Avantia Threat Update

HOW CYBER CRIMS CAN CLEAN OUT YOUR BANK VAULT


This Past Week:

New Malware can hijack your bank account; US NSA advises on urgent patching against Chinese hacking; AI Security: Spot attacks against critical systems before they happen; “The Donald’s” website hacked; Software Engineer leaks UK missile secrets; Pharmaceutical companies have a tough week as manufacturing is disrupted at COVID-19 drugmakers and huge patient databases are exposed; Why selling access for profit is on the rise and major breaches in: UNITED STATES; CANADA; INDIA; UNITED KINGDOM; GREECE & HUNGARY.

TOP Dark Web ID Trends: 

Top Source Hits: ID Theft Forums

Top Compromise Type: Domain

Top Industry: Education & Research

Top Employee Count: 1-10

________________________________________________________________________


NEW MALWARE USES REMOTE OVERLAY ATTACKS TO HIJACK YOUR BANK ACCOUNT.

Vizom disguises itself as the popular videoconferencing software many of us are relying on during the pandemic. Researchers have uncovered a new malware family that uses remote overlay attacks to target Brazilian bank account holders. The malware, dubbed Vizom by IBM, is being used in an active campaign across Brazil designed to compromise bank accounts via online financial services. IBM security researchers Chen Nahman, Ofir Ozer and Limor Kessem said the malware relies on two notable tactics to stay hidden and to compromise user devices in real time: remote overlay techniques and DLL hijacking.

Vizom spreads through spam-based phishing campaigns and disguises itself as popular videoconferencing software, tools that have become crucial to businesses and social events during the coronavirus pandemic. Once the malware lands on a Windows PC, Vizom drops its files into the AppData directory to begin the infection chain. Using DLL hijacking, the malware gets its own Delphi-based DLLs loaded by giving them the file names a legitimate application expects to find next to it. By abusing this "inherent logic" of the Windows loader, IBM says, the operating system is tricked into running Vizom as a child process of a legitimate videoconferencing executable. The DLL is named Cmmlib.dll, a file associated with Zoom. "To make sure that the malicious code is executed from "Cmmlib.dll," the malware's author copied the real export list of that legitimate DLL but made sure to modify it and have all the functions direct to the same address -- the malicious code's address space," the researchers say. A dropper then launches zTscoder.exe via the command prompt, and a second payload, a Remote Access Trojan (RAT), is fetched from a remote server, with the same hijacking trick performed against the Vivaldi web browser.

To establish persistence, browser shortcuts are tampered with so that whichever browser the user tries to run, the malicious Vivaldi/Vizom code runs in the background. The malware then quietly waits for any indication that an online banking service is being accessed. If a browser window title matches an entry on Vizom's target list, the operators are alerted and can connect remotely to the compromised PC. Because Vizom has already deployed its RAT capabilities, the attackers can take over the session and overlay content that tricks the victim into entering bank login credentials and account details. The remote-control capabilities abuse Windows API functions to move the mouse cursor, inject keyboard input and emulate clicks, and Vizom can also capture screenshots through the Windows print and magnifier functions. To create convincing overlays, the malware generates HTML files and loads them in Vivaldi in application mode. A keylogger is then launched, and the captured input is encrypted, packaged and sent to the attacker's command-and-control (C2) server. "The remote overlay malware class has gained tremendous momentum in the Latin American cybercrime arena through the past decade making it the top offender in the region," IBM says. "At this time, Vizom focuses on large Brazilian banks, however, the same tactics are known to be used against users across South America and has already been observed targeting banks in Europe as well."
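The export-table trick the IBM researchers describe leaves a measurable artifact: a DLL whose named exports all resolve to one address. As an added example (not IBM's code and not anything recovered from the Vizom campaign), the Python below walks a PE file's export directory without third-party libraries and flags that condition. Because no real DLL is embedded here, build_test_dll constructs a minimal synthetic PE32 DLL in memory so the check can be exercised offline; the export names, RVAs and the file name it uses are made up.

```python
import struct


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def export_table(pe):
    """Return [(export_name, function_rva), ...] from a PE32/PE32+ export directory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directory 0 (exports) sits at +96 in a PE32 optional header, +112 in PE32+.
    export_rva = struct.unpack_from("<I", pe, opt + (96 if magic == 0x10B else 112))[0]
    if export_rva == 0:
        return []
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    ed = _rva_to_offset(export_rva, sections)
    _, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", pe, ed + 20)
    funcs, names, ords = (_rva_to_offset(r, sections) for r in (funcs_rva, names_rva, ords_rva))
    exports = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", pe, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", pe, ords + 2 * i)[0]  # unbiased index into the address table
        func_rva = struct.unpack_from("<I", pe, funcs + 4 * ordinal)[0]
        exports.append((_cstring(pe, _rva_to_offset(name_rva, sections)), func_rva))
    return exports


def suspicious_exports(pe):
    """True when two or more named exports all point at a single address."""
    exports = export_table(pe)
    return len(exports) > 1 and len({rva for _, rva in exports}) == 1


def build_test_dll(func_rvas, names, dll_name=b"Example.dll", va=0x1000, raw_ptr=0x200):
    """Constructed minimal PE32 DLL: one section holding only an export directory (test data)."""
    n = len(names)
    funcs, name_ptrs, ords = 40, 40 + 4 * n, 40 + 8 * n
    name_offs, off = [], ords + 2 * n
    for s in names:
        name_offs.append(off)
        off += len(s) + 1
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, va + off, 1, n, n,
                       va + funcs, va + name_ptrs, va + ords)
    body += b"".join(struct.pack("<I", r) for r in func_rvas)
    body += b"".join(struct.pack("<I", va + o) for o in name_offs)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += b"".join(s.encode() + b"\0" for s in names) + dll_name + b"\0"
    used = len(body)
    raw_size = (used + 0x1FF) & ~0x1FF
    body += b"\0" * (raw_size - used)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)   # i386, one section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)       # ImageBase, section/file alignment
    struct.pack_into("<II", opt, 56, va + raw_size, raw_ptr)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, va, used)                         # export data directory
    sect = b".edata\0\0" + struct.pack("<IIIIIIHHI", used, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + b"\0" * (raw_ptr - len(headers)) + body


if __name__ == "__main__":
    hijacked = build_test_dll([0x2000] * 3, ["FuncA", "FuncB", "FuncC"])
    print(export_table(hijacked), suspicious_exports(hijacked))
```

Run it against a file on disk with suspicious_exports(open(path, "rb").read()). Treat a hit as a triage signal rather than proof: some legitimate DLLs stub or forward exports and can also show clusters of identical addresses, so check the file's location (a user-writable path such as AppData next to a copied legitimate executable is the pattern described above) and its signature before acting.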


URGENT ‘PATCHING’ AGAINST CHINESE HACKING REQUIRED - US NSA.

The U.S. National Security Agency is warning that Chinese-linked hacking groups are exploiting 25 vulnerabilities in software systems and network devices as part of cyberespionage campaigns, which means patching is urgent. In an alert, the NSA notes that many of the vulnerabilities are found in remote access or web service tools that are directly reachable from the internet. Chinese hackers are leveraging these vulnerabilities to steal sensitive intellectual property as well as economic, political and military data, the NSA says. NSA analysts say China-backed hackers are targeting the U.S. Defense Department as well as America's national security systems and the private defense industry, using the vulnerabilities as launching pads into networks, according to the alert. The agency urges all organizations to immediately patch the flaws and initiate other mitigation efforts.

"We hear loud and clear that it can be hard to prioritize patching and mitigation efforts," NSA Cybersecurity Director Anne Neuberger says in the alert. "We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems." In September, the U.S. Cybersecurity and Infrastructure Security Agency also warned that hacking groups backed by the Chinese Ministry of State Security were exploiting several unpatched vulnerabilities to target federal agencies. The NSA alert notes that the most significant vulnerabilities currently being exploited by Chinese advanced persistent threat groups are:


CVE-2020-5902: This vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI) allows an unauthenticated attacker to execute arbitrary system commands, create or delete files, disable services or execute Java code.

CVE-2019-19781: This path traversal flaw in Citrix ADC and Citrix Gateway appliances (formerly NetScaler) can be chained into unauthenticated remote code execution.

CVE-2019-11510: This pre-authentication arbitrary file read in Pulse Secure's Pulse Connect Secure VPN servers lets attackers retrieve files, including cached credentials and session data, that can then be used to gain access to the network.

CVE-2019-0708: This is the BlueKeep vulnerability in Microsoft Windows' Remote Desktop Protocol, which allows an unauthenticated attacker to execute arbitrary code by sending specially crafted RDP requests.

CVE-2020-15505: This is a remote code execution vulnerability in MobileIron's Core and Connector administrative portals that could allow attackers to execute arbitrary code through unspecified vectors.

The NSA alert notes that Chinese-sponsored hackers are using many of the same network exploitation processes that other threat actors are using. "They often first identify a target, gather technical information on the target, identify any vulnerabilities associated with the target, develop or re-use an exploit for those vulnerabilities and then launch their exploitation operation," the NSA alert notes. The large list of vulnerabilities that these Chinese hacking groups are exploiting indicates that the NSA has been tracking these developments for some time, says Oliver Tavakoli, the CTO of security firm Vectra. "The breadth of products covered by this list of CVEs would indicate that the NSA has curated this list through the observation of many attacks undertaken by these actors," Tavakoli tells Information Security Media Group. "The exploits themselves also cover a broad range of steps in the cyberattack lifecycle, indicating that many of the attacks in which these exploits were observed were already pretty deep into the attack progression - and many were likely found only after the fact through deep forensic efforts rather than having been identified while the attacks were active." Satnam Narang, a staff research engineer with security firm Tenable, notes that the use of these commonly known CVE flaws demonstrates that state-sponsored groups as well as cybercriminals are no longer primarily relying on zero-day exploits to target potential victims. "Threat actors do not need to finance the development of or acquire zero-day vulnerabilities so long as there are a plethora of publicly accessible systems running unpatched software," Narang says. "This is further compounded by the availability of proof-of-concept code and exploit scripts that threat actors can easily co-opt as part of their own attacks."

In addition to patching these vulnerabilities, the NSA alert recommends additional risk mitigation steps that organizations can take, including:

Blocking obsolete or unused protocols at the network edge and disabling them in device configurations;

Isolating internet-facing services in a network "demilitarized zone" to reduce the exposure of the internal network;

Enabling robust logging of internet-facing services and monitoring the logs for signs of compromise.
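Several of the listed flaws leave distinctive traces in web server access logs because the exploits depend on path traversal or path confusion in the request URL, which is exactly what the last recommendation above (log and monitor internet-facing services) is meant to catch. As an added example that is not part of the NSA alert, the Python below scans combined-format access log lines for the request paths documented in public exploitation write-ups of CVE-2019-19781, CVE-2019-11510 and CVE-2020-5902. It URL-decodes each path before matching so that encoded traversal such as ..%3B/ is not missed. The log lines are constructed for this example and use documentation IP ranges.

```python
import re
from urllib.parse import unquote

# Request-path indicators taken from public exploitation write-ups of three CVEs on the
# NSA list. They are matched against the URL-decoded path: the F5 semicolon is routinely
# sent as %3B, and traversal dots are sometimes sent as %2E.
SIGNATURES = {
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/", re.I),                                  # Citrix ADC/Gateway
    "CVE-2019-11510": re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+", re.I),  # Pulse Connect Secure
    "CVE-2020-5902": re.compile(r"/tmui/login\.jsp/\.\.;/", re.I),                           # F5 BIG-IP TMUI
}

# Combined log format: client identd user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from any real incident); 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Oct/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Oct/2020:10:01:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1337',
    '198.51.100.7 - - [20/Oct/2020:10:02:11 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [20/Oct/2020:10:03:40 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 900',
    '192.0.2.44 - - [20/Oct/2020:10:04:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3000',
]


def scan_log_lines(lines):
    """Return one hit per line whose decoded request path matches a known exploit path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded = unquote(unquote(m.group("path")))  # two passes catch double encoding
        for cve, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                status = int(m.group("status"))
                hits.append({
                    "cve": cve,
                    "ip": m.group("ip"),
                    "when": m.group("ts"),
                    "path": m.group("path"),
                    "status": status,
                    # A 2xx on an exploit path means the appliance served the request
                    # instead of rejecting it: prioritise these for forensic review.
                    "served": 200 <= status < 300,
                })
                break
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(hit["cve"], hit["ip"], hit["status"], hit["path"])
```

Feed it real logs with scan_log_lines(open(path).readlines()). A match with a 2xx response from before the appliance was patched is the case that warrants a forensic look, because the alert's own point is that these flaws are exploited for initial access and attackers may already be further along by the time the patch lands.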


AI SECURITY: SPOT ATTACKS AGAINST CRITICAL SYSTEMS BEFORE THEY HAPPEN.

Microsoft has unveiled a new open-source "matrix" that hopes to identify all the existing attacks that threaten the security of machine-learning applications. Microsoft and non-profit research organization MITRE have joined forces to accelerate the development of cybersecurity's next chapter: to protect applications that are based on machine learning and are at risk of new adversarial threats. The two organizations, in collaboration with academic institutions and other big tech players such as IBM and Nvidia, have released a new open-source tool called the Adversarial Machine Learning Threat Matrix. The framework is designed to organize and catalogue known techniques for attacks against machine-learning systems, to inform security analysts and provide them with strategies to detect, respond and remediate against threats. The matrix classifies attacks based on criteria related to various aspects of the threat, such as execution and exfiltration, but also initial access and impact. To curate the framework, Microsoft and MITRE's teams analyzed real-world attacks carried out on existing applications, which they vetted to be effective against AI systems. "If you just try to imagine the universe of potential challenges and vulnerabilities, you'll never get anywhere," said Mikel Rodriguez, who oversees MITRE's decision science research programs. "Instead, with this threat matrix, security analysts will be able to work with threat models that are grounded in real-world incidents that emulate adversary behavior with machine learning," 

With AI systems increasingly underpinning our everyday lives, the tool seems timely. From finance to healthcare, through defense and critical infrastructure, the applications of machine learning have multiplied in the past few years. But MITRE's researchers argue that while eagerly accelerating the development of new algorithms, organizations have often failed to scrutinize the security of their systems. Surveys increasingly point to a lack of understanding within industry of the importance of securing AI systems against adversarial threats. Companies like Google, Amazon, Microsoft and Tesla, in fact, have all seen their machine-learning systems tricked in one way or another in the past three years. "Whether it's just a failure of the system or because a malicious actor is causing it to behave in unexpected ways, AI can cause significant disruptions," Charles Clancy, MITRE's senior vice president, said. "Some fear that the systems we depend on, like critical infrastructure, will be under attack, hopelessly hobbled because of AI gone bad." Algorithms are prone to mistakes, and especially so when they are manipulated by bad actors. In a separate study, a team of researchers recently ranked the potential criminal applications that AI will have in the next 15 years; among the list of highly worrying prospects was the opportunity for attack that AI systems present when algorithms are used in key applications like public safety or financial transactions. As MITRE and Microsoft's researchers note, attacks can come in many different shapes and forms.
Threats range from a sticker placed on a road sign to make the automated system in a self-driving car make the wrong decision, to more sophisticated methods with specialized names such as evasion, data poisoning, trojaning or backdooring. Centralizing the known methods that effectively threaten machine-learning applications in a single matrix could therefore go a long way toward helping security experts prevent future attacks on their systems. "By giving a common language or taxonomy of the different vulnerabilities, the threat matrix will spur better communication and collaboration across organizations," said Rodriguez. MITRE's researchers are hoping to gather more information from ethical hackers through the well-established practice of red teaming. The idea is to have teams of benevolent security experts find and exploit weaknesses ahead of bad actors, feeding the results into the existing database of attacks and expanding overall knowledge of the possible threats. Microsoft and MITRE both have their own red teams, and they have already demonstrated some of the attacks that now populate the matrix. They include, for example, evasion attacks on machine-learning models, which modify the input data to induce a targeted misclassification.
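Evasion is easiest to reason about against a linear model, where the effect of a bounded change to the input on the decision score can be computed exactly. As an added example, not code from Microsoft, MITRE or the threat matrix itself, the Python below takes a constructed linear phishing-email scorer with made-up weights and finds the smallest uniform change to the attacker-controlled features that flips a flagged message to benign, re-solving whenever a feature hits the edge of its feasible range. The feature set, weights, bounds and sample are all invented for illustration.

```python
# Constructed linear scorer: logit > 0 means "flag as phishing". Weights and bias are made up.
FEATURES = ["num_links", "num_exclamation", "has_attachment", "sender_reputation"]
WEIGHTS = [0.8, 0.3, 1.2, -0.9]
BIAS = -1.0
LOWER = [0.0, 0.0, 0.0, 0.0]     # feasible range per feature (counts cannot go negative)
UPPER = [50.0, 50.0, 1.0, 1.0]
SAMPLE = [3.0, 4.0, 1.0, 0.2]    # a flagged message (constructed)
MODIFIABLE = [0, 1, 2]           # the sender controls content, not the reputation score


def logit(weights, bias, x):
    return bias + sum(w * xi for w, xi in zip(weights, x))


def is_flagged(weights, bias, x):
    return logit(weights, bias, x) > 0


def linf_distance(a, b):
    return max(abs(p - q) for p, q in zip(a, b))


def evade(weights, bias, x, modifiable, lower, upper, margin=0.01, max_rounds=20):
    """Minimal L-infinity evasion of a linear classifier under box constraints.

    Moving every active feature by eps against the sign of its weight lowers the logit
    by exactly eps * sum(|w_i|), so the eps that reaches -margin has a closed form.
    Features that would leave their feasible range are pinned at the bound, removed from
    the active set, and the step is re-solved with what remains. Returns (x_adv, success).
    """
    x = list(x)
    active = set(modifiable)
    for _ in range(max_rounds):
        z = logit(weights, bias, x)
        if z < 0:
            return x, True
        denom = sum(abs(weights[i]) for i in active)
        if denom == 0:  # nothing movable is left: evasion is infeasible within the bounds
            return x, False
        eps = (z + margin) / denom
        for i in sorted(active):
            x[i] -= eps * (1.0 if weights[i] > 0 else -1.0)
            if x[i] <= lower[i]:
                x[i] = lower[i]
                active.discard(i)
            elif x[i] >= upper[i]:
                x[i] = upper[i]
                active.discard(i)
    return x, logit(weights, bias, x) < 0


if __name__ == "__main__":
    x_adv, ok = evade(WEIGHTS, BIAS, SAMPLE, MODIFIABLE, LOWER, UPPER)
    print("original flagged:", is_flagged(WEIGHTS, BIAS, SAMPLE))
    print("evaded:", ok, "L-inf change:", round(linf_distance(SAMPLE, x_adv), 3))
    for name, before, after in zip(FEATURES, SAMPLE, x_adv):
        print(f"  {name}: {before} -> {round(after, 3)}")
```

The closed form is what makes linear and near-linear models fragile: the attacker does not need the training data, only the sign and rough magnitude of each weight, which can be estimated by probing the model. The second case in the test, where only a weak feature is controllable, shows the constraint side of the same calculation, which is the argument for scoring on signals the sender cannot cheaply alter.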


COMPROMISED CMS CREDENTIALS LIKELY USED TO HACK TRUMP CAMPAIGN WEBSITE

Security researchers believe that compromised credentials were used by hackers to access the content management system behind Donald Trump's campaign website. Recently, hackers managed to break into the website and change content on it. For a short period of time, the message "This site was seized" was displayed on donaldjtrump.com. The incident has been confirmed by Trump campaign spokesman Tim Murtaugh, who also revealed that law enforcement had been called in to investigate. He also said that no sensitive information had been compromised. In the message posted on the website, the hackers claimed they had obtained sensitive information on President Trump. They also included two cryptocurrency wallet IDs, saying they would release the information if visitors sent money to them. The message also contained a Pretty Good Privacy (PGP) public key, which can be used to verify future messages supposedly coming from the hackers. According to WordPress security solutions provider Defiant, which develops the Wordfence product, the hackers most likely used compromised credentials to access the underlying ExpressionEngine content management system (CMS), an alternative to WordPress. While the site content was quickly restored, the "Privacy Policy" and "Terms & Conditions" pages were still returning a "404 page not found" error hours after the incident was resolved. "This indicates that something changed on the content management system itself, rather than on the Cloudflare configuration. So we believe that the CMS being compromised is therefore a higher probability than Cloudflare being compromised," Defiant noted. The site uses Cloudflare as a content delivery network (CDN), and Defiant says that this could have been used as a point of access only if the attackers knew the IP address of the origin server hosting the site, which is hidden. Thus, this attack vector is less likely to have been used.

If the attackers had access to the campaign's Cloudflare account and were able to point the domain to their own IP address, the entire website would have been restored simply by pointing it back at the right IP address. However, the issues with the "Privacy Policy" and "Terms & Conditions" pages suggest this was not the attack vector. Of even lower probability would be the use of compromised credentials to access the account where the domain donaldjtrump.com was registered; access via FTP or SSH (which would require not only FTP or SSH credentials but also knowledge of the site's origin IP address); or the use of a zero-day flaw in ExpressionEngine, which has had few known vulnerabilities, Defiant says. "Almost every possible scenario includes reused credentials being exploited to gain access to the donaldjtrump.com site. In almost every case, having 2-Factor Authentication enabled would have prevented such a scenario from occurring. It's also a reminder that it is important to enable 2-Factor Authentication not only on your website's administrative panel, but on every service that offers it, including services you might not think of as being vulnerable," Defiant concludes. The attack comes shortly after a Dutch security researcher claimed that he gained access to Donald Trump's Twitter account by guessing its password, which he said was "maga2020!". The White House and Twitter have denied the claims and the researcher has yet to provide any definitive proof.


SOFTWARE ENGINEER LEAKED UK MISSILE SYSTEM SECRETS AND REFUSED TO HAND POLICE HIS PASSWORD.

A former BAE Systems software engineer who allegedly leaked top-secret details about a frontline missile system also ignored orders from police to hand over passwords to his electronic devices, a court has heard. Simon Finch, of Swansea, is said by prosecutors to have emailed details of the unidentified missile system to nine separate addresses. He was charged with offenses under the UK's Official Secrets Act as well as the Regulation of Investigatory Powers Act (RIPA) last year, as we reported at the time. Mark Heywood QC, prosecuting, told the Central Criminal Court in London: "Expert evaluation has concluded that the release of information of that kind, for example to a hostile adversary of the UK, would give them an understanding of the function of that relevant system which in turn would allow them methods of countering it." Finch, who worked for both BAE Systems and defense research firm Qinetiq, was said to have encountered "problems in his personal life" before losing his job in 2018. As his life spiraled downwards, fueled by two homophobic assaults which he claimed police ignored, Heywood told the court that Finch "complained of mistreatment which he said amounted to torture at the hands of police". Merseyside Police allegedly mistreated Finch after arresting him for carrying a hammer and a machete in a public place, something he claims to have begun doing after the attacks.

Finch, said Heywood as he read from the email the engineer sent, was allegedly forced to defecate on the floor of his prison cell because police wouldn't get him to a toilet in time. The Crown alleges that Finch wrote and sent the email – which included details of the missile system's workings – because he wanted revenge against the UK in general after having his complaints about police mistreatment ignored by everyone he approached. When police began investigating his October 2018 disclosures Finch did not cooperate, the prosecutor told the jury as reported by newswire Court News UK: "Later on, even after things came to light, he committed, consciously, a further offense. That is to say when he was asked quite simply to give up the passcode for his electronic devices and given a formal notice to do that, so as to assist the investigation and prevent risk of further disclosure, he refused, so committing a further criminal offense." Finch faces two charges under the Official Secrets Act: recording information for any purpose prejudicial to the safety or interests of the state which was calculated to be or might be or was intended to be directly or indirectly useful to an enemy; and making a damaging disclosure. He is also charged with failing to reveal his passwords to a police worker, under the Regulation of Investigatory Powers Act 2000. The RIPA clause relating to relinquishing a password was introduced in 2007 and has been controversial ever since. A government barrister called for key safeguards around misuse of the power to be watered down back in January. Finch denies all charges. The case, under judge Mrs Justice Whipple, continues.

_____________________________________________________________________________


THREAT FOCUS: Maxex Trading - UNITED STATES

https://www.inforisktoday.com/blogs/home-loan-trading-platform-exposes-mortgage-documentation-p-2959


Exploit: Unsecured Database

MAXEX: Loan Trading

Risk to Business: 1.772 = Severe - Georgia-based home loan trader MAXEX had a data disaster this week as an estimated 9GB of data leaked from a suspected insecure server. Some of the data is from backend software development for its loan-trading platform. But a substantial portion included confidential banking documents, system login credentials, emails, the company's data breach incident response policy, and cybersecurity readiness reports. The breach also exposed complete mortgage documentation for at least 23 individuals in New Jersey and Pennsylvania. The incident investigation is ongoing.

Individual Risk: 2.011 = Severe - Financial information for clients was leaked, opening customers up to identity theft concerns. Some impacted clients had no idea that MAXEX currently held their loan, creating complications for informing customers who may be affected. Consumers should check to see who is servicing their mortgage and take precautions against identity theft and spear phishing if that provider is MAXEX.

Customers Impacted: Unknown

How it Could Affect Your Business: Sloppy security can mean that if you do have an incident like a data breach, you might not even know where to start looking for the cause, putting your business at risk for an expensive investigation in addition to a data disaster.

Guide to Risk Scores 1 – 1.5 = Extreme Risk 1.51 – 2.49 = Severe Risk 2.5 – 3 = Moderate Risk Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & ID Agent to the Rescue: Streamline your secure identity and access management with Passly. Single-sign on LaunchPads reduce access points, reducing risk. Call Avantia on 07 30109711 to find out more.


THREAT FOCUS: Made in Oregon Retail - UNITED STATES

https://www.infosecurity-magazine.com/news/oregon-retailer-suffers-sustained/


Exploit: Unauthorized Database Access

Made in Oregon: Specialty Gift Retailer

Risk to Business: 1.669 = Severe - Customers of gift retailer Made in Oregon got a little something extra when they purchased their treats – a side order of fraud. For more than 6 months, cybercriminals gained access to its e-commerce site, stealing payment information for transactions that occurred between the first week of February 2020 and the last week of August 2020.

Risk to Individuals: 1.669 = Severe - Customers who made an online purchase from Made in Oregon may have had their name, billing address, shipping address, email address, and credit card information compromised. The company has sent out notices to people who could be impacted, warning of identity theft and spear phishing dangers.

Customers Impacted: 7,800

How it Could Affect Your Business:  Information that is stolen in incidents like this often ends up on the Dark Web in a data dump or information market where it powers cybercrime for years to come.



Avantia Cyber Security & ID Agent to the Rescue:  Guard against damage from credentials that end up in Dark Web data dumps with Dark Web ID. Keep your business credentials safe with our perfect blend of human and machine intelligence monitoring the Dark Web 24/7/365 to warn you of trouble. Call Avantia on 07 30109711 to find out more.


THREAT FOCUS: Pfizer Pharmaceuticals - UNITED STATES

https://pharmafield.co.uk/pharma_news/pfizer-suffers-huge-data-breach-on-unsecured-cloud-storage/


Exploit: Unsecured Database

Pfizer: Drugmaker

Risk to Business: 1.401 = Extreme - In a monster week for Pharma hacking, Pfizer leads the pack with a substantial data breach that it brought on itself. In a huge blunder, unsecured and unencrypted data containing logs, transcripts, and details of patient helpline conversations was leaked from a misconfigured Google Cloud storage bucket. The exposed data included detailed information regarding hundreds of conversations between Pfizer’s automated customer support software and patients using drugs including Lyrica, Chantix, Viagra, Ibrance, and Aromasin.

Individual Risk: 1.412 = Extreme - The exposed call or chat transcripts had extensive PII and medical data for patients including full names, addresses, phone numbers, and details of health and medical conditions. The transcripts also contained detailed information about treatments, patient experiences, and questions related to products manufactured and sold by Pfizer.

Customers Impacted: Unknown

How it Could Affect Your Business: Leaving this kind of information laying around is a hacker’s dream, and a security nightmare for your business as not only the recovery costs but the regulatory penalties for exposing this kind of data adds up.
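The Pfizer exposure came down to a storage bucket that anyone on the internet could read. As an added example, not Pfizer's configuration and not Google's own tooling, the Python below inspects a bucket IAM policy in the JSON shape that `gsutil iam get gs://<bucket>` prints, reports every binding that grants a role to allUsers or allAuthenticatedUsers, classifies whether the role allows reading or writing objects, and produces the gsutil commands that remove each public grant. The sample policy, project, bucket name, members and etag are constructed.

```python
import json

# Principals that make a grant public. allAuthenticatedUsers means any Google account
# anywhere, not accounts in your organisation, so it is treated as public as well.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Predefined Cloud Storage roles that permit reading object contents...
READ_ROLES = {
    "roles/storage.objectViewer", "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader", "roles/storage.objectAdmin", "roles/storage.admin",
}
# ...and those that also permit creating, overwriting or deleting objects.
WRITE_ROLES = {
    "roles/storage.objectCreator", "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/storage.legacyBucketWriter", "roles/storage.legacyBucketOwner",
}

# Constructed sample in the shape `gsutil iam get` returns; every value is made up.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:example-proj", "projectEditor:example-proj"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectCreator",
         "members": ["allAuthenticatedUsers", "user:bot@example.com"]},
    ],
    "etag": "CAE=",
})


def public_bindings(policy_json):
    """Return one finding per binding that grants a role to a public principal."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        public = sorted(PUBLIC_PRINCIPALS & set(binding.get("members", [])))
        if not public:
            continue
        role = binding["role"]
        findings.append({
            "role": role,
            "members": public,
            "allows_read": role in READ_ROLES,
            "allows_write": role in WRITE_ROLES,
            # IAM Conditions can narrow a grant; still report it, but note it for review.
            "conditional": "condition" in binding,
        })
    return findings


def remediation_commands(bucket, findings):
    """gsutil commands that delete each public grant, one per (member, role) pair."""
    return [
        f"gsutil iam ch -d {member}:{f['role']} gs://{bucket}"
        for f in findings
        for member in f["members"]
    ]


if __name__ == "__main__":
    found = public_bindings(SAMPLE_POLICY)
    for f in found:
        print(f["role"], f["members"], "read" if f["allows_read"] else "", "write" if f["allows_write"] else "")
    print("\n".join(remediation_commands("example-bucket", found)))
```

Run it over `gsutil iam get gs://<bucket>` output for every bucket in a project. Removing the grants stops the bleeding; the lasting fix is to turn on Public Access Prevention (or the organisation policy that enforces it) so that a future binding to allUsers is rejected rather than silently accepted.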



Avantia Cyber Security & ID Agent to the Rescue: Maintaining compliance with many data privacy regulations requires multifactor authentication, just one of the suite of security boosting features that are included with Passly. Call Avantia on 07 30109711 to find out more.

THREAT FOCUS: City of Shafter Government - UNITED STATES

https://bakersfieldnow.com/news/local/city-of-shafter-hit-by-ransomware-attack


Exploit: Ransomware

City of Shafter: Municipal Government

Risk to Business: 1.714 = Severe - Cyberattacks against city governments and municipal services have been climbing worldwide, and Shafter, CA just joined the list after a ransomware attack took its systems offline for several days. The attack impaired the operations and delivery of city services, a common hallmark of recent municipal cybercrime.

Individual Risk: No personal or consumer information was reported as impacted in this incident.

Customers Impacted: 20,000

How it Could Affect Your Business: Ransomware has been a menace to municipal governments large and small. Just last week, Hackney Council in London was rocked by ransomware, and the risk is growing for governments as incidents pile up.



Avantia Cyber Security & ID Agent to the Rescue:  Spotting and stopping phishing attacks is key to guarding your business against ransomware. BullPhish ID transforms staffers from a company's biggest attack surface to its biggest asset with dynamic phishing resistance training. Call Avantia on 07 30109711 for more info.

THREAT FOCUS: The Société de transport de Montréal - CANADA

https://www.tripwire.com/state-of-security/security-data-protection/montreal-public-transport-agency-discloses-ransomware-attack/


Exploit: Ransomware

The Société de transport de Montréal: Municipal Transportation Agency 

Risk to Business: 2.502 = Moderate - Getting around Montréal got a bit more complicated as the Société de transport de Montréal (STM) fell victim to a ransomware attack last week. While métro and bus service were not disrupted, after-sales service was not available and reservations for paratransit services were impacted.

Individual Risk: No personal data has been reported as impacted in this incident.

Customers Impacted: Unknown

How it Could Affect Your Business: Ransomware attacks on municipal infrastructure and transportation sector targets have been growing more frequent, and businesses that service those industries are also at risk, creating a need for better ransomware protection.



Avantia Cyber Security & ID Agent to the Rescue: Spotting and stopping phishing attacks is key to guarding your business against ransomware. BullPhish ID transforms staffers from a company’s biggest attack surface into its biggest asset with dynamic phishing resistance training. Call Avantia on 07 30109711 for more info.

THREAT FOCUS: Foxtons Management - UNITED KINGDOM

https://propertyindustryeye.com/foxtons-hit-by-cyber-attack/


Exploit: Malware

Foxtons: Property Management 

Risk to Business: 2.671 = Moderate - UK estate agency Foxtons was hit with a malware attack that impacted agency services, including a temporary shutdown of its MyFoxtons customer portal. The company describes the incident as a limited malware infection that affected a small part of the business and did not cause the loss of any client data.

Individual Risk: No individual information has been reported as compromised in this incident.

Customers Impacted: Unknown

How it Could Affect Your Business: Malware, ransomware included, can steal data, but it can also simply shut a business down. Even a partially successful attack that doesn’t exfiltrate data or infect the entire network is a costly headache.

Guide to Risk Scores: 1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & ID Agent to the Rescue: Phishing is up by more than 600% in 2020. As the favored delivery system of ransomware, preventing phishing attacks from hitting your business with strong phishing resistance training using BullPhish ID is critical for stopping ransomware. Call Avantia on 07 30109711 for more info. 

THREAT FOCUS: Sopra Steria IT - FRANCE

https://www.theregister.com/2020/10/22/sopra_steria_ryuk_ransomware_reports/


Exploit: Ransomware

Sopra Steria: IT Services and Data Center Operator

Risk to Business: 2.009 = Severe - French tech services giant Sopra Steria was hit with what it describes as a potential new variant of Ryuk ransomware. The company, a member of France’s Cyber Campus, operates data centers for Britain’s NHS alongside its software development, fintech, and consulting services. Investigation and recovery are expected to take months, and some systems are still not fully operational.

Individual Risk: No personal or financial data is reported as stolen or compromised in this incident.

Customers Impacted: Unknown

How it Could Affect Your Business: Attacks on large IT services targets that operate data centers, especially if they have medical information, have been ramping up as the search for a vaccine for COVID-19 makes patient and research data a hot seller in Dark Web data markets.

Guide to Risk Scores: 1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & ID Agent to the Rescue: A new ransomware variant is always a problem, but it’s still most likely to arrive at your business via a phishing email. BullPhish ID has 4 new plug-and-play phishing kits added every month to keep you up to date on the latest threats. To learn more call Avantia on 07 30109711 today.

THREAT FOCUS: Vastaamo Clinic - FINLAND

https://newsnowfinland.fi/crime/hackers-hold-patient-information-for-ransom-in-psychotherapy-data-breach


Exploit: Ransomware

Vastaamo: Mental Health Clinic Operator 

Risk to Business: 2.702 = Moderate - In an unusual twist, a cybercrime gang has stolen the patient records of a mental healthcare clinic chain in Finland and is demanding ransom payments from the patients rather than from the business. Vastaamo did not initially disclose the breach publicly because of the sensitive nature of the stolen data, but has been working with authorities to investigate the incident and mitigate the damage.

Individual Risk: 1.327 = Extreme - The criminals have been contacting the patients whose records they hold, demanding 200 euros within 24 hours or, if that deadline is missed, 500 euros within 48 hours, to prevent the public release of their therapy records.

Customers Impacted: 400,000

How it Could Affect Your Business: This is this company’s second major data breach – the CEO was just terminated for the first one a week ago. Failing to implement strict security awareness and data handling policies after an incident, especially when your company keeps sensitive information, is a recipe for disaster.

Guide to Risk Scores: 1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & ID Agent to the Rescue: Start using Passly to secure the points of access to all of your databases and files, especially highly sensitive data. Multifactor authentication puts an affordable extra roadblock between cybercriminals and your data. To find out more, call Avantia on 07 30109711.

THREAT FOCUS: Scalable Capital Advisors - GERMANY

https://international-adviser.com/robo-advice-firm-suffers-data-breach/


Exploit: Malicious Insider

Scalable Capital: Online Financial Advice

Risk to Business: 1.227 = Extreme - At least one malicious insider is to blame for a cybersecurity disaster at fintech firm Scalable Capital. The firm said in a statement that it had discovered the incident on October 16 and taken action to prevent further damage, but a large amount of sensitive client data including financial information was snatched. It also concluded that it was clear that the attack was the work of someone with extensive insider knowledge of their systems.

Individual Risk: 1.411 = Extreme - Clients impacted in the breach had what the company characterizes as general information exposed, including names, residential addresses, and email addresses.

Customers Impacted: 20,000

How it Could Affect Your Business: Insider incidents are incredibly devastating, but also preventable. Whether you’re dealing with a malicious insider like this case or just a careless employee, learning to spot and stop insider threats pays off.

Guide to Risk Scores: 1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & ID Agent to the Rescue: Can you detect an insider threat fast? Don’t let staffers cause your business harm whether they mean to or not. Learn to spot and stop insider threats with our Stop Insider Threats resource package. Call Avantia on 07 30109711 today.  

THREAT FOCUS: Dr. Reddy’s Pharmaceuticals - INDIA

https://www.infosecurity-magazine.com/news/covid19-vaccine-global/


Exploit: Hacking

Dr. Reddy’s: Drug Manufacturer

Risk to Business: 1.206 = Extreme - In yet another attack on a pharmaceutical industry giant, India’s Dr. Reddy’s was crippled by a serious hacking incident. The producer of COVID-19 treatments such as remdesivir and favipiravir, and the expected manufacturer of Russia’s Sputnik-V COVID-19 vaccine, Dr. Reddy’s was forced to shut operations at several global facilities just as it was granted permission to begin a second round of human trials for Sputnik-V.

Individual Risk: No personal data was exposed in this incident.

Customers Impacted: Unknown

How it Could Affect Your Business: Healthcare targets have been getting nailed with a blizzard of attacks recently. Increasing protection like security awareness training and adding secure identity and access management is a smart move.

Guide to Risk Scores: 1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & ID Agent to the Rescue: Our digital risk protection platform offers businesses multiple tools for securing their systems and data, even from unexpected dangers. Learn more by calling Avantia on 07 30109711.

THREAT FOCUS: Shionogi & Company Limited - JAPAN

https://www.japantimes.co.jp/news/2020/10/23/business/corporate-business/japan-shionogi-cyberattack-data-breach/


Exploit: Ransomware

Shionogi & Company Limited: Drug Manufacturer

Risk to Business: 2.211 = Severe - Healthcare and pharmaceutical targets were on every cybercriminal’s menu this week, including Japanese medical giant Shionogi & Company Limited. The company’s Taiwanese subsidiary experienced a data breach that included sensitive information but did not impact its COVID-19 vaccine development programs. Data including import licenses for medical equipment and employee residency permits was exposed on the Dark Web as proof of the attack by the hacking gang to support a ransom demand.

Individual Risk: No individual information was reported as impacted in this incident.

Customers Impacted: Unknown

How it Could Affect Your Business: Ransomware typically arrives as the nasty cargo of a phishing email. Phishing is today’s biggest cybersecurity risk, and this kind of damage is exactly what makes it every IT professional’s nightmare.

Guide to Risk Scores: 1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & ID Agent to the Rescue: Refresh your security awareness and phishing resistance training regularly with BullPhish ID to reduce the chance of your business falling prey to a cyberattack by up to 70%. Call Avantia on 07 30109711 today.

THREAT FOCUS: Nando’s Peri-Peri - SOUTH AFRICA

https://www.thehindu.com/sci-tech/technology/haldirams-crucial-data-stolen-hackers-demand-75-lakh-to-release-information/article32880074.ece


Exploit: Credential Stuffing

Nando’s Peri-Peri: Restaurant Chain

Risk to Business: 2.775 = Moderate - A credential stuffing incident gave customers of this popular high street restaurant chain more than they bargained for, after several discovered that large orders had been placed through their online accounts. To comply with COVID-19 operating regulations, Nando’s customers collecting takeaway must scan a QR code with their phone and order online, which pushed customers into online accounts that cybercriminals could then attack with username and password pairs reused from earlier breaches.

Individual Risk: 2.802 = Moderate - Some customers have had their accounts hijacked and large food orders placed, but the company is working with them to restore any funds taken from pre-paid carryout orders and is encouraging customers to reset their credentials if they suspect they have been affected.

Customers Impacted: Unknown

How it Could Affect Your Business: Credential stuffing is a favorite because it’s easy and cheap. Huge repositories of passwords in Dark Web data dumps give cybercriminals plenty of ammunition and produce results with little investment.

Guide to Risk Scores: 1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.


Avantia Cyber Security & ID Agent to the Rescue: Credential stuffing attacks are also fairly easy to mitigate. Add multifactor authentication with Passly to mount a strong defense that stops credential stuffing attacks cold. Learn more by calling Avantia on 07 30109711.
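Credential stuffing leaves a distinctive footprint in authentication logs: one source tries many different usernames, most of the attempts fail, and the occasional success is the account takeover. The Python below is an added example written for this page (it is not code from Avantia or ID Agent). It scores each source IP on those two signals and separately counts the distinct accounts that failed without ever succeeding, which is the signal that survives when the attack is spread across a proxy pool. The log format, the field names, the thresholds and the log lines are all constructed for illustration.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumptions: a hypothetical one-line-per-attempt log format, fixed
thresholds, and constructed sample lines. Adapt LINE_RE to your own format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical format: "<iso-timestamp> login user=<u> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one legitimate mistyped password (alice), one normal login
# (bob), and one source that walks a stolen credential list and hits one account.
_STUFFED = ["carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy", "mallory"]
SAMPLE_LOG = [
    "2020-10-22T14:03:11Z login user=alice src=198.51.100.7 result=FAIL",
    "2020-10-22T14:03:20Z login user=alice src=198.51.100.7 result=OK",
    "2020-10-22T14:04:00Z login user=bob src=192.0.2.9 result=OK",
] + [
    f"2020-10-22T14:05:{i:02d}Z login user={u} src=203.0.113.5 result=FAIL"
    for i, u in enumerate(_STUFFED)
] + ["2020-10-22T14:05:30Z login user=dana src=203.0.113.5 result=OK"]


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # accounts that logged in OK


def parse(lines):
    """Return the parsed events; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def source_stats(events):
    """Aggregate attempts, failures and usernames per source IP."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return stats


def detect_stuffing(lines, min_users=5, min_fail_ratio=0.8):
    """Map each suspicious source IP to the accounts it successfully logged into.

    A source is suspicious when it tried at least min_users distinct usernames
    and at least min_fail_ratio of its attempts failed. Accounts in the value
    list are takeover candidates: force a password reset and review sessions.
    """
    alerts = {}
    for src, s in source_stats(parse(lines)).items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            alerts[src] = sorted(s.successes)
    return alerts


def distributed_signal(lines):
    """Count distinct accounts that failed and never succeeded in the window.

    Stuffing spread across a proxy pool gives each IP only a few attempts, so
    the per-source check misses it; a spike in this count against the normal
    hourly baseline still shows it.
    """
    failed, ok = set(), set()
    for e in parse(lines):
        (failed if e["result"] == "FAIL" else ok).add(e["user"])
    return len(failed - ok)


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))     # {'203.0.113.5': ['dana']}
    print(distributed_signal(SAMPLE_LOG))  # 9
```

The per-source check alone is easy to evade with a proxy pool making a few attempts per IP, which is why the distributed count matters: compare it with a normal hour's baseline rather than reading it in isolation. Multifactor authentication, as the entry above recommends, is what stops a stuffed credential from converting into a takeover even when the password is correct.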

______________________________________________________________________________

POSTSCRIPT:


Access for Sale & As-a-Service Cybercrime Scored Big Bonanzas for Cybercriminals in September 

Insider threats are a menace that every business faces daily. In a challenging economy, companies hope to see their teams pulling together to drive revenue and create new opportunities. That is not always the case: a flood of malicious insiders is opening pathways into businesses in every sector, and they are making a pretty penny doing it.

According to a recent report, the number of ads selling “as-a-service” cybercrime, including network and database access, data laundering, and similar services, tripled in September 2020. The total estimated value of network access listings alone on cybercrime forums last month was around $505,000. By far the largest category of “service” provided by malicious insiders is network access. Compromised credentials that open the door to data and systems sell fast, especially for privileged or administrator accounts; one recent sale of a highly prized credential fetched more than $100K. The average reported price for network access on hacker forums is around $4,960, but credentials can be obtained for as little as $25.

Protecting credentials is crucial in this environment. Better security around business credentials protects against malicious insiders from two vantage points, which is why the combined power of Passly and Dark Web ID is well suited to mitigating these threats. Passly makes it hard for staffers to sell their credentials in the first place by providing a robust suite of secure identity and access management tools, including multifactor authentication, at a great price. Its single sign-on feature gives every user an individual LaunchPad that connects them to the business applications and systems they need, so if an employee credential is compromised, IT teams can quickly isolate that LaunchPad and limit the damage.

Dark Web ID is the essential flip side of this mitigation. Our analysts use human and machine intelligence to gather real-time data from every corner of the Dark Web 24/7/365. If an employee credential is spotted in a Dark Web market or for sale on a Dark Web forum, we raise a red flag immediately so that IT teams can deal with the problem before it becomes a disaster.

While everyone wants to believe that their staff are just as dedicated and hard-working as they are, every business is at risk of damage from a malicious insider. Putting protections in place that make it easy to spot and stop malicious insiders makes avoiding that damage a little easier.


Dark Web Data Powers Impersonation & Business Email Compromise Scams 

Dark Web danger doesn’t just come to your company’s doorstep as compromised passwords. It also comes as data dumps full of email addresses, employee information, website user logs, supplier records, medical data, and more, which give cybercriminals exactly what they need to lure your staffers into a nasty (and expensive) trap. Every kind of data about your employees that you can think of is available on the Dark Web, sometimes for free.

As the 2020 US elections race to the finish, voter registration data and records from special interest groups have fueled extremely dangerous spear phishing attacks, including impersonation scams. General business email compromise attempts are landing in employee inboxes every day too; a recent survey found that over 30% of respondents receive one daily. Running the gamut of impersonations, including scary vendor notices, fake unpaid invoices, spoofed supplier communications, and even fake emails from colleagues, cybercriminals are pulling out all the stops to trick your staffers into falling for a business email compromise scam.

The most efficient and effective way to put the brakes on business email compromise risk is to attack the foundation it is built on: phishing email. With a more than 600% increase in phishing attacks recorded in 2020, making sure that your staff is ready to defend against phishing is crucial to protecting your business from cybercrime like business email compromise. BullPhish ID can help with that. Regular security awareness training, including phishing awareness, can reduce your company’s risk of falling prey to a cyberattack by up to 70%. The key is regularity: research shows that employees retain security awareness training for only about 4 months unless it is refreshed.

That’s not a problem with BullPhish ID. With a library of more than 80 plug-and-play phishing simulation campaign kits in 8 languages, and 4 new kits added every month, your staffers get the training they need to be on guard against the latest threats. Regular training doesn’t have to be expensive either; BullPhish ID is affordable and effective. Improved cybersecurity awareness and phishing resistance training isn’t something that can wait. Protect your systems and data from impersonation and business email compromise scams now to avoid a mess tomorrow.

__________________________________________________________________________________


AVANTIA CYBER SECURITY - PARTNER FOCUS


TrustGraph®: Advanced, Patented AI Technology. TrustGraph® analyzes over 50 different attributes of your employees’ communications, including the devices they use, who they message most, what time of day they communicate, and so on. The powerful AI uses this data to create profiles of trusted relationships. TrustGraph® then compares incoming communications to these profiles to detect and prevent sophisticated phishing, spear phishing, and business email compromise attacks.

FOR MORE INFORMATION ON GRAPHUS AI DEFENSE GRADE CYBER SECURITY, PLEASE CONTACT AVANTIA CYBER SECURITY

ON +61 7 30109711 / info@avantiacorp.com.au
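The impersonation patterns listed in the Postscript (spoofed suppliers, fake emails from colleagues, lookalike sender domains) and the trusted-relationship profiling described for TrustGraph above can both be approximated with cheap checks on message headers. The Python below is an added example written for this page; it is not Graphus, TrustGraph or Avantia code. The organisation domain, the executive names, the vetted supplier domain, the correspondent history and the three messages are all constructed. It flags display-name impersonation of an internal VIP, sender domains that resemble a trusted domain (by collapsing common homoglyph substitutions and by edit distance), a Reply-To that diverts replies to a different domain, and first contact from a sender the mailbox has never corresponded with.

```python
"""Header heuristics for impersonation / business email compromise (added example).

Not Graphus, TrustGraph or Avantia code. ORG_DOMAIN, VIP_NAMES, TRUSTED_DOMAINS,
KNOWN_CORRESPONDENTS and the three sample messages are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumption
VIP_NAMES = {"ada lovelace", "grace hopper"}        # assumption: staff worth impersonating
TRUSTED_DOMAINS = {ORG_DOMAIN, "supplier.example"}  # assumption: vetted supplier domain
# Constructed history: addresses this mailbox has exchanged mail with before.
KNOWN_CORRESPONDENTS = {"accounts@supplier.example", "ada@example.com"}


def skeleton(domain):
    """Collapse common look-alike substitutions: 'supp1ier' -> 'supplier', 'exarnple' -> 'example'."""
    d = domain.lower()
    for a, b in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(a, b)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats such as example.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) == 1:
            return trusted
    return None


def _domain(addr):
    return addr.lower().rsplit("@", 1)[-1] if "@" in addr else ""


def assess(raw_message):
    """Return a list of findings for one RFC 5322 message (empty list = nothing odd)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr, domain = addr.lower(), _domain(addr)
    findings = []
    # 1. A known executive's name on an address outside the organisation.
    if name.strip().lower() in VIP_NAMES and domain != ORG_DOMAIN:
        findings.append("display-name impersonation of internal VIP")
    # 2. Sender domain visually or typographically close to a trusted one.
    imitated = lookalike(domain)
    if imitated:
        findings.append(f"sender domain {domain} resembles trusted domain {imitated}")
    # 3. Replies silently routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != domain:
        findings.append("Reply-To domain differs from From domain")
    # 4. No prior relationship with this sender (the TrustGraph-style signal).
    if addr not in KNOWN_CORRESPONDENTS and domain not in TRUSTED_DOMAINS:
        findings.append("first contact from an unknown sender")
    return findings


# Constructed samples.
CEO_FRAUD = """From: Ada Lovelace <ada.lovelace@webmail.example>
To: finance@example.com
Subject: Urgent wire before close of business

Please process the attached invoice today and confirm.
"""
SUPPLIER_SPOOF = """From: Accounts <accounts@supp1ier.example>
Reply-To: billing@mailer.example
To: finance@example.com
Subject: Updated bank details for invoice 4471

Our bank details have changed, please use the new account for all payments.
"""
LEGIT = """From: Accounts Payable <accounts@supplier.example>
To: finance@example.com
Subject: Invoice 4471

Attached as agreed.
"""

if __name__ == "__main__":
    for label, raw in (("ceo fraud", CEO_FRAUD), ("supplier spoof", SUPPLIER_SPOOF), ("legit", LEGIT)):
        print(label, assess(raw))
```

Legitimate domains that contain digits will collide under skeleton(), so keep an allowlist of vetted domains alongside these rules. The checks are content-independent and cheap enough to run on every inbound message, but they complement rather than replace SPF/DKIM/DMARC alignment on the sending infrastructure, and a finding should route the message to review, not silently drop it.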

_________________________________________________________________________________


DISCLAIMER*

Avantia Corporate Services Pty Ltd T/A Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, other members of the 5 Eyes Alliance, the Australian Cyber Security Centers, and other sources in 56 countries who provide cyber breach and cyber security information in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.


*COPYRIGHT 2020* Avantia Corporate Services - All Rights Reserved.






Avantia Corporate Services Pty Ltd, Level 7, 320 Adelaide Street

Brisbane, Queensland 4000

AUSTRALIA.

