So, Travelex is under the gun. Many guns, in fact.
An international foreign-exchange services enterprise is offline across 30 countries following a New Year’s ransomware attack. Its operations are back to pen and paper, and its heavyweight banking partners, Barclays, HSBC, First Direct, Tesco and Virgin Money among others, are left adrift with no way to buy or sell foreign currency, never mind the thousands of retail customers who are potentially stranded, unable to exchange local currency.
During the ongoing investigation, Travelex’s parent company Finablr Plc has confirmed that the malware was identified as ransomware known as Sodinokibi, also commonly referred to as REvil, which attempts to encrypt customer data. Travelex has stated that, as of now, there is no evidence of stolen data. The BBC reports that the hackers behind the attack want Travelex to pay $6 million USD in ransom.
The Information Commissioner's Office (ICO) said it had not received a data breach report from Travelex. A spokeswoman added: “Organizations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people's rights and freedoms. If an organization decides that a breach doesn't need to be reported, they should keep their own record of it and be able to explain why it wasn't reported if necessary.” Under the General Data Protection Regulation (GDPR), a company that fails to comply can face a maximum fine of 4% of its global turnover.
Why did this happen?
Researchers suspect the cybercriminals attacked using an unpatched critical vulnerability in the company’s seven Pulse Secure VPN servers.
The attack could have been successful in part because Travelex took several months to patch critical vulnerabilities in its Pulse Secure VPN servers, according to Bad Packets.
Pulse Secure offers widely used remote access services for corporations. Pulse Secure issued an urgent patch for two critical vulnerabilities in its Zero Trust VPN service in April 2019. According to the advisory, CVE-2019-11510 is an arbitrary file read vulnerability that discloses sensitive information, enabling unauthenticated attackers to access private keys and user passwords; further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.
“On August 25th 2019, Bad Packets scanned the internet and found almost 15,000 endpoints across the world had the issue directly exploitable,” explained researcher Kevin Beaumont (a.k.a. Gossi the Dog). “Those results included networks at governments across the world — many incredibly sensitive organizations included — and basically a list of the world’s largest companies. It was clear organizations were simply not patching.”
Unfortunately, Travelex was on that list, with 7 unsecured Pulse Secure servers, according to Bad Packets, which has also stated that Travelex waited until November – 8 months after the vulnerability disclosure – to patch the issues.
“That vulnerability is incredibly bad — it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords),” added Kevin Beaumont, in a posting this week.
“The ongoing attack against Travelex is arguably the worst case scenario for how crippling ransomware can be,” Stuart Reed, vice president for cybersecurity at UK-based web services firm Nominet said. “If there was ever any doubt that a cyber attack could have a significant effect on financial markets, this proves otherwise.”
“The ransomware situation at Travelex shines a harsh spotlight on the potential devastation of a cybersecurity incident,” Jonathan Knudsen, senior security strategist at Synopsys, said in an emailed statement. “The lost business and negative publicity from a scenario such as this can be crushing. Ransomware continues to be a popular tool for cybercriminals…If you fall victim to a ransomware attack, you must have a plan ready to execute. The plan should include removing infected systems from your network, wiping them and reinstalling the operating system and applications, then restoring data from your backups.”
Because the financial markets are interconnected, cyber criminals will always look for the weakest link in order to compromise the entire financial supply chain. In the case of Travelex, the company deliberately ignored the comments of external consultants and its service providers on the best cybersecurity practices for keeping its operations secure. It took the company well over half a year to even notice the security patches that had been disclosed for immediate application.
At this moment, it's difficult to say whether the company will be able to restore its reputation, corporate partnerships and customer loyalty.
If you would like to avoid such dire circumstances for your own institution, enterprise or even a small business, make sure your cybersecurity protocols are up to date. Pay attention to the advice of external security partners, consultants and cyber risk professionals. They are looking out for your best interests.
Senior Consultant, Cyber Risk