Avantia Threat Update


This week: 9 New Zealand websites were caught in an international breach last week that saw a total of 775,000,000 usernames/passwords listed on the Dark Web; a Tampa Bay (USA) credit union gets spoofed, Canada sees an uptick in data breaches, and HR/finance employees are caught in the cross-hairs of cybercrime.

This Past Week’s Top Dark Web Compromises:*

Top Source Hits: Domains (99%)
Top Compromise Type: ID Theft Forums (99%)
Top Industry: High-Tech / IT
Top Employee Count: 11 - 50 Employees

This Past Week's Top Targeted Industry Attacks:*

Finance Hits: 69 | Targets: Equifax Inc, BlackRock, Inc., Citigroup, PayPal, UniCredit.

Information Technology Hits: 56 | Targets: Apple, Twitter, Google, Netflix, Facebook

Software Hits: 47 | Targets: Twitter, Spotify, Google, Facebook, Adobe

Retail Hits: 28 | Targets: Apple, B&Q, Carrefour, Mondelez International Inc, GameStop

Social Network Hits: 26 | Targets: Twitter, Google, Facebook, LinkedIn

This Past Week’s Top Threat Actors: *

Inj3ct0r Team Hits: 28 | Targets: WordPress, Joomla, Twitter, Apache HTTP Server, SCADA and ICS Products and Technologies

Hezbollah Hits: 14 | Targets: Israel, Syria, Lebanon, Iran, United States

APT28 Fancy Bear Hits: 13 | Targets: Democratic National Convention, Democratic National Committee, United States, Germany, United States Senate

DarkHydrus Hits: 6 | Targets: Middle Eastern government, Palo Alto Networks, Google, InfoSec, Threat Intelligence Center

VeryMal Hits: 4 | Targets: United States, Mac, Confiant, Apple

This Past Week's Top Malware/Virus Exploits:*

GandCrab Hits: 235 | Targets: Microsoft Office Word, Syria, Microsoft Windows Xp, Microsoft Windows, Russia

Redaman Hits: 17 | Targets: Russia, Banking, Wireshark

Anatova Hits: 17 | Targets: Peer To Peer, Commonwealth of Independent States, McAfee, RPP, John McAfee

ProcessHijack Hits: 12


In Other News:

New Zealand websites caught up in major global breach*:

Nine New Zealand websites have been compromised in a huge online data breach.

The data breach is the third largest ever and the largest in which the stolen information has been made public, according to the technology magazine Wired. More than 770 million email addresses and passwords, totalling 87 gigabytes of data, have been posted online in a hackers' forum. Wired said they appear to have been stolen from more than 2000 websites around the world. The nine New Zealand websites targeted predominantly belong to smaller companies. No credit card information is included in the leak, only email addresses and passwords. One of the companies affected by the breach, Auckland florist Blooms Online, said it had no idea of the breach until contacted by authorities but would be changing all passwords. The data breach file is named "Collection #1"; Wired described the breach as being "a completely random collection of sites purely to maximize the number of credentials available to hackers - There's no obvious patterns, just maximum exposure."

Cloud Customers Faced 681 Million Cyberattacks in 2018*:

The most common attacks involved software vulnerabilities, stolen credentials, Web applications, and IoT devices.

Cloud customers were hit with 681 million cyberattacks last year, according to analysts at cloud security provider Armor, which recently analyzed cloud attacks detected in 2018. The most common cloud-focused threats leveraged known software vulnerabilities, involved brute-force and/or stolen credentials, targeted the Internet of Things (IoT), or aimed for Web applications with SQL injection, cross-site scripting, cross-site request forgery attacks, or remote file inclusion. Researchers based the list on volume; these are not the most advanced or lethal cloud attacks. Yet they continue to work, are easy to access, and are fairly simple to use, they explained in a blog post on their findings. Any cybercriminal can rent an exploit kit containing attack tools for a reasonable amount of cash. For example, they said, the older and established Disdain Exploit Kit was charging rental fees starting at $80 per day, $500 per week, and $1,400 per month. Kits are designed to be accessible to cybercriminals at all levels and are constantly updated with new exploits. "Organizations that ignore patching leave themselves open to attacks that can take time and resources away from their business and can cause a lot of damage," said Corey Milligan, senior security researcher with Armor's Threat Resistance Unit (TRU). TRU predicts IoT attacks, DDoS campaigns, targeted ransomware, advanced phishing campaigns, and attacks targeting containers and cloud services will be prevalent in 2019.

