
Travelex recovering from ransomware, but more firms at risk of VPN exploit

Beleaguered foreign currency exchange company Travelex confirmed on Friday that the first of its U.K.-based customer-facing systems were back up and running after the New Year’s Eve discovery of Sodinokibi ransomware on its network prompted a shutdown of key systems.

Meanwhile, a worrisome report revealed that dozens of major U.S. organizations and businesses have also failed to patch the same Pulse Secure VPN server vulnerability through which Travelex was infected, even though a fix was issued in April 2019. Citing research from Bad Packets Report, the Wall Street Journal today named several of these potentially affected companies, including Purdue Pharma, Revlon and Texas Instruments.

Other companies included a California utility, a border-police force and an appellate court, said Troy Mursch, Bad Packets’ chief research officer, per the WSJ report.

“We have continued to make good progress with our technology recovery. Having already restored some of our internal and order processing systems, we have started to restore customer-facing systems, beginning with the in-store systems that process customer orders electronically. The first of these are now successfully live in the UK,” Travelex said in an online customer information hub it has set up. “We have decided to take a phased approach to ensure the integrity and security of our systems and therefore certain limitations will be in place as we move towards restoring full functionality across the entire Travelex estate.”

Since Dec. 31, affected Travelex locations have been processing transactions manually while digital and online services were taken offline to prevent further spread of the ransomware. “We have started restoring forex order processing electronically in our UK stores and in some of our UK retail partner locations, and we are also now starting our VAT refund service in UK airports. We are also making good progress on restoring our proprietary UK International Money Transfer Service, which will be available by the end of the month,” the company said.

“Our focus is to ensure the integrity and robustness of the network and therefore Travelex is bringing systems up in a controlled and secure manner,” said Tony D’Souza, CEO of Travelex, in a video on the customer hub site. While making these fixes, the company is also “enhancing and upgrading its systems in line with our longer-term technology strategy,” he said at another point in the video.

On Jan. 10, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that unsecured Pulse Secure VPN servers “continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability, known as CVE-2019-11510, can become compromised in an attack.”

“Although Pulse Secure disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510,” the alert continues. “CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
