Blog Post – Travelex – What went wrong?

News and information from the Advent IM team.

Blog Post by Advent IM Security Consultant, Craig Moan.

What happened?

On the 31st of December 2019, as the world looked forward to welcoming a new decade, Travelex fell victim to a type of cyber-attack that very much came to prominence in the outgoing decade…

Ransomware, and as I write this blog 20 days later the company are yet to restore all services and become fully operational once more.

As most people will know, Travelex provides foreign currency exchange services to millions of people through either kiosk or online transactions.  They also provide currency services to other financial third parties, such as Barclays or Tesco Bank.

The attack affected millions of customers globally who had used Travelex’s services to obtain foreign currency, causing disruption to their travel plans with staff having to resort to manual operations to provide limited currency exchange services to customers. In response to the attack Travelex stated that their systems were taken offline to prevent the further spread of malware across their networks.

The attack is reported to have encrypted approximately 6GB of data, with the criminals behind the attack demanding £4.6 million before they would decrypt the data.  The criminal group also threatened to double their ransom demands and leak or sell sensitive data should Travelex not pay in a timely manner.

Travelex have stated that there is no evidence to suggest that customer data has been compromised at this time.  However, the criminals behind the hack have stated that they have been able to access the Travelex networks for the last 6 months and have obtained sensitive data such as credit card details, personal information and national insurance numbers.

Travelex are reportedly working with numerous agencies, such as the Metropolitan Police and the National Crime Agency to resolve the issue.  However, the ICO have stated that no data breach has been reported to them by Travelex and they intend to hold Travelex to account over its handling of the breach once the dust settles.

How did it happen?

The strain of ransomware used in the Travelex attack is Sodinokibi, a type of ransomware that is linked to the exfiltration of data before encryption occurs.  Whilst it is still too early for a full post-mortem of how the attack happened, it is being reported that the compromise may have occurred through a failure to patch a vulnerability in an insecure Pulse Secure VPN server.  This method of compromise has been widely linked to the Sodinokibi strain of ransomware.

The vulnerability allows an attacker to connect remotely to a network without valid user credentials, which in turn enables them to disable security controls such as endpoint security or MFA.  The attackers can then install and distribute the malware around the network.

This vulnerability was first discovered in April 2019 by the vendor, with an exploit first seen in August 2019.  The NCSC believed the vulnerability was being used by APT groups, which prompted them to issue an urgent warning to patch any affected systems in October 2019.

It is thought that Travelex did not patch its servers until November 2019, despite the NCSC warnings and being informed of the insecure servers by a security researcher in September 2019.  By this point, it is likely the attack had already begun.

What should we learn from it?

Travelex have been largely condemned by many in the Cyber Security industry for their slow response to the attack, which highlights a severe lack of the fundamental security controls that would have allowed them to respond and recover in a timely manner.

Travelex continue to attempt to restore services, but are yet to become fully operational again, and unconfirmed reports state that Travelex have entered into negotiations with the attackers with a view to restoring their systems.

There are a number of controls that could have prevented the attack and shortened the outage to limit the impact to business operations.

  • Vulnerability Scanning: If Travelex had been completing their own internal network vulnerability scans they would have identified the vulnerability earlier or corroborated the NCSC urgent notice and information received from the security researcher that the vulnerability was present. Travelex would then have been in a position to remediate the issue before the breach occurred.
  • Patching Schedules: If Travelex had a robust patching schedule in place for its network, the relevant patches could have been applied before the servers were exploited by the hackers.
  • System Hardening: If Travelex’s systems had been sufficiently hardened it may have prevented or limited the spread of the ransomware. Hardening measures could include endpoint protection, boundary defences or IOC scanning.
  • System Back-ups: Without having the appropriate back-ups or system rollback procedures in place it becomes difficult to recover any data and quickly restore services to limit the impact an attack may have.
  • BCP&DR: A comprehensive, well exercised contingency plan would without a doubt have assisted in recovering from the ransomware attack and provided a clear direction for the business to take in the event of an attack of this nature.
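To make the first two bullets concrete, here is an added example of the kind of check a vulnerability scanning and patching process produces.  It is my own illustration, not code from Travelex or from any vendor: given a published advisory (the fixed version and the date it was published) and an asset inventory, it lists every host still running an affected version and how many days it is past the patching deadline.  The remediation policy (SLA_DAYS), the product name "example-vpn", the advisory ID "ADV-EXAMPLE-001", the hostnames, versions and dates are all constructed for the example and do not describe the Travelex estate.

```python
"""Patch-compliance check: which assets are still exposed to a published
advisory, and how far past the remediation deadline each one is."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical remediation policy: days allowed from advisory publication
# to having the fix applied, by advisory severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def parse_version(text: str) -> tuple:
    """'2.10.0' -> (2, 10, 0), so versions compare numerically rather than
    as strings (as strings, '2.10.0' would wrongly sort below '2.9.0')."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_version: tuple   # first version that contains the fix
    published: date        # date the vendor published the advisory
    severity: str          # key into SLA_DAYS


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: tuple
    internet_facing: bool


# Constructed sample data: a fictional product and advisory.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "example-vpn", parse_version("2.5.0"),
             date(2019, 4, 1), "critical"),
]
ASSETS = [
    Asset("vpn-edge-01", "example-vpn", parse_version("2.4.3"), True),
    Asset("vpn-lab-01", "example-vpn", parse_version("2.4.3"), False),
    Asset("vpn-edge-02", "example-vpn", parse_version("2.5.0"), True),   # patched
    Asset("fileserver-01", "example-nas", parse_version("1.0.0"), False), # other product
]


def is_affected(asset: Asset, advisory: Advisory) -> bool:
    """An asset is affected if it runs the product below the fixed version."""
    return asset.product == advisory.product and asset.version < advisory.fixed_version


def deadline_for(advisory: Advisory, asset: Asset) -> date:
    """Hypothetical policy: internet-facing hosts get half the SLA window."""
    days = SLA_DAYS[advisory.severity]
    if asset.internet_facing:
        days //= 2
    return advisory.published + timedelta(days=days)


def assess(assets, advisories, today: date) -> list:
    """One finding per (asset, advisory) pair still unpatched, most overdue
    first; internet-facing hosts sort ahead of internal ones on a tie."""
    findings = []
    for adv in advisories:
        for asset in assets:
            if not is_affected(asset, adv):
                continue
            deadline = deadline_for(adv, asset)
            findings.append({
                "hostname": asset.hostname,
                "advisory": adv.advisory_id,
                "installed": ".".join(map(str, asset.version)),
                "fixed_in": ".".join(map(str, adv.fixed_version)),
                "deadline": deadline.isoformat(),
                "days_overdue": max(0, (today - deadline).days),
                "internet_facing": asset.internet_facing,
            })
    findings.sort(key=lambda f: (-f["days_overdue"], not f["internet_facing"], f["hostname"]))
    return findings


def run_example(today_iso: str) -> list:
    """Assess the constructed inventory as of the given ISO date."""
    return assess(ASSETS, ADVISORIES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Constructed "as of" date, chosen to fall after the advisory was published.
    for f in run_example("2019-09-15"):
        print(f"{f['hostname']:<14} {f['advisory']}  installed {f['installed']} "
              f"(fixed in {f['fixed_in']})  deadline {f['deadline']}  "
              f"{f['days_overdue']} days overdue  edge={f['internet_facing']}")
```

The point of the report is the "days overdue" column: an external notice such as the NCSC warning or a researcher's e-mail only helps if it can be matched against an inventory that already knows which versions are running where, and the deadline makes the patching schedule something that can be measured rather than a good intention.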

What next?

As the Travelex attack is still affecting the business, it is unlikely we will know the full extent of the damage caused and how far the ransomware was able to spread until a full post-mortem can be conducted.  There is likely to be a full investigation into the causes of the attack and there will definitely be questions to answer as to why the company ignored repeated notices to patch the vulnerable servers.  It will be interesting to see how the ICO handles this attack as I believe they will hold Travelex to account over any breach, especially if their failure to patch is deemed negligent.

Unfortunately, Travelex will begin this decade by joining a long list of high profile organisations to have fallen foul to ransomware attacks.  Perhaps a New Year’s resolution could be to invest in their Cyber Security capabilities and attempt to prevent the company from falling victim to this again in the future.
