Avantia Threat Update


A perfect example of why you need to do 'due diligence' on suppliers.

This week, an Australian Real Estate network leaks job applicant data, Hyatt Hotels pays hackers to find security flaws and an American mug maker gets mugged.

This Week’s Dark Web compromise Trends*:

Top Source Hits: ID Theft Forums (99%)

Top Compromise Type: Domains (99%)

Top Industry: Finance and Insurance

Top Employee Count: 51-100 employees (28%)

This Week’s Top Targeted Industries*:

Finance Hits: 92 | Targets: PayPal, ISL Consulting, Equifax Inc, First Data Corporation, SNI

Software Hits: 73 | Targets: Newegg, Twitter, LinkedIn, GitHub, Google

eCommerce Hits: 64 | Targets: PayPal, Newegg, First Data Corporation, eBay Inc,

Information Technology Hits: 53 | Targets: Twitter, LinkedIn, Google, Sony Corp, Yahoo

Consumer Goods Hits: 40 | Targets: Starwood Hotels & Resorts Worldwide, Marriott International, Tesla Inc., Sony Corp, Huawei Technologies

This Week’s Top Threat Actors*:

Magecart Hits: 39 | Targets: British Airways, Newegg, Ticketmaster Entertainment, Magento, Feedify

Lazarus Group Hits: 28 | Targets: Sony Corp, South Korea, United States, Central Bank of Bangladesh, Cryptocurrency

APT28 Fancy Bear Hits: 26 | Targets: Democratic National Convention, United States, Democratic National Committee, Germany, United States Senate

Hezbollah Hits: 17 | Targets: Israel, Syria, Lebanon, Iran, United States

GRIM SPIDER Hits: 5 | Targets: Banking

This Week’s Top Malware Exploitations*:

NotPetya Hits: 36 | Targets: Ukraine, United Kingdom, Russia, A.P. Moller-Maersk, USA

Ryuk Ransomware Hits: 21 | Targets: Bitcoin, United States, Check Point Software Technologies Ltd, North Carolina.

LoJax Hits: 21 | Targets: Unified Extensible Firmware Interface, Microsoft Windows, LoJack for Laptops, Balcas.

TRISIS Hits: 20 | Targets: Triconex SIS, Schneider Electric, Triconex, Industrial Control Systems, Critical infrastructure

Magecart Hits: 15 | Targets: Ticketmaster Entertainment, Shopper Approved, British Airways, Newegg, eCommerce


In Other News


Australian real estate network First National released a statement that information it held on job applicants had been leaked online. In the statement, First National explained that a recruitment agency it uses, Sales Inventory Profile, was responsible for the breach. "First National immediately responded through every appropriate channel to ensure that its network had not breached or participated in any notifiable data breach," the organisation wrote, noting this included completing its due diligence, such as reaching out to the Office of the Australian Information Commissioner (OAIC). Sales Inventory Profile, founded by Maya Saric in 1995, describes its product as the "world's first sales staff pre-selection software that allows you to identify which candidates can sell before the interview with 90 percent accuracy". First National is not the only customer of the recruitment software firm, with its website showing Starr Partners, Sophos, and Professionals Real Estate Group are also on its books. "As this breach is not within First National's responsibility, we, like all networks with the real estate industry are dependent upon the Sales Inventory Profile organisation complying with the necessary security arrangements," First National network chief executive Ray Ellis said. "We are working with our affected offices, and more importantly, any applicants that have been affected". The information leak was first highlighted by Gareth Llewellyn, who works in information security for Brass Horn Communications, after he tweeted last week about what he found online. Initially, Llewellyn found an indexed S3 bucket that contained over 6,000 CVs and cover letters of individuals applying for a job within the real estate industry. The leaked information included the full names, addresses, phone numbers, dates of birth, and other personal information -- as many applicants list their education and previous employment information on resumes.

Updating his findings, Llewellyn explained that the service provider requires individuals to answer over 300 psychometric questions and then upload a CV. It is the second data breach at an Australian recruitment company since the country's Notifiable Data Breaches (NDB) scheme came into effect in February 2018.

Avantia’s Note: This breach illustrates the significant risk third-party suppliers pose to businesses that have not adequately ‘vetted’ their suppliers or done any ‘due diligence’ on their cyber security posture.


