Cyber Defence Report - January 2020

Happy New Year! 

New year, new me… I’m sure by now many of you have set your New Year’s resolutions, whether it is to get fit, read more books, or eat less. One of my resolutions is to make this report more interesting by not talking about patching, passwords or phishing. 😊

Well guess what? Just like your resolutions I am going to break mine in January!

In the early hours of the morning on 31 December 2019, the foreign exchange company Travelex shut down all their systems due to a ransomware attack. At the time of writing this report, 6 days later, their systems are still offline.

The ransomware has been identified as Sodinokibi (more on this ransomware later). Travelex, owned by the Abu Dhabi financial services group Finablr, has declared that it has fallen victim to one of the most sophisticated cyber extortion rackets. You will see the word “sophisticated” used a lot in these types of attacks, and while the group responsible for Sodinokibi is undoubtedly sophisticated, the way the group gains a foothold in an organisation is not always that … it has been identified that Travelex had failed to patch (sorry) a critical vulnerability in their Pulse Secure VPN.

Security researchers reported that Pulse Secure VPN services contained bugs that could allow people to gain covert access to a company’s network, prompting Pulse Secure to issue an advisory notice and software patches to correct the problem in April 2019.

On 13 September, the security company Bad Packets sent emails to thousands of companies running vulnerable Pulse Secure VPN services, after identifying that hackers were attempting to exploit these vulnerabilities.

Bad Packets warned Travelex that it had 7 unpatched Pulse Secure VPN servers in Australia, the Netherlands, the UK and the US, with vulnerabilities that could allow attackers to access its networks.

Analysis by Bad Packets shows that Travelex did not patch the servers until early November 2019, leaving a critical window in which the servers were vulnerable to attack. It is highly likely that the Sodinokibi gang had gained persistence on the network, cracked weak passwords, and then moved laterally across the network.

According to researchers at McAfee Labs, cyber attackers use a variety of techniques to plant Sodinokibi on targeted computer networks. These include targeted phishing email attacks and exploit kits – compromised websites used to spread malware.

There you go: all three New Year’s resolutions broken in my first report! 😊

In other ransomware news, earlier this week it was revealed that the US Coast Guard was hit by a ransomware infection. According to a security bulletin posted by the agency before Christmas, the malware was identified as Ryuk, and it affected an unnamed port for more than 30 hours. It’s believed the point of entry was a phishing email containing a malicious link. Ryuk was first seen in August 2018 and has been responsible for multiple attacks around the world. It is a targeted ransomware, where demands are set according to the victim’s perceived ability to pay.

In both these cases the ransom demands have been well over 6 figures, and according to security researcher Rik Van Duijn, the Sodinokibi group have had a strong start to the year, demanding a total of over £10 million since 1 January. Someone’s in for a nice bonus.

Unfortunately, ransomware is here to stay, so make sure your systems are patched, your passwords are strong, and you buy the most advanced email filter you can to prevent phishing. I promise that is the last time I mention the 3 Ps until February. 😊

Stay safe,
Paul Colwell, Technical Director