Ransomware operators took down 60 credit unions across the US after hacking their services provider – a classic supply chain attack.
National Credit Union Administration (NCUA) spokesperson Joseph Adamoli said the ransomware attack targeted the cloud services provider Ongoing Operations, a company owned by credit union technology firm Trellance.
Adamoli said the NCUA, which regulates credit unions at the federal level, received incident reports indicating that several credit unions were sent a message from Ongoing Operations saying the company was hit with ransomware on November 26.
“On November 26, 2023, we were victimized by a sophisticated ransomware attack,” the company told its customers in a letter.
“Upon discovery, we took immediate action to address and investigate the incident, which included engaging third-party specialists to assist with determining the nature and scope of the event. We also notified federal law enforcement.”
“At this time, our investigation is currently ongoing, and we will continue to provide updates as necessary,” the statement continues. “Please know that at this time, we have no evidence of any misuse of information, and we are providing notice in an abundance of caution to ensure awareness of this event.”
Credit unions across the US – many of which are experiencing ongoing downtime days after the attack – are notifying their clients and partners of the incident.
It's important to underline that it was not the credit unions themselves that fell victim to a ransomware attack. This was a supply-chain attack targeted at a company that provides services to many credit unions.
When a provider that many organizations share suffers a breach as disruptive as a ransomware attack, the impact cascades downstream: every company that depends on that one provider is affected, and through them many more customers.
Insight Into the Attack
The ransomware attack appears to be linked to a critical and widely exploited vulnerability in Citrix networking products, CVE-2023-4966, also dubbed CitrixBleed, according to cybersecurity researcher Kevin Beaumont. The flaw lets an unauthenticated attacker read memory from an internet-exposed NetScaler ADC or NetScaler Gateway appliance and recover valid session tokens, which can then be replayed to bypass authentication, including multi-factor authentication.
“Ongoing Operations’ two Netscaler devices remain offline. This is disrupting operations in a way which impacts millions of Americans,” Beaumont said in a Sunday blog post. Ongoing Operations last modified its Citrix Netscaler application delivery controller on May 12, according to logs posted by Beaumont.
The same vulnerability has been linked to recent ransomware attacks against Boeing and Fidelity National Financial. Following multiple compromises, in early November the Cybersecurity and Infrastructure Security Agency urged organizations to apply the patch, hunt for signs of malicious activity, and report any they find. Because the bug leaks session tokens rather than credentials, patching alone does not evict an attacker who already holds a stolen token; Citrix and CISA also advised terminating all active and persistent sessions on the appliance after updating.
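The "last modified on May 12" detail above is the kind of signal a defender can check without touching the appliance: a NetScaler's login page returns a Last-Modified header that moves when the firmware is updated, so a timestamp earlier than the day Citrix shipped the CitrixBleed fix (October 10, 2023, per the Citrix advisory; verify against the bulletin for your branch) suggests an unpatched build. The script below is an added example written for this article, not code from Beaumont, Citrix or Ongoing Operations; the HTTP responses it parses are constructed for illustration and do not come from any real host.

```python
"""
Date a Citrix NetScaler ADC / Gateway from the Last-Modified header on its
login page and flag builds that appear to predate the CVE-2023-4966 fix.

Added example for this article (not vendor or researcher code). Assumptions:
 - the appliance serves /vpn/index.html with a Last-Modified header that
   changes when firmware is upgraded (a heuristic, not a version string);
 - Citrix published fixed builds on 2023-10-10 (check the advisory).
The responses in SAMPLE_RESPONSES are constructed, not captured.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Day Citrix released fixed builds for CVE-2023-4966 (assumed; see advisory).
CITRIXBLEED_FIX_DATE = datetime(2023, 10, 10, tzinfo=timezone.utc)

# Constructed raw HTTP responses, as a scanner would see them on /vpn/index.html.
SAMPLE_RESPONSES: Dict[str, str] = {
    # Firmware last touched in May: built before the fix existed.
    "netscaler-a": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Last-Modified: Fri, 12 May 2023 20:23:08 GMT\r\n"
        "Content-Type: text/html\r\n"
        "\r\n<html>login</html>"
    ),
    # Firmware dated the day the fix shipped: consistent with a patched build.
    "netscaler-b": (
        "HTTP/1.1 200 OK\r\n"
        "Last-Modified: Tue, 10 Oct 2023 16:04:22 GMT\r\n"
        "\r\n<html>login</html>"
    ),
    # No Last-Modified at all (e.g. a proxy stripped it): cannot be dated.
    "netscaler-c": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n<html>login</html>"
    ),
}


def last_modified(raw_response: str) -> Optional[datetime]:
    """Return the Last-Modified header as a timezone-aware datetime, or None."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "last-modified":
            continue
        try:
            parsed = parsedate_to_datetime(value.strip())
        except (TypeError, ValueError):  # malformed date; treat as absent
            return None
        # "-0000" yields a naive datetime; normalise to UTC for comparison.
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    return None


def assess(raw_response: str, fix_date: datetime = CITRIXBLEED_FIX_DATE) -> str:
    """Classify one response: likely-unpatched, patched-or-later, or unknown."""
    stamp = last_modified(raw_response)
    if stamp is None:
        return "unknown"
    return "likely-unpatched" if stamp < fix_date else "patched-or-later"


def triage(responses: Dict[str, str]) -> Dict[str, str]:
    """Assess a batch of host -> raw response pairs."""
    return {host: assess(resp) for host, resp in responses.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{host}: {verdict}")
```

Treat the verdict as a lead, not proof: a WAF or CDN in front of the appliance can rewrite or strip the header, and a customized login page can carry an unrelated date. Confirm the actual build from the NetScaler CLI (`show ns version`) against the fixed versions in the Citrix advisory, and remember that even a confirmed patch leaves previously stolen sessions valid until they are terminated.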
An Increase in Attacks
The NCUA warned in August that it was seeing an increase in cyberattacks against credit unions, credit union service organizations (CUSO), and other third-party vendors supplying financial services products.
Multiple credit unions were affected by the cyberattack on the MOVEit file transfer software earlier this year and dozens of organizations have filed data breach reports with regulators in Maine over the last three years.
Asked about the incident by the British news outlet The Register, a spokesperson for Ongoing Operations said it is “isolated to a segment of the Ongoing Operations network and our team is diligently working around the clock to minimize service interruptions wherever possible and to ensure the safety of information stored on our systems.”
The company says it is still determining what data, if any, the attackers accessed. According to the spokesperson, it is also implementing “additional measures designed to increase our data security and block further unauthorized access to our systems moving forward.”