Businesses both in the UK and wider Europe should expect a sharp spike in phishing attacks once the political uncertainty around Brexit is resolved, with analysts already spotting a rise in malicious activity. Once either a withdrawal agreement between the UK and the European Union (EU) has been reached or there is a 'no deal' outcome, businesses should expect a wave of threat activity as they embark on preparations. The outcome of negotiations should be known by March 2019, by which point organisations will face an increase in Brexit-themed spearphishing campaigns and political disinformation that could transition into infiltration, according to threat intelligence firm EclecticIQ. "Cybercriminals could easily exploit Brexit in large-scale phishing campaigns," the researchers said. "A campaign targeting businesses could see cybercriminals sending out documents that are made to look like government advice on dealing with Brexit which in fact download malware. Cybercriminals regularly use similar tactics by spoofing government organisations in order to spread malware or steal personal information." Threat actors with nation-state ties, such as Fancy Bear or its cousin organisation Cozy Bear, could target the UK government by spoofing a major central government department such as the Department for Exiting the European Union (DexEU). "We've seen examples of cybercriminals piggy-backing onto major political events to try and spread malware," analyst Aaron Roberts told IT Pro. Brexit-themed disinformation across social media has also been prevalent in recent months, EclecticIQ found, with Russian-originating accounts spreading messages and counter-messages across both sides of political opinion. Activity, at the moment, seems based around shaping opinion and less on intrusion, but analysts say that may change in the run-up to 29 March 2019, when the UK will leave the EU under Article 50.
"We may see links alleging to be major news or highly relevant to Brexit being shared across social media, either to try and spread malware or to harvest credentials from users that could then be used to further spread the same message," Roberts continued.


There has been a lot written about how businesses can avoid being digitally defrauded by ransomware. "A ransomware infection often starts with someone clicking on what looks like an innocent attachment, and it can be a headache for companies of all sizes if vital files and documents (think spreadsheets and invoices) are suddenly encrypted and inaccessible," writes ZDNet's Danny Palmer in the article. He adds: "If you are attacked with file-encrypting ransomware, criminals will then brazenly announce they're holding your corporate data hostage until you pay a ransom in order to get it back." Even with all the warnings, the success of ransomware is unparalleled, and to make matters worse, digital fraudsters are now targeting smaller businesses, which typically do not have sufficient resources to even begin to combat ransomware. The cost is frightening. As to how ransomware is affecting smaller businesses, Datto, which works with managed service providers (MSPs), estimates that 99% of its survey participants agree the number of ransomware attacks will continue to increase. Robert Gibbons, chief technology officer at Datto, states that approximately 75% of the MSPs queried said their SME customers experienced "business-threatening" downtime as a result of a ransomware attack. That is a rather bleak outlook.

To pay or not to pay?

"It's clear that both camps can cite a variety of reasons to support the decisions they make," concludes TechRepublic's Jesus Vigo. "I feel, personally, that it isn't so black and white, and that each scenario should be addressed based on the circumstances rather than choosing an answer based on a pre-set plan." It's not surprising that business owners who want to regain control of their data and infrastructure as quickly as possible are willing to pay the ransom even though the odds are against them. Reports from various security research firms state that between 45% and 55% of businesses that pay the ransom are unable to recover their data.

Not so fast…

The typical talking line for security experts is to never pay a ransom; however, that's easy for them to say—they're not the ones who have to make that painful decision. Still, those who are facing that decision are now more likely to say no to ransom demands. CyberEdge Group's 2018 Cyberthreat Defense Report stated that of the 1,200 IT professionals surveyed, 55% experienced a ransomware attack; of that 55%, only 19% paid the ransom. The report also mentions that those who refused to pay the ransom had backups allowing them to quickly recover and get back to business as usual.

Are backups the answer?

A bulletproof backup system seems to be the answer, as loss of data is the most pressing issue. "Businesses are most concerned with their data when hit with a cyber-attack," mentions the report. "Respondents noted that data leakage was their top business concern, followed by reputation loss and service outages." Besides being unable to function normally due to lost data, business owners have additional concerns:

· Getting data back is no indication the information has not been used by the attackers, sold to competitors, or made public with the intention of embarrassing the company.

