On the last day of 2019, foreign exchange company Travelex was hit by cyber attackers wielding the Sodinokibi (aka REvil) ransomware. More than a week later, the company’s websites and online services are still offline despite the company’s remediation efforts.
“Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful. To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated,” the company stated on Tuesday.
“Having completed the containment stage of its remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems. To date Travelex has been able to restore a number of internal systems, which are operating normally.”
IT specialists and cyber security experts are working on getting everything back in order, but the company did not say when they expect to resume normal operations. The attack has also disrupted the work of many banks who rely on Travelex to provide their foreign exchange services.
“Travelex is in discussions with the National Crime Agency (NCA) and the Metropolitan Police who are conducting their own criminal investigations, as well as its regulators across the world,” the company added.
The BBC reports that the attackers are asking for $6 million (£4.6 million) in exchange for giving the firm access to its encrypted files, and are threatening to publicly release 5GB of customers’ personal data if Travelex doesn’t pay the ransom.
The attackers claim to have had access to the company’s computer network for the last six months, which allowed them to download customer data.
The UK Information Commissioner’s Office (ICO) has yet to receive a data breach report from the company and neither have the customers who ordered currency from Travelex before the attack and paid for it, but are unable to collect it.
How did the attackers manage to breach Travelex?
We still don’t know for sure through which hole the attackers managed to infiltrate the company’s networks, but there’s speculation that unpatched Pulse Secure VPN servers were the way in.
Pulse Secure patched CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure that can be easily exploited remotely to download files/extract sensitive information from the vulnerable servers, in April 2019. A few months later, exploits were made public and researchers released technical details about the flaw.
Cyber threat intelligence outfit Bad Packets has been pinpointing owners of unpatched Pulse Secure VPN servers and notifying them about the threat for many months now, and notified Travelex (through national CERTs) about their own seven vulnerable servers on September 13, 2019.
We notified Travelex about their vulnerable Pulse Secure VPN servers on September 13, 2019.
No response. pic.twitter.com/lCjk7IY3OM
— Bad Packets Report (@bad_packets) January 4, 2020
Apparently, it took Travelex two months to patch them.
Also, according to Kevin Beaumont, “Travelex’s AWS platform had Windows servers with RDP enabled to internet and NLA disabled,” meaning that the attackers could have connected to and executed code on the servers after brute-forcing their way in through internet-accessible login screens.