Unpatched Pulse Secure VPN Makes Travelex Latest Victim of “REvil” Ransomware

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
In April of 2019, Pulse Secure issued an urgent patch to a vulnerability in its popular corporate VPN software—a vulnerability that not only allowed remote attackers to gain access without a username or password but also to turn off multi-factor authentication and view logs, usernames, and passwords cached by the VPN server in plain text. Now, a cybercriminal group is using that vulnerability to target and infiltrate victims, steal data, and plant ransomware.

Travelex, the foreign currency exchange and travel insurance company, appears to be the latest victim of the group. On New Year's Eve, the company was hit by Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and said they want Travelex to pay $6m (£4.6m). They also claimed to have had access to Travelex's network for six months and to have extracted five gigabytes of customer data—including dates of birth, credit card information, and other personally identifiable information. "In the case of payment, we will delete and will not use that [data]base and restore them the entire network," the individual claiming to be part of the Sodinokibi operation told the BBC. "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base."

Security researcher Kevin Beaumont found that Travelex had seven unpatched Pulse Secure servers. An exploit for the vulnerability has been available on Internet bulletin boards since August of 2019.
The Sodinokibi/REvil ransomware campaign emerged last spring. It was first identified by Cisco Talos in April of 2019 in an attack that exploited an Oracle WebLogic server vulnerability. The ransomware itself exploits a vulnerability in Windows' Win32k component that allows elevation of its privileges, allowing it to kill a list of processes that could keep it from encrypting files, wipe the contents of some folders, and encrypt the contents of others—including network shares. The malware also sends back basic information about the infected system. But REvil does not itself have any means of self-propagation. Instead, the attackers have used various methods of access to install and launch the malware with increasing levels of sophistication, including spam campaigns, attacks on Remote Desktop Protocol services, and in several cases the exploitation of managed service providers, to attack their customers.

Based on data from the Shodan security search engine, there are still over a thousand vulnerable Pulse Secure servers being operated by organizations in the US.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top