Home / Robin's Newsletter

Robin’s Newsletter #82

 Vol. 3  Iss. 2  12/01/2020, last updated 06/04/2020   Robin Oldham  ~7 Minutes

This week

Travelex systems still offline as team restore from Sodinokibi infection

Travelex continues to battle a ransomware infection and restore services as the 30th December outbreak Marche on towards the end of its second week. The ransomware is believed to be Sodinokibi (aka REvil.) As well as encrypting files and causing disruption to business operations, the group claim to have stolen 5GB of personal data which they are threatening to release.

Originally reported to be $3 million, reports are circulating the price demanded by the attackers as issues persist may be as high as $6 million / £4.6 million. Often demands are targeted to be ‘affordable’ and potentially covered by insurance premiums. When they skyrocket like this it is because the attacker believes they have significant leverage over the victim. This attack will have been well researched and planned. Credentials found, access gained, backups located and countless other actions before pulling the trigger to cause maximum disruption.

Perhaps in a demonstration that the group are serious about releasing data another Sodinokibi victim, who didn’t pay the ransom, had their data released this week.

There is speculation that. Particularly nasty vulnerability in Pulse Secure VPN may have been used to access Travelex’s network or view usernames and passwords. A patch was issued for the Pulse Secure vulnerability in April last year. That would be in keeping with the M.O. of previous severe ransomware attacks, such as that at Norsk Hydro (vol. 2, iss. 12) in March last year. At Norsk, the attacker credential sprayed an exposed Remote Desktop server and then deployed the ransomware using IT administration tools.

Patch management is a tough game and systems running live services can be difficult to justify taking offline for maintenance. Layered security, also known as defence-in-depth, can provide compensating controls that help to mitigate the risk. Organisations need to make sure they receive notification of critical updates from their software vendors and have a processes for triaging these.

This year will surely also now be the year of offline backups. Cloud services have encouraged firms to operate in distributed or replicated live-live models. These just propagate the issues (with alarming efficiency!) Having an offline, or read-only, copy of critical data won’t prevent an incident but will cut response times. As will testing how you will rebuild and restore services: having the data is one thing. Knowing how the steps to take in rebuilding IT systems, from scratch, is a whole other ball game.

That’s something the team at Travelex will be battling with as they inspect, rebuild or reissue computers to thousands of colleagues at 1,200 branches. They’re also coordinating efforts using WhatsApp groups and other makeshift communications channels, as seen in other incidents like Maersk.

The impacts are far-reaching as Travelex are an important part of the FX supply chain: RBS, who owns NatWest, as well as Lloyds and Barclays are all unable to offer foreign exchange services, plus supermarkets like ASDA, Tesco and Sainsbury’s are in a similar situation.

Meanwhile credit reference agency Standard & Poor’s have downgraded Travelex to a negative rating. They’re citing the low margins of the business and if it would survive as a standalone business (they’re part of Finablr group.) Conversely, opinion in the FT suggests “Finablr badly needs to contain the damage from the Travelex hack. Undeniably, it has made a good start,” and stating that the group expects ‘no big financial impact.’ I find the latter hard to believe: we’re approaching two weeks of the outage, which is almost 4% of the year (sorry, it flies by, right?!) Manual processes or not that has to squeeze margins.

There’s a good analysis of share price impact of data breaches in Interesting Stats this week (see below.) So while Finablr’s share price ($FIN) is down over 25% from 30th December, it suggests 14 days is typically the lowest point and may rebound from this week.

It’s been a busy time for Sodinokibi ransomware. The group appears to be focussing on travel companies: Albany International Airport in New York was also victim to an attack on 30th December. They paid a ‘less-than-six-figure’ ransom and fired their IT outsourcer when it came to light they didn’t have any backups.

