top of page
  • Writer's pictureAvantia Threat Update


Updated: Jan 2, 2019

On the Dawn of 2019 - NASA suffers a major breach. Is it an omen?

This week, as we head towards the dawn of 2019, NASA is breached, Caribou Coffee gets roasted, Schools data stolen, Facebook still leaking and memes are being used as code.

This past week’s Dark Web Compromises:

Top Source Hits: ID Theft Forums (100%) Top Compromise Type: Domains Top Industry: Legal Top Employee Count: 251 - 500 employees (50%)

This past week’s top Targeted Industries:

Top Information Technology Hits: 96 | Targets: Netflix, Google, Twitter, Microsoft, Yahoo

Top Software Hits: 70 | Targets: Google, Cambridge Analytica, Twitter, GitHub, Quora

Top Media and Entertainment Hits: 59 | Targets: Netflix, Spotify, Sony Corp, Zee, SM Entertainment

Top Consumer Goods Hits: 35 | Targets: Marriott International, Caribou Coffee, Starwood Hotels & Resorts Worldwide, Sony Corp, Huawei Technologies

Top Cybersecurity Hits: 33 | Targets: CenturyLink Inc, IBM Corporation, HP, Sophos, Cylance, Inc.

This past week’s top Threat Actors:

APT28 Fancy Bear Hits: 105 | Targets: Democratic National Convention, Democratic National Committee, United States, Germany, United States Senate

Hezbollah Hits: 58 | Targets: Israel, Syria, Lebanon, Iran, United States

Ghost Squad Hits: 6 | Targets: Israel, Black Lives Matter, Ku Klux Klan, Afghanistan, Banking

Inj3ct0r Team Hits: 5 | Targets: WordPress, Joomla, Twitter, Apache HTTP Server, Symantec

Shadow Brokers Hits: 5 | Targets: Microsoft Windows, Microsoft, Cisco Systems Inc, Iran, China

This past week’s top Malware Attacks:

UEFI Rootkit Hits: 102 | Targets: Operating system, InfoSec, Central Province, Europe, Artificial Intelligence

Xrumer Hits: 101 | Targets: xevil, Brut, Valparaiso, A-Poster, Уничтожитель

Shamoon Wiper Hits: 67 | Targets: Saudi Arabia, Saudi Aramco, Italy, Europe, Sony Corp

Webalta Hits: 46 | Targets: Google

Wcry Hits: 31 | Targets: Boeing, Microsoft Windows, United Kingdom, Bitcoin, North Korea


In Other News:

NASA announces Xmas present to employees:

NASA on Tuesday disclosed a data breach involving current and former employees' personal data. The space agency discovered that one of its servers was compromised on Oct. 23, it revealed in an internal memo posted to Spaceref. The server included employees' personal info, including Social Security numbers, but the agency doesn't know if that data was stolen. NASA is working with federal cybersecurity partners to figure it out.

"Those NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018, may have been affected," Bob Gibbs, the assistant administrator in NASA's office of human capital management, wrote in the memo. The agency doesn't believe any of its missions, which include the InSight lander's work on Mars, were compromised by the breach.

The memo doesn't mention why NASA waited nearly two months to inform employees, but US law enforcement regularly asks hacked organizations to delay notifying potential victims during an investigation.

Not everyone is on School Holidays – Major Breach

A phishing attack against California’s San Diego Unified School District has led to hackers scooping up Social Security numbers and addresses of more than 500,000 students and staff.

The district became aware of the breach Oct. 2018. The actual breach occurred between January 2001 and November 2018, a spokesperson said. The district reported that it was first alerted to “multiple reports of phishing emails,” which were used to gather log-in information of staff members throughout the district.

Hackers then used that log-in data to access the social security numbers and first and last names of student and staff, as well as their date of birth, mailing address, home address and phone number.

“The data file contained information on students dating back to the 2008-09 school year, or more than 500,000 individuals,” according to a notification on the San Diego Unified School District’s website last Friday. “For that reason, all of those individuals have been notified of the incident. Additionally, some 50 district employees had their log-in credentials compromised as part of the phishing operation. All students and staff who had their information accessed have been alerted by district staff.”

