

Updated: Apr 1, 2019

Legislation tabled to make Company Boards "embrace" Cyber Security.

This week, a US Senator introduces legislation to force US Companies to divulge Cyber Security expertise on Company Boards, students hack into School, Canadian alcohol gets held for ransom and data doesn’t expire on the Dark Web.*

This Week’s Dark Web Compromises:*

Top Source Hits: ID Theft Forums (99%)
Top Compromise Type: Domain (99%)
Top Industry: Medical & Healthcare
Top Employee Count: 11 - 50 Employees

This Week’s Top Targeted Industries*:

Information Technology Hits: 95 | Targets: Netflix, Google, Citrix Systems, Nokia, Microsoft

Software Hits: 76 | Targets: Google, Citrix Systems, Nokia, Microsoft, Cambridge Analytica

Finance Hits: 63 | Targets: PayPal, Equifax Inc, Western Union, JPMorgan Chase & Co., Bank of America

Media and Entertainment Hits: 36 | Targets: Netflix, Spotify, Sina Corporation, British Broadcasting Corporation, Comcast

Telecommunications Hits: 28 | Targets: Proximus Group, Nokia, Cisco Systems Inc, Comcast, Verizon

This Week’s Top Threat Actors*:

FIN7 Hits: 38 | Targets: United States, Russia, Romania, Burgerville, Saks Fifth Avenue

Hezbollah Hits: 30 | Targets: Israel, Syria, Lebanon, Iran, United States

APT28 Fancy Bear Hits: 30 | Targets: Democratic National Committee, United States, Democratic National Convention, Germany, United States Senate

Romanian Hackers Hits: 22 | Targets: Hillary Rodham Clinton, Yahoo, Washington, DC, George W. Bush, Democratic National Committee

APT32 OceanLotus Hits: 9 | Targets: Vietnam, China, Mac OS, Association of Southeast Asian Nations, Philippines

This Week’s Top Malware Exploits:*

SQLRat Hits: 46 | Targets: #squirat

LockerGoga Hits: 44 | Targets: Altran Technologies SA, Norway, Europe, Norsk Hydro, Paris

Mirai Hits: 32 | Targets: Internet of Things, Dynamic Network Services, Inc (Dyn), Deutsche Telekom, Germany, United States

NotPetya Hits: 20 | Targets: Ukraine, United Kingdom, Russia, A.P. Moller-Maersk, United States

XcodeGhost Hits: 18 | Targets: iOS, App Store, Apple, China, Apple Mac Os X


In Other News:

US Legislators come after negligent Company Directors.

A Democrat on the US House Intelligence Committee introduced a bill on Wednesday that would require publicly traded companies to disclose to investors whether any members of their board of directors have cybersecurity expertise, amid growing cyberattacks targeting U.S. companies. Rep. Jim Himes (D-Conn.) introduced the Cybersecurity Disclosure Act of 2019, a companion to a bill introduced in the upper chamber, which would direct the Securities and Exchange Commission to issue a new set of rules requiring U.S. companies to tell their investors whether they have someone with cyber expertise on their board. If they don't, they must explain to their investors why this is the case. The bill comes at a time when "cyberattacks and data breaches against U.S. companies are becoming more frequent and sophisticated," according to a press release accompanying the rollout of the bill. The press release cited a study from the Identity Theft Resource Center that found a 126 percent rise in data breaches exposing records containing personally identifiable information, with the number of exposed records rising across all industries from 197.6 million in 2017 to 446.5 million in 2018. "It's not only the shareholders of companies who are at risk," Himes said in a statement. "Americans' private and identifying information is in the hands of corporations who may not be prepared to protect it," he continued. The Cybersecurity Disclosure Act will give the public information about which companies are likely to have better protections and cyber defense strategies. "Publicly traded companies should have an obligation to let their shareholders know how they are addressing these serious threats or explain why they are not taking measures to counter attacks. Billions of dollars of American wealth are at risk, and I am tired of seeing American companies play catchup against our geopolitical rivals or lone-wolf threats," he stated. The Senate companion bill has bipartisan support, with Sens. Jack Reed (D-R.I.), Mark Warner (D-Va.), Susan Collins (R-Maine) and John Kennedy (R-La.) supporting the bill.

