Security News for the Week Ending January 10, 2020
Albany Int’l Airport Hit By Ransomware via MSP
In what is becoming an all too common story, the Managed Service Provider that supported Albany, NY’s airport, Logical Net of Schenectady, NY, was hacked and from there, the hackers were able to connect to the airports administrative network and infect it with REvil ransomware, the same ransomware that hit Travelex (see below). I say supported because after the airport paid the under 6 figure ransom (? $99,000), they fired the MSP. The ransomware encrypted the airport’s backups in addition to the live data. Given that we are hearing about these attacks against outsourced service providers almost weekly, customers need to start putting pressure on these providers to improve their security. Source: Bleeping Computer
Cyber Attack Events From Iran Nearly Tripled
Soon after the attack that killed General Soleimani, attacks originating from Iran were up 50% and grew from there. Cloudflare says that for their little piece of the world Internet, there were a half billion attack attempts in a 48 hour period. Source: MSN
Info on 56 Million U.S. Residents Sits Exposed – On a Server in China
This does not appear to be a hack. 22 gigabytes of data on 56 million U.S. residents is sitting exposed on a server in China. The data appears to belong to CheckPeople.com, one of those for a fee information sites; It is hosted on a web farm run by the Chinese giant Alibaba. While this data is not super valuable, it could be useful for any number of foreign adversaries because of the volume and that whoever created it did all of the work of aggregating and organizing it. Did CheckPeople license it to the Chinese? Or did the Chinese steal it? Or does CheckPeople use servers in China? If so, that is something we should stop. Source: The Register
Travelex Woes Continues
NOTE: I am providing a bit of a blow by blow of the Travelex attack because it is a useful learning lesson for everyone on what to do, what not to do and how to communicate about it. We usually don’t get as much direct information about these attacks are as are seeing here, even though most of the information is NOT coming from Travelex.
This has got to be one of the worst incident response examples I have seen since, say Equifax. Really, really bad and getting worse by the day. They said this won’t have a material effect on their business, but that is hard to believe.
FRIDAY January 10, 2020
As of Friday night, Travelex’s website is still down.
Given the size of the organization, it is surprising that 10 days into the ransomware attack, the company is still offline.
According to Bleeping Computer, the hackers originally demanded $3 million not to sell Travelex’s data but have now upped the number to $6 million.
While Travelex’s public position is that no “structured” personal data has been stolen, the hackers say that Travelex is negotiating a price with them.
Hackers behind the REvil ransomware say, on a Russian hacker forum, that if Travelex does not pay the ransom, they will sell the data on the black market.
As we watch this dumpster fire of an attack from a distance, one of the many lessons to learn is about alternate providers. Travelex provides services to a number of banks such as Barklays, Lloyds and Westpac. Those banks have had to shut down currency services to their customers.
As part of your disaster recovery and business continuity plan, you need to consider the impact on YOUR business not only if you are hit by a ransomware attack but what if one of your key providers is taken offline for a week or two or more from an attack.
In this case, the banks have had to refund customer orders and customers have gone to competing banks for their currency needs, possibly never coming back.
THURSDAY January 9, 2020
The NY Times is reporting that the hackers claim to have uploaded 5 gigabytes of “sensitive customer information” and have been in Travelex for 6 months. They say that if Travelex doesn’t pay them $6 million by January 14th, they will publish the data (AKA Ransomware 2.0). Their web site is still down. Banks like Barclays and Royal Bank of Scotland that use Travelex as their foreign currency provider are also still down.
WEDNESDAY January 8, 2020
Travelex finally admitted they were hit by the REvil ransomware. London’s Met (Metropolitan Police) said that their elite cyber team was not contacted until January 2, 3 days after the attack.
They are also saying that there is no EVIDENCE that STRUCTURED personal customer data has been encrypted. I am not quite sure how to read between those lines.
They also say that, 9 days into the attack, they still don’t have a complete picture of all the data that was encrypted.
Their web site is still down, although there is a new press release on it, updated from the old one.
Finally, they say that they don’t currently anticipate any material financial impact from the breach. (British Airways was fined $230 million for their breach – not counting lawsuits, remediation, etc. Not sure what they are thinking).
TUESDAY January 7, 2020
The Travelex web site still shows the message that says they were hit by malware with no explanation and no expected up time.
MONDAY, January 6, 2020
I wrote in Last weekend’s newsletter that Travelex, who had an IT incident (likely ransomware, but unconfirmed), seemed to have recovered by last Sunday night. At least their web site was back up. It turns out that I spoke too soon and as of Monday, their website is still/again down.
Still being tight-lipped about things, information is leaking out around the edges – something that businesses would be well advised to understand. They cannot keep these things under wraps.
What we do know is that booths at airports are still operating, although they are doing it with a pen and a pocket calculator.
Travelex says that they don’t know when things will be back online. I assume this means that people who took Travelex’s advice and put their money in a Travelex cash card still do not have access to their money. This is the perfect stuff for lawsuits – actual harm.
The Register is reporting that Travelex had/has public facing Windows servers with Remote Desktop Protocol (RDP) enabled with no network authentication. This is kind of like playing Russian Roulette with 5 live bullets – not recommended.
The servers are running Windows Server 2008 R2, which will be officially unsupported on January 15th – just a few days from now. The servers are also running .Net 4.0.30319, which is also “rather old”.
I am sure that regulators on both sides of the Atlantic will be asking some uncomfortable questions. This may also be a GDPR violation.
Stay tuned for details. Source: The Register
Computer Weekly says the attack is ransomware, specifically the REvil Ransomware and the bad guys are asking $3 million for the decryption key. They are also saying that Travelex waited 8 months to patch a critical flaw in Pulse VPN servers. Source: Computer Weekly.