  • Avantia Threat Update


Updated: Jan 12, 2019

Who are the 'monitors' of the 'monitors' ?

This week, Managed Service Providers get a nasty Xmas present from Cyber Criminals, an alcohol retailer in the United States had a few too many, a Canadian city has problems with Click2Gov, and business email compromises are ravaging the globe.

This past week’s Top Dark Web Compromise trends:

Top Source Hits: ID Theft Forums (99%)
Top Compromise Type: Domains (99%)
Top Industry: High-Tech & IT
Top Employee Count: 11-50 employees (40%)

This past week’s Top Industry Compromises:

Information Technology Hits: 206 | Targets: Google, Netflix, Microsoft, Twitter, Yahoo

Software Hits: 180 | Targets: Google, Microsoft, Twitter, Quora, Yahoo

Social network Hits: 143 | Targets: Google, Twitter, Baidu, WhatsApp Inc., Tumblr

Publishing Hits: 91 | Targets: Tronc, Inc., Tribune Company, Mondo Tv S.p.A., Medical Tribune

This past week’s Top Threat Actors:

Thedarkoverlord Hits: 190 | Targets: Netflix, Larson Studios, United States, Healthcare, American Broadcasting Company

Shadow Brokers Hits: 92 | Targets: Microsoft Windows, Microsoft, Cisco Systems Inc, Iran, China

APT28 Fancy Bear Hits: 63 | Targets: Democratic National Convention, Democratic National Committee, United States, Germany, United States Senate

Inj3ct0r Team Hits: 46 | Targets: WordPress, Joomla, Twitter, Apache HTTP Server, Symantec

Hezbollah Hits: 11 | Targets: Israel, Syria, Lebanon, Iran, United States

This past week’s Top Malware exploitations:

Ryuk Ransomware Hits: 158 | Targets: Bitcoin, Check Point Software Technologies Ltd, North Carolina, United States

UEFI Rootkit Hits: 130 | Targets: Operating system, Unified Extensible Firmware Interface, InfoSec, Central Province, Europe

Wcry Hits: 26 | Targets: Boeing, Microsoft Windows, United Kingdom, Bitcoin, North Korea

Emotet Hits: 20 | Targets: Germany, United Kingdom, Banking, Microsoft Windows, United States

Webalta Hits: 10 | Targets: Google


In Other News:

Ransomware rips Christmas Goodwill from Managed Service Providers:

A cloud hosting provider headquartered in San Juan Capistrano, California USA with data centers in Los Angeles USA, Reston USA, London UK, Hamilton Bermuda, and Canada, was infected with ransomware on Christmas Eve, 2018. It appears that the firm declined to pay any ransom, and is reconstituting the files manually and from backups.

According to the provider's notices to customers, the ransomware concerned is Ryuk, the same ransomware that disrupted the delivery of several major U.S. newspapers in the last weekend of 2018. However, this attribution rests solely on Data Resolution's notice to customers: "Christmas Eve; Ryuk ransomware attack occurred -- Point of Origin North Korea."

At this point, Data Resolution's assertion has not been definitively confirmed. It may simply be that encrypted files were assigned the .ryk extension, as happened in the weekend newspaper attack. Similarly, the association of Ryuk with North Korea (and more specifically the Lazarus Group) is based primarily on a Check Point study published in August 2018, and Check Point was by no means definitive. It reported, "Both the nature of the attack and the malware's own inner workings tie Ryuk to the HERMES ransomware and arouse curiosity regarding the identity of the group behind it and its connection to the Lazarus Group."

Nevertheless, what little is currently known does seem to point to Ryuk. A security analyst for a US based Cyber company said "We still have limited information. However, the attack strategy is similar to those of SamSam Malware in the way that the attackers gain access to the network. Before attacking the first compromised system they do a full exploration of the network to identify the key systems and then launch a full-scale attack. By doing this, the attackers can ask for higher ransoms. I would say it is too early to talk about attribution at this point."

In November 2018, security experts identified BitPaymer, Dharma and Ryuk as ransomware families that had adopted the attack strategy pioneered by SamSam: manually breach the target (usually via RDP), reconnoiter the network, and then encrypt the files whose loss will cause the most damage. This makes recovery from a targeted attack more difficult than recovery from a standard spray-and-pray ransomware attack, and allows the attackers to demand a higher ransom.

The most high-profile SamSam attack to date was that against the City of Atlanta in March 2018. As in this case, Atlanta declined to pay the ransom and sought to recover its own files. This proved more difficult than expected: in June 2018, Atlanta information management head Daphne Rackley told the City Council that her department would need an additional US$9.5 million over the coming year because of the ransomware.

It is impossible to say how deeply this new attack has gone. However, the implication is that recovery is not straightforward. A status update from the firm to its customers shows that by 2 January 2019, the firm was still struggling to restore many of its services more than a week after the attack became apparent.

Because the affected party is an MSP (Managed Service Provider), the attack has also been linked to the 'Cloud Hopper' campaign emanating from China. "The ransomware attack should leave other MSPs with no doubt," said Brian Downey, senior director, security product management at Continuum, in an emailed comment: "the channel is now the target for cybercriminals. Gaining access into an MSP's service network can provide access to the individual customers they serve. Just two weeks ago we saw that law enforcement has identified the threat from organized cyber attackers and we now have the first public reports of an MSP getting hit."

He added, "Make no mistake: this new attack proves that cybercriminals know the money is in attacking small businesses through their MSPs."

This is only obliquely accurate. While the Cloud Hopper campaign seems to have been motivated more by espionage than by direct financial gain, this ransomware attack is motivated primarily by financial gain.

It is perhaps a bit premature to claim that no data has been stolen, but that would certainly fit the normal approach taken by targeted ransomware. However, one motivation for attacking MSPs with ransomware may be an attempt to manipulate service level agreements between the MSP and its SMB clients. It may be that the cost of breaching SLAs because of the loss of service could be considered a major incentive to just pay the ransom.

It hasn't worked in this instance -- and Downey is accurate in his suggestion that MSPs are emerging as a primary target for hackers: for access to customers, and for direct extortion.

ATMs attacked:

Attacks against automated teller machines (ATMs) are nothing new, for obvious reasons. They are a perfect target for both conventional thieves and hackers, standing at the intersection of physical theft and cyber crime. Particularly in the developing world, ATMs often lack basic cybersecurity precautions, with archaic operating systems and minimal authentication requirements within the machines. The past few years have seen criminals applying their creativity to stealing money from ATMs, with considerable success. Methods of attack have included:

• Insert skimmers—physical devices placed in card slots to capture information from swiped cards.

• Remote cyber attacks—taking control of ATM servers to dispense cash, using malware.

• Direct malware attacks—using physical access to an ATM to deploy malware variants.

2018 saw at least two new major threats to ATM security: a “jackpotting” attack that presents a unique challenge because of its speed, efficacy, and the comparatively few resources it requires from attackers; and “shimming”, a simple way to steal data from chip-enabled cards.


Thieves have come up with many different ways to trick ATMs into spitting out large amounts of cash, but this new variation was first found in Europe around 2016 and has been tied to approximately a dozen attacks in 2018. It involves cutting a small hole next to the PIN pad, inserting a cable to connect a laptop, and commanding the ATM to dispense its money. Researchers were able to recreate the attack using just $15 worth of equipment, swapping out the laptop for a simple microcomputer.

The attack works because the minimal encryption and authentication requirements in many ATMs mean that once certain ports are accessed, the attacker has total control. What makes this technique so potentially dangerous is that it can dispense cash in just a few seconds and empty an ATM within minutes. Jackpotting has always been difficult to pull off in the developed world, because of faster police response times, but the speed of this technique could make it extremely lucrative in any country. Fortunately, this type of attack does not affect consumers, but it could become a major problem for financial institutions.


As previously mentioned, “skimming” is when thieves insert a device into an ATM’s card reader to steal data from swiped cards. “Shimming” is a new variation on this attack that can steal data from chip-enabled cards in ATMs or point-of-sale machines using a paper-thin insert in the card reader.

This type of attack is more expensive to pull off than the jackpotting attack, because of the tech involved, but it’s especially dangerous because of how simple the attack is. All thieves need is a few seconds of access to the machine, and it can be quite hard to detect once deployed. The best way to spot the shimmer is by feeling for the tighter fit that the device creates when inserting a card.

Once a card has been compromised, the attackers can create a replica of the card for use in swipe machines. We understand that they are currently unable to create a chip-enabled duplicate to be used for insert and tap payments. For this reason, chip cards are still a more secure option for consumers.

What Should Businesses Do to Protect ATMs?

The current state of ATM security is far from optimal, but the unique security challenges around ATMs make improvements difficult. That said, there are short- and long-term possibilities to make these types of attacks, and others, more difficult to pull off.

Better physical security will make the biggest difference, because even most malware attacks start with physical access to the ATM. However, this is easier said than done, especially in developing countries and rural areas. ATMs could conceivably be built to shut down completely when anyone tampers with the machine, but manufacturers are unlikely to do so because of how easy it would be to trigger a false positive and disable the machine.

For better digital security, ATM manufacturers should leverage more encryption within the software of the machines, require more authentication measures, disable unused ports, and create whitelists of allowed processes so that alerts are automatically generated by unauthorized processes—just to name a few ideas.
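The process allowlisting recommended above, as an added example (not code from the newsletter or from any ATM vendor): a snapshot of running processes is checked against an allowlist of full image paths and the parent process each is expected to have, so both a look-alike binary dropped in another directory and a legitimate vendor binary launched by an unexpected parent raise an alert. The image paths, process names and the snapshot are constructed for the example.

```python
"""Process-allowlist monitor for a locked-down endpoint such as an ATM.

Added example. The snapshot below is constructed; on a real host it would
be collected from the OS (e.g. tasklist or psutil) on a schedule.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str   # full path of the running executable
    parent: str  # image name of the parent process


# Allowlist keyed by normalized full path -> set of permitted parent images.
# Keying on the full path (not just the file name) is what catches a
# renamed or relocated binary pretending to be a system process.
ALLOWLIST = {
    r"c:\windows\system32\wininit.exe": {"smss.exe"},
    r"c:\windows\system32\services.exe": {"wininit.exe"},
    r"c:\windows\system32\svchost.exe": {"services.exe"},
    r"c:\atm\vendor\xfsagent.exe": {"services.exe"},   # hypothetical vendor agent
    r"c:\atm\vendor\teller.exe": {"xfsagent.exe"},     # hypothetical cash-handling app
}


def normalize(path: str) -> str:
    """Collapse separators and case so Windows paths compare reliably."""
    return str(PureWindowsPath(path)).lower()


def check_snapshot(procs):
    """Return (pid, reason, image) alerts for every process that is either
    not on the allowlist or was started by a parent the allowlist forbids."""
    alerts = []
    for p in procs:
        image = normalize(p.image)
        parents = ALLOWLIST.get(image)
        if parents is None:
            alerts.append((p.pid, "unlisted image", image))
        elif p.parent.lower() not in parents:
            alerts.append((p.pid, f"unexpected parent {p.parent.lower()}", image))
    return alerts


# Constructed snapshot: two legitimate entries (one with odd casing), one
# allowed image launched from the wrong parent, one name collision.
SNAPSHOT = [
    Proc(500, r"C:\Windows\System32\services.exe", "wininit.exe"),
    Proc(612, r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE", "services.exe"),
    Proc(900, r"C:\ATM\Vendor\xfsagent.exe", "services.exe"),
    Proc(1044, r"C:\ATM\Vendor\teller.exe", "cmd.exe"),
    Proc(1180, r"C:\Users\Public\svchost.exe", "services.exe"),
]

if __name__ == "__main__":
    for pid, reason, image in check_snapshot(SNAPSHOT):
        print(f"ALERT pid={pid} {reason}: {image}")
```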

There are some promising developments in the industry that could lead to better ATM security in the long term. Many ATM companies are moving fully off of Windows XP—which has long been one of the biggest weaknesses in ATM cybersecurity—to Windows 7 or 10, with the deadline to upgrade coming in January 2019. Separately, a group of 125 ATM companies are looking at developing their own standard for ATM software, with the goal of moving away from Windows entirely. However, this will take some time, so upgrading operating systems is an important intermediary step.

There are some potential upgrades in security that would come at the cost of convenience, and therefore might not be implemented any time soon. For example, requiring two-factor authentication for withdrawals and transactions over a certain dollar amount would go a long way to reduce the value of skimmed cards, but would consumers tolerate the inconvenience?

What Should Consumers Do to Protect Themselves?

To avoid shimming, skimming, or other methods of payment card information theft, use tap payments and smartphone payments like Apple Pay when possible. They are safer due to being much harder for thieves to replicate. When using ATMs, look for machines inside banks, or in well-lit, busy areas that would not allow thieves any uninterrupted access. When using an ATM that you think may have been compromised, look for anything that seems out of place. Scratch marks on the surface of the machine or any disturbance around the keypad might suggest that the machine has been tampered with. To avoid shimmers, feel for unusual resistance when inserting your card. Finally, it is wise to check your transaction records regularly to look for any unauthorized payments.

The Cost Of Business Email Compromises:

According to the FBI, business email compromise (BEC) schemes have amounted to $12.5B in losses to companies in 2018 alone. From Q1 to Q3, there was a 46% lift in the number of attempts recorded, signalling that hackers are doubling down on email fraud due to its simplicity and effectiveness. The top three countries most often targeted by email scammers? The United States, Australia, and United Kingdom.


Threat Focus - BevMo - USA

Exploit: Malicious code inserted into e-commerce checkout page.
BevMo: Alcohol retailer.
Risk to Small Business: 2 = Severe: As payment security continues to rise in importance to online shoppers, such an attack can strike a crushing blow to sales and bottom-line profits. Competition in the online retail landscape is cutthroat as is, so a newsworthy breach like this has the potential to turn customers away by shining a spotlight on personal and payment information concerns.
Individual Risk: 2.428 = Severe: The malicious code placed on the checkout page was able to siphon customer names, credit/debit card numbers, expiration dates, CVV2 codes, billing addresses, shipping addresses, and phone numbers. Visitors who entered payment details into the website are at a high risk for account fraud.
Customers Impacted: Nearly 15,000 customers who used the online portal.
Effect on Customers: Due to an increased level of vigilance surrounding data breaches, especially those involving payment data, it is crucial that companies place greater importance on preventing breaches from happening in the first place.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

Threat Focus - The City of Saint John, N.B - Canada

Exploit: Compromise in third-party software product ‘Click2Gov’.
City of Saint John: Large municipality that manages online parking payment systems.
Risk to Small Business: 2.111 = Severe: The breach does not pose a great threat to the city itself, but it does signal a much larger concern for the service provider CentralSquare Technologies. It remains to be seen if the company was aware of the breach, and if the compromise may have impacted many more cities across North America. A recent report from the Gemini Advisory firm discovered that nearly 300,000 payment records were stolen from 46 North American cities since 2017, including 6,000 from Saint John, and may be directly linked to the Click2Gov vulnerability.
Individual Risk: 2.571 = Moderate: As many as 6,000 people who used the online parking system could have had their personal information exposed. However, the investigation is underway and more details will emerge in the weeks ahead.
Customers Impacted: 6,000 parking customers since 2017.
Effect on Customers/Businesses: The everyday consumer is growing increasingly hesitant in trusting online legacy payment systems. By showcasing a comprehensive security solution that protects identities proactively, your customers can come out on top and distinguish themselves in the marketplace.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.



Cybercrime: A Self-Sustained Economy

Imagine virtual, hyper-connected marketplaces across the globe where you can purchase the latest round of stolen payment card information, malware toolkits, and keyloggers for sale.

Bad news: They already exist. Cybercrime has evolved into its own ecosystem, offering licensing models, 24/7 support, anonymous payment methods, free trials, and more. Although this is certainly meant to alarm and keep you aware, it’s not how we want you to ring in the New Year. Rest assured that you can keep your business far from the reaches of modern cybercrime by focusing on three key pillars: protection, prevention, and detection.

The good news is, we can help! Work with us to protect your employees and get back to focusing on your business.



* Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content's accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.