The Norsk Hydro cyber attack is about money, not war

At about midnight last Monday one of the world’s largest aluminium producers – with smelting plants, factories and offices in 40 countries – noticed irregularities in its systems. Hours later, Norway-based Norsk Hydro confirmed it was suffering production stoppages in Europe and the US as it battled a major ransomware attack, forcing the company to switch to manual operations while it attempted to contain the issue. By Wednesday afternoon, relative calm had settled as the company continued the painstaking task of bringing some of its systems back online. Cybersecurity experts have been watching developments closely, not least because of the type of business that was targeted. “Initially it looked really bad because of the industry these guys are in,” says Mikko Hypponen, the chief research officer at the Finnish cyber security firm F-Secure. Had disruption hit aluminium production, he adds, the metal could have solidified, causing operations to grind to a halt. Norsk Hydro has said its bauxite and alumina production was running as normal despite the disruption from the ransomware attack. Other parts of its business, though, such as primary metal and rolled products, have been subjected to stoppages and a “limited operational impact” at a number of undisclosed plants, after its entire worldwide network went down. It has been widely speculated – although not confirmed by Norsk Hydro – that the ransomware used in the highly targeted attack was a relatively new and difficult-to-detect strain, dubbed LockerGoga, which criminals use to quickly encrypt computer files before demanding payment to unlock them. The ransomware is different to previous industrial cyberattacks such as WannaCry and Petya, because the criminals are targeting company networks and synchronising encryption across their geographical regions. There is no replication mechanism; this is not a worm, it is a targeted attack by criminals. The motivation appears to be straightforward. There is no way to connect the dots to make this look like a governmental attack at all; it’s criminal, it’s about money. The malware, researchers say, was also used in an attack on the French engineering consultancy firm Altran Technologies earlier this year. Ransomware attacks are big business and happen all the time. Previously they were mostly aimed at individuals, but it now makes sense for criminal gangs to go after bigger fish. The attack shows how simply attacking a Windows infrastructure – which is pretty simple to do, and lots of people have the skills to do it – can cause a lot of disruption. It’s not going to cost lives, it’s not going to crash aircraft, and things can keep operating to some degree as normal, but it’s slower, costs money and takes time to resolve.

Spam direct mail over Office Printers distributed to 600,000 devices

Spam has been with us since the very first days of email, but a Russian marketing agency recently took things a stage further by sending good old-fashioned paper-based junk mail over the internet. The company claims to have advertised a graphic design course for its client Skillbox using a software bot that searched for printers exposed online. It printed a one-page promotion on every device it found, directing readers to a website boasting about its exploits. The website for the company's marketing campaign explains that "by 2024" it is "94% likely" that bots will replace accountants, auditors, and financial analysts by the million. Consequently, it says, accountants (or anyone else worried about being replaced by AI) should learn graphic design instead. The stats come from a five-year-old Oxford Martin School report. What's more interesting is another statistic: 600,000. That’s how many printers the marketing agency claims to have clogged up with advertising, according to this report from Graham Cluley. It wouldn't be the first time that someone had spammed printers online. In December last year, a hacker calling himself TheHackerGiraffe spammed 50,000 printers promoting popular YouTube celebrity PewDiePie. Other incidents have been much darker. Nazi nerd Andrew Auernheimer, a.k.a. Weev, sent white supremacist messages to every printer in North America that he could find; rather than using Shodan, he used Masscan, a mass IP port scanner.

US Dept Homeland Security Warns of Vulnerabilities in Implantable Medical Devices

