro that downloads three versions of the Trojan. Although the malware is now detectable by many antivirus programs, it was originally discovered by a Twitter user who posted about the incident. The problem is still unsolved, and the website remains compromised. Not only does the company risk infecting its customers' computers, but its lack of awareness and action is especially problematic for a company operating in an industry where the emphasis on security should be paramount.

Individual Risk: 2.142 = Severe: According to reports, the website remains compromised, and any users who download Microsoft Word files from the company could be impacted by the malware.

Customers Impacted: To be determined

Effect On Customers: The company's lack of response is most troubling here. When a data breach does occur, it's important for businesses to quickly acknowledge and solve the problem. However, at the time of publication, Uniden's website is still compromised. Companies need the tools to identify security risks and to detect anomalies, rather than having Twitter users raise the alarm by finding them first.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.



COMING SOON - Cybersecurity for 5G

As you might imagine, many industries are gearing up to harness the widely anticipated development of 5G. Although there is much to gain, including better speeds and more consistency, we must also prepare for 5G to usher in its own showcase of security threats.

One of the immediate concerns that rises to the top is how 5G will transform data collection and protection. With fast-moving and highly customized web traffic, new technologies such as IoT devices will be enabled, creating an unmet need in security statistics and metrics.

High-level cybersecurity strategies must adapt to meet these needs, but one maxim still holds true. Hackers will continue to expose the gaps within the infrastructures of small businesses or enterprises, but security providers and solutions will prepare you with the tools to fight back.

*Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the contents' accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.
