Security News

Ransomware pounces on California schools, Las Vegas trounces attack
2020-01-10 10:43

First, the bad: over the holiday break, crooks who are so morally bankrupt that they target the organizations that serve children pounced on schools in the US city of Pittsburg, California. On Monday, the superintendent of Pittsburg Unified School District, Janet Schulze, put up a message about the ransomware attack on the district's Facebook page.

S2 Ep22: Word doc stops fraud, bye bye Python 2, latest from the ransomware swamp – Naked Security Podcast
2020-01-09 12:25

This week we discuss the IT exec who scammed his employer out of $6m with fake invoices and the death of Python. Peter also shares two of his latest investigations from the ransomware swamp.

Currency Exchange Travelex Held Hostage by Ransomware Attack
2020-01-08 18:18

A ransomware attack has held London-based foreign currency exchange firm Travelex hostage since at least New Year's Day, the company confirmed Tuesday after more than a week of vague updates. Travelex is a London-based foreign exchange firm that has over 1,000 stores and 1,000 ATMs in major transit points across 26 countries.

REvil ransomware exploiting VPN flaws made public last April
2020-01-08 12:39

Take this week's revelation by researcher Kevin Beaumont that serious vulnerabilities in Pulse Secure's Zero Trust business VPN system are being exploited to break into company networks to install the REvil ransomware. His evidence comprises anecdotal reports from victims mentioning unpatched Pulse Secure VPN systems being used as a way in by REvil.

Travelex extorted by ransomware gang, services still offline a week after the hit
2020-01-08 11:46

On the last day of 2019, foreign exchange company Travelex was hit by cyber attackers wielding the Sodinokibi ransomware. More than a week later, the company's websites and online services are still offline despite the company's remediation efforts.

The Six Million Dollar Scam: London cops probe Travelex cyber-ransacking amid reports of £m ransomware demand, wide-open VPN server holes
2020-01-08 06:03

More than a week after its website and online services were taken offline by malware, foreign currency super-exchange Travelex continues to battle through what has become an increasingly damaging outage that may have unpatched VPN servers at its heart. While the capital's cops declined to name a specific victim, a spokesperson told us: "On Thursday, 2 January the Met's Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Enquiries into the circumstances are ongoing."

That Pulse Secure VPN you're using to protect your data? Better get it patched – or it's going to be ransomware time
2020-01-07 22:04

Hackers are taking advantage of unpatched enterprise VPN setups, specifically a long-known bug in Pulse Secure's code, to spread ransomware and other nasties. British infosec specialist Kevin Beaumont says a severe hole in Pulse Secure's Zero Trust Remote Access VPN software is being used by miscreants as the entry point for inserting malware attacks.

Sodinokibi Ransomware Behind Travelex Fiasco: Report
2020-01-07 17:04

The Sodinokibi ransomware strain is apparently behind the New Year's Eve attack on foreign currency-exchange giant Travelex, which has left its customers and banking partners stranded without its services. The attack could have been successful in part because Travelex took several months to patch critical vulnerabilities in its Pulse Secure VPN servers, according to Bad Packets.

Patch or Perish: VPN Servers Hit by Ransomware Attackers
2020-01-07 12:48

On Saturday, Troy Mursch of Chicago-based threat intelligence firm Bad Packets reported that his internet scans have identified 3,825 Pulse Secure VPN servers that remain at risk because they have not been updated with a patch to fix a critical vulnerability, designated CVE-2019-1150. The patch for Pulse Secure VPN servers - as with critical patches for VPN servers built by Fortinet and Palo Alto that have also required updates to fix serious flaws since last year - has been available for months.

‘Maze’ ransomware threatens data exposure unless $6m ransom paid
2020-01-07 12:35

That ransomware attackers can steal as well as encrypt data isn't a new phenomenon but the possibility that sensitive data might be revealed to the world is potentially more damaging than any short-term disruption caused by the malware. To understand this defiance, consider other recent Maze incidents in which the Maze gang released samples of the stolen data to media, and set up a special website to publish it.