The US Federal Government on Thursday warned of a serious flaw in Medtronic cardiac defibrillators that allows attackers to use radio communications to surreptitiously take full control of the lifesaving devices after they are implanted in a patient. Defibrillators are small, surgically implanted devices that deliver electrical shocks to treat potentially fatal irregular heart rhythms. In recent decades, doctors have increasingly used radios to monitor and adjust the devices once they're implanted rather than using older, costlier, and more invasive means. An array of implanted cardiac defibrillators made by Medtronic rely on two types of radio-based consoles for initial setup, periodic maintenance, and regular monitoring. Doctors use the company's software in clinics, while patients use the software at home to regularly ensure the defibrillators are working properly. The problems: no encryption, no authentication, and a raft of other flaws. Researchers from security firm Clever Security discovered that the Conexus Radio Frequency Telemetry Protocol (Medtronic's proprietary means for the monitors to wirelessly connect to implanted devices) provides no encryption to secure communications. That makes it possible for attackers within radio range to eavesdrop on the communications. Even worse, the protocol has no means of authentication for legitimate devices to prove they are authorized to take control of the implanted devices. That lack of authentication, combined with a raft of other vulnerabilities, makes it possible for attackers within radio range to completely rewrite the defibrillator firmware, which is rarely seen in exploits that affect medical device vulnerabilities. The researchers privately notified Medtronic of the critical vulnerability in January 2018. On Thursday, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an advisory that for the first time publicly disclosed the vulnerability: "Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data... The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device." A proof-of-concept attack developed by the researchers was able to take control of the implanted devices in a manner previously unseen in most exploits affecting lifesaving medical devices. With physical access to either a MyCareLink or CareLink console, the researchers could make modifications that would pull patient names, physician names, and relevant phone numbers out of the device and make unauthorized and potentially fatal changes to the shocks the devices delivered. Even more stunning, the attack was able to read and rewrite all the firmware used to operate the implant. In an email, Medtronic representative Ryan Mathre wrote, in part: Even in the unlikely scenario that an unauthorized user may be able to access the wireless technology, that access does not equate to the ability to control or manipulate the settings of an implanted heart device. An unauthorized user would need comprehensive and specialized knowledge of medical devices, wireless telemetry, and electrophysiology to fully exploit these vulnerabilities in order to harm a specific patient. An unauthorized user would need to have a specific malicious intent, and would need to have specific knowledge of:

What device model is implanted in the patient
What changes to the device would cause a patient harm
What settings would need to be changed to alter the device function for that patient
What telemetry command(s) are needed to implement that change
When the patient's telemetry is active and susceptible to the unauthorized programming attempt

Medtronic is developing a series of software updates to better secure the wireless communication affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approvals.

British Police Federation cops to ransomware attack on HQ systems

The Police Federation of England and Wales (PFEW), a sort-of trade union for police workers, has been battling to contain a ransomware strike on the group's computer systems, it confessed this afternoon. In a statement posted on Twitter, PFEW said it first noticed the attack infecting its systems on Saturday 9 March, "with cyber experts rapidly reacting to isolate the malware to stop it spreading to branches". It informed the ICO and the NCSC two days after the infection. It added that the attack "was not targeted specifically at PFEW and was more likely to have been part of a wider campaign", saying that so far it reckons the malware had only affected the organisation's Surrey HQ. It does not believe any data was extracted from its systems, reinforcing the notion that the incident could be down to run-of-the-mill ransomware. "There is no evidence at this stage that any data was extracted from the organisation's systems, although this cannot be discounted and PFEW are taking precautions to notify individuals who may potentially be affected," said the association, which includes 120,000 constables, sergeants, inspectors and chief inspectors across 43 territorial forces. The PFEW added in an FAQ: "A number of databases and systems were affected. Back up data has been deleted and data has been encrypted and became inaccessible. Email services were disabled and files were inaccessible." The federation tweeted: "As a precaution we are contacting individuals who are potentially affected, including our members, and will be providing them with further helpful information, including as to how they can make enquiries." Police workers reacted negatively to the news, with one posting on Twitter: "Why has it taken over 11 days to inform your members?" The customary apologies were included in the statement, as was the insistence that PFEW took data security "very seriously" and had acted as soon as it was alerted to the malware. BAE Systems' Cyber Incident Response Division is the federation's infosec firm. Perhaps unsurprisingly, police triggered a criminal investigation, having also involved GCHQ offshoot the National Cyber Security Centre and the National Crime Agency. The federation carries out most of the functions of a trade union, inasmuch as it gives out advice to its members and engages with police managers on their behalf. However, there is one key difference: police constables are banned by law from going on strike.


THREAT FOCUS: Christchurch Cyber Scams – NEW ZEALAND

Exploit: Phishing, malware, fraudulent websites
Christchurch: Largest city on the South Island of New Zealand, which recently suffered a mass shooting.

Risk to Small Business: 2.222 = Severe: Government agency CERT NZ warned citizens of opportunistic scams seeking to exploit the recent Christchurch tragedy. These cyber-attacks have taken the form of phishing emails soliciting fake donations, malware-embedded videos, and fraudulent websites. Companies that offer work-from-home policies to employees and operate on unsecured networks should beware of resulting compromises.

