Company background

Travelex is a foreign exchange company that operates in 70 countries, with more than 1,200 branches, 1,000 ATM machines and revenue in excess of $850 million.  The hack cost Travelex $2.3 million in ransom and an unknown amount in lost business.  As of 22nd April 2020 Travelex is now up for sale.

Details of the attack

On New Year’s Eve 2019 the Sodinokibi hacking group launched their attack.  The first thing the group did was exploit a vulnerability in the Pulse Connect Secure VPN.  The CVE-2019-11510 vulnerability was first patched back in April 2019 even though the vulnerability wasn’t publicly available until August 2019.  I think that no more could be asked from Pulse Connect, they found an issue and responded very quickly with a fix.

Once the attackers were able to bypass the VPN and get onto the corporate network they exploited a Windows vulnerability CVE-2018-8453 to successfully gain admin rights to the systems.  From there Sodinokibi could pretty much do as they wish, and their wish was to takeover everything.  This started with stealing data, before pushing ransomware to their computers and completely taking Travelex offline.

Were Travelex targeted?

Think of a hacking group like any other business with a sales strategy.  They identity opportunities and find prospects that match a criteria, rather than targeting specific companies.

My assumption is this was the same for the Travelex hack.  It is likely that Sodinokibi found the Pulse Connect Secure VPN vulnerability in the public domain and then started scanning large company networks to find which of them have a Pulse Connect Secure VPN.  Once a few positive hits come back of VPN’s with that vulnerability, the group decide which one to target, select the best time, form a plan, and go for it.

I would imagine that they had previously broken into the VPN, maybe a month before, and ran a scan from within the network to find the vulnerabilities of their Windows computers.  It is unlikely they would leave it to chance that they would find a vulnerability in the Windows system once they were past the firewall.

My point being, that Travelex only became a target because of a weakness that was visible for all to see.  This is very different to an attacker sitting at home, deciding that come what may they are going to bring Travelex to its knees and there is nothing Travelex can do about it.

End result

Travelex lost all credibility within the market.  Firstly because they didn’t patch a VPN for over nine months and a Windows machine for over two years.  Secondly, because of the way they handled the fallout.  Instead of saying they had been hacked, they went with a misleading “Planned Maintenance” notice on their website.

They handed over $2.3 million in ransom to the attackers, which of course just fuels the fire for everyone else.  As of yesterday, they have now put the business up for sale.  Could this be the true cost of poor cyber hygiene?

Was this easily avoidable?

Yes.  Maybe you cannot patch everything, but by not patching your external facing VPN and all the Windows computers, you are leaving yourself wide open.  Unforgivable for any business, but for a financial company the size of Travelex with so much to lose it defies belief.

How to avoid being the next Travelex

Make things as simple as possible, consolidate your systems so you have less to patch, establish your biggest risks and put in an automated patching system.  For most businesses who have moved to the cloud this really is quite easy.  Follow these steps:

  1. Implement Cloud managed and patched firewalls such as Cisco Meraki
  2. Rollout an automatic Operating System patching system like Automox
  3. Monitor the health of all your Cloud Apps, Cyber Security Products and network using ThreatAware.

In short – maintain your cyber hygiene.

Leave a Reply