Virus-Crippled Travelex Was Running Windows 8, RDP Connected to Internet – Computer Business Review


Users left stranded with no access to FX

Three days after foreign exchange provider Travelex pulled its systems offline on discovering a software virus on New Year's Eve, the company's UK website remains unavailable, and partners including Barclays have been unable to offer online currency services through Travelex, which provides them with FX services.

Security experts say the company, which is FCA regulated and was running a payment platform on AWS, appears to have shown signs of poor network segmentation.

As Drew Perry, CEO of security firm Tiberium, noted to Computer Business Review: "Its digital transformation appears to have only covered its http://travelex.com estate (hosted on AWS using CloudFront), while its UK domain remains down and is hosted on its own BT-provided IP, so this server must be linked to internal infrastructure."

Travelex appears to have recently created https://response.travelex.co.uk, with its UK site still returning an IIS error page; even the company's investor relations pages remain offline.

Security researcher Kevin Beaumont meanwhile noticed that Travelex's AWS platform had Windows servers with "RDP enabled to internet and NLA [Network Level Authentication] disabled, oops".
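Beaumont's observation is checkable from outside, without credentials: the first packet an RDP client sends (an X.224 Connection Request carrying an RDP_NEG_REQ) lists the security protocols it supports, and a server configured to require NLA refuses a client that does not offer CredSSP with the negotiation failure code HYBRID_REQUIRED_BY_SERVER. A server with NLA disabled instead accepts plain TLS (or, on very old builds, legacy Standard RDP Security) and exposes its logon screen to anyone who can reach port 3389. The script below is an added example written for this article, not code from Travelex, Computer Business Review or the researchers quoted; it builds that request, parses the server's Connection Confirm and classifies the answer. The sample replies are constructed byte strings so the parser runs offline, and the hostname in the probe call is hypothetical.

```python
"""Probe an RDP listener to tell "NLA required" from "TLS only" from legacy RDP security.

Added example for this article (not Travelex's or CBR's code). Packet builder and
parser run offline against constructed byte strings; probe_rdp() needs a live host.
"""
import socket
import struct

# RDP_NEG_REQ.requestedProtocols flags (MS-RDPBCGR)
PROTOCOL_RDP = 0x00000000     # Standard RDP Security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001     # TLS, but credentials are typed on the logon screen
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type 0x01, flags, length (always 8), requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: LI counts the bytes after itself; 0xE0 = Connection Request
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length including this 4-byte header
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Parse the server's X.224 Connection Confirm plus any RDP_NEG_RSP / RDP_NEG_FAILURE."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 packet")
    (tpkt_len,) = struct.unpack("!H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length mismatch")
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:]  # after LI, CC code, DST-REF, SRC-REF, CLASS
    if not body:
        # Pre-Vista servers answer with no negotiation structure: Standard RDP Security only
        return {"type": "none", "selected_protocol": PROTOCOL_RDP}
    if len(body) < 8:
        raise ValueError("truncated negotiation structure")
    neg_type, flags, _length, value = struct.unpack("<BBHI", body[:8])
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"type": "response", "selected_protocol": value, "flags": flags}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, hex(value))}
    raise ValueError(f"unknown negotiation structure type {neg_type:#x}")


def classify(result: dict) -> str:
    """Verdict for a probe that offered PROTOCOL_SSL only (deliberately no CredSSP)."""
    if result["type"] == "failure":
        if result["failure_code"] == 0x05:
            return "NLA required"  # server will not proceed without CredSSP
        return "negotiation failed: " + result["failure_name"]
    selected = result["selected_protocol"]
    if selected & PROTOCOL_HYBRID:
        return "NLA selected"
    if selected & PROTOCOL_SSL:
        return "TLS only, NLA disabled"  # logon screen reachable before authentication
    return "Standard RDP Security, no TLS and no NLA"


def probe_rdp(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Connect, offer TLS without CredSSP, and classify the server's reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL))
        data = sock.recv(1024)
    return classify(parse_connection_confirm(data))


# Constructed server replies, so the logic can be exercised without a live RDP host.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_TLS_ONLY = bytes.fromhex("030000130ed000001234000200080001000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    for name, pkt in [("nla", SAMPLE_NLA_REQUIRED), ("tls", SAMPLE_TLS_ONLY), ("legacy", SAMPLE_LEGACY)]:
        print(name, "->", classify(parse_connection_confirm(pkt)))
    # probe_rdp("rdp.example.internal")  # hypothetical host; requires network access
```

A verdict of "TLS only, NLA disabled" on an internet-facing address is the condition Beaumont describes. The server-side fix is to require NLA (the `UserAuthentication` value set to 1 under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`, with `SecurityLayer` at 2 for TLS), but NLA only raises the bar for pre-authentication attacks; it is not a substitute for taking port 3389 off the internet and putting RDP behind a VPN or gateway.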

Travelex also appears to have been running Windows Server 2008, ageing software whose security support ends on January 14. Insiders told Computer Business Review that it was a ransomware attack and said they understood it to be the Sodinokibi variant, although they were unable to confirm this.

One staffer told us: "Global Travelex sites are offline (excluding those operated by partners, South Africa, Brazil). Services also offline include partners who white-label the service, including Barclays, HSBC, First Direct, Tesco, ASDA, Sainsbury's, Virgin Money, NatWest, RBS, Manchester Airport and Heathrow."

They added: "Oddly, their dev centre site reports no service issues, probably not a priority. Right now, there's little else to tell as staff are kept in the dark."

The company is the world's largest foreign exchange specialist, with almost 800 retail branches in more than 26 countries. It is owned by India's Finablr, an LSE-listed financial services company that owns a range of payments and FX brands.

Many customers reliant on Travelex's cards have meanwhile been left stranded overseas without access to foreign currency.

Security experts say such attacks increasingly come at the end, rather than the beginning, of a targeted intrusion: the ransomware payload is triggered only after the attackers have surveyed the network and, in some instances, exfiltrated data.

Travelex provided few details about the incident, saying only that the unnamed virus had "compromised some of its services". It added: "As a precautionary measure in order to protect data and prevent the spread of the virus, we immediately took all of our systems offline," and said it believes no customer data has been stolen.

Customers took to social media to castigate the company for its response. One, Matt Bartlett, said he had been stuck in Canada for four days as a result.

The incident comes less than 24 months after Travelex leaked the details of nearly 17,000 Tesco Bank customers. (Travelex provides Tesco Bank's FX services.)

Recent ransomware strains are increasingly sophisticated: some bypass Windows protections by immediately rebooting the computer into Safe Mode and encrypting from there, where endpoint protection software doesn't run.

As Aron Brand, CTO at Israel's CTERA, told Computer Business Review last week, robustly protected backups are an essential prerequisite for rapid recovery after a ransomware attack.

He said: "Make sure all of your data is reliably backed up and physically separated from the main dataset, with backup versions in a read-only repository. In the event of an attack, you can roll back to an uninfected file version and be up and running quickly."

He added: "If your data is outside your firewall, it must be encrypted. Keys should be generated and managed internally by trusted individuals, separate from any third-party service, to ensure total data privacy."

Updated 23:00 January 4, 2020: corrects Travelex owner to Finablr.

Banner image credit: Tejvan Pettinger, Creative Commons 2.0, Flickr.