Individual Risk: 2.428 = Moderate: Individuals can avoid putting themselves at risk by simply exercising basic cybersecurity awareness. However, giving payment information on the wrong website or clicking the wrong video can result in fraud and malware that is difficult to trace.

Customers Impacted: Unknown

Effect On Customers: Businesses that allow employees to use devices outside of secure networks should make cybersecurity training mandatory. Without proper internal and external controls in place, the chances of being breached increase exponentially.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

THREAT FOCUS: Sizmek Advertising – USA

Exploit: User account takeover
Sizmek: American online advertising platform based in Austin

Risk to Small Business: 2.111 = Severe: Security researcher Brian Krebs caught hackers auctioning access to a Sizmek user account on the Dark Web, specifically on a Russian-language cybercrime forum. The bidding began at $800 per account. With account access in hand, threat actors are capable of infecting ongoing ad campaigns or siphoning profits from ads in the system. After investigating, Sizmek believes that the account in question was simply a regular user account, without higher-level administrator access. Nevertheless, the platform will be forced to upgrade security and deal with a PR nightmare to retain customers and continue to do business.

Individual Risk: 2.714 = Severe: Given that the company connects over 20,000 advertisers with 3,600 agencies across 70 countries, such a compromise could have displaced advertising revenue from clients and passed undetected for quite some time. This type of attack poses high risk for Sizmek clients and their end-users, who have the most to lose in the event of a breach.

Customers Impacted: To be determined.

Effect on Customers: In an ecosystem of evolving B2B2C business models, companies that provide services for business users must acknowledge the possibility and gravity of a cyber-attack. As evidenced by this event, cybercriminals are peddling on the Dark Web access to attack vectors that have the potential to cripple businesses. Partnering with an MSP who can proactively monitor and navigate the inner workings of the Dark Web is crucial to securing small business customers and end users.

THREAT FOCUS: Delaware Guidance Services – USA

Exploit: Ransomware attack
Delaware Guidance Services: Non-profit that offers mental health services for children, youth and families

Risk to Small Business: 1.666 = Severe: The Delaware-based organization issued letters to 50,000 patients notifying them of a ransomware attack that took place on December 25, 2018. After records were locked by hackers, DGS ended up paying a ransom in exchange for a decryption key to regain access. Although their investigation concluded that no data was compromised, they are offering free credit monitoring and reporting services for one year to those affected.

Individual Risk: 2.428 = Severe: Personal details including names, addresses, DOBs, SSNs, and medical information were impacted. All members have been advised to review financial and credit reports for any suspicious activity.

Customers Impacted: 50,000 patients

Effect On Customers: The threat of ransomware is increasing at alarming rates, and small businesses must begin to consider the potential impact of an attack on their systems. In the event of a breach, management is forced to decide whether to pay the ransom or risk losing access to customer records forever.

THREAT FOCUS: Orchard View School District - USA

Exploit: Internal data breach
Orchard View School District: A high school district in Muskegon Township, Michigan

Risk to Small Business: 2.223 = Severe: Students allegedly hacked the school’s information system, PowerSchool, and altered grades and attendance records. The school has notified the parents of the students who may be responsible and is investigating the incident. However, what data was modified and how access.

Individual Risk: 2.857 = Moderate Risk: Depending on whether a ledger of the previous data was stored or removed, other students could be at risk of having their grades modified. Regardless, the possibility of losing such data can be upsetting for students, to say the least.

Customers Impacted: To be determined

Effect On Customers: Organizations that store important information must remain vigilant for cyber-attacks, especially originating from within. To protect valuable data from getting in the hands of the wrong people, internal systems must be “fool-proofed” by partnering with the right security provider.


THREAT FOCUS: Container World – CANADA

Exploit: Ransomware attack
Container World: One of the largest supply chain companies for beverages in British Columbia.

Risk to Small Business: 2.111 = Severe: Cybercriminals were able to breach business systems at the logistics company, demanding a ransom to restore access. In response, Container World chose not to pay the ransom and acted to protect its systems by shutting down the affected systems. All systems were taken offline for over a week as engineers scrambled to rebuild the IT infrastructure from the ground up. Aside from the hefty costs associated with interruptions to business processes and time spent rebuilding systems, the company may have to answer to disgruntled business customers.

