At a glance.
- Avon investigates cyber incident, "potential compromised personal data."
- North Korean services phishing in LinkedIn.
- CISA warns of Ripple20 IoT vulnerabilities.
Avon discloses a cyber incident to the SEC.
Cosmetics giant Avon Products, Inc. notified the US Securities and Exchange Commission last week that it had "suffered a cyber incident in its Information Technology environment which has interrupted some systems and partially affected operations." A follow-on 8-K filing added, "Avon is continuing the investigation to determine the extent of the incident, including potential compromised personal data. Nevertheless, at this point it does not anticipate that credit card details were likely affected, as its main ecommerce website does not store that information." ZDNet, which was unable to reach Avon for comment, says that some sources believe the incident was a DoppelPaymer ransomware attack, but that this remains unconfirmed.
Phishing in LinkedIn aims at both intelligence and business email compromise.
The security company ESET describes a North Korean campaign of targeted attacks against European defense and aerospace companies. ESET calls it "Operation In(ter)ception," and it has two purposes: espionage and financially motivated business email compromise. Pyongyang's operators start on LinkedIn, proffering bogus job offers to employees of selected companies. They seek to develop those contacts into sources of information; in some cases they also work to compromise the targets' email accounts and use them to send fraudulent fund-transfer requests that the victim organizations are induced to act on. This is consistent both with North Korea's intelligence requirements and its chronic need for cash.
The bogus job offers are of course intended to induce the targets to engage with the attackers, providing them with personal and professional information that might otherwise be difficult to come by.
Ripple20 is a widespread set of vulnerabilities.
The Israeli security firm JSOF reports the discovery of nineteen zero-days, collectively called "Ripple20," that afflict the Internet-of-things software supply chain. They're flaws in software that handles the TCP/IP protocol suite, and the low-level TCP/IP library that contains them has been in circulation since the late 1990s. Treck, the company that developed the code in question, has fixed its products, but as WIRED observes, that library sits at the beginning of a long and complicated supply chain through which vulnerabilities propagate in difficult-to-control ways.
The research team says that "Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries."
The US Cybersecurity and Infrastructure Security Agency, CISA, looked at the bugs and rated six of them as scoring between seven and ten on the CVSS scale, where ten is the most severe. CISA recommended that users take steps to minimize the risk of exploitation, including placing vulnerable devices behind firewalls and removing connections to the public Internet:
- "Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- "Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- "When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- "Use an internal DNS server that performs DNS-over-HTTPS for lookups."
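As an added illustration of the first three recommendations, and not code from CISA, JSOF or the original article: a small Python model of a first-match packet filter, with a constructed ruleset that leaves a control-system segment reachable from the Internet and from the business LAN beside one that admits only a VPN jump host on the single port it needs. The address plan, rule format, host roles and probe addresses are assumptions invented for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address plan, invented for this illustration (RFC 1918 / TEST-NET space).
ICS_NET = ipaddress.ip_network("10.20.0.0/24")        # control-system devices
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")   # corporate LAN
VPN_JUMP_HOST = ipaddress.ip_network("10.30.0.5/32")  # the only sanctioned remote path
ANY = ipaddress.ip_network("0.0.0.0/0")
MODBUS_TCP = 502  # a common control-system service port


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None matches any destination port


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation with an implicit final drop, the way most
    packet filters behave."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "drop"


# Weak ruleset: a blanket "vendor remote support" hole reaches the ICS segment
# from anywhere, and the business LAN is not separated from it at all.
WEAK_RULES = [
    Rule("accept", ANY, ICS_NET, MODBUS_TCP),
    Rule("accept", BUSINESS_NET, ICS_NET),
]

# Hardened ruleset following the advisory: only the VPN jump host may reach
# the ICS segment, and only on the one port it needs; business traffic is
# dropped explicitly ahead of the default drop.
HARDENED_RULES = [
    Rule("accept", VPN_JUMP_HOST, ICS_NET, MODBUS_TCP),
    Rule("drop", BUSINESS_NET, ICS_NET),
    Rule("drop", ANY, ICS_NET),
]

# Constructed probe sources: an Internet address (TEST-NET-3), a business
# workstation, and the jump host itself.
PROBES = [
    ("internet", "203.0.113.7"),
    ("business", "10.10.4.20"),
    ("vpn-jump", "10.30.0.5"),
]
ICS_SAMPLE_HOST = "10.20.0.50"  # one assumed device inside the ICS segment


def audit(rules: List[Rule]) -> List[Tuple[str, int]]:
    """Return (source label, port) pairs that reach the ICS segment from
    anywhere other than the sanctioned jump host. An empty list means the
    segmentation advice holds for the probed ports."""
    findings = []
    for label, src in PROBES:
        if label == "vpn-jump":
            continue
        for port in (MODBUS_TCP, 22, 443):
            if evaluate(rules, src, ICS_SAMPLE_HOST, port) == "accept":
                findings.append((label, port))
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_RULES))          # flags internet on 502 and business on all three ports
    print("hardened:", audit(HARDENED_RULES))  # []
```

The model is deliberately minimal (no stateful tracking, no interface or direction), but the point it makes is the one the advisory makes: the check is not whether a firewall exists between the segments, but whether any path from outside the sanctioned remote-access host still matches an accept rule. Running the same probes against the real ruleset export is the practical version of this audit.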
Such mitigations may be easier recommended than accomplished. JSOF began quietly disclosing the vulnerabilities to vendors back in February, and many of them have already patched. But IoT devices are notoriously easy to overlook, and in any case a lot of the buggy code may still be undetected.