The San Diego Unified School District serves more than 121,000 students and is the second largest school district in California.

Other accessed information included:

-Student enrollment information like schedule, discipline incident information, health information, attendance records, transfer information, legal notices on file, and attendance data

-Student and selected staff State Student ID Number

-Student and staff parent, guardian and emergency contact personal identifying information (including first and last name, phone numbers, address, email address, employer information)

-Selected staff benefits information

-Selected staff payroll and compensation information (including viewable paychecks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information)

The district said that police have identified “a subject of the investigation” and blocked all stolen credentials; however, they could not comment more due to the ongoing nature of the investigation. Meanwhile, staff members whose accounts were compromised had the security on their accounts reset.

The San Diego Unified School District did not immediately respond to a request for comment.

Facebook, What Are You Doing?

Facebook continues to let down its users this week… this time by providing user data to a wide variety of large companies for commercial purposes. Some of the companies that took advantage of Facebook’s fast and loose outlook on its customers’ data include Apple, Amazon, Microsoft, Spotify, and Netflix. The information even included private messages between users. When Amazon was asked about how it used the user data Facebook provided them, their official statement stated they used the data “appropriately,” which is not very comforting.

Who’s Listening – Nova Entertainment in Perth Australia nailed:

Nova Entertainment has announced on Friday that a legacy dataset containing information collected from their listeners during the period from May 2009 to October 2011 has been publicly disclosed. Nova is in the process of notifying individuals affected by this incident of the steps they can take to prevent any potential misuse of their information.

The types of information disclosed in this incident varies from person to person, but generally includes biographical information (such as name, gender and date of birth), contact information (such as residential address, email address, and telephone number), and user account details (such as user names and passwords, which were protected by 'hashing', an easy to decrypt countermeasure.).

Nova confirmed that no other information, including copies of identity documentation or financial information is contained in the dataset disclosed in this incident. Nova has notified the Office of the Australian Information Commissioner of this incident, and are in the process of contacting law enforcement bodies.


Threat Focus - Caribou Coffee – United States

Exploit: Compromise of POS systems. Caribou Coffee: A large coffee chain in the United States. Risk to Small Business: 1.777 = Severe: A breach of this magnitude would have a negative impact on any organization for a long time. Around 40% of the company’s locations were affected by the breach, with all cards used during the breach being considered accessed. Individual Risk: 2.428 = Severe: Those affected by this breach are at an increased risk of identity theft. Those who used a credit or debit card at the organization between August 28, 2018, and December 3, 2018. Customers Impacted: 239 of the organization’s stores were affected by the breach. Effect on Customers: Credit card information being accessed is never good for business. Customers tend not to forget the company whose breach resulted in them losing money.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.

Threat Focus – Steelite – United Kingdom

Exploit: Ransomware. Steelite: A Middleport-based company that manufactures tableware for the hospitality industry. Risk to Small Business: 1.888= Severe: The risk to small business in this scenario is very high. Ransomware is becoming more and more prevalent in the cyber-crime scene as it is a low-risk/ high reward attack vector. Individual Risk: 2.571= Moderate: It is unclear if payroll information was accessed, but due to the sensitive nature of the encrypted files, it would be best to be cautious. Customers Impacted: The employees who work at the organization are the ones at risk. Effect on Customers : Payroll information is vital for operating a business, which makes this attack particularly damaging. Many organizations would not have the resources available to rebuild their payroll servers so quickly, which would leave them in a precarious situation. Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.



Twitter Memes Researchers have discovered a malware that is being distributed by hackers, which receives instructions from… memes. That’s right, this form of malware that targets Windows systems can “capture local screenshots, enumerating applications on the system, checking for vulnerabilities in them, capturing clipboard content, and sending files back to the attacker.” It also can receive instructions from Twitter memes. This type of communication is known as stenography and hypothetically could be used to instruct many people at once with memes, while surpassing most detection systems.

So, stay alert this holiday while perusing the interwebs for memes! Make sure all your systems are up to date and your credentials aren’t compromised… better to enjoy this season!

Happy New Year to all our readers.



* Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.

bottom of page