- About 60 credit unions are contending with outages due to a ransomware attack against Trellance, a third-party IT vendor for the industry, the National Credit Union Administration said Friday.
- Trellance-owned Ongoing Operations told affected credit unions it was the target of a ransomware attack on Nov. 26, Joseph Adamoli, acting director and media relations manager at NCUA, said in an email. FedComp, another Trellance-owned unit serving credit unions, also reported a nationwide outage.
- Ongoing Operations said the incident is isolated to a segment of its network. “The investigation to determine what impact this incident may have had on information stored on our network systems is ongoing,” the company said in a Friday statement.
The ransomware attack appears to be linked to a critical and widely exploited vulnerability in Citrix networking products, CVE-2023-4966, which is also dubbed CitrixBleed, according to cybersecurity researcher Kevin Beaumont.
“Ongoing Operations’ two Netscaler devices remain offline. This is disrupting operations in a way which impacts millions of Americans,” Beaumont said in a Sunday blog post. Ongoing Operations last modified its Citrix Netscaler application delivery controller on May 12, according to logs posted by Beaumont.
The widely exploited vulnerability is also linked to recent ransomware attacks against Boeing and Fidelity National Financial. Following multiple compromises, in early November the Cybersecurity and Infrastructure Security Agency urged organizations to apply a patch, hunt for and report malicious activity.
NCUA said it informed the Treasury Department, FBI and CISA, and noted member deposits at federally insured credit unions are covered by the National Credit Union Share Insurance Fund up to $250,000.
An increasing number of ransomware attacks hit credit unions this year, including multiple credit unions that were impacted by the spree of attacks against MOVEit file-transfer service environments in late May.
“The NCUA has a framework to evaluate and respond to these types of incidents,” Adamoli said. After the agency required federally insured credit unions to report a cybersecurity incident within 72 days, NCUA received 146 incident reports in the first month, NCUA Chair Todd Harper said in October.