Foreign exchange company Travelex has become the latest high-profile victim of ransomware, with cyber criminals launching an attack that is causing untold financial and reputational damage to the business. How was the ransomware attack launched, and what can you do to protect your organisation from suffering a similar fate?
As the clock struck midnight on New Year’s Eve 2020, as glasses chinked and couples embraced throughout the UK, foreign exchange company Travelex was plunged into perhaps the biggest crisis in its over 40-year history. Cyber criminals launched a ransomware attack on Travelex that has left the business in turmoil, with employees reduced to working with pen and paper. If the cyber criminals that launched the attack are to be believed, they possess the dates of birth, credit card information and national insurance numbers of scores of Travelex customers. The cost for returning them safely? $6 million.
What do we know at this stage about the Travelex ransomware attack, and what can your organisation do to protect itself from suffering a similar fate?
Travelex Ransomware Attack: What We Know
As a result of the ransomware attack launched on New Year’s Day, Travelex has taken its websites offline, preventing users from interacting with its services whilst the investigation is ongoing. At the time of writing the websites (still offline) show a holding page and press statement.
According to statements from multiple sources (including Travelex themselves), the malware that hit the organisation was the well-known REvil (aka Sodinokibi) ransomware. The group behind the malware claimed that they had copied upwards of 5GB of personal data, allegedly including dates of birth, social security numbers and credit card information.
What is not clear at this stage is exactly how the attack happened, how the malware got in and even if any data was indeed exfiltrated. Travelex released a statement on Tuesday 7th January stating “there is still no evidence to date that any data has been exfiltrated”, whilst the cyber criminal group behind the malware obviously claim otherwise. Whilst we may never know which side is telling the truth, there remain a number of key lessons to be learnt around how your organisation can employ preventative measures to protect itself from compromise. But first of all, what exactly is Sodinokibi?
What is Sodinokibi?
Sodinokibi (also known as Sodin or REvil) is believed by some security researchers to have come from the same group of cyber criminals that developed the GandCrab ransomware. GandCrab reportedly made $2 billion via multiple ransomware attacks before being ‘retired’ by its creators in mid-2019. Not a great deal is known about the group behind GandCrab, but they could be based in the former Soviet Union as the malware did not infect machines in the region.
At approximately the same time GandCrab was disappearing, Sodinokibi was observed in numerous cyber-attacks against multiple organisations. In some of the attacks, Sodinokibi was used as ransomware-as-a-service (RaaS). RaaS is a criminal business model where subscribers use malware for their own operations, paying some of the money earnt back to the developers.
Over the past few months there has been a great deal of activity around the Sodinokibi malware. At Six Degrees our cyber security experts have seen multiple cases of this malware family being deployed. Each time we have reverse-engineered the samples there have been subtle differences in functionality; in fact, some binaries from incident responses have even been semi-functional debug samples.
Many of our peers in the cyber security community have been tracking the activity of the Sodinokibi malware family with great interest, and there is a degree of consensus that the malware family is likely to be under active development.
What’s interesting about the outbreaks we have encountered is the method of entry, which has often differed on the occasions we have looked into the malware. Methods of entry have ranged from semi-automated email campaigns to targeted RDP endpoint attacks. One more to add to the list is now Travelex, who some researchers believe may have been infected via a number of known outdated Pulse Secure VPN endpoints.
Potential Entry Point?
Before we explore the Pulse Secure VPN endpoint theory further, it’s important to establish that details about the entry point of the malware have not been released. As with many such intrusions, the general public may never know the full technical details of the cyber-attack. What we can do however is identify trends and comment on likely scenarios, the most persuasive of which is that Travelex were using outdated and highly vulnerable Pulse Secure VPN endpoints.
You can follow the links here and here for more specifics, but in summary the successful exploitation of the Pulse Secure VPN endpoints could result in access to the network and VPN endpoint without requiring authentication. To make matters worse, once exploited the attackers would also be able to read log files and any cached usernames and passwords in plain text, which could include Active Directory credentials. At this point access to internal hosts, along with furthering access in preparation for a malware deployment, is only a few steps away, as can be established by the most basic of internal penetration tests.
Following the discovery of this vulnerability, a working, publicly available exploit was published around August of last year. This prompted a spike in scanning activity for endpoints affected by the vulnerability, and since then activity linking the vulnerability to Sodinokibi in multiple attacks has also been noted. This is what has prompted the widespread speculation that outdated Pulse Secure VPN endpoints are likely to be the entry point through which cyber criminals were able to attack Travelex.
How Can You Protect Your Organisation?
It is commonly acknowledged that many of these attacks follow a similar pattern. The attacker gains initial access via some means, be it a vulnerability in the external infrastructure or via email campaigns aimed at harvesting credentials. They will then spend time searching the network for high value target hosts; if you think about it from the attacker’s point of view, the greater the value of the data, the greater the chance of someone paying up.
So how do you prevent your organisation from suffering a similar fate to Travelex? Here are some key takeaways we should all be aware of:
- Carry out regular checks of your external infrastructure. By this we mean all of it. There is a real temptation within many organisations not to include all of their external assets within the scope of penetration tests and general vulnerability scanning activities. This happens for countless reasons ranging from cost and fear of what might be found all the way to assets simply not being tracked. This is not good enough. Making sure all endpoints are known and checked multiple times a year as part of a full manual penetration test is recommended, and this should be backed up with monthly or quarterly vulnerability assessments where possible. It is always better to know about and address vulnerabilities affecting external infrastructures quickly, as they are often the starting point for cyber-attacks. Once that foothold is gained, the rest (be it ransomware or any other internal compromise) can snowball easily from there.
- Make sure you are aware of your external exposure. This is similar to the penetration testing guidance above, and really, one feeds the other. If you know for example that you run Pulse Secure VPNs that act as your only external touchpoint between external and internal networks, then these need to be priority hosts. Monitor patch releases and include them in monthly update cycles. Leaving them exposed and vulnerable to avoid disruption and downtime may be tempting, but is absolutely not an option; the consequences if something goes wrong will always outweigh the short-term inconvenience.
- Running Pulse Secure? Check it’s not vulnerable. If you need help checking, get in contact. We would be happy to carry out an assessment and advise you of your exposure to the vulnerability should it be a concern. The full advisory can be found here.
- Combine proactive and reactive cyber security measures. The combination of proactive and real-time reactive services as part of annual IT security spend is also vital. Identifying external exposure and potential vulnerabilities is one thing, but monitoring and detecting internal movement prior to a ransomware deployment is another. Attackers can spend weeks, months or even longer inside networks cherry picking hosts of value. The deployment of ransomware should not be the first you hear of it; dedicated Cyber Security Operations Centre (CSOC) services such as those offered by Six Degrees can help combat this and provide an early warning to such activity.
- Reduce external attack surfaces. This is something we see a lot in penetration tests even today. It’s not uncommon to see protocols like SMB, RDP, SSH, SNMP etc. all exposed to the Internet with no filtering on them. Whilst most of these offer a second line of authentication (keys, certificates etc.), you shouldn’t rely on it: as in Travelex’s case, all it takes is one vulnerability to upset the apple cart. Bake security into the design – don’t overlay it afterwards.
- Review your mail filtering options. Whilst the Travelex attack seems to be far more sophisticated, one can’t ignore the volume of malware spread via simple mail campaigns – it remains one of the key entry points to the corporate perimeter, and as such needs some advanced mail filtering attention.
- Implement robust multi-factor authentication. At Six Degrees we attended a large number of incident responses last year where the initial infection began with the compromise of an Office 365 or similar account. If you are not using multi-factor authentication already this is simple to turn on technically. Operational acceptance is another matter, but given the potential cost and consequences of a large scale breach it should not really be optional.
- Be prepared if the worst happens. So far our guidance has focused on preventative protections. But what if you’re past that stage? The advice remains the same as ever when it comes to ransomware outbreaks: ensure regular backups are taken for all key data should you need to restore, reset passwords for known compromised accounts post-breach, and invest in malware protection that offers anti-ransomware measures. Some vendors now offer copy-on-write solutions among other technologies that can help ring-fence important data and combat many common ransomware traits.
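As an added example (not code from the original post or from Six Degrees), one way to turn the "check all of your external infrastructure" and "reduce external attack surfaces" advice above into a repeatable check: parse the grepable (-oG) output of an nmap scan of your own known external ranges and flag any SMB, RDP, SSH or SNMP exposure that is not on an explicit per-host allowlist. The scan output, hostnames and addresses below are constructed placeholders.

```python
import re
from collections import defaultdict

# Management and file-sharing services the post says should not sit on the
# Internet unfiltered, keyed by their default port (SNMP is udp/161).
RISKY_PORTS = {
    22: "SSH",
    161: "SNMP",
    445: "SMB",
    3389: "RDP",
}

# Constructed sample of nmap grepable (-oG) output for an imaginary external
# range. Addresses are RFC 5737 documentation space; hostnames are placeholders.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 203.0.113.10 (vpn.example.invalid)\tStatus: Up
Host: 203.0.113.10 (vpn.example.invalid)\tPorts: 443/open/tcp//https///, 22/open/tcp//ssh///\tIgnored State: closed (998)
Host: 203.0.113.20 (fileserver.example.invalid)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 135/filtered/tcp//msrpc///
Host: 203.0.113.30 (www.example.invalid)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
# Nmap done (constructed sample)
"""

# One -oG port entry looks like: port/state/protocol//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_grepable(text):
    """Return {host: {port: service}} for every port reported open in -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, _proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                hosts[host][int(port)] = service
    return dict(hosts)


def find_exposed_services(hosts, allowlist=None):
    """Flag risky ports on each host unless that host/port is explicitly allowed.

    allowlist maps host -> set of ports that are intentionally exposed (for
    example SSH on a bastion that enforces keys and MFA); everything else in
    RISKY_PORTS becomes a finding to fix or filter.
    """
    allowlist = allowlist or {}
    findings = []
    for host, ports in sorted(hosts.items()):
        for port in sorted(ports):
            if port in RISKY_PORTS and port not in allowlist.get(host, set()):
                findings.append((host, port, RISKY_PORTS[port]))
    return findings


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_SCAN)
    for host, port, name in find_exposed_services(inventory, {"203.0.113.10": {22}}):
        print(f"{host}: {name} (port {port}) reachable from the Internet unfiltered")
```

Run it against real scan output with `nmap -oG scan.txt <your external ranges>` and feed `scan.txt` to `parse_grepable`; any finding is a host to filter, patch or remove from the perimeter before the next assessment.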
Protect Yourself and Your Organisation
The ongoing Travelex ransomware saga is testament to the massive financial, operational and reputational damage a successful cyber-attack can inflict on an organisation. This isn’t a time for burying your head in the sand and hoping the same fate doesn’t befall you. Take proactive steps to protect yourself and your organisation from the very real threat posed by cyber criminals in 2020 and beyond. You can start by registering for one of our free penetration testing training sessions, which will enable you to gain insight, discover tools, and learn hands-on ethical hacking skills.