21 July 2023

6 min read

Estee Lauder and Tomra take action during extensive cyber attacks | Cyber Intelligence Briefing: 21 July

July 2023
Estee Lauder and Tomra take action during extensive cyber attacks | Cyber Intelligence Briefing: 21 July placeholder thumbnail


Top news stories this week

  1. Active defence. Estee Lauder and Tomra take systems offline in response to cyber attacks.
  2. Declassified. Thousands of users exposed in VirusTotal data leak including intelligence agency staff.
  3. Cloud security. Documents of FIA World Endurance Championship drivers found in exposed container as Microsoft increases logging visibility.
  4. Impostor syndrome. New ransomware strain impersonates cyber security firm Sophos.
  5. Behind bars. Rogue IT employee who impersonated ransomware gang gets three-year sentence.
  6. Costume change. NoEscape ransomware appears to be a rebrand of Avaddon.
  7. Word up. Criminals exploit bug in WooCommerce to hijack WordPress websites. 


1. Estee Lauder and Tomra take action during extensive cyber attacks

Ransomware groups Cl0p and BlackCat/ALPHV both claim to have successfully stolen data from Estee Lauder in separate incidents. The cosmetics giant confirmed it had suffered an attack, and said it had taken down some of its systems in response.

Separately, Norwegian recycler Tomra has disconnected systems to contain a major cyber attack. The disruption appears to be operational with no indication of data theft.

So what?

Containment and eradication actions are crucial for limiting business impact during an attack. These containment and eradication procedures should be clearly defined in an incident response plan.



2. VirusTotal inadvertently leaks details of 5,600 customers

VirusTotal, Google's malware scanning repository, uploaded a list of names and email addresses of thousands of its users worldwide. Affected customers include private sector intelligence firms and individuals affiliated with national security and defence agencies. Google removed the leaked list within an hour of its posting, and is now evaluating their internal processes and technical controls.

So what?

Anything uploaded to VirusTotal is publicly visible, which puts data security at risk. Avoid automated uploads to the platform and ensure attachments have any sensitive data removed prior to uploading.



3. Cloud security: sensitive documents of WEC drivers exposed as Microsoft increases logging visibility

Researchers have discovered exposed cloud storage buckets containing over 1.1 million files belonging to the FIA World Endurance Championship (FIA WEC). The cloud storage contained passports and driver licences belonging to FIA WEC drivers.

Separately, following the recent cloud-based Outlook breach, Microsoft has made Purview Audit logs available to all customers for free. The advanced logging feature, which was previously only available to premium customers, assisted in detecting the latest breach.

So what?

If your organisation makes use of cloud services, carefully review the settings and enable the appropriate logging functionality.



4. New ransomware strain impersonating cyber security firm Sophos

The cyber security firm Sophos is being impersonated by a new ransomware strain called SophosEncrypt, which appends '.sophos' to encrypted files and displays a wallpaper with the Sophos brand. Sophos is investigating the source of the ransomware.

So what?

Organisations should stay vigilant against innovative attack methods employed by threat actors, such as posing as cyber security vendors.


5. IT employee jailed for impersonating ransomware gang to extort employer

A former IT security analyst from the UK has been given a three-year prison sentence for impersonating the ransomware gang that had targeted his employers. The individual gained access to a board members’ private emails and attempted to redirect ransomware payments to his own bitcoin wallet.

So what?

Companies must stay vigilant against the possibility of internal threats. Involving external forensic providers to investigate a breach can help detect malicious behaviour.



6. Ransomware similarities discovered

NoEscape, a new ransomware group discovered in June 2023, is likely to be a rebranding of the Avaddon ransomware group, who were last seen in 2021. The evaluation was based on the tactics, techniques, and procedures (TTPs) of both groups, with the ransomware encryptor having close similarities. Ransom demands by NoEscape have been known to be as high as USD 10 million.

So what?

Threat actors often rebrand and form new groups, reusing the same techniques, tactics, and procedures.



7. Criminals exploit WooCommerce flaw to hijack WordPress websites

Hackers are actively exploiting a critical security flaw in WooCommerce Payments WordPress plugin, which has more than 600,000 active installations. The flaw enables attackers to impersonate users, including administrators, to take control of WordPress sites.

So what?

Technical details on the vulnerability have been public for several weeks. Organisations should update their WooCommerce Payments installations to a patched version as soon as possible.




CRA23_Winner ShieldS-RM is proud to have been voted Cyber Incident Response Team of the Year at Zywave’s 2023 Cyber Risk Awards. Read more here.



Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Miles Arkwright
Miles Arkwright
Associate, Cyber Advisory
James Tytler
James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.

Miles Arkwright
Miles Arkwright

Associate, Cyber Advisory

James Tytler
James Tytler

Associate, Incident Response

Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.