Lastly, a nod to a piece of research Szu Ho and others at the BAE Systems team produced in 2018 on the evolving threat to financial markets. Foreign exchanges were one area investigated, citing a ‘near-term’ threat, though the lens of stealing, rather than extorting, funds.

theguardian.com, bbc.co.uk, Sodinokibi: bleepingcomputer.com, symantec.com, bleepingcomputer.com, Pulse Secure: doublepulsar.com, Supply chain: bbc.co.uk, Credit/financial impact: standard.co.uk, ft.com, Albany airport: bleepingcomputer.com, BAE/SWIFT: baesystems.com

Interesting stats

7.27% average share price drop following a data breach… 1 month taken on average to rebound and ‘catch up’ to market performance, according to Comparitech (h/t @cgunnerinfosec) comparitech.com

2-3 days average length of time for a RDP brute force attack, as attackers slow down requests to avoid detection… 0.08% of attacks are ultimately successful, according to Microsoft zdnet.com

Other newsy bits

‘Hidden cost’ of ransomware

Sticking with ransomware… Brian Krebs has an interesting read following an outbreak at healthcare company Virtual Care Provider Inc. VCPI provides IT services to approximately 2,400 nursing homes in the United States. While investigating a follow-up piece on the remediation efforts he uncovered that VCPI were originally breached 14 months earlier and, during that period ‘wholesale password theft’ had taken place. Not just of the domain and system passwords needed to pivot around the network, but saved logins from web browsers and password managers on the infected endpoints. From an attacker’s perspective, these credentials are extremely useful for getting back into systems (where passwords are not reset, or passwords are reused) but also onwards potentially into other partners, suppliers or customer systems. krebsonsecurity.com

‘No security measures’ around Microsoft grading programme

New details from Alex Hern in The Guardian this week on Microsoft’s ‘grading’ programme for voice assistants Cortana and Skype phone service. Vice (vol. 2, iss. 31) originally broke the news that Amazon, Google, Apple and Microsoft had all been using humans to review voice assistant requests last year. Now it is emerging that contractors for Microsoft operated using personal equipment and using a “[username] following a simple schema and [password] being the same for every employee who joined in any given year.” theguardian.com

DSG Retail fined £500,000 for data breach

DSG Retail, the parent company of Curries PC World and Dixons Travel, has been fined the maximum penalty allowed under the Data Protection Act for failing to secure the data of 14 million people and 5.6 million payment cards. “These failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” said Steve Eckersley, ICO’s Director of Investigations. Attackers were able to compromise the point of sales systems over nine months from July 2017 to April 2018 (which is also why the penalty is not under GDPR.) ico.org.uk

Exploits released for Citrix vulnerabilities

You’ll want to keep a close eye if you run Citrix in your organisation as exploit code for vulnerabilities announced in December became available this week. It’s a nasty one, allowing ‘directory traversal’ by unauthenticated users (i.e. you can browse / download files from the remote system.) Citrix Application Delivery Controller (ADC) and Citrix Gateway, formerly both of the NetScaler family, are affected. Citrix has promised to patch the issue ‘by the end of the month’ and opted to suggest configuration changes for users in the meantime. zdnet.com

In brief

Threat intel

  • New Iranian data wiper malware hits Bapco, Bahrain’s national oil company zdnet.com
  • TrickBot developers have spun up a new backdoor for high-value targets cyberscoop.com
  • Mozilla says a new Firefox security bug is under active attack techcrunch.com

Security engineering

  • Only 9.27% of all npm developers use 2FA zdnet.com
  • PGP keys, software security, and much more threatened by new SHA1 exploit arstechnica.com

Internet of Things

  • BlackBerry integrates Cylance with QNX to create new security framework for connected cars zdnet.com

Law enforcement

  • UK man sentenced to prison for hacking and spying on victims through their webcams zdnet.com

Mergers, acquisitions and investments

  • Accenture to Acquire Symantec CSS esg-global.com
  • Mimecast has closed on a deal to acquire the digital threat protection firm Segasec scmagazine.com
  • Insight Partners acquires enterprise security firm Armis in $1.1 billion deal zdnet.com

And finally

IT Exec $6M fraud scheme unravelled by Word metadata

Hicham Kabbaj plead guilty to creating $6 million of fraudulent invoices for IT services over four years. In a bit of an ‘OPSEC’ blunder, some of the invoices were created using the same copy of Microsoft Word and so had his name as the author of the documents. Something that didn’t escape the eye of the IRS agent investigating the case. He faces up to 20 years in prison for wire fraud. bleepingcomputer.com