by Jeff Giroux
Posted on December 20, 2023
As member-owned, not-for-profit financial institutions which are generally much smaller than commercial banks, credit unions tend to be extremely popular among their members.
In 2023, however, more than ever before, credit unions became unfortunately popular among threat actors as well. Even before the late-in-the-year huge spike in ransomware attacks (more about these below), 2023 was shaping up to be a tough year.
In late May, at least 18 credit unions – and likely more – were infiltrated by the Cl0p ransomware group in a supply-chain attack that exploited a vulnerability in the MOVEit file transfer tool. Third-party vendors serving the credit union industry, including CU*Answers and Sovos, were also affected by the vulnerability, multiplying the impact on credit unions and their members. Credit union members whose personal information was exposed in the breach have filed numerous lawsuits against their own credit unions as well as against Progress Software, which owns MOVEit, as a result of the breach.
A July 2023 Sophos report indicates that the financial industry at large has been experiencing accelerating rates of ransomware attacks, increasing from 34% of financial service organizations surveyed in 2021 to 55% in 2022 and 64% in 2023.
Vulnerabilities – such as the CVE-2023-34362 SQLi-to-RCE flaw exploited in the MOVEit attacks – were responsible for 40% of the attacks, with malicious emails and phishing accounting for another 32%. Among the financial institutions that experienced ransomware attacks, over 80% reported that their data was encrypted. In 20% of cases, it was stolen as well. Over 43% of financial service organizations paid ransom to recover encrypted data, down from 52% the previous year. Most organizations used back-ups to restore data, either in addition to paying ransom or instead.
In late November, just a few months after the Sophos report appeared, the cybersecurity scene for credit unions took a more negative turn. A ransomware attack on Ongoing Operations, a business continuity service provider owned by Trellance, wreaked havoc with over 60 credit unions, shutting down their data processing systems and online and mobile banking services. FedComp, another Trellance-owned company, was attacked as well. As in the MOVEit attack, threat actors exploited an unpatched vulnerability, which triggered an industry-wide supply chain attack.
In this case, the ransomware gangs exploited Ongoing Operations’ NetScaler ADC and NetScaler Gateway products with unpatched CitrixBleed vulnerabilities (CVE-2023-4966). The vulnerability, which allows threat actors to bypass multifactor authentication (MFA) through use of stolen session tokens, is particularly attractive to threat actors for two reasons. First, it is easy to exploit, which means that even amateur extortionists can get in on the action; this seems to be happening with CitrixBleed, since most attacks have not been claimed by known groups. Second, exploitation is not logged, so discovery is delayed and threat actors have plenty of time to establish persistence and find the data they want.
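Because the token theft itself leaves no log entry, what a defender can still look for is the stolen session being used afterwards from an address the legitimate user never logged in from. The following Python check is an added example, not part of the original post, and it runs over constructed gateway access-log lines whose format is assumed here rather than being NetScaler's real log format:

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real NetScaler output; the format is assumed).
# Fields: timestamp, source IP, session token, user, request.
SAMPLE_LOG = """\
2023-11-26T08:00:01Z 203.0.113.10 sess=a1b2c3d4 user=alice GET /vpn/index.html
2023-11-26T08:05:12Z 203.0.113.10 sess=a1b2c3d4 user=alice GET /cgi/portal
2023-11-26T08:07:45Z 198.51.100.7 sess=a1b2c3d4 user=alice GET /cgi/portal
2023-11-26T08:09:02Z 198.51.100.7 sess=a1b2c3d4 user=alice GET /admin/config
2023-11-26T09:00:00Z 192.0.2.25 sess=e5f6a7b8 user=bob GET /vpn/index.html
2023-11-26T09:02:30Z 192.0.2.25 sess=e5f6a7b8 user=bob GET /cgi/portal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) user=(?P<user>\S+) (?P<req>.+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_shared_sessions(events):
    """Return {token: {"user": ..., "ips": [...]}} for every session token seen from
    more than one source address. A valid, MFA-backed token suddenly appearing from a
    second address is the footprint a hijacked session leaves once it is reused."""
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for e in events:
        ips_by_session[e["sess"]].add(e["ip"])
        user_by_session.setdefault(e["sess"], e["user"])
    return {
        s: {"user": user_by_session[s], "ips": sorted(ips)}
        for s, ips in ips_by_session.items()
        if len(ips) > 1
    }


def report(text):
    """Parse and flag in one call; returns the same mapping as find_shared_sessions."""
    return find_shared_sessions(parse_log(text))


if __name__ == "__main__":
    for sess, info in report(SAMPLE_LOG).items():
        print(f"session {sess} ({info['user']}) used from {', '.join(info['ips'])}")
```

The same grouping works on any log that records a session identifier and a source address; pairing it with a post-patch termination of all existing sessions removes the tokens the check is hunting for.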
A few points about this attack are particularly notable. First, beyond the irony that Ongoing Operations provides information security and business continuity services along with other offerings, is the fact that an attack on a single link in the supply chain can take down tens – perhaps hundreds – of credit unions, impacting millions of end users.
Also noteworthy is the fact that Citrix issued a patch for the CitrixBleed vulnerability in early October – over a month before Ongoing Operations was attacked. Despite widespread coverage of the CitrixBleed flaw, including the fact that it had been widely exploited in the wild since August, Ongoing Operations had not updated their NetScaler products since May 2023.
Ongoing Operations was not alone in neglecting to quickly apply patches. Fidelity National Financial, Sprout IT, HTC Global Services and many more companies have also fallen victim to ransomware attacks that exploited CitrixBleed via unpatched NetScaler products. Many additional organizations that have not publicly acknowledged being attacked appeared briefly on ransomware group portals and then disappeared, presumably after paying ransom.
Shortly before these most recent attacks, the National Credit Union Administration (NCUA) instituted a cybersecurity incident reporting rule. In October 2023, the first month the rule was in effect, 146 incidents were reported, roughly the same number that were reported in the entire year before the rule went into effect. Over 60% of these incidents involved third-party technology service providers and credit union service organizations (CUSOs).
For many years, the NCUA has been lobbying for the US Congress to update the Federal Credit Union Act to grant it regulatory authority to examine and certify third-party service providers. While fintech software and third-party service providers serving the banking industry are required to comply with numerous regulations across multiple jurisdictions, businesses providing software solutions and third-party services to credit unions face no similar requirements.
Patching is the “eat your peas” of cybersecurity. Everyone knows that it is essential – perhaps the most basic and important way to protect organizations from cyberattack. But in truth, numerous factors get in the way, ranging from the siloed nature of many businesses’ cybersecurity departments to understaffed, overworked IT teams. Regulation can help, but even regulated organizations fall victim to zero-day cyberattacks.
Today, financial services are delivered to customers almost exclusively via web applications. There is virtually no aspect of work in the sector that does not take place online. Ericom Zero Trust Network Access (ZTNA) is a more secure option for remotely accessing essential applications than using Netscaler VPN mode, even when patches have been properly applied.
For cases in which employees or third-party contractors access applications from unmanaged devices – and internal web applications, in particular – Ericom Web Application Isolation (WAI) helps protect against even zero-day exploits by cloaking application surfaces from the view of threat actors probing for vulnerabilities. Critically, WAI is a clientless, centrally managed solution, so already stretched IT teams need not oversee software installation on private devices.
To protect credit unions and other financial service organizations from the phishing attacks and internet-delivered malware that are the initial cause of 32% of cyberattacks on financial industry organizations, Ericom Web Isolation opens website content in virtual browsers located in the cloud. Users interact only with safe-rendering data that is sent to their browser of choice, where the experience is indistinguishable from native browsing. Yet any malware on websites or activated by links within emails remains isolated in the cloud and is destroyed when the user stops browsing. Unknown sites are opened in read-only mode to prevent credential theft. And attachments are sanitized in the cloud with content disarm and reconstruction (CDR) before being downloaded to endpoints.
As amply demonstrated by recent events, credit unions are attractive targets for threat actors since they hold both valuable member data and funds but—presumably—have leaner IT teams and are thus less well-secured than larger, richer commercial banks. In addition, multiple organizations can be attacked via a number of easily identified and, crucially, unregulated suppliers.
Contact us today to learn how isolation-based Ericom solutions can prevent ransomware attacks, phishing and supply chain attacks from impacting your members’ financial well-being and your organization’s hard-earned reputation.