Avantia Threat Update
OFFICE 365 CLOUD RAINS PASSWORDS
Updated: May 21, 2019

This week, employee phishing runs rampant in Office 365 Cloud – Bullphish Cyber Countermeasures launched, ransomware brings an airport offline, an NBA team’s online store leaks credit card information, and another Dark Web marketplace takes a dive.
TOP DARK WEB ID TRENDS & THREATS
Top Source Hits: ID Theft Forums (99%)
Top Compromise Type: Domains (99%)
Top Industry: Manufacturing
Top Employee Count: 11 - 50 Employees
TOP TARGETED INDUSTRIES
Finance Hits: 87 | Targets: PayPal, Equifax Inc, Western Union, JPMorgan Chase & Co., Kickstarter
Software Hits: 82 | Targets: TeamViewer, DropBox, JPMorgan Chase & Co., LinkedIn, McAfee
Software Hits: 73 | Targets: TeamViewer, WhatsApp Inc., Kickstarter, NSO Group, McAfee
eCommerce Hits: 58 | Targets: PayPal, AOL Inc
Internet Hits: 26 | Targets: Stack Overflow, LinkedIn, Best of the Web, Inc., Twitter, Facebook
TOP THREAT ACTORS
Hezbollah Hits: 26 | Targets: Israel, Syria, Lebanon, Iran, United States
CtrlSec Hits: 5 | Targets: Islamic State in Iraq and the Levant, United Nations, Twitter, United States, Tunisia
BinarySec Hits: 4 | Targets: Islamic State in Iraq and the Levant, Texas, Tunisia, Ku Klux Klan, Central Intelligence Agency
GhostSec Hits: 4 | Targets: Islamic State in Iraq and the Levant, 209.232.103.137, 208.89.215.171, 77.245.157.95, 23.94.17.37
APT3 UPS Hits: 3 | Targets: Hong Kong, Microsoft Windows, Adobe Flash Player, Object Linking and Embedding, United States
TOP EXPLOITED VULNERABILITIES
CVE-2017-0199 Hits: 859 | Related products: Microsoft Office, Microsoft Office Powerpoint, AhnLab-V3, Microsoft Windows, Microsoft Office Word
CVE-2017-8759 Hits: 849 | Related products: Microsoft Windows, VirusTotal, Microsoft Office, Microsoft .NET Framework, Microsoft Office Powerpoint
CVE-2017-0147 Hits: 83 | Related products: Microsoft Windows, Windows SMB, Microsoft Windows Server 2008, Microsoft Windows Server, Microsoft Windows Vista
CVE-2016-7255 Hits: 54 | Related products: Microsoft Windows, Microsoft Windows 7, Microsoft Windows 10, Adobe Flash Player, Microsoft Windows 8
CVE-2019-0708 Hits: 36 | Related products: Microsoft Windows, Remote Desktop Services, Microsoft TechNet, Microsoft Windows Xp, Microsoft Windows Server
TOP MALWARE
GozNym Hits: 32 | Targets: Germany, United States, Canada, Banking, Europe
UPATRE Hits: 14 | Targets: University of Florida, Personal Computer, Microsoft Windows Xp, Application Compatibility Database Installer, Microsoft Windows
VK OK Adblock Hits: 12 | Targets: Microsoft Internet Explorer, Google Chrome, Mozilla Firefox
Wcry Hits: 12 | Targets: Boeing, Microsoft Windows, United Kingdom, Bitcoin, North Korea
Pegasus Hits: 11 | Targets: Apple Mac Os X, Mexico, Android, Apple iPhone, iOS
IN OTHER NEWS:
Millions of Office 365 Cloud Based Email accounts compromised:
Over 1.5 million malicious and spam emails were sent from thousands of compromised Office 365 accounts in just one month, thanks to a surge in account takeovers (ATOs). Security vendor Barracuda Networks recently revealed new findings from an analysis of cloud-based email accounts under fire from ATO attempts in March. It claimed that over a quarter (29%) of the organizations it monitored had Office 365 accounts compromised by attackers. The most common routes in were credential stuffing (replaying usernames or email addresses and the corresponding passwords, usually from an earlier data breach, in large-scale automated login requests against a web application) using previously breached credentials, passwords stolen from the user’s personal email account, brute force attacks (a trial-and-error method in which automated software generates a large number of consecutive guesses at a password or personal identification number (PIN)) and other web and application channels. One of the most popular tactics is phishing emails which impersonate Microsoft and request Office 365 log-ins from the unwitting recipient. “With more than half of all global businesses already using Office 365 and adoption continuing to grow quickly, hackers have set their sights on taking over accounts because they serve as a gateway to an organization and its data — a lucrative payoff for the criminals,” warned Barracuda Networks VP of content security services, Asaf Cidon. Once an account has been taken over, hackers don’t usually launch an attack from it immediately. “Instead, they monitor email and track activity in the company, to maximize the chances of executing a successful attack,” Cidon explained. “As part of their reconnaissance, scammers often set up mailbox rules to hide or delete any emails they send from the compromised account.
In the analysis performed by Barracuda researchers, hackers set up malicious rules to hide their activity in 34% of the nearly 4000 compromised accounts.” The attackers then use their reconnaissance to target high-value accounts in the organization, such as executives and finance bosses, which could be used to facilitate Business Email Compromise (BEC) scams, a type of scam targeting companies that conduct wire transfers and have suppliers abroad, in which attackers rely heavily on social engineering to trick unsuspecting employees and executives. “Hackers also use compromised accounts to monetize attacks by stealing personal, financial, and confidential data and using it to commit identity theft, fraud, and other crimes,” Cidon claimed. “Compromised accounts are also used to launch external attacks targeting partners and customers. With conversation hijacking, hackers insert themselves into important conversations or threads, such as during a wire transfer or other financial transaction.” He urged the use of MFA (Multi-Factor Authentication) to protect accounts, alongside tools to monitor inbox rules and suspicious activity, staff training, ATO protection and AI tools to better spot BEC and spear-phishing.
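The mailbox-rule monitoring Cidon recommends above can be automated. The following is an added example written for this update, not code from the newsletter or from Barracuda: it audits inbox rules that have been exported to a JSON list and flags rules that delete, hide or forward mail, the pattern attackers used in 34% of the compromised accounts. It assumes the export uses field names modelled on Exchange Online's Get-InboxRule output (Enabled, DeleteMessage, MoveToFolder, ForwardTo, SubjectContainsWords and so on); the folder and keyword lists are assumptions, and the sample export is constructed.

```python
import json

# Folders a hiding rule typically routes mail into so the owner never sees it
# (assumed list drawn from common incident write-ups, not from the newsletter).
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                  "Junk Email", "Deleted Items", "Archive"}
# Condition words that, together with a hide/forward action, suggest the rule
# suppresses security notices or financial correspondence (assumed).
SUSPECT_KEYWORDS = ("invoice", "payment", "wire", "password", "hacked",
                    "phishing", "suspicious", "security")

def _external(addresses, internal_domain):
    """Addresses whose domain is not the organisation's own."""
    suffix = "@" + internal_domain.lower()
    return [a for a in addresses if not a.lower().endswith(suffix)]

def audit_rule(rule, internal_domain):
    """Reasons a single inbox rule looks like account-takeover cover;
    an empty list means the rule is benign under these heuristics."""
    if not rule.get("Enabled", True):
        return []                     # a disabled rule cannot hide anything
    reasons = []
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    folder = rule.get("MoveToFolder") or ""
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    ext = _external(targets, internal_domain)
    if ext:
        reasons.append("forwards or redirects externally: " + ", ".join(ext))
    if not reasons:
        return []                     # no hide/forward action: not a hiding rule
    # Context that strengthens an already suspicious rule.
    words = [w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])]
    hits = sorted({w for w in words if any(k in w for k in SUSPECT_KEYWORDS)})
    if hits:
        reasons.append("condition keywords: " + ", ".join(hits))
    if rule.get("MarkAsRead"):
        reasons.append("also marks mail as read")
    if len(rule.get("Name", "").strip()) <= 1:
        reasons.append("near-empty rule name")
    return reasons

def audit_export(json_text, internal_domain):
    """Audit every rule in a JSON export; returns (mailbox, rule name, reasons)
    for each suspicious rule, in export order."""
    findings = []
    for rule in json.loads(json_text):
        reasons = audit_rule(rule, internal_domain)
        if reasons:
            findings.append((rule.get("MailboxOwnerId", "?"),
                             rule.get("Name", ""), reasons))
    return findings

# Constructed sample export (not real data): two benign rules, two hiding rules.
SAMPLE_EXPORT = json.dumps([
    {"MailboxOwnerId": "alice@example.com", "Name": "Newsletters", "Enabled": True,
     "MoveToFolder": "Newsletters", "SubjectContainsWords": ["newsletter"]},
    {"MailboxOwnerId": "alice@example.com", "Name": ".", "Enabled": True,
     "DeleteMessage": True, "MarkAsRead": True,
     "SubjectContainsWords": ["invoice", "wire transfer", "password reset"]},
    {"MailboxOwnerId": "bob@example.com", "Name": "fwd", "Enabled": True,
     "ForwardTo": ["collector@attacker-mailbox.example"], "MoveToFolder": "RSS Feeds"},
    {"MailboxOwnerId": "bob@example.com", "Name": "retired", "Enabled": False,
     "DeleteMessage": True},
])

for mailbox, name, reasons in audit_export(SAMPLE_EXPORT, "example.com"):
    print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

Run against a real export, the findings list is the worklist for the mailbox review that MFA alone does not replace.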
Leading ‘Phishing’ Countermeasure Program launched in Australia:
This week, Avantia Cyber Security launched the BullPhish suite of Cyber Security Countermeasures to stem the rising tide of cyber exploits arising from email phishing scams perpetrated on the staff of organisations of all sizes in Australia. The best news for Avantia Cyber Password Monitoring clients is that it is a FREE service for them.

BullPhish ID, the latest addition to Avantia’s Cyber Security product suite, simulates phishing attacks to identify potential security risks and generates security awareness training campaigns to educate employees, making them the best defence against cybercrime. BullPhish ID enables Avantia Cyber Security to send simulated phishing campaign emails to an organisation’s staff, and to track and report their interactions with phishing content, such as open, click, and data submission rates. The BullPhish phishing simulation tool offers a high degree of local customisability, and also provides 12 realistic pre-generated templates and landing pages for initial testing; it will shortly be able to benchmark results against penetration results from around Australia. Working in conjunction with the BullPhish tool is the BullPhish Training & Awareness program, which delivers online video-based cybersecurity training campaigns to staff based on the penetration results and tracks completion of paired training quizzes on subjects such as 'How to Avoid Phishing Scams' and 'Good Password Practices.'
Millions using 123456 as Passwords Study Finds:
Millions of people are using easy-to-guess passwords on sensitive accounts, suggests a study. The analysis by the UK's National Cyber Security Centre (NCSC) found 123456 was the most widely-used password on breached accounts. The study helped to uncover the gaps in cyber-knowledge that could leave people in danger of being exploited. The NCSC said people should string three random but memorable words together to use as a strong password.
Sensitive data: For its first cyber-survey, the NCSC analysed public databases of breached accounts to see which words, phrases and strings people used. Top of the list was 123456, appearing in more than 23 million passwords. The second-most popular string, 123456789, was not much harder to crack, while others in the top five included "qwerty", "password" and 1111111. The most common name to be used in passwords was Ashley, followed by Michael, Daniel, Jessica and Charlie. When it comes to Premier League football teams in guessable passwords, Liverpool are champions and Chelsea are second. Blink-182 topped the charts of music acts. People who use well-known words or names for a password put themselves at risk of being hacked, said Dr Ian Levy, technical director of the NCSC.
"Nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band," he said. Hard to guess: The NCSC study also quizzed people about their security habits and fears. It found that 42% expected to lose money to online fraud and only 15% said they felt confident that they knew enough to protect themselves online. It found that fewer than half of those questioned used a separate, hard-to-guess password for their main email account. The survey was published ahead of the NCSC's Cyber UK conference, to be held in Glasgow.
Amnesty Says Hong Kong Office Hit by China-linked Cyber Attack:
Amnesty International's Hong Kong office has been hit by a years-long cyberattack from hackers with known links to the Chinese government, the rights group said. The attack comes at a time of growing concern in Hong Kong over shrinking freedoms as Beijing flexes its muscles and western nations fret about the global dominance of China in telecommunications networks. Amnesty said it first detected that its systems had been compromised on March 15, when its Hong Kong office migrated its IT infrastructure to the rights group's more secure international network as part of a scheduled upgrade. The group brought in a team of experts to investigate. "Cyber forensic experts were able to establish links between the infrastructure used in this attack and previously reported APT campaigns associated with the Chinese government," the group said in a statement. Advanced persistent threats (APTs) are the most complex and effective hacks, deploying significant know-how and resources -- and they are usually carried out by, or on behalf of, a state. China has long been accused by western governments, businesses and cyber analysts of using APT groups to carry out corporate and political espionage as well as to pursue critics and opponents overseas, allegations it denies. Amnesty said its investigations pointed to "a known APT group" which used "tactics, techniques and procedures consistent with a well-developed adversary". It declined to name the group, saying investigations were still ongoing, but added that it would release a technical report at a later date. "This sophisticated cyberattack underscores the dangers posed by state-sponsored hacking and the need to be ever vigilant to the risk of such attacks," said Man-kei Tam, Director of Amnesty International Hong Kong. "We refuse to be intimidated by this outrageous attempt to harvest information and obstruct our human rights work," he said.
Tam said experts were still trying to work out when the attack began, but they believe the systems were compromised for some time. "According to our cyber forensic experts the attack has been persistent, so it has been happening already for a few years," he told AFP, adding that it has since been contained. The rights group has contacted individuals whose details may have been put at risk. It declined to detail how many people could be affected but said no financial information had been compromised. Hong Kong's civil and rights groups are already on edge about what they say are fading freedoms in the financial hub. Joshua Rosenzweig, head of Amnesty's East Asia Regional Office, which is also based in Hong Kong but separate from the local branch that was targeted, said civil society was clearly a target of state-sponsored cyberattacks. "We see this as an attack on civil society and the NGO community as a whole," he said. "We don't want to hide this. Exposing the fact that this is happening is part of, I hope, how we protect ourselves."
THREAT FOCUS: Emcare – USA
Exploit: Employee email account breach
EmCare: Dallas-based healthcare provider
Risk to Small Business: 1.666 = Severe: An unauthorized third party accessed employee emails, allowing them to view sensitive personal information and confidential patient data. Through this vulnerability, hackers were able to access as many as 60,000 individual records, including 31,000 patient records. The company was quick to indicate that they don’t believe any personal data has or will be misused, and it’s unclear why this information was accessed. Nevertheless, EmCare will now bear the costs of providing free credit monitoring services and managing public relations.
Individual Risk: 2.149 = Severe: Employees and patients who received care from the company could have had their name, birth date, age, social security number, and driver’s license number exposed. In some cases, protected health information was also made vulnerable.
Customers Impacted: 60,000
Effect On Customers: This episode is a reminder that even minor vulnerabilities can have extensive consequences. In this case, accessing just a few email accounts compromised thousands of patient records, creating serious problems for both the victims and the company. Since healthcare organizations are explicitly charged with protecting this information, they need to take every precaution to make sure that their systems are secure. By monitoring where and how hackers use patient and employee information on the Dark Web, providers can offer lasting protection.
Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
THREAT FOCUS: United States Doctors Management Service – USA
Exploit: Ransomware attack
Doctors’ Management Service: Medical billing service provider
Risk to Small Business: 1.444 = Extreme: Nearly 40 healthcare centers were significantly impacted by a ransomware attack that compromised patient data. Although the company deployed a network backup to avoid paying the ransom, the hackers had access to sensitive patient information including names, addresses, dates of birth, social security numbers, driver’s license numbers, and health insurance information.
Individual Risk: 2 = Severe: The company was unable to determine if personal health information was viewed or downloaded, and patients at any of the healthcare providers working with Doctors’ Management System could be impacted by the breach. Therefore, all patients within this network are encouraged to obtain credit and identity monitoring services.
Customers Impacted: Unknown
Effect On Customers: Ransomware is a serious problem for healthcare companies and those tasked with managing patient data. Having the right backup infrastructure in place is important, and, in this case, allowed the company to avoid paying a ransom to reclaim its data. However, implementing the right security measures for proactive detection is even more critical for preventing attacks from occurring in the first place.
THREAT FOCUS: Cleveland Hopkins International Airport - USA
Exploit: Ransomware attack
Cleveland Hopkins Int'l Airport: A public airport located in Cleveland, Ohio
Risk to Small Business: 2.111 = Severe: A ransomware attack on the airport disabled information screens that provide information about incoming arrivals, imminent departures, and baggage claim status. At the same time, other network components including email, electronic payroll, and record keeping services were also affected. These disruptions occurred for many days, and the FBI is investigating the source of the attack.
Individual Risk: 3 = Moderate: There is no indication that any personal information was compromised in this attack, but users with information stored on this network should be mindful of its vulnerabilities while monitoring for possible misuse of stored information.
Customers Impacted: Unknown
Effect on Customers: When attacks hit companies providing critical services like air travel, a disruptive data breach can have far-reaching consequences. While this attack didn’t compromise any critical infrastructure, travelers might be less likely to trust the company’s infrastructure to guard against more aggressive or intrusive attacks. When public safety is concerned, preventing a breach becomes an even more critical concern.
THREAT FOCUS: Partners For Quality – USA
Exploit: Compromised email accounts
Partners for Quality: Pennsylvania-based agency providing educational services for children with intellectual and developmental disabilities
Risk to Small Business: 1.222 = Extreme: A malicious third party gained access to several employee email accounts, giving them broad access to their users’ sensitive personal information. This is the company’s second data breach this year, and, since the company handles uniquely sensitive information about their customers, the responsibility to secure this data is magnified.
Individual Risk: 2 = Severe: Hackers gained access to protected health information (PHI) including names, social security numbers, diagnosis/treatment, medical records, billing claims, health insurance credentials, passport information, and banking numbers. Those impacted by the breach should enroll in credit and identity monitoring services to ensure that their information is not used for malicious purposes.
Customers Impacted: 3,673
Effect On Customers: Every company managing PHI needs to be especially aware of their cybersecurity vulnerabilities, since a breach not only imperils their users but it also casts doubt on their competence. Since most email-based threats are preventable, companies handling PHI should take every action to educate their employees and to secure their networks.
THREAT FOCUS: Aebi Schmidt - SWITZERLAND
Exploit: Ransomware attack
Aebi Schmidt: Manufacturing company that produces vehicles for airport maintenance and road cleaning
Risk to Small Business: 1.888 = Severe: A company-wide ransomware attack paralyzed the organization’s global operations, sending their manufacturing systems and email network offline. Major workflows were disrupted for 24 hours, including other ancillary systems that were shut down as a precaution. The company regained operations by launching a backup recovery process that restored the network and limited the attack’s damage.
Individual Risk: 3 = Moderate: While the company’s business operations were significantly restricted, there is no evidence that any personal information was compromised or put at risk.
Customers Impacted: Unknown
Effect On Customers: Unlike other recent victims of ransomware attacks, Aebi Schmidt was able to quickly restore operations by launching a backup system that was free from the malady. By having a plan in place to adequately address a ransomware attack, the company was able to mitigate the damage while avoiding having to pay a ransom to the perpetrator. As malware infections continue to make news headlines on a weekly basis, businesses must partner with providers of comprehensive cybersecurity suites.
THREAT FOCUS: GetGo - PHILIPPINES
Exploit: Unauthorized server access
GetGo: The rewards platform of Cebu Pacific, a Philippines-based airline
Risk to Small Business: 2.222 = Severe: A tweet by a prominent hacking group alerted GetGo that its servers were breached. In response, the company shut down its servers and contained the incident. Although the Twitter post promised a significant data breach, no stolen data has been publicly posted. Nevertheless, the business may have to deal with customer attrition and an erosion of brand equity.
Individual Risk: 2.428 = Severe: The company claims that credit card information was not stored on the affected server, but it’s still unclear if any other personal information was compromised. In the meantime, GetGo users should monitor their accounts for potential misuse.
Customers Impacted: To be determined
Effect on Customers: Without proper detection tools in place, Cebu Pacific had no means of determining the severity of the breach and was forced to temporarily shut down its website and mobile app. For a business operating in a cutthroat market such as airfare, every second offline can translate into millions of dollars in lost revenue. Additionally, rewards platforms are designed to engender trust and loyalty with the customer, but a breach can produce the opposite result. It goes without saying that security should be a priority, with employee and customer privacy at the forefront.
POSTSCRIPT:
Cyber-attacks are soaring in 2019
It’s no surprise that cyber criminals are always looking for new vulnerabilities to take advantage of, and we are now becoming inundated with, and even accepting of, breaches making daily news headlines. However, their swift increase in the first quarter of 2019 is shocking even by today’s standards. According to a recent report by Malwarebytes, cyber threats are up 235% year-over-year, primarily the result of a surge in ransomware and trojans. However, bad actors aren’t just increasing the frequency of their attacks; they are changing their focus. The study found that cyber criminals are targeting SMBs because they have less money and fewer resources to spend on cyber defence. Most prominently, cyber criminals are relying on ransomware. Corporate ransomware attacks are up 195% from the last quarter, and they have grown at an astonishing 500% since April 2018. It’s no secret that today’s threat landscape is always evolving, and protecting small businesses requires a continual re-evaluation of your organization’s most prominent vulnerabilities. However, in order to fight fire with fire, companies must enlist the help of security solutions that are designed to keep a pulse on hacker activities and employee/customer information.
Another Dark Web marketplace shuts down
The Dark Web, a section of the internet that has become famous for selling illegal drugs, weapons, malware, and other illicit materials, is undergoing a major shakeup. Authorities have already shuttered many of the most prominent marketplaces, culminating in last month’s announcement that Dream Market, the oldest and biggest platform, would close. Now, another major player, Wall Street Market, is ending as well. According to multiple reports, the website’s admins have “exit scammed” the site’s users, siphoning $14.2 million in user funds into Bitcoin wallets not associated with the marketplace. At the same time, there are reports that customer support staff are blackmailing users who shared their information during customer support requests. The Dark Web is a nefarious place, and it’s difficult to feel bad for anyone who is scammed when participating in such overtly illegal activities, but the episode is a reminder of the expansive marketplace fuelling many cybersecurity vulnerabilities and the extensive demand for security-compromising products.

*Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content's accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.