On Tuesday an interesting article was given by the guardian (at https://www.theguardian.com/technology/2020/jan/07/travelex-being-held-ransom-hackers-said-demanding-3m#maincontent), the title ‘Travelex ‘being held to ransom’ by hackers said to be demanding $3m‘ almost said it all and then I noticed something. First we get “Criminals are thought to be demanding about $3m (£2.3m) – to give the firm access to its computer systems after they attacked using the Sodinokibi ransomware on 31 December“, the price is not set without quarter, this we get from “They are reportedly threatening to release 5GB of customers’ personal data – including social security numbers, dates of birth and payment card information – into the public domain unless the company pays up” as well as “banks who use Travelex’s foreign exchange services to stop taking online orders for currency, affecting Sainsbury’s Bank, Tesco Bank, Virgin Money and First Direct.” You see Travelex, based in London, has a presence in more than 70 countries with more than 1,200 branches and 1,000 ATMs worldwide. It processes more than 5,000 currency transactions every hour yet, even as we see that it is on the London Stock Exchange, however the group is based in the United Arab Emirates. As for the actions we see “On Thursday 2 January, the Met’s cyber crime team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Inquiries into the circumstances are ongoing” here is the snag, what are the chances that US actions are impeded as it impacts 70 countries? Is there a reason why the FBI is not equally involved? You see, Sodinokibi is a spin off from Gandcrab and as we see (at https://www.bleepingcomputer.com/news/security/fbi-releases-master-decryption-keys-for-gandcrab-ransomware/) the FBI got those keys. Now the keys will not be compatible, but if they get one solution, they might get another solution. The fact that corporations are hit and we see “the developers behind the wildly successful GandCrab Ransomware announced that they were closing shop after allegedly amassing $2 billion in ransom payments and personally earning $150 million“, we would want to think that the FBI is on top of this and get some pay-back (I had to use that pun).
We also learn from Acronis “Sodinokibi ransomware exploits an Oracle WebLogic vulnerability (CVE-2019-2725) to gain access to the victim’s machine“, and when we go to the Oracle page we see that there had been a solution from last May onwards. there is also the part “Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions” the question becomes did Travelex forget to do a few things? the article does not pan out on that.
Yet in all this IT News (at https://www.itnews.com.au/news/ransomware-shuts-down-travelex-systems-536191) gives us ‘Unpatched systems could be attack vector, say researchers‘, and they also give us “No evidence has surfaced so far that structured personal customer data has been encrypted, or exfiltrated. This is in contrast with a report in Computer Weekly that alleged the criminals deploying the Revil/Sodinokibi ransomware had attacked servers storing sensitive, confidential information that included customer names and their bank account and transaction details” and it does not stop there. They also give us “Troy Mursch, chief research officer at security vendor Bad Packets said it notified the forex multinational in September of a serious vulnerability in its Pulse Virtual Private Networking servers. The vulnerability went unpatched until November” which sets a much larger question mark on the entire issue as the news give us that the attack came almost a month after that. They curtiously also give us “Prior to that, security researcher Kevin Beaumont noted that Travelex was operating cloud instances of Windows Server on Amazon Web Services that had Remote Desktop Protocol (RDP) enabled and exposed to the internet, but with Network Level Access (NLA) control disabled. An RDP flaw, known as BlueKeep, allows for full remote compromise of Windows without user interaction” and these issues are not asked about? At least the Guardian article does not stop on them.
