Breach, Threat Management, Data Security, Malware, Network Security, Ransomware

Avon attackers may have exploited unprotected web server

An openly accessible web server has emerged as a possible attack vector used by cybercriminals in a reported ransomware incident that affected personal care and beauty marketer Avon Products last June.

Researchers from Safety Detectives today announced its discovery of a U.S.-based Avon.com server that was not defended by a password, leaving it accessible to anyone who knew or could ascertain the server’s IP address.

This revelation follows a curious cyber incident last month that Avon disclosed to the Securities and Exchange Commission in an 8-K filing on June 9. In that document, Avon said it "suffered a cyber incident in its Information Technology environment which has interrupted some systems and partially affected operations." ZDNet would later identify the event as a DopplePaymer ransomware attack, citing a source.

The Safety Detectives research team, led by Anurag Sen, has not confirmed that the attackers behind the alleged ransomware incident leveraged the openly configured web server, but the theory is a viable one. Certainly the timelines appear to match up: the vulnerability first materialized on June 3 and was discovered on June 12, just days after the reported cyber incident happened.

DoppelPaymer has previously targeted vulnerable servers to propagate ransomware," said Kacey Clark, threat researcher at Digital Shadows. "A publicly exposed and unsecured web server gives adversaries easy access to sensitive data, which can be leveraged in ransomware attacks. While currently unconfirmed, it is certainly possible that DoppelPaymer used the vulnerable server to gain access to customer details and internal network data."

"Attackers often take the path of least resistance to carry out their attacks. To mitigate potential risks, organizations should hide their server information, remove or turn off unnecessary services, set up unique and robust passwords, encrypt traffic and regularly patch vulnerable software.”

“This attack shows how important it is for organizations to ensure that every server and endpoint is properly monitored and secured," said Hank Schless, senior manager, security solutions at Lookout. "From back-end infrastructure to end-user mobile devices, every point of access to your corporate infrastructure represents a potential vulnerability in your overall security posture."

Notably, the 7GB worth of exposed data on the servers constituted "all production server information," said a Safety Detectives blog post. This includes multiple internal logs, including roughly 665,000 technical log entries containing security token values and APIs.

Overall, the researchers counted more than 40,000 exposed security tokens -- among them both sign-in and refresh OAuth tokens that authorize applications to make API requests on behalf of users and access their data.If attackers got their hands on the tokens, they would seemingly have been able to access user accounts, the blog post explains.

Other logs contained SMS verification PIN codes, technical information about the server and administrator user emails. Altogether, the researchers found more than 19 million exposed documents, some of which also featured full names, phone numbers, birth dates, email addresses, physical addresses, GPS coordinates, last payment amounts, account settings and suspected company employee names.

If the attackers accessed the internal logs, they could have "harness[ed] the server to mine cryptocurrency, plant malware or conduct ransomware attacks upon the server owners," the report states. "Given the type and amount of sensitive information made available, hackers would be able to establish full server control and conduct severely damaging actions that permanently damage the Avon brand -- namely, ransomware attacks..."

Moreover, exposed user information could be used for the purposes of identity fraud and phishing scams.

"What’s interesting about this breach is that the targeted server contains API logs for both the web and mobile sites," said Schless. "In addition, the attackers [perhaps] were able to gain access to SMS login verification tokens. We’re seeing an increase in attacks like this that target both desktop and mobile because the attackers know that mobile devices offer a valuable and unique opportunity to catch the target off-guard. We’re trained to react quickly to notifications on our mobile devices, so attackers leverage that reactionary tendency to slip things by and oftentimes succeed if the device doesn’t have proper mobile security on it."

"Since we often use tablets and smartphones as the second form of authentication in a multi-factor authentication scenario, it’s particularly dangerous to an organization’s infrastructure when an attack like this can find its way from the servers to the mobile device," Schless continued. "Mobile phishing is one of the most common ways for bad actors to gain access to login credentials, which they could then use to access an employee’s account."

Safety Detectives said that Avon was reportedly alerted to the misconfiguration, which has since been resolved. SC Media has contacted Avon Products for comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.