Major Companies Shared Vulnerability Used in Travelex Cyberattack
16 January 2020 - 11:56PM
Dow Jones News
By Caitlin Ostroff and Anna Isaac
A vulnerability at Travelex that was exploited by hackers to
disrupt the money-exchange company existed at dozens of major U.S.
companies and institutions, potentially leaving them open to
similar breaches, according to cybersecurity firm Bad Packets.
Purdue Pharma LP, Revlon Inc. and Texas Instruments Inc. were
among companies using Pulse Secure VPN to create secure remote
logins for their staff, according to Troy Mursch, chief research
officer at Bad Packets. A loophole in that tool can be and has been
exploited by cybercriminals, Mr. Mursch said.
Bad Packets said many organizations hadn't addressed the
weakness in their technology systems as of Friday, although a fix
or patch was made available in April. Among those were a California
utility company, a border-police force and an appellate court, Mr.
Mursch said.
On Wednesday, a Revlon spokeswoman said the problem had been
patched and there had been no unauthorized access to its internal
networks. A representative for Texas Instruments said the firm
became aware of the vulnerability last year and acted to secure its
systems.
Purdue declined to comment.
A cybercrime group named after ransomware virus Sodinokibi
attacked Travelex, with the company discovering the breach on New
Year's Eve. The attack disrupted cash deliveries from its global
network of vaults to international banks. Travelex, a division of
U.K.-listed payments conglomerate Finablr PLC, hasn't yet restored
many of those operations.
Sodinokibi, also called Sodin and REvil, used the glitch in
Travelex's VPN system to gain access to a server in the
Asia-Pacific region, according to a person with knowledge of the
investigation into the matter.
Bad Packets reached out to Travelex in September to flag the
vulnerability, but didn't receive a response, according to Mr.
Mursch.
Bad Packets specializes in identifying hacking threats by
monitoring malicious activity and alerting vulnerable companies.
The Chicago-based firm has been cited as an authority on
cybersecurity issues by both U.S. and U.K. government agencies.
A Travelex spokeswoman declined to comment on the specific
vulnerabilities exploited in the attack and said the company would
offer an update on progress in restoring its systems later this
week. The company has acknowledged that Sodinokibi malware was
used.
The vulnerability in the VPN tool allowed hackers without valid
usernames or passwords to connect to a corporate network, turn off
two-factor authentication and view logs and cached passwords.
The U.S.'s National Security Agency and the U.K.'s National
Cyber Security Centre both issued warnings about the tool in
October. The Department of Homeland Security reissued the warning
in January after reports of recent attacks by Sodinokibi.
London's Metropolitan police said Wednesday that its criminal
investigation into the Travelex attack was ongoing.
The NCSC, which is also investigating the incident, declined to
comment.
Write to Caitlin Ostroff at caitlin.ostroff@wsj.com and Anna
Isaac at anna.isaac@wsj.com
(END) Dow Jones Newswires
January 16, 2020 07:41 ET (12:41 GMT)
Copyright (c) 2020 Dow Jones & Company, Inc.