Scores of US credit unions offline after ransomware infects backend cloud outfit
Supply chain attacks: The gift that keeps on giving
A ransomware infection at a cloud IT provider has disrupted services for 60 or so credit unions across the US, all of which were relying on the attacked vendor.
This is according to the National Credit Union Administration, which on Friday told The Register it is fire-fighting the situation with the credit unions downed this week by the intrusion. The NCUA regulates and insures these financial orgs.
"I can confirm that approximately 60 credit unions are currently experiencing some level of outage due to a ransomware attack at a third-party service provider," the NCUA spokesperson said. "Member deposits at affected federally insured credit unions are insured by the National Credit Union Share Insurance Fund up to $250,000."
We're told the unions' IT provider Ongoing Operations – ironic – was hit by ransomware on Sunday, sparking days of disruption for the biz's clients. It's believed the cloud provider was infiltrated via the Citrix Bleed vulnerability.
Ongoing Operations, which is owned by Trellance and provides things from disaster recovery solutions to remote virtual desktops and hosted applications, told its customers:
On November 26, 2023, we were victimized by a sophisticated ransomware attack. Upon discovery, we took immediate action to address and investigate the incident, which included engaging third-party specialists to assist with determining the nature and scope of the event. We also notified federal law enforcement.
At this time, our investigation is currently ongoing, and we will continue to provide updates as necessary. Please know that at this time, we have no evidence of any misuse of information, and we are providing notice in an abundance of caution to ensure awareness of this event.
On Thursday, northern New York's Mountain Valley Federal Credit Union appeared to be one of the many orgs suffering "system downtime" as a result of a ransomware infection at Ongoing Operations. Mountain Valley's CEO described it as a "nationwide" issue. MVFCU has four branches in New York state.
"It has been brought to our attention by our data processor – FedComp Inc, that the third-party vendor of our computer operating system 'Trellance' was the victim of a ransomware attack," boss Maggie Pope said [PDF] in a letter to her credit union members.
(FedComp had posted a note, since removed, on its website confirming it had been caught up in the aftermath of the ransomware attack: "The FedComp Data Center is experiencing technical difficulties and is under a countrywide outage. We are down with no ETA, but Trellance is still working on resolving the issue. There is no email support, but the Tech line is available.")
Mountain Valley's Pope continued in her note to customers: "Trellance has indicated that our member information has not been affected by this incident. Because of this, Trellance must move to a new server system. Trellance and FedComp have been working around the clock to get our systems along with other credit unions around the country that have experienced the same issue back online."
Pope did not respond to The Register's inquiries, nor did Trellance. Ongoing Operations, meanwhile, told us much of what it informed its clients earlier, adding:
This incident is isolated to a segment of the Ongoing Operations network and our team is diligently working around the clock to minimize service interruptions wherever possible and to ensure the safety of information stored on our systems.
The investigation to determine what impact this incident may have had on information stored on our network systems is ongoing. We are committed to data privacy and security, and we take this matter very seriously. We are also engaging leading experts to recommend and implement additional measures designed to increase our data security and block further unauthorized access to our systems moving forward.
According to its website, Trellance has "hundreds" of customers across the US.
A FedComp employee told The Register that both Trellance and FedComp are "working to fix" the mess, while a FedComp spokesperson said the outfit had "no comment on the third-party incident."
The NCUA told us it has informed the US Treasury Department, CISA, and the FBI about the cyber-break-in. ®