A new ransomware strain is locking up Bitcoin operations in China*:

Ransomware threatens to overheat and destroy mining rigs if victims don't infect 1,000 other devices or don't pay a 10 Bitcoin ransom.

A new strain of ransomware has been observed targeting Bitcoin mining farms. Most of the infections have been reported in China, the country where most of the world's cryptocurrency mining farms are located. Named hAnt, this new ransomware strain was first seen in August of last year, but a new wave of infections was reported hitting mining farms earlier this month. Most of the infected mining rigs are Antminer S9 and T9 devices, used for Bitcoin mining, but there have also been reports of hAnt infecting Antminer L3 rigs, used for mining Litecoin. In rare instances, Avalon Miner equipment (used for Bitcoin) was also reported as infected, but in much smaller numbers. It is unclear how the attackers first infect a mining farm's data centers or equipment, but some Chinese security experts suggest that hAnt comes hidden inside tainted versions of mining rig firmware that have been making the rounds online since last summer.

According to reports in Chinese media, once hAnt infects a mining farm, it immediately locks the device and prevents it from mining any new currency. When equipment owners connect to devices remotely (via a CLI) or manually (using the LCD screens), the first thing they see is a splash screen depicting an ant and two pickaxes in green ASCII characters, similar to the red skull splash screen displayed by the NotPetya ransomware. Clicking anywhere on the screen or pressing any key loads the hAnt ransom note, in both English and Chinese. The ransom note is somewhat unique compared to the demands seen from desktop ransomware variants because victims are given a choice. They can either pay a 10 Bitcoin (US$36,000) ransom to remove the ransomware from the mining farm's operating systems, or they can download a malicious firmware update that they must apply to other mining farms to further spread the ransomware worldwide.

If victims fail to pay the ransom or infect at least 1,000 other devices, the ransom note threatens to turn off the rigs' fans and overheat protection, leading to the devices' destruction. A worm-like component in hAnt would explain a report from Yibenchain, the Chinese news site which first broke the story: the outlet cited an executive from BTC.Top, a local Bitcoin mining company, who claimed that hAnt infected over 4,000 devices within minutes. Besides the financial losses caused by hAnt stopping normal mining operations, victims also reported losses caused by the time needed to reflash the infected mining equipment's SD card to remove the ransomware and install clean firmware.

Can You Spot the ‘phish’?*:

Google's technology incubator Jigsaw has revealed a quiz that tests users' abilities to identify phishing attacks. In asking you to distinguish legitimate emails from phishing scams, the test reveals some of the most common scenarios that fraudsters use with a view to stealing your finances, data or identity. It comes complete with to-the-point explanations as to why this or that message is, or is not, a phishing attack. According to Jigsaw's blog post, the test is based on the company's security trainings with "nearly 10,000 journalists, activists, and political leaders around the world from Ukraine to Syria to Ecuador". All eight scenarios draw on real-life techniques deployed by scammers. The examples vary and include files shared via Google Drive, email security alerts, Dropbox notifications and, of course, attachments that ask for your immediate attention but are, instead, intended to download information-stealing malware onto your machine. Phishing remains the most pervasive of online cons and has long been a highly effective method for fraudsters to steal people's sensitive data. "One percent of emails sent today are phishing attempts," according to Jigsaw's figures. Indeed, many security incidents begin with a user simply clicking on a malicious link or opening a dangerous attachment that is most commonly delivered via email or social media. Even though email filters do a good job of winnowing out many such scam attempts, some fraudulent emails will still slip through. That is where phish-spotting skills become critical, as does the anti-phishing protection that is commonly part of reputable security software. And, as Jigsaw itself recommends, you should enable two-factor authentication (2FA) wherever possible, if you haven't done so already. The extra factor, though not flawless, offers a valuable additional layer of protection in return for very little effort. It is best implemented via a dedicated hardware device or delivered through an authenticator app, rather than via text messages (although SMS is still better than nothing). If you're up for some more testing, you may also want to head over to this questionnaire devised by researchers at the Universities of Cambridge and Helsinki.


