Global direct-sales cosmetics company Avon has filed two reports with the US Securities and Exchange Commission in the past few days.
The reports are known as Form 8-K filings, used to advise investors about unplanned issues affecting a listed company – all the way from the resignation of a director to failing to meet a financial obligation.
Avon’s filings fall into what you might call Form 8-K’s catchall category, known simply as Other Events, and the first report, submitted on 09 July 2020, said simply:
[The Company] suffered a cyber incident in its Information Technology environment which has interrupted some systems and partially affected operations. The Company is evaluating the extent of the incident and working diligently to mitigate the effects, applying all efforts to normalize operations.
On 12 June 2020 Avon updated its situation by saying:
[The Company], after suffering the cyber incident communicated on June 9, 2020, is planning to restart some of its affected systems in the impacted markets throughout the course of next week. Avon is continuing the investigation to determine the extent of the incident, including potential compromised personal data. Nevertheless, at this point it does not anticipate that credit card details were likely affected, as its main ecommerce website does not store that information.
But what really happened, and just how far did the crooks get?
A boutique Polish cybersecurity audit and pentesting company called Niebezpiecznik, which is a play on words that very loosely translates as “security bypass” (literally, no safety fuse), has suggested it was down to ransomware:
Nowe informacje:
Potwierdziliśmy (nieoficjalnie, bo oficjalnie wciąż brak kontaktu) że to jest niestety ransomware (DoppelPaymer)
Dobra wiadomość jest taka, że na stronie przestępców nie ma (jeszcze?) paczki z wykradzionymi firmie AVON danymi. Co to oznacza? O tym w artykule: https://t.co/K51iYiGktB
— Niebezpiecznik (@niebezpiecznik) June 16, 2020
QUOTED TWEET: Something bad happened at Avon [LINK] Staff and consultants are worried that their data was leaked. The issues may have started in mid-March.
MAIN TEXT: Update. We’ve “confirmed” (not officially because we haven’t yet heard back from an official source) it’s ransomware. (DoppelPaymer.) The good news is that there aren’t any Avon data files on the criminals’ website (yet)…
You may have heard the name DoppelPaymer before – along with numerous other ransomware gangs including Maze and Revil, the crooks behind this one don’t just scramble your data, they steal copies of it first.
That gives them a double reason to hit you up for money: you’re not only paying for the decryption key (which you don’t actually need if you have a recent backup), but also for the crooks to keep silent about what they did.
The threat is that if you don’t pay up, the crooks will publish a choice selection of your data where the public can find it, and then alert the relevant authorities that you’ve suffered a data breach.
In other words, the crooks are blackmailing you on the basis that even if the stolen data isn’t super-secret or damaging in its own right, the leak itself nevertheless has the potential to harm your reputation with customers and cost you fines from the authorities.
A new take on ransomware
One obvious question at this point is, “If it was a ransomware, why doesn’t Avon just say so?”
Well, the company has already formally and officially disclosed that it got breached, so the details of whether this was down to ransomware or not is something of a side-issue at this point.
In fact, as we’ve regularly explained in Naked Security, many ransomware attacks turn out to be the final chapter in a sometimes lengthy series of malware infections, where each infection is used as the vehicle to implant the next.
For example, our threat response team, when called in to try to rewind a ransomware attack to figure out how it all came about, often find that the attack started with a strain of zombie malware – what’s usually called a bot, short for software robot – called Emotet.
As far as we can tell, the crooks behind Emotet aren’t themselves interested in logging your keystrokes, stealing your files or zapping you with ransomware.
Their “cybercrime niche”, if you can call it that, is essentially a B2B service where they offer pay-per-infection services to other crooks who are interested in going after you and your network.
In other words, even if a ransomware attack happens on your network – whether or not the actual data scrambling takes place or not – you might already have had crooks wandering around inside your business for weeks or even months.
What happened to Avon?
So, we don’t yet know what happened to Avon, and to be fair, the company itself probably isn’t sure either.
It’s easy to write off words such as “[we are] continuing the investigation to determine the extent of the incident, including potential compromised personal data” as an excuse not to open up about what really happened…
…but, in truth, it’s hard to be certain what happened after the fact, and we don’t think that any company would willingly choose “we still don’t quite know what happened” as an excuse for a cybersecurity incident.
What to do?
Remember that we still don’t know if there was any ransomware in the attack chain experienced by Avon, but we do know that crooks got into the network somehow, and that the extent of the breach still isn’t clear.
In other words, this isn’t so much about keeping ransomware out but about keeping out any threats that might ultimately lead to ransomware.
In quick form, we have five tips for you:
- Protect your system portals. Don’t leave RDP and other tools open where they aren’t supposed to be. The crooks will find your unprotected access points.
- Pick proper passwords. Don’t make it easy for crooks and their password guessing tools. Use 2FA wherever you can.
- Peruse your system logs. Crooks who permeate your entire network often use regular sysadmin tools but in irregular ways, and your logs will often give the game away. Don’t wait until after you know about an attack to go looking.
- Pay attention to warnings. Attack attempts where the crooks tried and failed could be reconnaissance for a future attack rather than an attack in their own right. (See point 3.)
- Patch early, patch often. Many crooks are still finding their ways into networks where old exploits still work. Don’t be the network where you could have been ahead of the crooks but weren’t.
Of course, don’t forget the obvious – make sure you are using protection against intrusions and malware, including ransomware. Sophos Intercept X and XG Firewall are designed to work hand in hand to keep cybercrimals out of your business. Individuals can protect themselves with Sophos Home.
