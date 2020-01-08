

Changing money while travelling may take longer than usual, as Travelex has reverted to manual, paper-based processing following a ransomware attack.

In April 2019, Pulse Secure released an urgent patch for a vulnerability in its widely used enterprise VPN software. The vulnerability allowed remote attackers not only to gain access without a username or password, but also to disable multi-factor authentication and to view logs, user names and passwords that the VPN server stored in plain text. A cybercriminal group is now using this vulnerability to break into victims' networks, steal data and install ransomware.

Travelex, the foreign exchange and travel insurance company, appears to be the group's latest victim. On New Year's Eve, the company was hit by the Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and demanded that Travelex pay USD 6 million (GBP 4.6 million). They also claimed to have had access to the Travelex network for six months and to have extracted five gigabytes of customer data, including dates of birth, credit card information and other personal information.

“In the event of payment, we will delete this (database) database and not use it and restore the entire network,” the person who claims to be part of the Sodinokibi operation told the BBC. “The deadline for doubling the payment is two days, then seven days and selling the entire base.”

Security researcher Kevin Beaumont found that Travelex had seven unpatched Pulse Secure servers. An exploit for the vulnerability has been available on Internet forums since August 2019.

Big game hacks

Travelex is not the only victim facing a high ransom demand. Since January 1, seven victims have been added to the REvil scoreboard:

REvil is off to a strong start in the new year and is asking for serious money. We're working on a blog that describes how bad it is and hope to have it published later this month.

The Sodinokibi / REvil ransomware campaign emerged last spring. It was first identified by Cisco Talos in April 2019 in an attack that exploited an Oracle WebLogic server vulnerability. The ransomware itself exploits a vulnerability in the Win32k component of Windows to escalate its privileges. This lets it terminate a list of processes that would otherwise block file encryption, delete the contents of some folders and encrypt the contents of others, including network shares.

The malware also sends back basic information about the infected system. REvil itself has no means of self-propagation, however. Instead, the attackers have used a range of increasingly sophisticated access methods to install and launch it, including spam campaigns, attacks on Remote Desktop Protocol services and, in some cases, compromising managed service providers in order to reach their customers.

Despite warnings from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency in October, data from the Shodan security search engine shows that organizations in the United States still operate more than a thousand vulnerable Pulse Secure servers. Further attacks like the one on Travelex seem inevitable.