THREAT FOCUS: Tampa Bay Federal Credit Union - USA*

Exploit: Debit card spoofing.
Tampa Bay Federal Credit Union: Financial services provider.
Customers Impacted: Approximately 3,000, or 10% of all union members.

Risk to Small Business: 1.555 = Severe: The debit card information of union members was recently spoofed, a technique in which cybercriminals input Bank Identification Numbers (BINs) into software obtained from the Dark Web that generates fake debit cards and links them to actual accounts. Thankfully, no members incurred any financial losses, but the credit union will be forced to cancel and reissue debit cards to thousands of account holders. Although there is a small risk of customer churn due to impatient members having to wait for new cards, the costs associated with card reissuance pose the greater monetary risk for financial institutions.

Individual Risk: 2.428 = Severe: Since cards will be reissued, it is important for union members to closely monitor their mail and ensure that they receive their new debit cards.

Effect on Customers' Businesses: Knowing that hackers can simply generate new debit cards to link to your credit union account can be unnerving for those looking for a secure financial services provider. In a world where trust and reputation are paramount for new and existing customers, businesses must do all they can to avoid new headlines and demonstrate their commitment to security.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: BlackRock - USA*

Exploit: Database leak.
BlackRock: World's largest asset manager and issuer of exchange-traded funds (ETFs).
Customers Impacted: Over 12,000 advisers and sales representatives.

Risk to Small Business: 1.777 = Severe: The global investment management firm unintentionally displayed confidential information regarding thousands of financial adviser clients on its website. The data included personal information such as names and emails, but also the assets each adviser was managing. A company spokesperson clarified that "the inadvertent and temporary posting of the information relates to two distribution partners serving independent advisers and does not include any of their underlying client information." However, this news still has the potential to spook financial advisers from working with BlackRock and clients from entrusting their funds there.

Individual Risk: 2.142 = Severe: When vulnerabilities of this magnitude are exposed within a third-party provider's environment, the finger-pointing begins immediately. LCP Transportation, the vendor for MHS that disclosed the breach, will surface in news headlines and must answer to many other concerned clients as well. Although there is no evidence that any of the information was misused, experts are already calling for better cyber-risk management solutions to protect the healthcare industry.

Effect on Customers' Businesses: Data security is starting to become a priority on Wall Street due to recent losses shaking up public trust in the financial services industry as a whole. Breaches that originate from third parties and avoid exposing end-user information still cause reputational harm, which can be measured in millions of dollars. Ultimately, companies will be evaluated by the security protocols they already have in place before a cyber-attack happens, along with the timeliness and effectiveness of their response.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Health Sciences North - CANADA*

Exploit: System infection via zero-day virus.
Health Sciences North (HSN): Academic health science centre and hospital.
Customers Impacted: To be determined.

Risk to Small Business: 2.111 = Severe: Officials were forced to shut down HSN's electronic health record systems for 21 of 24 hospitals, interrupting care procedures and communications. Fortunately, there is no evidence of a breach, but the downtime will heavily disrupt processes and result in financial losses.

Individual Risk: 3 = Moderate: Since data was not corrupted by the virus, personal health data should remain secure and intact given that the systems were backed up. Nevertheless, patients will be inconvenienced by appointment rescheduling, and the virus that infected HSN's cancer program signals that such medical information could be valuable to future hackers.

Effect on Customers: Even when a cyber-attack is mitigated, it inevitably results in the slowdown of business activities, which can lead to the erosion of customer loyalty. However, when viruses infect an information system, the time to detection becomes of utmost importance in containing the source and identifying what could be affected.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Coast Capital Savings - CANADA*

Exploit: Phishing, "brute force," and social engineering fraud.
Coast Capital Savings: Federal credit union headquartered in Surrey.
Customers Impacted: 140 members.

