Travelex hacked and held to ransom
Discussion
What McAfee found out about the ransomware before this happened - https://www.mcafee.com/blogs/other-blogs/mcafee-la...
Some of the stuff on Twitter looks like a bit of a s**t show
https://twitter.com/GossiTheDog/status/12128082146...
RDP exposed to the Internet?
(Edit: better Twitter link - go through the posts by Kevin Beaumont)
Apparently hackers got in through a vulnerability in Travelex's unpatched Pulse Secure VPN servers
“ That vulnerability is incredibly bad — it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords).”
https://doublepulsar.com/big-game-ransomware-being...
Harpoon said:
Some of the stuff on Twitter looks like a bit of a s**t show
https://twitter.com/GossiTheDog/status/12128082146...
RDP exposed to the Internet?
(Edit: better Twitter link - go through the posts by Kevin Beaumont)
Also on that thread that they were notified of the pulse issues months ago...
Fittster said:
Hmm, large corporation taking more than 3 months to get a patch applied. I am not shocked to my boots.
rxtx said:
I am. Given the severity of the CVE, and the ease of deployment, it should have been done as soon as they knew.
Fittster said:
CVE, IaC, DevOps, etc. Big organisations with bureaucracy don't move fast in my experience.
rxtx said:
They move pretty fast in my direct experience. Perhaps it's just Travelex that don't, or haven't invested in their infrastructure, configuration management, etc. This will be down to a networking team, nothing to do with IaC or devops or anything.
Fittster said:
It will be down to the general culture of the organisation (and yes, there are tools and methodologies which should automate patching). We can play the who-has-got-the-most-experience game if you want, but I'm not shocked that a patch wasn't applied a couple of months after its release.
rxtx said:
I wasn't trying that on, sorry, but I am shocked in this day and age people don't take it more seriously, because I haven't worked anywhere so blasé in a very long time. Travelex are about to learn the hard way I suppose.
Bit of a nightmare. I suspect their IT department simply didn't have the resources/skills/experience to keep up, and the few people who did are saying "told you so" to the management. The emails/contact mentioned probably went into the "we'll deal with that later" pile and weren't read properly.
edit: I wonder if they tried to get access to the transfer/accounts system, there must be a lot of money floating around there... perhaps it was locked down better.
Edited by Gareth79 on Tuesday 7th January 19:39
Trevatanus said:
Just seen this on Twitter
UPDATE: Hackers say they have 5gbs of customer data and want $6m from Travelex. The REvil group claims to have had access to the company’s systems for 6 months.
If true that would be before the vulnerability was notified to them. If already in the system then they could lie low until now...
S1KRR said:
Four Litre said:
Oh dear - sounds like they ignored warnings and didn't apply a critical patch.
Going to be expensive whatever route they take. Probably cheaper to pay hackers!
No company that ever pays the hackers gets their info back. It doesn't work like that.
Edit: A quick Google reveals that even many US local authorities have paid, eg:
https://www.bleepingcomputer.com/news/security/ran...
Edited by Gareth79 on Wednesday 8th January 03:02
Surely they operate a vulnerability management team and were aware? If so it's bad that this wasn't escalated to CIO / CITO level.
Leaving a VPN with a critical patch that allows unauthenticated remote code execution should result in the entire IT teams involved being fired!
I guess some places just want to learn it the hard way and you'll be damn sure they'll never make the same mistake again!