Luxottica, one of the world's largest sellers of eyewear products, had to take its servers offline after a ransomware attack struck its systems on Friday, due to which the websites for Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision stayed offline for many hours.
Luxottica designs, manufactures, and distributes a variety of fashion, luxury, and sports eyewear. The company owns a number of well-known eyewear brands such as Ray-Ban, Oakley, Vogue Eyewear, Persol, Oliver Peoples, Arnette, Costa del Mar, and Alain Mikli as well as licensed brands such as Giorgio Armani, Burberry, Bulgari, Chanel, Coach, Dolce&Gabbana, Ferrari, Michael Kors, Prada, Ralph Lauren, Tiffany & Co., Valentino, and Versace.
According to the Italian media, Luxottica, which generated $9.4 billion in revenue last year, suffered a ransomware attack on Friday, and after detecting the attack, the company took all its servers offline. This ensured that the websites for Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision went offline.
The reports were also based on the fact that workers in the production chain of Luxottica's Agordo and Sedico offices in the Belluno area were told about the suspension of a shift on Monday due to an unspecified "computer system failure". Reportedly, portals such as one.luxottica.com and university.luxottica.com were also unavailable.
According to Bleeping Computer who spoke to cybersecurity intelligence firm Bad Packets, Luxottica had a Citrix ADX controller device that is vulnerable to the critical CVE-2019-19781 flaw in Citrix devices. This vulnerability is routinely exploited by ransomware actors to infiltrate corporate IT networks and steal credentials.
According to Citrix, CVE-2019-19781 affects Citrix ADC and Citrix Gateway version 13.0 all supported builds before 22.214.171.124, and the company has advised users of Citrix ADX controller devices to either upgrade to a fixed build or apply the provided mitigation which applies to Citrix ADC.
Commenting on the ransomware attack targeting Luxottica, Michael Barragry, operations lead at Edgescan, says this appears to be an unfortunate example of a failure to patch against a vulnerability which was originally made public 9 months ago, and it looks like the punishment has been quite severe.
"Remote Code Execution (RCE) vulnerabilities are among the most dangerous and can allow an attacker to execute code of their choosing on the machine being targeted – such as downloading and running ransomware. Organisations need to ensure that a robust patch management system is in place – especially for their public-facing infrastructure. This should be supplemented with regular security assessments and penetration testing," he adds.