Global direct sales cosmetics company Avon has filed two reports with the Securities and Exchange Commission in the past few days.
The reports are known as Form 8-K filings and are used to inform investors of unplanned events affecting a listed company – from a director's resignation to a failure to meet a financial obligation.
Avon's submissions fall into the so-called catch-all category of Form 8-K, which is simply labelled "Other Events". The first report, submitted on June 9, 2020, said simply:
(The company) suffered a cyber incident in its information technology environment that disrupted some systems and partially affected operations. The company is evaluating the scale of the incident and is working diligently to mitigate the impact, making every effort to normalize operations.
On June 12, 2020, Avon updated its statement by saying:
(The company) plans to restart some of the affected systems in the impacted markets over the next week, following the cyber incident reported on June 9, 2020. Avon continues its investigation to determine the extent of the incident, including potentially compromised personal information. At this time, however, it is not believed that credit card details were likely to be affected, as its primary e-commerce website does not store this information.
But what really happened and how far did the crooks get?
A Polish boutique cyber security vetting and pentesting company called Niebezpiecznik, a name that is a play on words and very loosely translates as "security evasion" (literally: "no security guard"), has indicated that the incident was a ransomware attack:
We have confirmed (unofficially, because officially there is still no contact) that it is unfortunately ransomware (DoppelPaymer).
The good news is that the criminals' website does not (yet?) have a package of data stolen from AVON. What does that mean? More in the article: https://t.co/K51iYiGktB
– Niebezpiecznik (@niebezpiecznik) June 16, 2020
QUOTED TWEET: Something bad has happened at Avon (LINK). Employees and consultants are concerned that their data has leaked. The problems may have started in mid-March.
Main text: Update. We "confirmed" (not officially because we haven't heard from an official source yet) that it is ransomware. (DoppelPaymer.) The good news is that there are no Avon data files on the criminals' website (yet) …
Perhaps you've heard the name DoppelPaymer before – along with numerous other ransomware gangs, including Maze and REvil, the crooks behind it not only encrypt your data but steal copies of it first.
This gives them two levers for squeezing money out of you: you pay not only for the decryption key (which you don't really need if you have a recent backup), but also for the crooks to keep quiet about what they did.
The danger is that if you don't pay, the crooks will publish a selection of your data where the public can find it, and then notify the relevant authorities that you have suffered a data breach.
In other words, the crooks blackmail you on the grounds that the leak, even if the stolen data isn't very secret or harmful, can damage your reputation with customers and land you with fines from regulators.
A new version of ransomware
An obvious question at this point is: "If it's ransomware, why doesn't Avon just say that?"
Well, the company has already officially and publicly announced that it has been hit. Whether the cause was ransomware or not is a side issue at this point.
As we regularly explained in Hashtag Nerd Bag, many ransomware attacks turn out to be the last chapter in a sometimes long line of malware infections, where each infection is used as a vehicle for implanting the next.
For example, when our threat response team is called in to rewind a ransomware attack and work out how it all came about, it often finds that the attack started with some type of zombie malware – usually called a bot, short for software robot – called Emotet.
As far as we can tell, the crooks behind Emotet are not interested in logging your keystrokes, stealing your files, or zapping you with ransomware.
Their "cybercrime niche", if you can call it that, is essentially a B2B service: they offer pay-per-infection access to other crooks who are interested in you and your network.
In other words, by the time a ransomware attack takes place on your network – whether or not the actual data scrambling ever happens – you may have had crooks inside your company for weeks or even months.
What happened to Avon?
So we don't yet know what happened at Avon, and to be fair, the company probably isn't sure either.
It's easy to write off words like "(we) continue to investigate to determine the extent of the incident, including potentially compromised personal information" as an excuse for not saying what really happened …
… but the truth is that, after the event, it's hard to be certain what actually happened, and we don't think any company would willingly choose "we still don't know exactly what happened" as its explanation for a cyber security incident.
What should I do?
Keep in mind that we still don't know whether ransomware was part of the Avon attack chain, but we do know that crooks somehow got into the network and that the extent of the breach is still not clear.
In other words, it's not so much about keeping ransomware away, but about keeping out threats that could ultimately lead to ransomware.
In a nutshell, we have five tips for you:
1. Protect your system portals. Don't leave RDP and other remote access tools open where they shouldn't be. The crooks will find your unprotected access points.
2. Choose the right passwords. Don't make it easy for crooks and their password guessing tools. Use 2FA wherever you can.
3. Read your system logs. Crooks who get into your network often use regular system administration tools, but in irregular ways, and your logs often give the game away. Don't wait until you hear about an attack.
4. Pay attention to warnings. Attempted attacks in which the crooks tried and failed may be the precursor to a later attack rather than an isolated event. (See point 3.)
5. Patch early, patch often. Many crooks still find their way into networks where old exploits still work. Don't be the network that could have been ahead of the crooks, but wasn't.
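The kind of log review that tip 3 describes, as an added example that is not from the article or from Sophos: it parses constructed Windows Security-style logon lines (the line format, addresses and allow-list are made up; event IDs 4624/4625 and logon type 10 for RDP carry their real meanings) and flags a password-guessing burst against one account and an RDP success from a source never seen before.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five failed RDP logons in 10 s, a success from that same
# never-seen source, then routine traffic that should not be flagged.
SAMPLE_LOG = """\
2020-06-08T22:01:05 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2020-06-08T22:01:07 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2020-06-08T22:01:09 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2020-06-08T22:01:12 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2020-06-08T22:01:15 EventID=4625 LogonType=10 User=jsmith Src=203.0.113.7
2020-06-08T22:02:40 EventID=4624 LogonType=10 User=jsmith Src=203.0.113.7
2020-06-09T08:30:00 EventID=4624 LogonType=10 User=admin Src=10.0.0.5
2020-06-09T09:00:00 EventID=4625 LogonType=2 User=mjones Src=10.0.0.9
"""
KNOWN_RDP_SOURCES = {"10.0.0.5"}  # constructed allow-list: the usual jump host

def parse_event(line):
    """Parse one 'timestamp key=value ...' line; timestamp and numbers are typed."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev.update(ts=datetime.fromisoformat(ts), EventID=int(ev["EventID"]),
              LogonType=int(ev["LogonType"]))
    return ev

def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]

def find_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """(user, src) pairs with >= threshold failed logons (4625) inside one window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            failures[(ev["User"], ev["Src"])].append(ev["ts"])
    hits = []
    for key, times in failures.items():
        times.sort()  # any `threshold` consecutive failures spanning <= window
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            hits.append(key)
    return hits

def find_new_rdp_sources(events, known=KNOWN_RDP_SOURCES):
    """Successful RDP logons (4624, type 10) from a source not on the allow-list."""
    return [(ev["User"], ev["Src"]) for ev in events if ev["EventID"] == 4624
            and ev["LogonType"] == 10 and ev["Src"] not in known]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password guessing:", find_password_guessing(evs))
    print("RDP from new source:", find_new_rdp_sources(evs))
```

In a real environment the same two checks would run over exported Security event logs rather than a string, and the allow-list would come from your own inventory of jump hosts.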
Of course, don't forget the obvious – make sure you use intrusion and malware protection, including protection against ransomware. Sophos Intercept X and XG Firewall work hand in hand to keep cybercrime away from your business. Individuals can protect themselves with Sophos Home.