· Losing data—sensitive or otherwise—may mean the company is out of compliance with industry and/or governmental regulations.

· "Paying a hacker in these situations not only incentivizes further attacks, but it provides criminals with the funds they need to continue their operations," said Carl Herberger, vice president of security solutions at Radware.

Prepare for the inevitable

There is a watershed movement occurring—Cyber Security professionals are changing their focus from prevention to recovery. Prevention is not the be-all and end-all answer, so why not be as prepared as possible to recover from the inevitable cybersecurity incident?


Hyatt Hotels recently launched a bug bounty program dubbed Hacker One, enabling ethical hackers to report security flaws for rewards of up to $4,000. Considering recent card-skimming attacks against the hospitality chain, the innovative platform is designed to “tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities”. Other organizations that are following suit and using the platform include Google, Twitter, the US Department of Defense, GitHub, and Qualcomm.



THREAT FOCUS: Titan Manufacturing & Design – USA*

Exploit: System breach through malware attack.

Titan: Retailer for tools, housewares, and household appliances.

Risk to Small Business: 1.555 = Severe

Customers Impacted: Total number to be determined, but 1,838 Washington residents were affected.

Individual Risk: 2.428 = Severe: With personal and financial records exposed, the individual risk involved with this breach is incredibly high. So far, Titan and its third-party security expert know only that customers who purchased goods from its online stores between November 23, 2017 and October 25, 2018 were potentially affected. This means that the data could already have been auctioned off on the Dark Web or exploited for further payment breaches.

Effect on Customers: System breaches that go undiscovered for long periods of time cost incrementally more by the day. Since this exploit was discovered over a year after it began, businesses are liable for damages, future identity theft protection services, and potential litigation. Such a crisis can be averted by working with the right MSSPs, Solution Providers, Systems Integrators, and OEMs.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Managed Health Services Of Indiana - USA*

Exploit: Third-party breach via employee email phishing attack. Managed Health Services (MHS) of Indiana: Healthcare group that manages Indiana's Hoosier Healthwise and Hoosier Care Connect Medicaid programs.

Risk to Small Business: 1.333 = Extreme: When vulnerabilities of this magnitude are exposed within a third-party provider’s environment, the finger-pointing begins immediately. LCP Transportation, the vendor for MHS that disclosed the breach, will surface in news headlines and must answer to many other concerned clients as well. Although there is no evidence that any of the information was misused, experts are already calling for better cyber-risk management solutions to protect the healthcare industry.

Individual Risk: 2.142 = Severe

Customers Impacted: Up to 31,000 patients.

Effect On Customers: In light of multiple reports of data breaches at Humana and the Blue Cross Blue Shield network of Michigan this year alone, it is clear that the healthcare industry is in the crosshairs of cybercriminals. Other organizations should take notice, protecting sensitive health data and putting systems in place to avoid being breached. Also, this example of a third-party breach serves as a great reminder for businesses to thoroughly evaluate vendors and ensure that updated security systems are in place.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Discount Mugs – USA*

Exploit: Injection of card skimming code into website.

Discount Mugs: E-commerce website for custom mugs and apparel.

Risk to Small Business: 1.666 = Severe: When hackers can extract credit card numbers from your customers for four months undetected, the aftermath is never good. Although the company identified that orders between August 5 and November 16 of 2018 had been compromised, the number of shoppers affected has not been determined. Customers will think twice before purchasing from the website and will likely consider competitors with better online security.

Individual Risk: 2.428 = Severe: Given that the cyber attack occurred just before a busy holiday shopping season, you must wonder if the cyber criminals planned their timing strategically. They stole everything from credit card numbers, security codes, and expiration dates, to names, addresses, phone numbers, email addresses and ZIP codes. With this information in hand, anyone is capable of orchestrating payment fraud.

Customers Impacted: To be determined.

Effect On Customers: Payment breaches are frightening for businesses and their customers. As American consumers begin to experience how cyber attacks affect them first-hand, they will put their digital dollars towards websites that can protect their financial information.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Amazon India - India*

Exploit: Internal technical glitch.

Amazon India: Online shopping site in India.

