The year started with a devastating ransomware attack on Travelex, and experts warn that potentially worse cyber threats may be stalking the financial services industry.
The foreign exchange company was hit by the ransomware demand on either Dec. 30 or 31, and had to take its U.K. money transfer and wire service offline for almost a month as a result. A cybercrime gang calling itself "Sodinokibi" threatened to sell Travelex customers' data on the dark web, a part of the internet not indexed by conventional search engines and that requires specific software and applications to access — and which is heavily used by criminals due to the anonymity it offers. Shares in Travelex parent company Finablr PLC have more than halved in value since the attack, trading at approximately £78 per share on Feb. 10, down from about £170 on Jan. 2.
To make matters worse, some financial services companies are leaving the door open for hackers by failing to apply available updates to their security software — a mistake that appears to have played a role in the Travelex attack, and which could lead to similar attacks in future, according to experts.
Cyber experts also believe that the Travelex attack is unlikely to be an isolated incident. Cyber gangs will have their sights trained on financial services companies, and their methods are becoming increasingly sophisticated — and dangerous.
The way that the likes of Sodinokibi operate is changing, and it is making them more effective, said Raj Samani, chief scientist at McAfee.
"They run an affiliate model. The gang develops the ransomware and then recruits a network of 'subcontractors' who use their software to infect companies," Samani said in an interview.
New recruits will typically be given instructions, access to a dashboard, and even performance goals, he said.
Samani describes this approach, which means that individuals with a relatively low level of technical skill can do a cyber gang's heavy lifting for them, as "ransomware-as-a-service."
The model was pioneered by the now-defunct ransomware gang named "GandCrab" that also operated through a network of contractors, he said. The gang appears to have disbanded after European law enforcement authorities developed a decryption tool that rendered its ransomware useless.
It is not known whether Sodinokibi affiliates will target financial institutions specifically in future, but one thing is certain from the Travelex incident: they possess the necessary skills to hack one if they wanted to, Samani said.
Invasion of the body snatchers
Gangs such as Sodinokibi maximize damage by playing a long game, said Samani. Once they have breached a company's defense, they will not act immediately, but will "sit inside" and learn about their victim's business.
Historically, if you got an infection from a cyber gang, you'd know about it straight away, he said.
But the Sodinokibi gang claimed that it had broken into Travelex's systems six months before making its $6 million ransom demand, during which time it downloaded and encrypted 5GB of customer data.
Becky Pinkard, chief information security officer at Aldermore, a British challenger bank, sees the same pattern.
"Attackers are working to gain footholds in banks and then attempting to remain inside for longer periods of time and hopefully unnoticed, in order to explore, seize and egress large quantities of critical and sensitive bank information," she said in an email.
Banks reported some 19 ransomware attacks to the U.K. Financial Conduct Authority in 2018, according to data obtained via a Freedom of Information request by tax and consultancy firm RSM. The FCA did not release details about which banks had been affected.
A breeding ground for vulnerabilities
Open Banking, U.K. regulation that came into effect in January 2018 aimed at breaking up the monopoly of a small number of large players in retail banking, could have unintended consequences, according to Pinkard.
It allows third parties such as financial technology companies to plug into customer account data held by banks. This exchange takes place via application programming interfaces, a piece of technology that acts as an information "middleman."
The problem is that a more open banking system creates new entry points for hackers.
"As customer demands continue to drive banks to pursue open-banking offerings, we'll see cyber attackers focus on the connectivity points between traditional banking systems and their fintech counterparts. The pace of change, coupled with technical complexity, creates a ripe breeding ground for vulnerabilities in any organization," Pinkard said.
Another potential weak spot in banks' armor is their virtual private network, or VPN, software, which is typically used to allow remote employees to log on to their systems securely.
The Sodinokibi gang appears to have accessed Travelex's systems through a bug in the company's VPN, Bad Packets, a Chicago-based cyber security firm, told S&P Global Market Intelligence.
Pulse Connect Secure VPN, the software in question, had a glitch that meant hackers could potentially get past users' defenses. Pulse put out a patch to correct the defect in April last year, but a number of companies did not apply it — Travelex included, according to Bad Packets.
Bugs in VPN software are an increasingly regular occurrence, and organizations often do not apply available fixes in time, according to Troy Mursch, chief research officer at Bad Packets.
Cyber criminals are aware of the opportunity this presents, and scan for such vulnerabilities, he said in an email.
A case in point is a recent flaw in security software provided by Citrix Systems Inc., which Citrix itself acknowledged in December 2019. This vulnerability, named CVE-2019-19781, affected clients in various industries, notably in banking and financial services, and "numerous" Fortune 500 companies, according to Mursch. Citrix provided users with steps that they could take to mitigate risks, but did not come up with an actual patch until Jan. 19, according to Citrix's website.
During this time, companies would have been vulnerable to a Travelex-style hack, Mursch said, adding that Bad Packets was aware of an uptick in opportunistic "mass scanning" activity by cyber criminals specifically targeting Citrix VPNs.