
Credit unions are rich targets for ransomware groups
First Commonwealth Federal Credit Union ("First Commonwealth") has notified its nearly 99,000 members of a "Data Event" that exposed member names, addresses, Social Security numbers, dates of birth, or account numbers. First Commonwealth is a large credit union in eastern Pennsylvania, with over a dozen locations in the Greater Lehigh Valley and surrounding areas.
The Meow ransomware group has claimed responsibility for this attack with a notice on its leak site. The group claims to have stolen over 400GB of data, including contracts, accounting records, risk management data, HR documents, audit reports, bank files, financial details, payroll information, tax documents, and more.
First Commonwealth has not confirmed these claims, though the data breach notification filed with the Maine Attorney General describes the breach as an "External system breach (hacking)." The law firm of Federman & Sherwood has announced that it is investigating the data breach.
The Meow ransomware group is not as active as those we have profiled. There is some indication that it is increasing its attacks, but the exact number of victims is unknown because the group's leak site only lists the victims who have not paid a ransom. Reports are mixed regarding the origins and operational models of this group.
The attack/incident
The credit union detected unusual network activity on June 27, 2024, and immediately began incident response and mitigation procedures. By July 1, 2024, it had been determined that "an unauthorized actor acquired certain files and data stored within our systems on or around June 26, 2024." First Commonwealth notified the consumer victims on August 2, 2024.
The delay of consumer notification is not unusual, but it's not helpful either. If the Meow group infiltrated the systems on June 26 and exfiltrated sensitive data, it is already being processed and readied for future attacks. While there's no indication that the credentials for the online services have been compromised, it's not difficult to imagine the First Commonwealth data being combined with other stolen credentials to create lists for credential stuffing or other attacks. Our blogs on BianLian ransomware and AI/credential theft have more details on how these attacks work and why even partial sets of data can be damaging to consumers.
There are a handful of common reasons why companies might delay a breach notification to the public. In the case of First Commonwealth and many others, it may be a matter of ensuring the company provides accurate information and adheres to legal and regulatory requirements. The internal reviews from the cybersecurity and investigation teams, legal counsel, and public communications teams can cause some internal juggling on the language and substance of the notification. There may also be law enforcement delays, which occur when the notification of a breach may interfere with the investigation into the attackers. This is more likely to be the case when dealing with a threat actor like Volt Typhoon, which will infiltrate a system and then lie in wait for a future attack. The situation with First Commonwealth is more likely to be a matter of ensuring accuracy and compliance, and protecting itself from legal action and reputational damage.
Credit unions are rich targets
The National Credit Union Association (NCUA) recently submitted the latest Cybersecurity and Credit Union System Resilience Report. This is an annual, statutorily required report to the U.S. Congress that describes the association's ongoing cybersecurity efforts. The NCUA Board establishes the data protection standards for credit union member records and information and requires federally insured credit unions to report cyber incidents within 72 hours. According to the NCUA, credit unions suffered 892 cyber incidents between September 1, 2023, and May 1, 2024. You can get the details on NCUA rules and operations here.
Credit unions are attractive targets to threat actors for several reasons. In March of 2024, the NCUA listed 4571 credit unions in the U.S., controlling $2.31 trillion in total assets. Credit unions typically control fewer assets than banks, and even the largest credit union is dwarfed by the largest bank.
| Feature | Navy Federal Credit Union | JPMorgan Chase |
| --- | --- | --- |
| Assets ($) | $178 billion | $3.5 trillion |
| Membership/Customers | 13.5 million members | 80 million customers |
| Branches | 355 | 4,700 |
| ATMs | 30,000+ (CO-OP network) | 16,000 |
| Percentage of budget dedicated to cybersecurity | | |
This leads threat actors to believe that credit unions are a rich opportunity with fewer defenses than the larger banks. Threat actors will always target banks, but credit unions are profitable targets as well.
Credit unions also tend to rely more heavily on third-party vendors for IT and other services. A vendor breach can serve as an entry point for an attack on the credit union. Several credit unions were affected by supply chain attacks in the last two years, and unlike the federal governance of U.S. banks, there is no oversight of third-party vendors for credit unions. 60% of cyberattacks reported to NCUA involved a third-party service provider. One example of this is the attack on Ongoing Operations, a provider of IT services to credit unions. Dozens of credit unions were knocked offline due to this attack.
Protect yourself
There are few details on how Meow compromised First Commonwealth, though at least one report suggests an attack on the credit union's web applications. Meow is known to use a variety of infection methods, like Remote Desktop Protocol (RDP) vulnerabilities, phishing emails, and exploit kits. SOCRadar notes that Meow has also used malvertising, web injections, fake updates, and infected installers to gain access. Frankly, the first link in the infection chain could be anything. Threat actors will do whatever they can to get into a network, so it's important to defend all of these threat vectors. Some examples:
- Foster a culture of ongoing cybersecurity training and awareness. Employees should be able to recognize phishing attacks and be encouraged to report suspicious activities. (This article on Microsoft's plan to make security a 'core priority' for employees might be of interest.)
- Enforce the principle of least privilege so that users have only the access necessary to perform their work.
- Segment networks to limit lateral movement through the network and minimize the "blast radius" of an attack.
- Continuously monitor the network for anomalous activities. A solution like Managed XDR with SOC-as-a-Service can perform these activities and initiate immediate incident response if necessary.
- Defend the attack surface with solutions like firewalls and intrusion detection systems.
- Secure RDP and VPN configurations to protect against unauthorized access.
- Maintain regular backups to ensure the encrypted data can be restored without paying a ransom.
- Encrypt data in transit and at rest.
- Scrutinize vendors to ensure adherence to strict security standards.
- Follow a good patch management process that ensures vulnerabilities are mitigated as soon as possible.
The 98,000+ members of First Commonwealth can't un-breach their data, but we can all take some lessons from this attack. Threat actors are always present, especially in the age of AI. Individuals should use a good password manager to generate unique, complex, and random passwords for each online account. Use multi-factor authentication when possible, and be mindful of potential email attacks like phishing attempts and malicious links or attachments. Companies like First Commonwealth have to eliminate their blind spots and security gaps, and perhaps the NCUA should have more statutory authority to examine or supervise third-party credit union service providers. Third-party supervision is currently the responsibility of individual credit unions, which often do not have the resources to thoroughly vet these service providers.
In addition to following best practices, credit unions and other small and medium enterprises can defend themselves with the Barracuda Cybersecurity Platform. This comprehensive security and data protection solution protects organizations from all major attack vectors and is backed up by complete, award-winning customer service. Working with Barracuda reduces complexity and total cost of ownership. AI-enhanced threat intelligence and the 24/7/365 Security Operations Center increase the effectiveness of this platform and improve incident response times. You can explore the platform here.