The most hilarious response is seen at the very end of the IT News article with “Despite the attack closing down online systems, Travelex said it does not currently anticipate any material financial impact for its parent Finablr” Travelex might have numerous issues to consider, but the customer does not make the high point of that, or as I would mildly put it, who cares about Finablr? Well I reckon that the London Stock Exchange cares as the value of Finablr made a crashing 17% loss, that is almost one in five pounds that is lost too those bright young lads (ladies also). They advertise (on their website) ‘Finablr is a global platform for Payments and Foreign Exchange solutions underpinned by modern and proprietary technology‘ instead of ‘Finablr is a global platform for Payments and Foreign Exchange solutions underpinned by modern and proprietary hackable technology‘. It is a small difference, but a distinct one, especially as Oracle had placed a solution for months and the second message by Kevion Beaumont does not help any I reckon. In support a source gave the BBC that they feel let down, complaining that their travel money is “in limbo”, which is interesting, as the Guardian article gives us “Travelex first revealed the New Year’s Eve attack on 2 January, when it sought to assure that no customer data had yet been compromised” and as the article came 5 days after, the absence of victim mentioning is an interesting one, it seems that Travelex is not handling this situation well on a few levels, optionally also in arrear of making mantion towards the customers, all in opposition to the text on Travelex.com, which gives (among more data) “Tony D’Souza, Chief Executive of Travelex, said “Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise. We take very seriously our responsibility to protect the privacy and security of our partner and customer’s data as well as provide an excellent service to our customers and we sincerely apologise for the inconvenience caused. Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim. We are working tirelessly to bring our systems back online.””
As such we get Travelex giving us one part and the BBC giving quite the opposite, and at this point my question becomes, exactly how much money is ‘in limbo‘?
That and a few more parts all rise to the surface when I look into this matter, the entire time gap on the side of Travelex being the most prevalent one. The one part that Acronis made me wonder about was the exemption list, the fact that It will try not to infect computers from countries based on the locale setting of the computer, which gives us “Romania, Russia, Ukraine, Belarus, Estonia, Latvia, Lithuanian, Tajikistan, Iran, Armenia, Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan, Turkmenistan, Uzbekistan, Tatarstan“, the reason is unknown to me, perhaps they fear those countries and their ‘justice system’?
By the way, the entire Finablr website mention was essential, they are so for the ‘future’ yet security is seemingly not among it. That part is seen when we consider “In April 2019, the Cybereason Nocturnus team analyzed a new type of evasive ransomware dubbed Sodinokibi“, as such it took the Oracle team months to get a solution made (which makes perfect sense) yet the lack of implementation by Travelex is less normal. From all information it seems to me that Travelex should have made larger steps to be secure no later than Halloween, so the issue is a little larger than we consider, and the fact that Sodinokibi is a much larger field that goes back a few billion dollars. This is a contemplated speculation when we look at CSO Online where we get “While Sodinokibi is not necessarily a direct continuation of GandCrab, researchers have found code and other similarities between the two, indicating a likely connection” implying that for at least one person $150 million was not enough.
As such, the entire Travelex issue will be around much longer than the ransomware will be, there will need to be a larger amount of questions to its mother organisation Finablr as well. From my speculative side it seems that some players are lacking certain IT skills, or/and a larger shortage of it, that is the initial feeling I got when I saw the information that Troy Mursch and Kevin Beaumont handed over to the press, and so far the information as seen supports a larger failing in Travelex and optionally Finablr as well. There is support for my way of thinking, no matter who is on the board of directors, none of them are IT experts and that is fine, yet by not having a visionary IT expert leading the charge we see a larger failing coming their way. It is not merely having an IT department and a security department, someone needs to spearhead and protect IT issues in the Board of Directors and there is no evidence that this is happening, actually the Travelex issue gives rise that it is not happening at all. More important, the issue with the website is that it is highly sales oriented, and when I had a look there (I reckon the Sodinokibi members as well), I wondered how secure are Unimoni, Xpress Money, Remit2India, Ditto and Swych? When one of these points get attacked, will the board of directors act appropriately? It is optionally a little ironic that they are hit whilst they advertised a paper on their site on November 20th (a month before the attack) ‘Why data protection is your new strategic priority‘, my initial thought? ‘Sarcasm, when it backfires it becomes irony!‘ Yes it seems like a cheap ride from my side, but we forget that Common Cyber Sense is a real thing and corporations need a much larger vested interest in being safe than ever before, GandCrab showed that part months before this event took place and I reckon that Financial corporations need to take a much larger vested interest in that matter, or so I am led to believe, I could (of course) be wrong.
What do you think?