• Ransomware groups are employing new tactics by exploiting the Citrix Bleed vulnerability.
  • Ransomware actors increasingly favor Citrix Bleed, exploiting the abundant authentication information stored in Citrix servers, which operate as load-balancing appliances.

Ransomware groups are using the Citrix Bleed vulnerability to launch new attacks.

Operations at more than 60 credit unions were recently disrupted because of unpatched Netscaler servers at a common technology services provider. Representatives from the National Credit Union Administration confirmed the outage in a post on The Register.

The supplier is Trellance Cooperative Holdings Inc., which owns two distinct providers: Fedcomp and Ongoing Operations LLC. Both informed their respective customers about system outages. In a note on December 2, the latter mentioned an “ongoing cyber security incident” that occurred on November 26. Fedcomp published a notice about a possible incident, took it down, and ignored questions from reporters.

In a recent memo to members, Maggie Pope, Chief Executive of the Mountain Valley Federal Credit Union in Peru, New York, shared, “Trellance and FedComp have been working around the clock to get our systems along with other credit unions around the country that have experienced the same issue back online.”

According to a post by cybersecurity expert Kevin Beaumont, the problems were caused by Citrix Bleed, which he claims was used against two Ongoing Operations Netscaler servers that hadn’t been patched since the summer. Citrix Bleed was identified many months ago, and the company issued a fix in October.

Citrix Bleed has grown in popularity among ransomware operators as a way to compromise their victims because Citrix servers, operating as load-balancing appliances, hold a great deal of authentication information. The vulnerability lets attackers steal session tokens, allowing them to bypass multifactor authentication restrictions.

Ransomware attacks have increasingly targeted credit unions because their security infrastructure is less mature than that of commercial banks and larger financial institutions. In response to this vulnerability, their national association implemented new regulations effective in September, requiring all federally insured credit unions to report breaches within 72 hours. In the first month after these rules took effect, the association observed 146 reported incidents, a number that would typically be recorded over an entire year.