Travelex – A case for Oversight

On December 30th Travelex succumbed to a ransomware attack that has kept operations offline for weeks, costing millions in damage. The hackers used a relatively new vulnerability in Pulse Secure VPN to infiltrate the Travelex network – the very same vulnerability that Oversight (Monitoring Service) had reported to its affected client months earlier.

Thanks to Oversight’s short response time all our affected clients had been notified of the Pulse Secure VPN vulnerability within 24 hours of us detecting it. Details of every affected host were provided, along with our recommendation to immediately take each of them offline to apply patches. We made the severity of the threat clear, saying that it essentially bypassed any security measures they may have in place and that it left their network wide open to attackers. Our clients were able to act immediately with this alert, taking their hosts offline and applying relevant patches.

Travelex had reportedly patched the Pulse Secure vulnerability in November, months after we had reported it to our clients. This was curiously also over a month before the ransomware was activated. Activation of ransomware is often delayed as intelligent attackers will wait for an ideal opportunity to act in order to maximise the impact of their attack. Holiday periods are particularly prone as organisations are reduced to skeleton crews just to keep the wheels turning. The hackers claimed to have extracted at least 5GB of client data from the point of compromise, and it seems that Travelex had no idea this was happening until the ransomware struck. This may make them subject to a fine from the ICO with a maximum of 4% of their annual turnover.

The underlying threat was never the ransomware, but the vulnerability that allowed for hackers to infiltrate the network. Because of this it is important that organisations react quickly to these types of critical vulnerabilities which paint them as a target to hackers, something that Travelex failed to do.

Oversight customers had little to worry about however, as our technology was monitoring their externally facing infrastructure around the clock. If Travelex were enrolled to Oversight, then we would have detected the presence of vulnerable Pulse Secure VPN software running on their hosts. This would have prompted us to contact them with useful advice on what to do, how to do it, and details on the urgency of their situation. This quick turnaround would have massively reduced the timeframe for hackers to discover and compromise Travelex’s systems, which would have ultimately prevented the entire attack which has them held at a $6m ransom.

Oversight is a product developed in-house at Cyberfort that allows us to monitor an organisation’s external infrastructure for vulnerabilities. It provides 24/7 monitoring that allows us to immediately notify you if vulnerabilities are introduced, whether that is by changes in your configuration or newly developed attacks. The question is not whether you will become a target to attackers but when. Oversight’s purpose is to minimize the timeframe from when a vulnerability arises in your infrastructure to your security team responding to it.

As 2020 has begun so has a new in-house project; along with further development of Oversight we are beginning the construction of a Security Operations Centre (SOC). This will allow us to provide real-time internal infrastructure monitoring on top of the already existing external infrastructure monitoring. This will give our clients 360-degree coverage of every aspect of their network, 365 days a year. This product will be commercially available by Q4 2020.

At Cyberfort we employ first-class CHECK & CREST accredited penetration testers. These employees, in combination with an industry leading QA process, ensure that we perform tests and produce reports that consistently impress our clients, and that further the expectations of the cyber security industry.