
Unpatched VPN Makes Travelex Latest Victim of 'REvil' Ransomware (arstechnica.com) 34

An anonymous reader quotes a report from Ars Technica: In April of 2019, Pulse Secure issued an urgent patch to a vulnerability in its popular corporate VPN software -- a vulnerability that not only allowed remote attackers to gain access without a username or password but also to turn off multi-factor authentication and view logs, usernames, and passwords cached by the VPN server in plain text. Now, a cybercriminal group is using that vulnerability to target and infiltrate victims, steal data, and plant ransomware.

Travelex, the foreign currency exchange and travel insurance company, appears to be the latest victim of the group. On New Year's Eve, the company was hit by Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and said they want Travelex to pay $6 million. They also claimed to have had access to Travelex's network for six months and to have extracted five gigabytes of customer data -- including dates of birth, credit card information, and other personally identifiable information. "In the case of payment, we will delete and will not use that [data]base and restore them the entire network," the individual claiming to be part of the Sodinokibi operation told the BBC. "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base." Security researcher Kevin Beaumont found that Travelex had seven unpatched Pulse Secure servers. An exploit for the vulnerability has been available on Internet bulletin boards since August of 2019.

  • by Anonymous Coward
    ahaha hahahaha jajaja kekeke hahahaha
  • by Anonymous Coward on Wednesday January 08, 2020 @06:44PM (#59600790)
    What if I commit a seagoing crime? Am I a hydrocriminal? Or in space? An astrocriminal? Specialization could really get out of hand.
    • "CyberCrime" was a TechTV series that was canceled when it ran out of stories. Basically, everything they covered is still going on... there's no new problems, but we keep seeing the "caught you not patched" problems coming back.

    • Trivia: 100% of all crimes in space are committed by lesbians. No, really. [livescience.com]
    • What if I commit a seagoing crime? Am I a hydrocriminal?

      No. If you commit a seagoing crime, you are a pirate!

  • Feels like I've read this before, do the editors read /.?
    • Slashdot sometimes has to repeat big stories because the 11AM audience isn't the same as the 5PM audience. This may need repeated overnight so everyone sees it.

      This is a big scare to world markets... Travelex is the only major currency changer left.

      • Slashdot sometimes has to repeat big stories because the 11AM audience isn't the same as the 5PM audience.

        Well clearly the 5PM audience is better off since this "dupe" has new information the 11AM audience didn't get. In fact some may say the 5PM audience got a different article with different sources, different information and a completely different focus than the 11AM readers.

        The Fox and Friends among us may however note that this story is a dupe.

      • by AHuxley ( 892839 )
        Repeat for the ads so media sites staff don't have to learn to code.
      • I'm on the 24 Hours of Slashdot regime.

    • Really? Where have you read that? Because a quick search on Slashdot shows that the words VPN and Travelex have never been used in the same article posted before this one. In fact the only reference to Travelex doesn't mention in either summary or linked material at all the source of the exploit, nor does it mention the company behind the VPN.

      Are you against learning new information? Is that why you think this is a dupe?

  • I see a pattern here... patch announced months ago, then an exploit of the patched issue, then a major database found to not have the patch goes haywire.

    Seems like we're at a script kiddie level of hacking again. You don't need to understand the flaw, you just "check to see if they're patched" and then attack the ones showing too low a version number. We've got to get better control of this.

    • by ceoyoyo ( 59147 ) on Wednesday January 08, 2020 @07:46PM (#59600974)

      We never left the script kiddie level of hacking. If anything, it's even worse now, since the script kiddies all have general purpose exploit scanners that are automatically updated over the internet.

      • The large corporate IT people buy proprietary security software so they can have somebody to blame - job security is more important than system security.

        One small problem.

      • HaXx0r tool updated over the internet - and I bet their computers are now mining Bitcoin or are nodes for a bot net. There's no honour among thieves.
        • by ceoyoyo ( 59147 )

          That is an intriguing idea. Do you have a newsletter I could subscribe to?

          I wonder if one could find fame and fortune as a meta security researcher: tracking exploits for exploit tools.

    • by gweihir ( 88907 )

      One of the reasons any halfway competent security audit makes sure there is somebody responsible for updates and patches for every security-relevant application and that there are processes that force timely execution. These morons either did not have a software-inventory with application owners, or the application owners just could ignore security issues without consequences. This is not a tech-fail, this is a process-fail. On the level of how bad they did screw up, I think negligence does not get much more

      • When stuff is outsourced, or you have contractors who come in, do their thing and leave, this kind of responsibility gets completely lost.
      • It's a process fail, but let's not exclude the idiots in management who think of buying computer and networking systems like buying a washing machine -- you spend once, and the system runs for 10 years without any other costs besides electricity.

        The management processes exist for these tasks, but often they aren't funded right in terms of staffing levels, training, support contracts, and so on, let alone the business disruption challenges of reboots, downtime, etc.

    • Twas always thus. The bad news now is we are probably going to see more exploits layered together. A VPN exploit like this together with ransomware and something like a BlueKeep exploit to propagate is bad news indeed.
    • by Slayer ( 6656 )

      You can blame TravelEx all day long for not patching their VPN (and they did fail comprehensively for eight straight months!), but that's not the whole story here IMHO. Yes, TravelEx had two full months between vulnerability report and first exploitation, but how in the world can a professional security company like Pulse Secure release such a shoddy firewall product, that can be so completely exploited through the port which it is meant to protect?

      14 years ago a similar situation all but wiped out most of

  • Travelex's website [travelex.com] is showing a press release dated yesterday instead of its normal page. They're not able to give quotes or exchange anything right now.

  • by sconeu ( 64226 ) on Wednesday January 08, 2020 @07:03PM (#59600850) Homepage Journal

    It's a good thing that nobody posted this story yet [slashdot.org].

    • Hey, it was a whole 7 stories ago and still on the front page. BeauHD would have to read slashdot or even scroll down in order to see that this was a dupe. That's too much to ask for someone paid to be an editor here.

    • Really? Where does that story mention VPNs? The exploit being used? Did you post the wrong link, because it seems you're implying this story here with completely different information is a dupe.

  • Travelex can still make a profit on this incident. All they have to do is charge high enough exchange and service fees on the $6M ransom.
