BlackCat and Clop gangs both claim cyber attack on Estée Lauder
Cosmetics conglomerate Estée Lauder is experiencing operational disruption in the wake of a cyber attack that seems to involve two different cyber crime gangs
Estée Lauder Companies, the organisation behind global cosmetics brands such as Aveda, Clinique, Estée Lauder, Mac and Origins, has suffered a cyber attack that appears to have been the work of two distinct groups, namely the ALPHV/BlackCat and Clop ransomware operations.
Full details of the still-unfolding incident have yet to emerge, but in a statement the organisation said it believed the incident had resulted in data exfiltration, and that it was seeking to establish the nature and scope of the affected data.
In a statement, the group said: “The Estée Lauder Companies Inc has identified a cyber security incident, which involves an unauthorised third party that has gained access to some of the company’s systems.
“After becoming aware of the incident, the company proactively took down some of its systems and promptly began an investigation with the assistance of leading third-party cyber security experts. The company is also coordinating with law enforcement.”
The organisation said it was implementing further measures to secure its operations and would take additional steps if needed. It added that it remains fully focused on remediation, including efforts to restore impacted systems, but acknowledged that the incident has caused, and will continue to cause, disruption to parts of its operations.
Meanwhile, the disclosure has attracted attention in the security community since both BlackCat and Clop have claimed responsibility.
On 18 July, Clop, the ransomware-cum-extortion operation behind the ongoing MOVEit Transfer breach, named Estée Lauder Companies on its dark web leak site, after negotiations either failed or never took place.
Other victims
At the same time, the gang named a number of other victims, according to researcher Dominic Alvieri, including American Airlines and comms regulator Ofcom, which has already disclosed it was victimised in the MOVEit incident.
It remains unknown whether Estée Lauder Companies was itself a user of Progress Software’s MOVEit Transfer file transfer tool, which Clop first attacked via a zero-day almost two months ago, or whether it was compromised, as many others have been, via a third-party supplier.
Later in the evening, BlackCat also named Estée Lauder Companies on its own leak site. No details of how it supposedly accessed the victim’s systems have been made public. Other recent victims claimed by the highly active gang include Barts NHS Trust and storage supplier Western Digital.
In screengrabs shared by Emsisoft’s Brett Callow via Twitter, a Clop representative claimed it had extracted 131GB of data from Estée Lauder Companies. Its representative posted: “The company doesn’t care about its customers, it ignored their security!!!”
A BlackCat representative wrote: “Estée Lauder, under the control of a family of billionaire heirs. Oh, what these eyes have seen. We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe their data was worth a lot more.
“And another note to the public, ELC been attacked [sic] by our colleagues at Cl0p regarding the MOVEit vulnerability attacks. We are not sure if anything came of this, but we only knew because they mentioned it in their emails.
“We have reiterated to ELC that we are not associated with them and that this is completely separate.”
MOVEit cyber attack timeline
- 31 May: Rapid7 observed exploitation of a SQL injection vulnerability in Progress Software’s managed file transfer product.
- 5 June: Microsoft said the recently disclosed zero-day flaw in Progress Software’s managed file transfer product is being exploited by threat actors connected to the Clop ransomware gang.
- 6 June: The BBC, Boots and British Airways are among the victims of cyber incidents arising from a recently disclosed vulnerability in the MOVEit file transfer product, exploitation of which is spreading fast.
- 7 June: The Clop cyber extortion and ransomware operation demands organisations pay a ransom to avoid data stolen via an exploited vulnerability in a file transfer product being leaked.
- 8 June: The Clop cyber extortion gang may have been keeping the MOVEit SQL injection vulnerability they used to penetrate the systems of multiple victims secret for two years.
- 9 June: Network equipment and services supplier Extreme Networks revealed its instance of Progress Software’s MOVEit tool was compromised in the ongoing Clop cyber attack.
- 9 June: Progress Software released a patch for a second MOVEit Transfer issue, which was uncovered by third-party security specialist Huntress Security during post-incident code scanning.
- 12 June: Communications regulator Ofcom said data on employees and regulated communications companies was stolen by the Clop gang.
- 14 June: A seven-day deadline set by Clop for victims of its latest attack to contact it and arrange payment passed.
- 14 June: Late in the day, Clop uploaded details of 12 new victims to its dark web leak site.
- 16 June: CISA director Jen Easterly said "several" US agencies had suffered intrusions via their MOVEit Transfer instances, but had not seen significant effects from the attacks.
- 11 July: Clop's data theft extortion campaign against MOVEit Transfer customers has apparently compromised hundreds of organisations. But it's unclear how many victims have paid ransoms.
- 13 July: Five weeks after the mass MOVEit breach, new vulnerabilities in the file transfer tool are coming to light as the Clop cyber crime group continues to terrorise victims. But has the gang bitten off more than it can chew?