Failure to Patch Caused Travelex to Shut Down



Infosecurity Magazine reports that currency exchange bureau Travelex was hit by a cyber attack on New Year's Eve. The attack disrupted UK bank customers, and Travelex took all of its systems offline as a precaution. The company identified the culprit as Sodinokibi (REvil) ransomware and has been unable to resume normal operations since the attack.

Meanwhile, Sodinokibi's creators say that "Travelex will pay, one way or another". The attackers are applying pressure to pay a multi-million dollar ransom by threatening to release or sell stolen data that allegedly contains Travelex's customers' personal data.

How did this happen? and SANS both report that the Travelex attack may have exploited a flaw in the Pulse Secure VPN software. The VPN vendor had already issued advisories urging its customers to apply a security patch. The advice stemmed from reports of attacks exploiting the flaw tracked as CVE-2019-11510 to deliver ransomware onto enterprise systems, delete data backups and disable endpoint security tools. The patch for the flaw had been available since April 2019.

SANS’ editors note:

“While keeping services updated with the latest security patches is important, prioritize services at the perimeter and pay even more attention to boundary and access control devices such as VPNs, Firewalls, Routers, Proxies and WAFs.

It is worth noting that Pulse Secure has been reaching out to customers to make sure that they are applying the patch. The Pulse Secure VPN flaw is being actively leveraged for REvil attacks, including CyrusOne, several managed service providers, 20 Texas local government offices and over 200 dentist offices per ZDN”
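The practical takeaway from the SANS note is a prioritisation rule: a missing patch on an internet-facing boundary device that has been outstanding for months outranks a missing patch on an internal workstation. The script below is an added example, not code from the article or from SANS, that applies that rule to a constructed asset inventory. Device names, version strings and advisory dates are illustrative placeholders; the scoring weights for exposure and device role are assumptions chosen to show the ordering, not a published standard.

```python
from dataclasses import dataclass
from datetime import date

# Device roles the SANS note singles out as boundary and access-control devices.
PERIMETER_ROLES = {"vpn", "firewall", "router", "proxy", "waf"}

# Reference date for the report (New Year's Eve 2019, per the article).
REPORT_DATE = date(2019, 12, 31)


@dataclass
class Asset:
    name: str
    role: str
    internet_facing: bool
    running_version: str   # dotted numeric version, constructed for this example
    fixed_version: str     # first version that contains the vendor's fix
    advisory_date: date    # when the vendor published the advisory


def version_tuple(version):
    """Turn '9.0.3' into (9, 0, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_unpatched(asset):
    """True when the running version is older than the fixed version."""
    return version_tuple(asset.running_version) < version_tuple(asset.fixed_version)


def priority(asset, today):
    """Urgency score; higher is more urgent, 0 means nothing to do.

    The base score is the patch lag in days; exposure to the internet and a
    perimeter role each add a fixed bonus (assumed weights, see lead-in).
    """
    if not is_unpatched(asset):
        return 0
    score = (today - asset.advisory_date).days
    if asset.internet_facing:
        score += 365
    if asset.role in PERIMETER_ROLES:
        score += 180
    return score


def triage(assets, today):
    """Return (name, score) for every unpatched asset, most urgent first."""
    scored = [(asset.name, priority(asset, today)) for asset in assets]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: (-s[1], s[0]))


# Constructed inventory; nothing here describes Travelex's real estate.
INVENTORY = [
    Asset("vpn-edge-1", "vpn", True, "9.0.2", "9.0.3", date(2019, 4, 1)),
    Asset("hr-workstation-7", "workstation", False, "1.2.0", "1.3.0", date(2019, 11, 1)),
    Asset("fw-dc-2", "firewall", True, "6.4.1", "6.4.1", date(2019, 9, 1)),
    Asset("build-server", "server", False, "2.0.0", "2.1.0", date(2019, 10, 15)),
]

if __name__ == "__main__":
    for name, score in triage(INVENTORY, REPORT_DATE):
        print(f"{score:5d}  {name}")
```

In this inventory the internet-facing VPN appliance, eight months behind its April advisory, lands at the top of the list, while the already-current firewall drops out entirely; the same inventory file can be re-run after each patch cycle to confirm the perimeter entries have gone to zero.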