By Caitlin Ostroff and Anna Isaac 

A vulnerability at Travelex that was exploited by hackers to disrupt the money-exchange company existed at dozens of major U.S. companies and institutions, potentially leaving them open to similar breaches, according to cybersecurity firm Bad Packets.

Purdue Pharma LP, Revlon Inc. and Texas Instruments Inc. were among companies using Pulse Secure VPN to create secure remote logins for their staff, according to Troy Mursch, chief research officer at Bad Packets. A loophole in that tool can be, and has been, exploited by cybercriminals, Mr. Mursch said.

Bad Packets said many organizations hadn't addressed the weakness in their technology systems as of Friday, although a fix or patch was made available in April. Among those were a California utility company, a border-police force and an appellate court, Mr. Mursch said.

On Wednesday, a Revlon spokeswoman said the problem had been patched and there had been no unauthorized access to its internal networks. A representative for Texas Instruments said the firm became aware of the vulnerability last year and acted to secure its systems.

Purdue declined to comment.

A cybercrime group named after ransomware virus Sodinokibi attacked Travelex, with the company discovering the breach on New Year's Eve. The attack disrupted cash deliveries from its global network of vaults to international banks. Travelex, a division of U.K.-listed payments conglomerate Finablr PLC, hasn't yet restored many of those operations.

Sodinokibi, also called Sodin and REvil, used the glitch in Travelex's VPN system to gain access to a server in the Asia-Pacific region, according to a person with knowledge of the investigation into the matter.

Bad Packets reached out to Travelex in September to flag the vulnerability, but didn't receive a response, according to Mr. Mursch.

Bad Packets specializes in identifying hacking threats by monitoring malicious activity and alerting vulnerable companies. The Chicago-based firm has been cited as an authority on cybersecurity issues by both U.S. and U.K. government agencies.

A Travelex spokeswoman declined to comment on the specific vulnerabilities exploited in the attack and said the company would offer an update on progress in restoring its systems later this week. The company has acknowledged that Sodinokibi malware was used.

The vulnerability in the VPN tool allowed hackers without valid usernames or passwords to connect to a corporate network, turn off two-factor authentication and view logs and cached passwords.

The U.S.'s National Security Agency and the U.K.'s National Cyber Security Centre both issued warnings about the tool in October. The Department of Homeland Security reissued the warning in January after reports of recent attacks by Sodinokibi.

London's Metropolitan police said Wednesday that its criminal investigation into the Travelex attack was ongoing.

The NCSC, which is also investigating the incident, declined to comment.

Write to Caitlin Ostroff at caitlin.ostroff@wsj.com and Anna Isaac at anna.isaac@wsj.com

 

(END) Dow Jones Newswires

January 16, 2020 07:41 ET (12:41 GMT)

Copyright (c) 2020 Dow Jones & Company, Inc.