Travelex cyber-attack provides learning on ignoring patching updates

Pulse Secure is one of many companies that deliver secure cloud and connectivity solutions to organisations worldwide. Such mission critical solutions require consistent maintenance and updating in accordance manufacturer guidelines and recommendations.

However, in April 2019, Pulse Secure published an urgent patch to a vulnerability in its widely used corporate VPN software. This vulnerability allowed remote attackers to gain access to administer the software without a username or password. Naturally the consequences of such action could be catastrophic with the ability to change settings, view passwords cached by the VPN server in plain text, view logs and also turn off multi-factor authentication.

Organisations, such as Pulse Secure, publishing urgent patches doesn’t just get picked up by customers, but also cybercriminal groups who can exploit these know vulnerabilities. A particular cybercriminal group has been targeting this vulnerability – amongst many others – for some time with the aim of infiltrating systems, stealing data and planting ransomware.

It is the lack of updating and patching of the VPN server software which led to Travelex being infected with ransomware. Ignoring security patches on your network devices could have significant business consequences.

On New Year’s Eve, the company was hit by Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and said they want Travelex to pay $6m (£4.6m). They also claimed to have had access to Travelex’s network for six months and to have extracted five gigabytes of customer data—including dates of birth, credit card information, and other personally identifiable information.

“In the case of payment, we will delete and will not use that [data]base and restore them the entire network,” the individual claiming to be part of the Sodinokibi operation told the BBC. “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”

Security researcher Kevin Beaumont found that Travelex had seven unpatched Pulse Secure servers. An exploit for the vulnerability has been available on Internet bulletin boards since August 2019.

The Travelex cyber-attack does provide a key learning to all organisations about ensuring there is a programme in place for monitoring and patching updates, particularly security updates, to all network and server systems in accordance with the software manufacturer.