Avantia Threat Update


Updated: Aug 5, 2020


ACSC issues Cyber Security Advisory as cyber attacks by an unnamed state actor escalate; In Cybersecurity News: eBay staff charged with cyberstalking after sending a fetal pig and spiders to the authors of an eBay-critical newsletter; Twitter takes down over 32,000 nation-state accounts involved in disinformation campaigns; Companies say strong authentication is important but still over-rely on passwords; Popular techniques used by cybercriminals amid the COVID-19 crisis revealed; A massive data breach leaks thousands of police records going back two decades; Ransomware strikes again; New eBook on the State of the Dark Web in 2020 published; and major breaches in ITALY, CANADA, AUSTRALIA, the UNITED KINGDOM and the UNITED STATES.


Top Compromise Type: Domain

Top Source Hits: ID Theft Forums

Top Industry: Manufacturing

Top Employee Count: 11 – 50




The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor. The advisory's title, ‘Copy-paste compromises’, is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.

The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The un-named actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.

Where exploitation of public-facing infrastructure did not succeed, the ACSC identified the actor using various spearphishing techniques. This spearphishing has taken the form of:

Links to credential harvesting websites

Emails with links to malicious files, or with the malicious file directly attached

Links prompting users to grant Office 365 OAuth tokens to the actor

Use of email tracking services to identify the email opening and lure click-through events.

Once initial access is achieved, the actor uses a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote access channels using stolen credentials. To successfully respond to a related compromise, every such access must be identified and removed. In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.

Detection and mitigation recommendations

It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility.

ACSC recommended prioritised mitigations

During the course of its investigations the ACSC has identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the TTPs identified in this advisory.

(1) Prompt patching of internet-facing software, operating systems and devices

All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available. Organisations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours. Additionally organisations, where possible, should use the latest versions of software and operating systems.

(2) Use of multi-factor authentication across all remote access services

Multi-factor authentication should be applied to all internet-accessible remote access services, including:

web and cloud-based email; collaboration platforms; virtual private network connections; remote desktop services.

Beyond the ACSC recommended key mitigations above, the ACSC strongly recommends implementing the remainder of the ASD Essential Eight controls.

During investigations, a common issue that reduced the effectiveness and speed of investigative efforts was the lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs. The ACSC strongly recommends reviewing and implementing the ACSC guidance on Windows Event Logging and Forwarding and System Monitoring.

Where available, campaign activity-specific and practical detection techniques have been included in this advisory. This advisory does not attempt to include detection technique recommendations for all ATT&CK techniques identified. For general detection and mitigation advice, please consult the ‘Mitigations’, ‘Data Sources’ and ‘Detection’ sections on each linked MITRE ATT&CK technique web page on the ACSC website. The ACSC strongly recommends that organisations review and implement the identified TTPs, detection recommendations and indicators in this advisory and associated files to help identify malicious activity related to this campaign.

Avantia Cyber Security is a registered Partner of the Australian Cyber Security Centre.
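One practical detection for the Office 365 OAuth consent lure described above, written here as an added example that is not part of the ACSC advisory or Avantia's material: it scans a simplified, constructed audit-log export (the field layout is an assumption for illustration, not the real Microsoft schema) for consent grants to applications outside an approved list or requesting mailbox and file scopes, which is the kind of historical logging the advisory says investigators lacked.

```python
import json
from typing import Dict, Iterable, List, Set

# Constructed sample export, one JSON object per line (NOT real tenant data).
# The field names are an assumed simplification of an Office 365 / Azure AD
# audit export; adapt the keys to whatever your tenant actually emits.
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2020-06-18T02:14:09","Operation":"Consent to application.","UserId":"a.smith@example.gov.au","AppDisplayName":"Contoso Timesheets","AppId":"11111111-1111-1111-1111-111111111111","ConsentType":"Principal","Scopes":"openid profile User.Read"}
{"CreationTime":"2020-06-18T02:15:40","Operation":"Consent to application.","UserId":"j.doe@example.gov.au","AppDisplayName":"Document Viewer","AppId":"22222222-2222-2222-2222-222222222222","ConsentType":"Principal","Scopes":"openid offline_access Mail.ReadWrite Files.Read.All"}
{"CreationTime":"2020-06-18T02:16:02","Operation":"UserLoggedIn","UserId":"j.doe@example.gov.au","AppId":"22222222-2222-2222-2222-222222222222"}
{"CreationTime":"2020-06-18T03:00:11","Operation":"Consent to application.","UserId":"admin@example.gov.au","AppDisplayName":"Contoso Timesheets","AppId":"11111111-1111-1111-1111-111111111111","ConsentType":"AllPrincipals","Scopes":"openid profile User.Read Mail.Read"}
"""

# Hypothetical allowlist of app IDs the organisation has vetted (constructed).
APPROVED_APP_IDS: Set[str] = {"11111111-1111-1111-1111-111111111111"}

# Delegated Graph scopes that let a third party read or send mail, keep a
# long-lived refresh token, or read files: exactly what a credential-phishing
# actor gains from a consent grant, so they deserve review regardless of app.
HIGH_RISK_SCOPES: Set[str] = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "offline_access",
}

CONSENT_OPERATION = "Consent to application."


def parse_consent_events(log_text: str) -> List[Dict]:
    """Return only the consent-grant records from a JSON-lines export."""
    events: List[Dict] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("Operation") == CONSENT_OPERATION:
            events.append(record)
    return events


def assess_consent(event: Dict, approved_app_ids: Iterable[str]) -> List[str]:
    """Return human-readable reasons a consent grant should be reviewed (empty if benign)."""
    reasons: List[str] = []
    approved = set(approved_app_ids)
    app_id = event.get("AppId", "")
    if app_id not in approved:
        reasons.append("app not on approved list")
    granted = set(event.get("Scopes", "").split())
    risky = sorted(granted & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    # Tenant-wide consent to an unvetted app exposes every user, not just one.
    if event.get("ConsentType") == "AllPrincipals" and app_id not in approved:
        reasons.append("tenant-wide (admin) consent")
    return reasons


def find_suspicious_consents(log_text: str, approved_app_ids: Iterable[str]) -> List[Dict]:
    """Scan the export and return one finding per consent grant that needs review."""
    findings: List[Dict] = []
    for event in parse_consent_events(log_text):
        reasons = assess_consent(event, approved_app_ids)
        if reasons:
            findings.append({
                "time": event.get("CreationTime"),
                "user": event.get("UserId"),
                "app": event.get("AppDisplayName"),
                "app_id": event.get("AppId"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_consents(SAMPLE_AUDIT_LOG, APPROVED_APP_IDS):
        print(f"{finding['time']} {finding['user']} -> {finding['app']} "
              f"({finding['app_id']}): {'; '.join(finding['reasons'])}")
```

Each finding names the user whose grant should be revoked and the app whose service principal should be reviewed; the approved-but-flagged "Contoso Timesheets" grant shows why scope checks must run even for vetted apps.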


The pig’s-head mask does not look pretty, but at least it isn’t scary. You can’t say the same for the other packages sent in a cyberstalking campaign allegedly orchestrated by eBay management and targeted at a Natick, Massachusetts couple who run an online e-commerce newsletter that’s sometimes critical of eBay. According to the Department of Justice (DOJ) in the USA, the mask was one of multiple threatening packages sent by the e-behemoth’s (now former) employees as part of a cyberstalking campaign to bully the couple into closing down their newsletter, the name of which was redacted in court documents. Other packages included a preserved fetal pig, live spiders, fly larvae, a funeral wreath, a book on surviving the loss of a spouse, a box of live cockroaches, and a copy of the porn magazine Hustler: Barely Legal that was addressed to the Natick couple but sent to their neighbors’ homes.

Recently, the office of Massachusetts US Attorney Andrew Lelling announced that six former eBay employees have been charged with “aggressive” cyberstalking of the couple, including some of them coming up with an excuse to fly in to Boston in order to rent a van and drive out to Natick to conduct covert surveillance. The criminal complaint is sealed. But according to a redacted affidavit filed by FBI agent Mark Wilson, the victimized couple are the editor (she/her) and publisher (he/him) of an online newsletter that covers e-commerce companies, including eBay. Members of eBay’s executive leadership team followed the newsletter’s posts, and they were none too happy with its content, as court documents describe. Same goes for the anonymous comments left on the editor’s stories: one May 2015 comment called eBay execs a bunch of “liars” and “thugs” who should be jailed. A May 2017 comment called one of the eBay executives – identified as Executive 1 in court documents – “the devil”, and an April 2018 comment called that same executive “delusional.”

In August 2019, the newsletter published an article about litigation involving eBay. The story was about how eBay had filed suit against Amazon, saying its managers had directed dozens of workers to illegally use eBay’s private messaging system to solicit sellers onto Amazon’s platform. That, apparently, was the last straw. After the newsletter’s article about the suit was published, two members of eBay’s executive leadership team allegedly started swapping text messages suggesting that it was time to “take down” the editor. The exact wording: it’s time to “burn her to the ground.”

Baugh, 45, of San Jose, Calif., was arrested on Monday and charged with conspiracy to commit cyberstalking and conspiracy to tamper with witnesses. David Harville, 48, of New York City, eBay’s former Director of Global Resiliency, was also arrested Monday morning in New York City on the same charges. Also named in the complaint are: Stephanie Popp, 32, of San Jose, eBay’s former Senior Manager of Global Intelligence; Stephanie Stockwell, 26, of Redwood City, Calif., the former manager of eBay’s Global Intelligence Center (GIC); Veronica Zea, 26, of San Jose, a former eBay contractor who worked as an intelligence analyst in the GIC; and Brian Gilbert, 51, of San Jose, a former Senior Manager of Special Operations for eBay’s Global Security Team.

They’ve each been charged with conspiracy to commit cyberstalking and conspiracy to tamper with witnesses. As the affidavit tells it, Baugh, Harville, Popp, Gilbert, Zea, Stockwell, and others responded to the “burn her to the ground” order by executing a three-part harassment campaign.

Step 1: send her the fetal pig, et al.

According to the FBI’s confidential, anonymous witnesses, the disturbing packages were inspired by a clip from a 1988 movie, Johnny Be Good, in which two friends arranged for the delivery, to their football coach’s home, of “unwanted and distracting items and people,” including $283 in pizzas, an elephant, a male stripper, a roach exterminator in full space suit gear, and Hare Krishna missionaries, all of which arrive at the same time. Baugh’s instructions: let’s do that. He had allegedly shared a clip from the movie with some of his alleged henchmen/women. The point of the campaign was to distract the editor and make her so uncomfortable that she’d stop writing negative articles about eBay. He allegedly tasked his underlings with brainstorming more elements of the distraction campaign. Scary masks? Live insects? Porn? Check, check, check. Baugh allegedly directed Zea and other GIC analysts to erase any ties to eBay. Thus, the analysts allegedly paid for the deliveries using prepaid debit cards and made online orders using anonymous email accounts, virtual private networks (VPNs), and mobile phones and computers specifically purchased for the harassment campaign.

(By the way, if these allegations prove true, they point to the likelihood that eBay’s security and intelligence departments don’t read Naked Security. We could have told them that a VPN doesn’t magically improve security. All it really does is make your VPN provider into your new ISP – your “first hop” on the internet. That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not. You need to trust your VPN provider. A lot. They don’t always deserve that trust, though.)

Cue the Samoan heavies: if the distraction campaign didn’t work, Baugh allegedly said during a meeting, he’d send a Samoan gang to the victims’ house. He showed his colleagues a photo of what he said was the gang: a group he described as not being “good guys.” Whatever happened then would be “out of his control,” Baugh allegedly said.

Step 2: messages from fake eBay sellers

The second part of the harassment campaign was to send private Twitter messages and public tweets criticizing the newsletter’s content and threatening to visit the victims in Natick. Baugh, Gilbert, Popp and another eBay security employee allegedly planned the messages to become increasingly disturbing, culminating with doxing the victims’ home address. They allegedly set up a Twitter account named @Tui_Elei to send the messages and used a skull for the profile. Baugh allegedly told some in the group that Executive 2 supported all this, forwarding a message in which the executive complained about a commenter named Fidomaster and “the [Newsletter] gal,” suggesting that eBay should do “Whatever. It. Takes” to address them. Then, the group allegedly planned to have Gilbert – a former Santa Clara police captain – approach the victims with an offer to help stop the harassment that the defendants were allegedly, secretly causing, in an effort to promote good will towards eBay, generate more favorable coverage in the newsletter, and identify the anonymous commenters.

Step 3: covert surveillance

According to the complaint, Harville and Zea registered for a software development conference to explain a trip to Boston on 15 August, 2019. From Boston, Baugh, Harville, and Zea (and later Popp) allegedly drove to the victims’ home in Natick several times, with Harville and Baugh intending at one point to break into the victims’ garage and install a GPS tracking device on their car. In case they were stopped by local police, Baugh and Harville allegedly carried false documents purporting to show that they were investigating the victims as “Persons of Interest” who had threatened eBay executives. The victims spotted the surveillance, however, and told Natick police they were being followed. The police investigated, finding that Zea had rented one of the cars used by the defendants. The investigators reached out to eBay for assistance. Aware that the police were investigating, the defendants allegedly lied to the police about eBay’s involvement while pretending to offer the company’s assistance with the harassment, and they allegedly lied to eBay’s own lawyers about their involvement. At one point, Baugh, Gilbert, Popp, and Stockwell allegedly plotted to fabricate another eBay “Person of Interest” document that could be offered to the police as a lead on some of the harassing deliveries. As the heat closed in, with police and eBay’s lawyers continuing to investigate, the defendants allegedly deleted digital evidence that showed their involvement, further obstructing what had by then become a federal investigation.

The charges of conspiracy to commit cyberstalking and conspiracy to tamper with witnesses each carry a sentence of up to five years in prison, three years of supervised release, a fine of up to $250,000 and restitution. Maximum sentences are rarely handed out, though.

Lelling called the cyberstalking campaign a “determined, systematic effort of senior employees of a major company to destroy the lives of a couple in Natick, all because they published content company executives didn’t like.” CBS asked Lelling if further charges are in the works. One would imagine so, given that two unnamed executives are included in the complaint who had roles higher than Baugh’s. Lelling responded by saying that the investigation is “active and ongoing”. The defendants weren’t just a few bad apples, Lelling said, given how high up in the company the orders were allegedly coming from: I don’t think I would characterize the conduct as rogue, because as seen in the complaint, the directive to do something about this goes pretty high up the chain within eBay.

eBay told CBS that it was notified in August 2019 about the alleged conduct of its employees and launched a “comprehensive investigation.” It fired all of the involved employees in September 2019. An independent special committee formed by eBay’s Board of Directors said this in a statement: “eBay took these allegations very seriously from the outset. Upon learning of them, eBay moved quickly to investigate thoroughly and take appropriate action. The Company cooperated fully and extensively with law enforcement authorities throughout the process. eBay does not tolerate this kind of behavior. eBay apologizes to the affected individuals and is sorry that they were subjected to this. eBay holds its employees to high standards of conduct and ethics and will continue to take appropriate action to ensure these standards are followed.”

Former eBay CEO Devin Wenig’s role has come into question during the investigation. Wenig resigned in September 2019, citing disagreements with the company’s board as it sought to overhaul the business. eBay says that its internal investigation found that, while Wenig’s communications were “inappropriate,” the alleged crimes couldn’t be traced to him: there was no evidence that he knew in advance about or authorized the actions that were later directed toward the blogger and her husband. “However,” eBay said, as it previously announced, there were “a number of considerations leading to his departure from the company.”


Manipulation/disinformation campaigns are running rampant on social media and Twitter just took action -- again. "Disinformation" is a form of propaganda honed into an art form by Russia. These days it's powered by bots and fake or compromised accounts on social media. This week China, Russia, and Turkey were called out on the carpet by Twitter. Unless you’ve been sleeping under a rock, you probably noticed that social media platforms are rife with conspiracy theories and political bots. Disinformation campaigns are an extremely effective tool. When used by nation states they can be weaponized as a powerful propaganda tool. Propaganda experts mix just enough truth in with the falsehoods to make the propaganda sound plausible. The end goal is destabilization, confusion, and division meant to sow the seeds of mistrust among members of society -- a city divided. When this form of "societal" social engineering is practiced at a geopolitical level it advances the false narratives of an adversary.

Twitter's been steadily removing these types of accounts in waves and now another 32,242 bogus bot accounts from China, Russia and Turkey were culled. The main culprit this time around was ... China. According to Twitter, 23,750 accounts were taken down because they were “highly engaged” with users. The Chinese campaign was targeted at a Chinese-speaking audience and focused mainly on trying to shape and manipulate positive opinions about China in the ongoing fight between mainland China and Hong Kong, which is fighting to retain its local political independence. According to the Twitter blog, also taken down were Russian tweets from Current Policy, a Russian media website engaging in state-backed political propaganda within Russia. “A network of accounts related to this media operation was suspended for violations of our platform manipulation policy, specifically cross-posting and amplifying content in an inauthentic, coordinated manner for political ends. Activities included promoting the United Russia party and attacking political dissidents.” Although this was internal to Russia, it continues to use disinformation as a tool to divide political and social attitudes across the globe. Twitter also snagged 7,340 Turkish fake and compromised accounts being used to push and amplify political narratives favorable to the AK Parti supporting President Erdogan. Several compromised accounts associated with organizations critical of President Erdogan and the Turkish Government were found. “These compromised accounts have been repeated targets of account hacking and takeover efforts by the state actors identified above. The broader network was also used for commercial activities, such as cryptocurrency-related spam.”

You can train yourself to spot these false narratives. And you should be training your employees to spot social engineering attacks by the bad guys. If you want to learn more about how social media has become a propaganda playground for manipulating opinions we highly recommend that you read “Manipulated”, written by Theresa Payton, a cybersecurity expert who served in the White House of the G.W. Bush administration. "Twenty years ago the Russians had to recruit journalists to find people to disseminate something. Nowadays they just have to start a meme." — John Schindler, former NSA analyst


The need for improved access control is proven by empirical observation -- it keeps failing. But improving access control beyond passwords suffers from a fundamental contradiction: while 98% of companies believe strong authentication is necessary for secure cloud adoption, 41% believe the username/password combination is one of the most effective access management tools, and 58% allow their employees to log on to corporate resources via social media credentials. This combination -- an understanding that the status quo needs to be improved while claiming that the status quo is still good enough -- is harder to accept than it is to understand. It's all down to balancing security with convenience. Users, whether they are visiting a website to make purchases or working at a desk in the office, do not like being put through the hoops normally required by stronger authentication. This explains why companies cling to the old password-based authentication while nevertheless understanding that it is no longer good enough. The figures come from a survey conducted by Vanson Bourne and commissioned by Thales. Three hundred IT/security professionals were queried in the U.S. and Brazil for the Thales 2020 Access Management Index. Twenty-six respondents represented organizations with more than 5,000 employees, 151 with between 1,000 and 5,000 employees, 73 between 500 and 999, and 50 from organizations with between 250 and 499 employees. Ninety-five percent of respondents have implemented multi-factor authentication. This figure is difficult to reconcile with the assertion of 28% who view social media credentials as one of the best tools for protecting cloud and web-based authentication. Social media log on is well-liked by users for its convenience, but it flies against one of the fundamental requirements for all security professionals: visibility. Companies have zero visibility into how or how well their users' credentials are being protected by the social media companies. 
Nor will they necessarily know whether those credentials have been leaked or stolen. In March 2019, Brian Krebs reported that "between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees." The need for improved access control is now urgent with the expansion of business transformation, greater cloud adoption and growth in remote working. Ninety-seven percent of the respondents expect problems for their organization if every cloud application in use is not secured properly. There is, however, no general consensus emerging from this survey on how that should be achieved. Surveys, of course, should always be viewed critically because of the potential for unseen bias in the questions, and questionable interpretation of the answers. An example here is the report's statement that "Two-factor and biometric authentication stand out as the best tools for protecting cloud and web-based applications." There is no explanation of the difference between two-factor and biometrics (biometric authentication is two-factor), nor is there an explanation of which biometric is being used -- nor even a statement on whether it is physical or behavioral biometrics. On interpretation, it isn't clear how respondents' answers to questions on usage and plans can justify the phrase, 'the best tools'. The issue of behavioral biometric authentication is interesting -- it isn't mentioned once in the report. This may be because no relevant question was asked, or because nobody is using or even considering its use. It could be, of course, that behavioral biometrics is wrapped up in the terms 'password-less' and/or 'contextual', which is often considered to be the holy grail of future secure user authentication. 
There are several current initiatives (here and here) aimed at using smartphones as a form of secure user token to eliminate passwords -- but smartphone-based access control is not mentioned in the report. Similarly, the term 'password-less' has little mention. It occurs in just two of the statistics, and once in the conclusion. The conclusion states, "Organizations that utilize cloud-based access and password-less authentication to scale secure cloud adoption will be able to meet the increased need for improved security, especially at a time when access control is critical for today's remote workforce." With no discussion about what 'password-less' is or entails, there is a danger that this appears to be a preconceived opinion rather than an argument based on the survey results. Concerns aside, however, the respondents display a strong user bias towards the use or adoption of single sign-on as a method of increasing security without decreasing user convenience. Even the new smartphone password-less systems fall back on single sign-on providers to do the heavy lifting. Fifty-nine percent of the respondents said they have already "adopted Smart Single Sign-on technology" (the term 'Smart' is used to differentiate Thales' SSO from others, but it is not always clear whether this is done consistently throughout the survey report); while 86% are "planning to further expand their use of this technology in the next year." This is enough for the report to recommend, "To offer the most frictionless experience possible without sacrificing security, organizations can leverage cloud SSO combined with contextual information and step-up authentication. This allows users to access all their cloud and web applications with a single identity, while IT only needs to enforce stronger access security in high-risk situations."


Cybercriminals constantly leverage fear and confusion by launching cyberattacks during major world events. Such attacks are mostly carried out with social engineering campaigns using malicious emails that entice victims to install malware that steals financial data and other valuable personal information, or oftentimes, they will transform a user’s device into a crypto-mining robot. In light of the COVID-19 crisis, an examination was made of the VMware Carbon Black Cloud attack data to evaluate how the move to remote work affected how cyber attackers stepped up their campaigns, when certain campaigns were initiated, and which industries are by far the most commonly targeted. What distinguished this crisis from previous crises is its immediate and rapid effect on the cybercrime economy, with criminals leaving no stone unturned in their attempt to unleash Coronavirus ransomware. The following are the many scams found, along with best practices in protection, as we see an increasing surge in attempted fraud.

Account Takeover (ATO)

Account takeover is a commonly reported scheme where fraudsters use stolen credentials to gain access to customer accounts. Setting a secure and strong password is the first step when it comes to protection against cybercrime. But, knowing that children around the world are out of school during this time, fraudsters reach out directly to children, hoping to access their gaming and other online accounts. One approach involves obtaining the login name and password of a player on the pretext of “editing” their account. Instead, their new “online friend” takes over the account, immediately changes the password and runs up hundreds of dollars in charges on the registered credit card.

Phishing

There’s no scarcity of phishing scams exploiting COVID-19 fears, but among the most blatant found are phishing emails claiming to come from the World Health Organization (WHO). Preying on fear is a common phishing technique, but preying on someone’s fear of getting their identity stolen or their credit ruined is one thing. It is quite another to prey on their fear of a new, often deadly disease. In one example, the fraudster poses as a doctor promising to share details on security measures to protect against the global pandemic. If an unwitting target then clicks on the link in the email, malware gets installed that instantly starts to collect private information from the receiver’s computer in order to gain remote access to their network, or steals the user’s contacts so the scammer can send the same email to the receiver’s connections and friends.


During the COVID-19 pandemic, the financial sector has been increasingly targeted. Between February and May, the VMware Carbon Black Cloud attack data showed a 238% rise in cyberattacks against financial institutions, raising questions as to the effectiveness of current preventative measures against becoming ransomware victims. It is interesting to see how the majority of attacks have shifted to larger financial organizations, indicating that as retail organizations moved to remote business models, attacks on them may have actually dropped as attackers switched their methods. An unusual attack included one by a scammer who sent an email to bank customers urging them to contact the bank to fix a missed payment. The email included a VoIP number (as in “v” for “vishing”) to call instead of a malicious link. In the guise of aid, this scammer dropped a powerful incentive on users who may have lost their income or suffered financially from the ongoing pandemic. Although vishing attacks typically involve an unsolicited VoIP call from someone claiming to represent a bank or other entity, this newer form of attack, called reverse vishing, uses emails, web advertisements or social media posts to convince potential victims to call a fraudster-controlled phone number.


A smishing attack is a phishing attack that makes use of SMS texts instead of email messages. Fraudsters now add a coronavirus twist to this tried-and-true scam. Someone pretending to be from the tax agency reports a “goodwill reward”, supposedly part of the government’s attempt to counter COVID-19. Other popular ones popping up are part of a new fraud pattern involving loyalty points, where a text pretending to come from a rewards company entices the user with a bonus-point offer. Usually, these attempts seek to manipulate anyone who responds into offering account details as a condition for accepting the payment or points being offered.

Social Media Attacks

Not all cyberattacks are created equal. There are certain types of spyware and ransomware that – with a reasonably high-fidelity malware scanner – can be easily handled. However, the malware we are exposed to on a daily basis is not that easy to detect, as the social media attacks have proved. This method was truly well thought out by the criminals behind it. At first glance, the target would receive a message via social media that would appear like a credible message from one of the big retailers wanting to gift the receiver a shopping spree.

As with so many other examples in this article, the cybercriminal uses COVID-19 as a cover for false generosity. But what fraudsters really want from these types of social media attacks is for the user to click on their post or ad, provide their personal data, or unknowingly subscribe to costly services so the fraudsters can make some money. For these cybercriminals, the best thing their victim can do, in addition to providing their details, is to share the fake post with their friends and family so that even more victims can be deceived into providing their particulars.

Avoid Becoming a Victim

While cybercrime is more severe than most of us can imagine and includes the breaching of government agencies, hospitals, and healthcare providers, it is important to realize that the above-mentioned scams can all be avoided if we all start acting smarter online.  People typically forget that personal finance is not about how much money you make but rather about your financial strategy and planning. The same can be said about a good cybersecurity policy or strategy. It’s about the small steps we take to protect ourselves. These tips can also be used to avoid falling victim to fraud scams: 

Do not respond to calls or texts from unknown numbers or those that seem suspicious.

Never share your personal or financial details via email, text, or phone.

Be vigilant if you are forced to share details or pay immediately.

Scammers frequently spoof phone numbers in order to get you to respond. Remember, financial institutions and government agencies will never call you for personal information or money.

Do not open a suspicious link in any text message. If a friend sends you a text that seems out of character, rather call them to make sure they were not hacked.

Always verify a charity before making a donation (for example, by contacting them or browsing their actual website).


As the fight against COVID-19 unfolds worldwide, it should be clear that cybercriminals will continue to threaten vulnerable groups and organizations. Modern cybersecurity is about keeping up with the attackers and remaining vigilant. 

However, one of the only ways to do this is through detailed understanding that can only be gained through the study of big data. Without these analytics, businesses can only detect and prevent attacks using known methods and preventative actions, leaving them vulnerable to the latest, emerging attacks.



Exploit: Unauthorized Database Access

Netsential: Web Development Firm 

Risk to Small Business: 1.272 = Extreme - A security breach at this Texas-based web development company led to the exposure of hundreds of thousands of potentially sensitive files from U.S. police departments. Dubbed “BlueLeaks”, this massive data breach contained 270 gigabytes of information going back 24 years, from August 1996 through June 19, 2020. Files contained names, email addresses, phone numbers, PDF documents, images, and video, CSV, and ZIP files related to criminal investigations. Some of these files also contained sensitive financial information as well as personally identifiable information and images of suspects from law enforcement and government agency reports.

Individual Risk: 1.405 = Extreme - While there is no estimation of how many individual records were exposed, anyone who suspects that their information may have been affected should monitor their personal and financial accounts for potential fraud and beware of spear phishing attempts.

Customers Impacted: Unknown

Effect On Customers: One compromised credential can lead to a data breach with a devastating impact on any business, destroying the trust that partners have in a company’s commitment to making and maintaining secure, high-quality software, especially when it is intended to handle sensitive information.

Breach Risk Levels

1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.

Avantia Cyber Security & ID Agent to the Rescue: Dark Web ID uses human and machine intelligence to watch the Dark Web 24/7/365. We scour every corner for leaked passwords, compromised credentials, or sensitive data that could create a data breach risk for Avantia’s Customers and alert them in real time when they appear. Book a FREE demo by calling Avantia on 07 30109711


Exploit: Ransomware

SB Tech: Online Gambling Technology Provider 

Risk to Small Business: 2.302 = Severe - In an SEC filing made last week as part of a three-way merger including Diamond Eagle Acquisition Corporation (DEAC), DraftKings noted that SB Tech had been hit with a ransomware attack in March 2020 that caused an approximately one-week outage of its online sports and casino betting capability. It also caused online betting sites that used the platform to suffer service outages. As a result, DEAC renegotiated the merger to include a $30 million fund to fend off future litigation and costs associated with the attack.

Individual Risk: No individual data was reported compromised

Customers Impacted: Unknown

Effect On Customers: The results of a cyberattack aren’t just problematic immediately – they can affect future business transactions. While the attack did not stop this merger, it did add potential additional cost and could cause future partners to think twice. 


Avantia Cyber Security & Huntsman Digital Auditor to the Rescue: Helping SMEs to understand the importance of security is no easy task. With an ‘Essential8’ Digital Security Audit we offer a remote access, independent, ‘real time’ audit of our clients’ critical operational infrastructure systems to determine where the gaps are, with recommendations for remediation.

It’s the first step to real cyber security. Call Avantia’s office on 07 30109711 or visit:


Exploit: Ransomware

Agromart Group: Agricultural Services Conglomerate 

Risk to Small Business: 2.020 = Severe - As ransomware attacks ramp up around the globe, Dark Web DDoS group REvil has innovated their attack tactics to include auctioning off stolen data if victims refuse to pay the ransom. This just happened to Canadian agribusiness services company Agromart Group, which also owns Sollio Agriculture. The first 22,000 files stolen from the agricultural company entered Dark Web markets last week with the starting price of $50,000.  

Individual Risk: No individual data was reported compromised

Customers Impacted: Unknown

Effect On Customers: A data breach at a third-party partner can be just as problematic as a data breach at home for businesses. Compromised financial and identity information can hang around in Dark Web markets for a long time, creating continued risk.  


Avantia Cyber Security & ID Agent to the Rescue: Dark Web ID uses human and machine intelligence to watch the Dark Web 24/7/365. We scour every corner for leaked passwords, compromised credentials, or sensitive data that could create a data breach risk for Avantia’s Customers and alert them in real time when they appear. Book a FREE demo by calling Avantia on 07 30109711


Exploit: Credential Compromise  

Wiggle: Sporting Goods Retailer 

Risk to Small Business: 2.807 = Moderate - Online sporting goods retailer Wiggle has announced that an indeterminate number of customer accounts have been tampered with, including delivery address changes and unauthorized purchases made on customers’ stored payment cards. Complaints about unauthorized purchases have been reported since mid-May, but the UK retailer just announced the incident this week. The company has released a statement saying that a small number of accounts were affected and blaming the incident on customers reusing passwords that have been compromised elsewhere online.

Individual Risk: 2.623 = Moderate - Customers with online payment information stored in the company’s online shopping platform should suspect potential suspicious activity on those payment cards, and all customers should change their account login credentials for Wiggle’s online store.

Customers Impacted: 100+

Effect On Customers: It’s not just customers – reusing passwords is a common behavior among staffers too, and that’s a sure-fire way to open a channel to trouble. Staffers must learn the importance of password security and how to make strong, unique passwords to protect systems and data.


Avantia Cyber Security & BullPhish to the Rescue: BullPhish ID simulates phishing attacks and conducts security awareness training campaigns to educate your employees, making them the best defense against cybercrime – now with COVID-19 scam awareness kits. Call Avantia on 07 30109711 (office hours) to find out how you can get started.

THREAT FOCUS: National Health Service (NHS) - UNITED KINGDOM

Exploit: Email Compromise

National Health Service (NHS): UK National Healthcare System

Risk to Small Business: 2.671 = Moderate - 113 internal email accounts from Britain’s NHS were used to send malicious spam to targets outside the organization. The NHS confirmed last week that this misuse by bad actors occurred between May 30 and June 1, 2020. The account compromise discovery comes as part of a larger investigation by the National Cyber Security Centre (NCSC) into a widespread phishing attack campaign across many public service organizations in the UK that the NHS first reported in October 2019. 

Individual Risk: 2.892 = Moderate - All of the internal NHS accounts that were compromised and used to send out malicious emails in this incident were identified, and everyone who received a malicious email has been warned. Authorities noted that no personal information was leaked, but targets of the scheme did receive a phishing email sent from an NHS account.

Customers Impacted: 500+

Effect On Customers: Phishing campaigns are always dangerous, whether the attacks are intended to compromise 10 accounts or 1000 accounts. All staffers must be alert to phishing attempts and ready to report them quickly to administrators. 


Avantia Cyber Security & BullPhish to the Rescue: BullPhish ID simulates phishing attacks and conducts security awareness training campaigns to educate your employees, making them the best defense against cybercrime – now with COVID-19 scam awareness kits. Call Avantia on 07 30109711 (office hours) to find out how you can get started.