Travelex Ransomware Attack: Another Hard Lesson on Skimping Patching
The recent ransomware attack on Travelex, considered as the world’s biggest foreign currency exchange company, highlights the importance of applying security patches in a timely manner.
Travelex disclosed that on New Year’s Eve it’s corporate network was hit by the ransomware called “Sodinokibi”, also known as REvil ransomware. In a ransomware attack, legitimate users are prevented in accessing their computers or their data.
The company said it immediately took all its systems offline to prevent the spread of REvil ransomware across the company’s network, forcing the company’s staff to resort to using pen and paper. The company’s ransomware attack disclosure came seven days after the attack.
The group behind the REvil ransomware told the BBC that it gained access to Travelex’ computer network six months ago and that 5GB of sensitive customer data, including dates of birth, credit card information, was stolen from the company’s network.
The group behind the REvil ransomware said last January 7th that it wants Travelex to pay $6m (£4.6m). “The deadline for doubling the payment is two days,” the group said. “Then another seven days and the sale of the entire base.”
Last month, the group behind REvil ransomware announced in a hacking forum that it will publish data stolen prior to encryption for ransomware victims that refuse to pay ransom.
Skimping Patching
According to Computer Weekly, it took Travelex eight months to patch a critical security weakness in its Pulse Secure virtual private network (VPN) servers.
In April 2019, Pulse Secure issued a patch for the security vulnerability CVE-2019-11510 found on its VPN products. CVE-2019-11510 is an arbitrary file disclosure security vulnerability that allows an unauthenticated remote attacker to view cached plaintext user passwords and other sensitive information. Exploitation using leaked credentials can lead to further security vulnerability CVE-2019-11539that allows attackers to gain access inside the private VPN networks of the victims.
Bad Packets told Computer Weekly that it informed Travelex in September 2019 that the company had seven unpatched security vulnerabilities in Pulse Secure VPN servers in Australia, the Netherlands, the UK and the US – vulnerabilities that could allow attackers access to the company’s networks, but the information was never acknowledged. Bad Packets earlier reported that thousands of organizations were vulnerable to security vulnerability CVE-2019-11510.
On August 14, 2019, someone posted an exploit for the CVE-2019-11510 vulnerability on OpenSecurity.global’s forum. On August 21, 2019, a public exploit for the CVE-2019-11510 vulnerability created by Alyssa Herrera and Justin Wagner was published.
In August 2019, the Canadian Centre for Cyber Security issued an alert to organizations in Canada of the active exploitation of Pulse Secure VPN products. In October 2019, US CISA, US National Security Agencyand the UK’s National Cyber Security Centre issued warnings to organizations to apply the patch issued by Pulse Secure.
Scott Gordon, Chief Marketing Officer at Pulse Secure, in a statement said, “Threat Actors will take advantage of the vulnerability that was reported on Pulse Secure … VPN products – and in this case, exploit unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers.”
Security researcher Kevin Beaumont said that security vulnerability in Pulse Secure VPN is being used to deliver REvil ransomware into organizations. “I understand Travelex has been ransomware’d by this group,” Beaumont said. “They had 7 unpatched Pulse Secure servers.”
Kevin Beaumont added that CVE-2019-11510 vulnerability is alarming as “it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords).”
In early August 2019, DEVCORE researchers disclosed at Black Hat 2019that they were able to infiltrate the corporate network of Twitter via the company’s unpatched Pulse Secure VPN. In a blog post dated September 2, 2019, researchers at DEVCORE expounded how they were able to gain access to Twitter’s network, including bypassing 2-factor authentication, as the company failed to apply Pulse Secure’s available security update. The DEVCORE researchers reported the vulnerability to Twitter via HackerOne.
Preventive Measures
Patching VPN devices in a timely manner is important as these devices are internet-facing and cybercriminals abound on the internet. In the case of the Pulse Secure vulnerability, all that a malicious actor has to do is scanned the internet for vulnerable devices.
On August 22, 2019, Bad Packets reported that mass scanning activity was detected from an IP address in Spain checking for Pulse Secure VPN devices vulnerable to CVE-2019-11510. On January 7, 2020, another mass scanning activity was detected from an IP address in the U.S. checking servers using a version of Pulse Secure vulnerable to CVE-2019-11510.
Scanning the internet for servers using a version of Pulse Secure vulnerable to CVE-2019-11510 is relatively easy using Shodan – a search engine that allows users to find specific types of internet-facing computers using a variety of filters. The only way to protect your organization’s servers using a version of Pulse Secure vulnerable to CVE-2019-11510 is to apply the patch or security update released by the company in April 2019.
As shown in this latest cyber incident, it’s important to keep all your organization’s IT systems and software up to date. Malicious actors are quick to exploit software vulnerabilities, especially those with available public exploits.
IT security can be an overwhelming topic for most businesses. Our experts are trained and certified by major software vendors and are ready to help you protect your valuable information.
For a quick assessment and a free consultation, please call us today (416) 920-3000 or email us at sales@genx.ca