  • Avantia Threat Update

FOR WHOM THE BELL TOLLS......... AGAIN!



THIS PAST WEEK: Toll Transport hit by ransomware for a second time in 3 months; Maastricht University pays US$240,000 for release from ransomware; Australian Cyber Security Centre issues Critical Advisory # 2020-009; Polish Police arrest 5 hackers for selling stolen usernames/passwords; US & UK Police warn COVID-19 responders targeted; GoDaddy announces 19 million data breach in October last year; Are usernames & passwords obsolete?; Phishing scams compromise patient data; Ransomware disrupts remote work; The sale of the world’s largest whiskey collection is thwarted; and employees struggle to deter cybersecurity threats while working from home with Major Breaches in AUSTRALIA; EUROPEAN UNION; UNITED KINGDOM; CANADA & UNITED STATES.


Dark Web ID Trends:

Top Source Hits: ID Theft Forums

Top Compromise Type: Domain

Top Industry: Education & Research

Top Employee Count: 1-10

______________________________________________________________________________


AUSTRALIAN SHIPPING GIANT TOLL HIT BY RANSOMWARE FOR A SECOND TIME IN THREE MONTHS.

Australian shipping giant Toll informed customers on Tuesday that it has shut down some IT systems after discovering a piece of ransomware. This is the second ransomware incident disclosed by the company this year. Toll said it discovered the ransomware after seeing unusual activity on some servers. An investigation revealed an infection with Nefilim ransomware, a fairly new threat that has been linked to the Nemty ransomware. The company says it does not plan on paying any ransom demands and claims it has found no evidence that data has been exfiltrated from its network. However, Bleeping Computer reported in March that Nefilim authors do claim to steal data and threaten to make it public unless they are paid. Toll has shut down its MyToll portal as a result of the incident and the company is currently working on cleaning affected systems and restoring files from backups. The company says it’s using manual processes to continue providing services, but some customers have reported delays or disruption. In an update shared on Wednesday, Toll said freight shipments and parcel deliveries are largely unaffected, and the company revealed that it’s prioritizing the delivery of essential items, such as medical and healthcare supplies needed during the COVID-19 coronavirus outbreak. “We’re working closely with our large enterprise customers whose services are affected and, for our SME customers and consumers, we’re providing updates on work-around processes through our digital and social channels including Toll’s company and MyToll websites,” “We expect to maintain current business continuity and manual processing arrangements through the week, and we are in regular contact with the Australian Cyber Security Centre (ACSC) regarding the investigation and recovery process.” This is the second time Toll has been hit by ransomware this year. The company previously found Mailto ransomware on some systems in late January, but says the incidents are unrelated. 
The earlier incident reportedly impacted operations in Australia, India and the Philippines, with some unconfirmed reports claiming that the malware had infected over 1,000 servers. Owned by Japan Post, Toll has over 40,000 employees and claims to have a global logistics network that spans across 1,200 locations in more than 50 countries. Toll is not the only major shipping company hit by ransomware in recent years. The list of victims also includes Pitney Bowes, Mediterranean Shipping Company (MSC), and COSCO.


NETHERLANDS UNIVERSITY PAYS US$ 240,000 AFTER TARGETED RANSOMWARE BREACH:

The University of Maastricht, The Netherlands (UM), has paid a ransom of 30 Bitcoins (about $240,000 at the time, $294,000 today) for a decryption key to the CLOP ransomware. UM has been open and forthcoming on the details of the attack, providing detailed insight into a classic targeted ransomware attack. The encryption process started on December 23, 2019. By December 29, 2019, UM had concluded that its only realistic way forward was to pay the ransom and buy the decryption key. Rebuilding the infrastructure would take months -- even if it were possible -- while research material would be irretrievable. In the meantime, its students would not be able to work effectively and may not be able to take their exams.

The intrusion started on October 15th. A series of phishing emails was delivered, and two were successful on different workstations on October 15th and 16th. The attacker was resident on UM's network for more than two months before the encryption commenced, and was able to study the topology and deliver the maximum damage. The attacker was the group known as TA505. "The modus operandi of the group behind this specific attack," said Fox-IT in a forensic report commissioned by UM, "comes over with a criminal group that already has a long history, and goes back to at least 2014. The group is often referred to publicly as 'TA505', as well as 'GraceRAT', named after one of the tools used by the group." Some subsequent media reports have linked TA505 with Evil Corp, the group behind Dridex -- but this is questionable. The source appears to be a Microsoft tweet from 30 January 2020: "Dudear (aka TA505/SectorJ04/Evil Corp), used in some of the biggest malware campaigns today, is back in operations this month after a short hiatus. While we saw some changes in tactics, the revived Dudear still attempts to deploy the info-stealing Trojan GraceWire."
Responding to this, however, Bryan Campbell, senior threat analyst with Proofpoint, commented simply, "TA505 does not equal Evil Corp." Certainly, Fox-IT mentions neither SectorJ04 nor Evil Corp in its forensic report. Evil Corp is usually associated with the group behind Dridex. Fox-IT believes that TA505 is a separate group, but that the group has "cooperated with the 'Dridex' group." Both successful phishing emails were written in English, with links leading to an Excel document. These documents contained a macro that downloaded the SDBBot remote access trojan from IP addresses 185.225.17(.)99 and 185.212.128(.)146 respectively. Following the successful phishing, TA505 accessed several UM servers. One of these had not been fully patched, and the group was able to gain full rights across the infrastructure. The group surveilled the topology and was able to collect multiple account usernames and passwords. On 23 December 2019 it successfully deployed the CLOP ransomware on 267 of UM's servers. Fox-IT found no indication that any personal or research data had been stolen, but has not been able to definitively exclude the possibility. Nevertheless, UM has now commissioned Fox-IT to conduct a separate investigation to confirm this. The forensic firm made four primary recommendations based on its analysis of the attack: improve vulnerability and patch management, increase segmentation within the network, implement or improve network and log monitoring, and practice different crisis response scenarios. For its part, UM has accepted the recommendations, but explains the difficulties faced by all higher education establishments: finding the right balance, it said in its own report, "between optimal digital security and providing an open and transparent environment for students and researchers." Its conclusion is that some openness must be sacrificed to improved security in the modern cyber world. 
It intends to improve security awareness training and tools for better phish detection and handling. It will improve its patch regime, but explains the problem: "UM receives approximately 100,000 updates per year, all of which have to be processed on 1,647 servers and 7,307 workstations." It will reconsider its current segmentation, and improve its control of administrator accounts. It does already use segmentation, but acknowledges that its V-LANs "are relatively open to each other to guarantee the openness of the network and also to facilitate decentralized management and use of UM infrastructures." UM also intends to establish a 24/7 SIEM and SOC. This had already been planned for January 2020, but too late to affect the TA505 attack. It hopes to do this in conjunction with other universities, and hopes to emulate what is happening in Canada and is already operational in the U.S. -- effectively a joint SOC between different universities for improved cooperation and collective action. Two areas that go beyond the Fox-IT primary recommendations include the development of a configuration management database and improving its backup regime. The university acknowledges that lack of understanding of its own infrastructure hampered its response. "There were insufficient insights into the number of active and inactive computer and server systems in the UM domain." It also acknowledges that failure to have an offsite backup was an error. Its existing backups were primarily aimed at ensuring instant continuity, and were consequently online. "The cyber attacker was able to encrypt these online backups from a few critical systems," it reports. "This must be prevented in the future." Since the attack, it has now made "offline and online backups for every critical system." One area not mentioned by any of the parties is cyber insurance. Since the basic education budget was established before the advent of ransomware, it may be considered currently too expensive. 
Nevertheless, it is something that should be considered in such a high-risk sector as higher education. There is little doubt that ransomware attacks against universities will continue, while cyber insurance already has a good track record in funding victims' ransom.


ACSC Critical Advisory # 2020-009


The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC)* are aware that Advanced Persistent Threat (APT) actors are actively targeting health sector organisations and medical research facilities in Australia. As the outbreak of the virus continues to impact the health sectors of countries worldwide, APT groups may be seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak as this information is now of higher value and priority globally. Accordingly, Australia’s health or research sectors could be at greater threat of being targeted, and potentially compromised, by malicious APT groups. Due to the increased pressure placed on the health sector to respond to the COVID-19 pandemic, it is critical that health sector organisations ensure that their networks are protected from malicious cyber actors who may seek to disrupt essential services or compromise business-critical systems. Sophisticated actors will often use the most efficient means available to target a victim’s network and, in the current climate, APT groups may seek to maximise on the public desire for COVID-19 related information by generating specific COVID-19 themed spear-phishing emails to attempt to compromise victims. Adversaries and cybercrime actors have been identified as responsible for compromising email servers of health sector entities in Australia, which are then used to distribute COVID-19 phishing emails in an attempt to deploy malicious software, including ransomware, or to gain access to other targeted organisations. Malicious actors view health sector entities as a lucrative target for ransomware attacks. This is because of the sensitive personal and medical data they hold, and how critical this data is to maintaining operations and patient care. A significant ransomware attack against a hospital network would have major impact. 
Sophisticated actors have also been seen undertaking brute force attacks using a trial-and-error method to guess login credentials, and password spray attacks that attempt to access numerous accounts with a list of commonly-used passwords. Attacks such as these often result in the theft of sensitive data, and underscore the importance of a strong cyber security culture amongst employees. This includes adopting multi-factor authentication, strong password policies, and regular reviews of network logs for signs of malicious activity. The exploitation of compromised Remote Desktop Protocol (RDP) credentials by malicious actors is also a significant concern, particularly as RDP is widely used by medical clinics and doctors’ surgeries to access centralised patient databases and other shared information repositories. Compromised RDP credentials can enable unauthorised access to networks in a manner that enables the malicious actor’s digital footprint and identification to be obscured. Organisations should implement the recommendations in this advisory in order to mitigate the threat of this malicious activity and harden their network against unauthorised access. Advanced Persistent Threat (APT) actors is the term given to the most sophisticated and well-resourced type of malicious cyber adversary. Commonly associated with nation states, APTs will seek to compromise networks to obtain economic, policy, legal, or defense and security information for their strategic advantage. APT actors may also seek to achieve disruptive or destructive effects against their targets. These actors use a range of different tradecraft, making it very difficult to identify patterns. Even the most sophisticated adversaries are not above using relatively simple or basic techniques to achieve their goal. While some APTs use combinations of high-end hacking tools, others will adopt fairly rudimentary methods such as phishing. 
In all cases, their actions are very deliberate and they carefully tailor their cyber attack to optimise the chances of success and minimise the chances of detection. APTs are also very patient adversaries, known to undertake detailed reconnaissance of high-value networks over months and sometimes years. They will also track representatives that work in the organisation they are targeting – in an effort to find the weakest link or point of vulnerability they can exploit. Even seemingly basic information such as contact details and employment history on an organisation’s website or an employee’s social media profile can provide useful leads for APTs to target. APT actors pose the most significant threat to Australia’s national security and economic prosperity.

The ACSC recommends that organisations in the health sector implement the following cyber security mitigations:

Implement Essential Eight security controls

The ACSC strongly recommends the implementation of the ASD Essential Eight mitigations to mitigate threats of most methodologies used by APT actors to compromise computer networks.


  • Enable multi-factor authentication

  • Block macros

  • Implement regular patching of systems and applications

  • Make regular back-ups of critical systems and databases

  • Keep back-ups separate from corporate computers, on separate devices or use a secure cloud service.

  • Implement additional security controls

  • Alert and educate staff

  • Email content scanning

Organisations should ensure that they have an up-to-date Incident Response Plan (IRP) that includes procedures to respond to a ransomware infection. In most situations, the aim of the ransomware procedures will be to:


  • quickly identify affected systems

  • quarantine the affected systems and isolate business critical systems

  • identify and implement security controls to prevent the propagation of the ransomware to other systems, and

  • preserve evidence for future analysis and restoration from backup.


Cyber incident reporting

If you have questions about this advice or have indications that your network has been compromised, contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

*Avantia Corporate Services is a registered Security Partner of the Australian Cyber Security Centre (ACSC).

POLISH POLICE ARREST 5 HACKERS FOR SELLING STOLEN CREDENTIALS (USERNAMES/PASSWORDS) AND HACKING TOOLS.

Europol announced today the arrest of five Polish hackers who were part of the Infinity Black hacking group. The group formed in late 2018 and was primarily known for operating the Infinity[.]black website, where they sold access to "collections" of user credentials. The collections were assembled together by gathering usernames and passwords leaked during data breaches at other companies in prior years. On various Dark Web channels and forums, the group advertised the Infinity[.]black portal, but also various hacking tools and scripts to perform credential stuffing attacks using the leaked credentials. Infinity Black also used the hacking tools themselves. They used their collections of leaked username and password combinations to gain access to other online accounts -- where victims might have reused credentials. According to a Europol press release today, the group focused on online services running loyalty programs. The Infinity Black crew would gain access to these accounts, and then sell the accounts to other criminal gangs, who would later exchange the loyalty points from each account for expensive electronic devices. Swiss authorities started an investigation into the group's operations after Infinity Black gained access to a large number of accounts belonging to Swiss users, and then sold access to other online fraudsters, causing financial losses to Swiss citizens. "Although the losses are estimated at €50,000, hackers had access to accounts with potential losses of more than €610,000," Europol said. "The fraudsters and hackers, among them minors and young adults, were unmasked when using the stolen data in shops in Switzerland," the agency said. Swiss police escalated the investigation to Europol and Eurojust, which eventually led to the arrest of five individuals in Poland, on April 30, 2020, last week. 
During the arrests and house searches, Polish police said they seized electronic equipment, external hard drives, and hardware cryptocurrency wallets, all worth around €100,000. Police authorities also seized two online platforms with databases containing over 170 million stolen user credentials. One of them is believed to be DataSense[.]pw. The original Infinity Black web portal was not among them, as the site went down last year, believed to have been discontinued by its members. The hacking group's leader, an individual known as Azatej, is also believed to have been arrested. Azatej's absence was almost immediately noticed by other users on the hacking forums where Azatej used to frequent and advertise hacking tools. Other known Infinity Black members include individuals going by the nicknames of Macien, TheN3RoX and Kay, although we can't confirm who of these was arrested at the time of writing.


US & UK WARN OF ADVERSARIES TARGETING COVID-19 RESPONDERS.

Advanced persistent threat (APT) groups continue to leverage the COVID-19 crisis in cyberattacks, the United States and United Kingdom said in a joint alert today.  For several months, threat actors adapted their operations to leverage the COVID-19 pandemic to increase the efficiency of their malicious attacks, including surveillance (Libya and Syria) and espionage campaigns.  Several weeks ago, Google, which was seeing around 18 million pandemic-themed malware or phishing messages per day, revealed that nation-backed hackers were targeting healthcare organizations and those engaged in the fight against the coronavirus pandemic.  Today, the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) warned that APT groups are “actively targeting organizations involved in both national and international COVID-19 responses.” The nation-states target healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments, looking to collect bulk personal information, intellectual property, and other type of data that “aligns with national priorities.” “The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research,” the joint alert reads.  By targeting pharmaceutical companies, medical research organizations, and universities, APT groups attempt to gather information “for their domestic research efforts into COVID-19-related medicine,” CISA and NCSC say. A number of incidents are currently being investigated.  “These organizations’ global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. 
Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted,” the alert reads. The threat actors are scanning the external websites of these organizations, looking for unpatched vulnerabilities they could exploit. Security flaws threat actors are known to have targeted include Citrix vulnerability CVE-2019-19781 and issues in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto, CISA and NCSC warn. The two agencies are also investigating large-scale password spraying campaigns targeting healthcare entities in multiple countries, along with international healthcare organizations. Similar attacks have been used against government, emergency services, law enforcement, academia and research, financial, telecommunications, and retail organizations too. Such attacks, where a single, common password is used against multiple accounts before trying another password, allow attackers to remain undetected and are likely to succeed if used on a large number of accounts. Once an account has been compromised, the hackers can move to target other accounts within the organization. To stay protected, organizations are advised to adopt mitigations such as keeping VPNs, network infrastructure, and remote devices updated, employing multi-factor authentication, protecting the management interfaces of critical operational systems, using security monitoring, reviewing incident management processes, and using modern systems and software, which have better security built-in. “CISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic,” the alert reads.
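The ACSC advisory and the CISA/NCSC alert above both describe brute force (many guesses at one account) and password spraying (one common password tried across many accounts), and both recommend log review and security monitoring. The following is an added example, not taken from either advisory or from this newsletter, showing why a per-account lockout counter misses a spray while a per-source view of the same log catches it. The event format, thresholds, usernames and IP addresses (RFC 5737 documentation ranges) are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed look-back window
LOCKOUT_THRESHOLD = 5            # assumed per-account lockout policy
SPRAY_MIN_USERS = 4              # distinct accounts failed from one source
BRUTE_MIN_ATTEMPTS = 5           # failures on one account from one source


def build_sample_events():
    """Constructed log: (timestamp, source_ip, username, success)."""
    t0 = datetime(2020, 5, 5, 9, 0, 0)
    events = []
    # Source A: one guess per account, second round 10 minutes later (spray).
    staff = ["alice", "bob", "carol", "dave", "erin", "frank"]
    for rnd in range(2):
        for i, user in enumerate(staff):
            ts = t0 + timedelta(minutes=10 * rnd, seconds=5 * i)
            # In round two the guessed password works for "erin".
            events.append((ts, "198.51.100.7", user, rnd == 1 and user == "erin"))
    # Source B: repeated guesses against a single account (brute force).
    for i in range(8):
        events.append((t0 + timedelta(seconds=20 * i), "203.0.113.9", "admin", False))
    # Source C: an ordinary user who mistypes once, then logs in.
    events.append((t0 + timedelta(minutes=3), "192.0.2.44", "carol", False))
    events.append((t0 + timedelta(minutes=4), "192.0.2.44", "carol", True))
    return sorted(events)


def accounts_hitting_lockout(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Per-account view: accounts with >= threshold failures inside the window."""
    recent_fails = defaultdict(list)
    locked = set()
    for ts, _src, user, ok in sorted(events):
        if ok:
            continue
        kept = [t for t in recent_fails[user] if ts - t <= window]
        kept.append(ts)
        recent_fails[user] = kept
        if len(kept) >= threshold:
            locked.add(user)
    return locked


def classify_sources(events, window=WINDOW):
    """Per-source view: label each source by the shape of its failed logins."""
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        by_src[src].append((ts, user, ok))

    findings = {}
    for src, rows in by_src.items():
        label, start = "benign", 0
        for end in range(len(rows)):
            # Slide the window so it only covers the last `window` of activity.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _ts, user, ok in rows[start:end + 1]:
                if not ok:
                    per_user[user] += 1
            if not per_user:
                continue
            if max(per_user.values()) >= BRUTE_MIN_ATTEMPTS:
                label = "brute_force"       # many guesses at one account
            elif len(per_user) >= SPRAY_MIN_USERS and label == "benign":
                label = "password_spray"    # few guesses at many accounts
        # A success from a flagged source, on an account that source failed
        # on earlier, means a guess landed: report the account as compromised.
        failed_first, compromised = set(), []
        for _ts, user, ok in rows:
            if ok and user in failed_first and label != "benign":
                compromised.append(user)
            elif not ok:
                failed_first.add(user)
        findings[src] = {"label": label, "compromised": compromised}
    return findings


if __name__ == "__main__":
    sample = build_sample_events()
    print("lockout would trip for:", sorted(accounts_hitting_lockout(sample)))
    for source, result in sorted(classify_sources(sample).items()):
        print(source, result)
```

On the constructed log, lockout fires only for the brute-forced account, while the spray source is flagged by the per-source view and its one successful guess is surfaced for password reset and session review.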


US BASED INTERNET REGISTRAR & WEB HOSTING COMPANY ‘GO DADDY’ NOTIFIES ITS 19 MILLION CUSTOMERS OF A DATA BREACH.......... LAST OCTOBER.

GoDaddy has been notifying customers of a data breach that may have resulted in their web hosting account credentials getting compromised. Headquartered in Scottsdale, Arizona, the Internet domain registrar and web hosting company claims to have over 19 million customers worldwide. The company submitted a data breach notice with the California Attorney General this week, revealing that its systems were breached in October 2019. “We need to inform you of a security incident impacting your GoDaddy web hosting account credentials,” the accompanying customer notification letter reads. The company said it started an investigation immediately after identifying suspicious activity on a subset of servers, which revealed that “an unauthorized individual” was able to access the credentials customers use to connect to SSH on their hosting account. “We have proactively reset your hosting account login information to help prevent any potential unauthorized access; you will need to follow these steps in order to regain access,” GoDaddy says. The unauthorized party was blocked from the company’s systems, but the investigation into the incident continues. “We have no evidence that any files were added or modified on your account,” the web hosting provider says, but advises customers to conduct an audit of their hosting accounts. The Internet registrar also explains that the main GoDaddy.com customer accounts were not impacted by the incident, and that the information stored within those accounts was not accessed by the hackers. Only the hosting accounts were affected. GoDaddy is providing impacted customers with one year of premium security services, which should help them identify any potential security vulnerabilities on their websites. “We apologize for any inconvenience this may have caused. We have already taken and will continue to take measures to enhance our security in light of this incident,” the company says.


SO YOU’VE SET UP MULTI FACTOR AUTHENTICATION (MFA) AND YOU THINK THAT PASSWORDS ALONE ARE SECURE .......... THINK AGAIN!

About a third of firms and organisations in Europe and the Middle East still believe the humble password is a good enough security measure, according to a survey carried out by French firm Thales. Moreover, two-thirds of the 400 IT professionals quizzed indicated "that their organisations plan to expand use of usernames and passwords in the future". The findings come as a contrast to a survey, which showed that the majority of people (as opposed to companies) don't really care about good password hygiene and cheerfully reuse the same one everywhere they digitally go. Thales, which bought secure mobile phone SIM card biz Gemalto in 2017, reckoned that over half (57 per cent) of IT pros it polled said that unsecured infrastructure was the most likely attack surface. With that in mind, password-protecting that sort of infrastructure makes more sense than simply leaving it open for any curious or malicious bod to poke around within. Francois Lasnier, veep of access management solutions at Thales, opined: "Often, in an effort to adapt to the new working habits of users connecting from anywhere, which is increasingly pertinent right now and will become standard moving forward, businesses tend to revert back to old password-based logins for cloud services in despair. This is knowingly increasing their security exposure to credential stuffing and phishing attacks." Thales, which, among other things, sells access management software, reckoned that its 400 respondents said the amount of staff training on security and access management, increasing spend on access management, and access management becoming a board priority "have all seen an increased focus". Last year French-owned Thales flogged off hardware security module biz nCipher following its Gemalto acquisition, a sale demanded by competition regulators. Password security is an ongoing bugbear for security folk.
NordVPN found in a survey earlier this year that tens of thousands of people across the world were using such Fort Knox-style gems as "pakistan", "onedirection" and "superman".

______________________________________________________________________________


THREAT FOCUS: Ambry Genetics - UNITED STATES

https://securityboulevard.com/2020/04/medical-information-of-233000-individuals-exposed-after-genetic-testing-lab-hack/


Exploit: Phishing scam  

Ambry Genetics: Genetic testing laboratory  

Risk to Small Business: 1.373 = Extreme

An employee failed to identify a phishing scam, interacting with the message and giving hackers access to patient data between January 22, 2020, and January 24, 2020. However, the incident wasn’t reported until March 22nd, as the company struggled to dedicate resources to cybersecurity while it transitioned to remote work. In total, the breach is the second largest healthcare breach of the year, and, although the company is updating its cybersecurity practices in response to the incident, they will need to navigate a challenging recovery process during a pandemic.

Individual Risk: 1.290 = Extreme

Hackers had access to patient data, including names, medical information, genetic-specific information, and a limited amount of Social Security numbers. This information has a strong market on the Dark Web, and those impacted by the breach should take steps to guard themselves against medical or identity theft. To support victims, Ambry Genetics is offering free identity monitoring services for a year. Also, those impacted by the breach should monitor their digital communications for potential spear-phishing messages that could compromise additional data.

Customers Impacted: 233,000

Effect On Customers: Healthcare services collect and store peoples’ most sensitive personal information, and they are a top target for cybercriminals during the COVID-19 pandemic. Rather than reacting to a cybersecurity incident, companies should take a proactive stance to protect PII. The incredible rise in phishing scams targeting healthcare facilities during this time should make employee awareness training a top priority.  

Risk Levels*:

1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk

*Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & ID Agent to the Rescue: BullPhish ID, through a targeted Email campaign, simulates phishing attacks and conducts security awareness training campaigns to educate your employees, making them the best defense against cybercrime – now with COVID-19 scam awareness kits. Call Avantia now on +61 7 30109711 for more information.

THREAT FOCUS: CivicSmart  Technology - UNITED STATES 

https://statescoop.com/smart-parking-meter-vendor-data-stolen-ransomware-attack/


Exploit: Ransomware

CivicSmart: Smart parking meter technology producer 

Risk to Small Business: 2.130 = Severe

A ransomware attack encrypted CivicSmart’s network and exfiltrated company and customer data. The attack, which took place in March, was identified when hackers threatened to publish 159 gigabytes of sensitive data online. To prevent publication, the company paid an undisclosed ransom, and the files were brought offline. However, CivicSmart can’t rest easy. Despite promises to delete the information, it’s unlikely that cybercriminals will destroy valuable resources, which means that the stolen data could come back to haunt the company or its customers.

Individual Risk: 2.671 = Severe

Although the details are unclear, CivicSmart’s platform collects peoples’ personal and payment information as part of its smart parking meter service. What’s more, it partners with a variety of mobile apps and parking-garage vendors that could also be compromised in the breach. As a precaution, those impacted by the breach should notify their financial institutions of the incident, while carefully scrutinizing incoming messages for signs of a spear phishing scam.

Customers Impacted: Unknown

Effect On Customers: Even before bad actors began exfiltrating data, ransomware attacks were uniquely costly and incredibly destructive. Today, companies can expect that a ransomware attack will double as a data breach, giving every organization millions of reasons to ensure that their networks are guarded against this especially problematic malware.




THREAT FOCUS: Saint Francis Ministries - UNITED STATES 

https://curated.tncontentexchange.com/states/kansas/saint-francis-ministries-provides-notice-of-email-incident/article_89591d55-2275-5bb7-8910-b6a62e6c3bb9.html


Exploit: Phishing scam

Saint Francis Ministries: Non-profit organization  

Risk to Small Business: 1.583 = Severe An employee interacted with a phishing scam that provided hackers with access to company IT. The breach, which was first identified on December 19, 2019, gave hackers access to user data between December 13, 2019, and December 20, 2019. However, it would be another two months before the organization understood the full scope of the breach. What’s more, it took until March 24, 2020, to determine that the breach included people’s personal data, and Saint Francis Ministries is just now notifying the public of the incident.

Individual Risk: 1.677 = Severe The impacted email account contained people’s personally identifiable information, including names, Social Security numbers, dates of birth, driver’s license numbers, state ID information, bank account details, treatment and diagnosis information, account credentials, and other healthcare data. This comprehensive breach could have far-reaching ramifications for victims, who will need to protect themselves against future data misuse.

Customers Impacted: Unknown

Effect On Customers: Whether hackers extract account credentials through phishing scams, purchase them on the Dark Web, or otherwise acquire this valuable data, organizations need to be prepared to protect accounts even when account information is compromised. Enabling easy-to-use tools like two-factor authentication is a natural first step.

Risk Levels*:

1 – 1.5 = Extreme Risk 1.51 – 2.49 = Severe Risk 2.5 – 3 = Moderate Risk *Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & Passly to the Rescue: With Passly, get the secure identity and access management solutions that you need to protect your systems and data in today’s remote work landscape at a price that you can afford, including multi-factor authentication, single sign-on, and secure password storage. Find out more by phoning Avantia on 07 30109711 or click the link to get started: https://www.avantiacybersecurity.com/overwatch


THREAT FOCUS: LearnPress Software - UNITED STATES

https://www.darkreading.com/vulnerabilities---threats/researchers-find-vulnerabilities-in-popular-remote-learning-plug-ins/d/d-id/1337697


Exploit: Software vulnerability

LearnPress: WordPress plug-in 

Risk to Small Business: 1.708 = Severe Cybersecurity researchers identified flaws in the LearnPress plug-in that could allow hackers to access student information, steal money from course creators, or alter their access privileges to become teachers. The popular WordPress plug-in is used by more than 100,000 schools, organizations, and content creators who rely on these digital services even more now that eLearning is the de facto presentation method for nearly all students.

Individual Risk: At this time, there is no evidence that personal information was compromised in the breach. However, users should carefully monitor their accounts and credentials for misuse or abuse.

Customers Impacted: Unknown

Effect On Customers: Developers took steps to repair the vulnerability, but businesses that want to thrive in our altered digital environment will need to identify threats before their products reach the public. As other organizations have discovered, the COVID-19 pandemic can be an excellent time to demonstrate strength or expose yourself to issues that will erode your brand’s image long after the crisis abates.

Risk Levels*:

1 – 1.5 = Extreme Risk 1.51 – 2.49 = Severe Risk 2.5 – 3 = Moderate Risk *Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & Huntsman Digital Auditor to the Rescue: Helping SMEs to understand the importance of security is no easy task. With an ‘Essential8’ Digital Security Audit we offer a remote access, independent, ‘real time’ audit of our clients’ critical operational infrastructure systems to determine where the gaps are, with recommendations for remediation.

It’s the first step to real cyber security. Call Avantia’s office on 07 30109711 or visit:

https://www.avantiacybersecurity.com/cyber-security-audit


THREAT FOCUS: Northwest Territories Power Corporation - CANADA 

https://www.cbc.ca/news/canada/north/ntpc-apparent-ransomware-attack-1.5551603


Exploit: Ransomware 

Northwest Territories Power Corporation: Electricity provider   

Risk to Small Business: 1.571 = Severe A ransomware attack disabled the power provider’s servers and email accounts. Website visitors were abruptly greeted by a message from the hackers notifying them of the attack and providing steps to purchase a decryption key to unlock the data. The event brought dismay from consumers who lamented another hurdle in an already tumultuous time. What’s more, it’s unclear if the company will be able to restore services from backup files, meaning they will likely have an expensive path to recovery.  

Individual Risk: At this time, no personal information was compromised in the breach.

Customers Impacted: Unknown

Effect On Customers: Ransomware attacks can feel random and inevitable. In reality, they always require an access point, and companies can take steps to defend their digital environment from these attacks. For instance, assessing your network for vulnerabilities and identifying compromised login credentials can go a long way toward ensuring that your company isn’t the next victim.

Risk Levels*:

1 – 1.5 = Extreme Risk 1.51 – 2.49 = Severe Risk 2.5 – 3 = Moderate Risk *Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & Passly to the Rescue: With Passly, get the secure identity and access management solutions that you need to protect your systems and data in today’s remote work landscape at a price that you can afford, including multi-factor authentication, single sign-on, and secure password storage. Find out more by phoning Avantia on 07 30109711 or click the link to get started: https://www.avantiacybersecurity.com/overwatch


THREAT FOCUS: Zaha Hadid Architects - UNITED KINGDOM     

https://www.cisomag.com/zaha-hadid-architects-suffers-a-ransomware-attack/


Exploit: Ransomware 

Zaha Hadid Architects: Architectural design firm

Risk to Small Business: 2.207 = Severe A ransomware attack forced Zaha Hadid Architects to bring its network offline, disrupting its remote operations as its distributed teams work from home during the COVID-19 pandemic. Fortunately, the company restored operations using backup data, but it was unable to determine the specific data sets that hackers exfiltrated before encrypting the network. As a result, the consequences will likely continue, as those responsible try to extract financial value from their efforts.

Individual Risk: At this time, it’s unclear if personal data was compromised in the breach. However, employees and customers should be especially vigilant to monitor their accounts and messages for unusual activity.

Customers Impacted: Unknown

Effect On Customers:  As companies battle to remain productive and profitable during the COVID-19 crisis, ransomware remains a constant threat to both priorities. Now, more than ever, every company needs to ensure that its defensive posture is ready to address this growing threat.  

Risk Levels*:

1 – 1.5 = Extreme Risk 1.51 – 2.49 = Severe Risk 2.5 – 3 = Moderate Risk *Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & Passly to the Rescue: With Passly, get the secure identity and access management solutions that you need to protect your systems and data in today’s remote work landscape at a price that you can afford, including multi-factor authentication, single sign-on, and secure password storage. Find out more by phoning Avantia on 07 30109711 or click the link to get started: https://www.avantiacybersecurity.com/overwatch


THREAT FOCUS: Proton Technologies AG - EUROPEAN UNION   

https://threatpost.com/data-leak-gdpr-advice-site/155199/


Exploit: Exposed database

Proton Technologies AG: GDPR compliance advice website  

Risk to Small Business: 1.672 = Severe An exposed database compromised users’ login credentials on GDPR.EU, an advice site for organisations striving to improve data privacy compliance that is partially sponsored by the Horizon 2020 Framework Program, an EU research program. The ironic cybersecurity incident was easily identifiable by cybersecurity researchers, who reported the vulnerability to developers. For a company that relies on institutional funding to power its platform, this incident is an embarrassing failure that could impact its long-term viability as a government partner.

Individual Risk: 2.509 = Moderate The breach compromised usernames and passwords, and victims should immediately reset their account credentials. In addition, any accounts that use the same username and password combination could also be compromised, and users should immediately update that information.

Customers Impacted: Unknown

Effect On Customers: While we rightly give a lot of attention to the financial cost of a data breach, many organizations fail to appraise the reputational damage that accompanies a cybersecurity incident. Especially for organizations predicated on their data privacy expertise, even a relatively small oversight can have significant consequences.

Risk Levels*:

1 – 1.5 = Extreme Risk 1.51 – 2.49 = Severe Risk 2.5 – 3 = Moderate Risk *Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & Passly to the Rescue: With Passly, get the secure identity and access management solutions that you need to protect your systems and data in today’s remote work landscape at a price that you can afford, including multi-factor authentication, single sign-on, and secure password storage. Find out more by phoning Avantia on 07 30109711 or click the link to get started: https://www.avantiacybersecurity.com/overwatch

THREAT FOCUS:  WhiskyAuctioneer  - AUSTRALIA  

https://www.theguardian.com/technology/2020/apr/25/online-auction-of-record-breaking-whisky-collection-hit-by-cyber-attack


Exploit: DDoS attack 

WhiskyAuctioneer.com: Online auction platform for rare whiskies.

Risk to Small Business: 1.393 = Severe A DDoS attack disrupted and ultimately forced the cancellation of an auction of the largest private whisky collection for public sale. The event was expected to net millions of dollars, and the cancellation will undoubtedly hurt the company’s bottom line. To protect critical data, the company was forced to bring its website offline, and members are encouraged to stay alert for future breach notifications.

Individual Risk: At this time, no personal information was compromised in the breach.

Customers Impacted: Unknown

Effect On Customers: Even before COVID-19 forced everyone online, many people already preferred digital platforms to in-person buying experiences. Of course, the pandemic has only accelerated this trend, which means that companies looking to capitalize on digital platforms need to ensure that they are safe and secure amidst a rapidly expanding threat landscape.

Risk Levels*:

1 – 1.5 = Extreme Risk 1.51 – 2.49 = Severe Risk 2.5 – 3 = Moderate Risk *Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & Huntsman Digital Auditor to the Rescue: Helping SMEs to understand the importance of security is no easy task. With an ‘Essential8’ Digital Security Audit we offer a remote access, independent, ‘real time’ audit of our clients’ critical operational infrastructure systems to determine where the gaps are, with recommendations for remediation.

It’s the first step to real cyber security. Call Avantia’s office on 07 30109711 or visit:

https://www.avantiacybersecurity.com/cyber-security-audit

______________________________________________________________________________


POSTSCRIPT:


Many Employees Feel Vulnerable to Cyberattacks

A survey of more than 1,500 UK employees found widespread fear of becoming the victim of a cyberattack following the national order to impose social distancing and transition to remote work. 49% of respondents indicated that they lack confidence in their computer hardware, and 42% reported receiving a suspicious email while working from home. Notably, 18% indicated that they’d experienced a cybersecurity event while working from home, and more than half of breach victims indicated a malicious email was to blame. Phishing attacks have soared, up over 600% in the wake of COVID-19. While some participants felt that their employers provided helpful defensive tools, like antivirus software or access to a VPN service, only 28% received specific training for the endpoints and applications that comprise their workflow. The risks of remote work are well-documented, and with this arrangement likely to continue for the foreseeable future, now is the perfect time to ensure that your employees have the tools necessary to protect your valuable data.

https://www.techradar.com/uk/news/half-of-remote-workers-feel-vulnerable-to-growing-cyberattacks


IT Leaders Recognize the Risks of Remote Work  

The cybersecurity risks of remote work have taken center stage in light of the workplace restrictions in place because of COVID-19. However, these risks were well-known, even before COVID-19. According to a recent study, in 2019, nearly half of IT leaders admitted that remote workers had intentionally or accidentally put data security at risk. Most prominently, apathy or a failure to take security seriously was identified as one of the most substantial risks associated with remote work. Simply put, many remote workers are not attuned to the data security risks experienced when working from home. In some cases, murky technology policies contribute to the risk, but other factors, like being unprepared to identify and respond to phishing scams, pose a significant threat to data security. Fortunately, companies can move the meter in this regard, as intentional strategies, like comprehensive employee awareness training, can equip employees to be prominent defenders of data security.

Disclaimer*:

Avantia Corporate Services Pty Ltd T/A Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach and cyber security information to us in real time. Given their international focus and experience in the cyberspace arena, we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content’s accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.

*COPYRIGHT 2020* Avantia Corporate Services - All Rights Reserved.