Individual Risk: 3.0 = Moderate Risk: Although no financial information of customers was accessed, private liquor stores, bars, and restaurants suffered a major disruption to business. For a small family chain, such an incident could be crippling.

Customers Impacted: Undisclosed

Effect On Customers: Understanding the widespread impact that breaches can have in the B2B world is crucial to valuing cybersecurity. A weeklong halt in distribution can create a ripple effect that not only affects current sales, but also future customer loyalty. In a world of increasing options, corporate customers will begin to diversify and move their valuable business elsewhere when they can no longer have faith in their supplier.



THREAT FOCUS: FILA – UNITED KINGDOM

Exploit: Card-stealing JavaScript malware
FILA Brand: UK branch of the sportswear brand

Risk to Small Business: 2.0 = Severe: Russian security vendor Group-IB discovered that malware dubbed GMO had been installed on the clothing brand’s website for at least the past 4 months. The attacker responsible was able to secretly collect card data entered by customers through the company’s server, researchers reported. However, the company was unable to remove the card-stealing code from its site until very recently. Along with the threat of fines and lawsuits, the business will certainly face customer churn.

Individual Risk: 2.428 = Severe: Anyone who ordered from the website should be contacting their bank and checking their statements. Since the company has yet to issue a statement, it could be months before customers are notified and able to act, potentially putting them at severe risk.

Customers Impacted: An estimated 5,600 cardholders

Effect On Customers: As the world of e-commerce grows increasingly competitive, especially in the lens of the apparel industry, businesses should know that such a breach can produce catastrophic consequences. Keeping online shoppers on your website is hard enough as-is, and companies must avoid breaches at all costs to retain trust. In order to do so, it becomes a simple matter of enlisting the help of an IT security provider.


THREAT FOCUS: Sir John Colfox Academy – United Kingdom

Exploit: Employee phishing breach
Sir John Colfox Academy: Secondary school in Bridport, England

Risk to Small Business: 2.111 = Severe: Hackers were able to infect the academy’s computer network after a staff member opened a phishing email that appeared to be from a colleague. Coursework saved in the school’s system was lost, which means that the school will have to determine how to rectify the situation for students and their families. Such an attack can certainly affect future enrollment, as parents may think twice before sending their kids back to the same school that lost valuable academic information.

Individual Risk: 2.857 = Moderate: The school announced that it does not store the personal data of staff, students, or parents. Nevertheless, it is still possible that hackers will be able to leverage the information obtained.

Customers Impacted: To be disclosed

Effect On Customers: Hackers have identified company workforce as the path of least resistance when it comes to executing damaging cyber-attacks. In order to prevent further exploits, companies must invest in security solutions that can guard against phishing exploits to protect employees and customers.




The worst business hacks of all time

If we were to record a time-lapse of data breaches across the world, the result from the last few decades would be quite stunning. All stolen data is not created equal, since records can range from names to fingerprint records, and are sometimes encrypted well. Nevertheless, when SSNs, credit card numbers, or other financial information is involved, customers become increasingly vulnerable to identity theft.

Simultaneously, organizations that are breached must deal with enhanced regulatory scrutiny, customer churn, and settlement fines in the immediate future. But the long-term consequences are even greater. Small businesses that are responsible for compromising the data of their patrons face the threat of diminishing loyalty and ultimate disinterest. As a result, the ROI of cybersecurity investment should be measured in hundreds of thousands.

Why data never expires on the Dark Web

In the ongoing slew of mega data breaches, it’s likely that our personal information has been breached and is being auctioned off on the Dark Web. Hackers are not only scooping up more personally identifiable information (PII) than ever before, but also additional information that can be leveraged to conduct damaging fraud. At the same time, we are falling prey to the phenomenon of “data breach fatigue.” Indoctrinated with daily news of compromises, we’re beginning to ignore the possibility of future cyber-attacks. Simply changing a few passwords is not enough. When a hacker gets his hands on persistent records such as a customer name, Social Security Number (SSN) / Tax File Number (TFN), or permanent address, those records almost never expire. The only way to survive in this new reality is by protecting employees and customers from identity theft. How can this be accomplished? By investing in identity theft solutions that can detect compromises proactively by monitoring the Dark Web for an organization’s employee and customer data.


Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content's accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.