Risk to Small Business: 2.111 = Severe: When a company the size of Amazon is involved, issues regarding the erosion of customer loyalty and loss of brand equity can be measured in six figures. Although the breach exposed the tax data of 400,000 sellers on Amazon, only 0.2% of the seller base, and was rectified immediately, it remains to be seen what the long-term effects for enterprise customers are.

Individual Risk: 2.428 = Severe: Tax data can reveal significant information on Amazon sellers, but the breach was contained and it is likely that no data was maliciously harvested. At the same time, the glitch allowed users to view details of other sellers, which could potentially place sensitive business details in jeopardy.

Customers Impacted: 400,000 sellers.

Effect On Businesses: No business owner wants their tax information in the hands of the wrong person. Even a small business glitch has the potential to expose proprietary information such as intellectual property, competitive advantages, or earnings, which means that a sustained glitch in seller data could be much more impactful than it appears. Brainstorm how you can work with your security providers to protect and obscure such information.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: SingHealth – Singapore*

Exploit: Initial malware infection coupled with a multi-pronged attack.

SingHealth: Singapore’s largest group of healthcare institutions.

Customers Impacted: 1.5M individuals.

Risk to Small Business: 1.444 = Extreme: Besides the relentless onslaught of articles and news detailing SingHealth’s negligence and lack of “security hygiene”, high-profile members of management were terminated, demoted, and fined. As you can imagine, the long-term implications for employee morale are less than desirable, along with crippling blows to culture, brand, and customer trust.

Individual Risk: 2 = Severe: Although the theft occurred during a short period of time (June 27, 2018 to July 4, 2018), the data stolen included names, NRIC numbers, addresses, gender, race, and dates of birth. Even worse, around 160,000 individuals also had their outpatient prescriptions taken. It is believed that Prime Minister Lee Hsien Loong was a primary target of the hack, but you can expect the data collected to be sold to the highest bidder.

Effect On Businesses: Aside from the laundry list of penalties for incurring such a breach, an affected organization must continue business as usual while restoring operations. In this case, SingHealth has imposed a “temporary Internet surfing separation” on 28,000 staff work computers. With an entirely new set of security processes to manage while avoiding disruptions caused by the breach, customers should begin to see the value in proactively implementing IT protocols and monitoring for stolen credentials.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Maire Tecnimont SpA - Italy*

Exploit: Social engineering and business email compromise (BEC).

Maire Tecnimont SpA: Construction engineering company.

Customers Impacted: N/A

Risk to Small Business: 2.111 = Severe: This elaborate cyber fraud involved staging a “confidential acquisition” and impersonating the CEO in order to persuade the head of the company's India operations to transfer funds amounting to $18.5M. Although it was an isolated incident, such an attack demonstrates the lack of overall awareness surrounding BEC scams and may serve as an impetus for other hackers to try infiltrating the company’s networks. Also, it is entirely possible that the hackers were monitoring day-to-day business operations for months in advance to prepare for the sophisticated scheme, which means that there may be other undiscovered breaches at play.

Individual Risk: 3 = Moderate: No personal information was breached.

Effect on Businesses: Increasing awareness of social engineering fraud and BEC is a best practice all organizations should implement. Hackers are growing increasingly sophisticated and convincing in their efforts to fool executives into handing over funds or information, which means that we must counter by incorporating training courses and multi-factor authentication processes to prevent attacks.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.



Following the Cambridge Analytica scandal, Australian media company Pureprofile surveyed consumers to measure perceptions surrounding data use by organizations. Almost half (48%) were concerned about how their data was being used and intended to make changes to their privacy and sharing settings. Surprisingly, 26% of the Australian users surveyed decided to change or close their Facebook account.

When combined with other research on attitudes towards data use, it becomes clear that consumers are growing increasingly aware of the value exchange that occurs with online services, social media, and companies. However, they are not satisfied with how their data is being used and who exactly is using it, signalling a future paradigm shift in the way customers respond to data breaches.

Fostering trust with cyber vigilant customers begins by explaining how you are protecting their data. Consider highlighting your security solutions and outline how customer data is only being used when necessary, and with the intention of improving customer experiences to make their lives easier.



* Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content's accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.
