Theory crystallizes as currency exchange continues to fight Sodinokibi infection
Travelex, whose systems remain offline a week after it was hit by a malware attack, has confirmed that it is recovering from an assault caused by the Sodinokibi ransomware.
In a statement issued on Monday, the currency exchange business said that it had successfully contained an outbreak of the Sodinokibi (also known as ‘REvil’) ransomware.
Travelex took its systems offline to prevent the further spread of the malware soon after disaster struck on New Year’s Eve, as previously reported.
Cybercriminals using Sodinokibi have been known to siphon off data prior to encryption before threatening to leak looted data unless victimised organizations pay up.
The strain of malware is associated with the ransomware-as-a-service (RaaS) model, which means that no one group is exclusively abusing the malware.
Finger on the Pulse
Analysis of the incident by security researcher Troy Mursch has revealed that Travelex failed to patch its Pulse Secure VPN servers until early November 2019, leaving it vulnerable as a result, despite private warnings about the issue months earlier in September.
The underlying vulnerability – which was especially bad because it required no authentication to exploit – was discovered by security researcher Orange Tsai in March 2019, and patched by Pulse Secure last April.
Some months later, in August, security researchers warned that unidentified parties were actively scouring the web in the hunt for vulnerable Pulse Secure VPN installs, likely as reconnaissance in preparation for follow-up targeted attacks on corporate networks.
Unpatched Pulse Secure VPN systems are known to be among the ways into corporate networks abused by cybercriminals wielding Sodinokibi, as a write-up by infosec practitioner Kevin Beaumont explains.
Circumstantial evidence points to Travelex being compromised through an insecure Pulse Secure VPN setup.
This scenario – while plausible – remains unconfirmed.
However Travelex was compromised is secondary to more pressing concerns, as the foreign exchange business works to restore systems in the face of extortionate demands from cybercriminals for a payment of up to $6 million.
The supposed attackers boasted to the BBC that they had hacked into Travelex’s systems months ago before subsequently downloading 5GB of sensitive customer data.
The assailants claimed to have information including dates of birth, credit card information, and national insurance numbers of Travelex customers, which they threatened to sell on within days unless Travelex met its extortionate demands.
Putting the travel plans on hold
The breach prompted Travelex to suspend its online and mobile service offerings both in the UK and internationally as a further precaution.
The currency exchange’s websites across the world were also taken down and remain suspended. Travelex’s partners such as Barclays and Tesco Bank have been left unable to accept online money orders.
Travelex has fallen back on manual operations. The firm said it had restored some internal systems without offering any timescale for restoring its online operations to normal.
The company reiterated assurances that it has no reason to think customer data has been exposed.
“Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful,” its statement explains.
“To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted.
“Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated.”
Travelex said that it is in “discussions with the National Crime Agency (NCA) and the Metropolitan Police who are conducting their own criminal investigations, as well as its regulators across the world”.
In response to queries from The Daily Swig, UK data privacy regulators at the ICO issued a statement making it clear that it will hold Travelex to account over its handling of the breach once the dust settles.
An ICO spokesperson said: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it and be able to explain why it wasn’t reported if necessary.
“All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO.”