Risk to Small Business: 2.111 = Severe: Coast Capital Savings recently reported that 140 members had money stolen from their accounts in a targeted cyber-attack between November and December of last year. The average loss per victim ranged from $3,000 to $6,000, amounting to hundreds of thousands in total. Customers are voicing their concerns publicly, stating that the credit union has not been able to say how the funds were accessed or whether they would be reimbursed. Additionally, some are citing a lack of additional security and negligence in safeguarding member accounts, which drives business risk up sharply. Aside from a possible onslaught of lawsuits, the credit union stands to lose customers and long-term brand loyalty.

Individual Risk: 2.571 = Moderate: The investigation revealed that the hackers deployed fake emails and texts asking for security information, used a computer program to guess passwords, and impersonated trusted sources to scam customers via telephone. Since payment accounts were compromised, this attack poses significant financial risk to individual members. Also, if the usernames and passwords were reused for other financial accounts, hackers could gain access to those as well.

Effect on Customers: The news following this breach is characteristic of any public relations team's worst nightmare, as it cites specific customer grievances that can significantly impact the outlook of new and existing business. When a payment compromise is discovered over a year after it initially occurs, it becomes increasingly difficult to pinpoint the source and respond to customer complaints in a timely fashion. This further emphasizes the need for businesses to invest in security solutions that offer proactive detection and prevention.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Newcastle Royal Grammar School – UNITED KINGDOM*:

Exploit: Email spam.
Royal Grammar School (RGS): British independent school located in Newcastle.
Customers Impacted: To be determined.

Risk to Small Business: 2.111 = Severe:

In this incident, hackers attempted to scam parents of Newcastle students by asking them to pay school fees in bitcoin to receive a 25% discount. Since the attackers had access to the email addresses of parents, the Information Commissioner’s Office (ICO) is investigating to learn more and advising caution regarding future phishing attacks targeted towards schools.

Individual Risk: 2.428 = Severe: It is still unknown how hackers gained access to parents’ email addresses, which could put personal information at risk. However, it is unlikely that payment details were exposed.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Adverline - FRANCE*

Exploit: Magecart attack, also known as web card skimming.
Adverline: Paris-based online advertising company.
Customers Impacted: To be determined.

Risk to Small Business: 1.888 = Severe:

In November of last year, a cybercriminal group attacked the content delivery network (CDN) of Adverline. They compromised its infrastructure in order to send malicious JavaScript code to online stores and steal payment card details entered by customers on checkout pages. Identified as a sophisticated form of a "Magecart" attack, it is estimated by cybersecurity experts to have affected a total of 277 sites. Although there is no further clarification on Adverline's response, it is safe to assume that the advertising company will be losing many of its client relationships.

Individual Risk: 2.428 = Severe: As you can imagine, there is not much end users can do to protect themselves against Magecart attacks. The risk of payment fraud is extremely high and widespread, especially with the number of sites affected since November. Consumers can protect themselves in the future by constantly monitoring their accounts and employing services that provide unique or encrypted payment card numbers for online transactions. Effect on Customers: The Adverline breach is a classic example of how an infrastructure hack can be manipulated to compromise an entire network of websites. Aside from adhering to best practices for vendor evaluation, companies must find ways to decentralize infrastructures in order to protect key assets and avoid being exposed in one fell swoop.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.



An Emerging Target for Data Breaches: HR and Finance Employees*

As phishing attacks evolve in sophistication, human resource and finance teams are becoming caught in the crosshairs. Historically, such departments have been able to fend off poorly executed phishing campaigns. However, as hackers get smarter, so do their tactics. By adopting the writing styles of executives on social media, they can produce "look-alike" language that is capable of fooling even the most careful employees.

Many times, employee data can command a higher price tag on the Dark Web than customer data, since it is more likely to include social security numbers, dates of birth, names of dependents, and other lucrative data that can be used in perpetuity, rather than for a one-time payment card fraud. When it comes to phishing attacks, it is important to remember that human users are the weakest link in the security chain.



* Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries that provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content's accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.
