New alert to credit unions notes rise in cyberattacks, including those related to web file transfer app

Noting a “concerning rise” in cyberattacks against credit unions, credit union service organizations (CUSOs) and other third-party vendors, the federal credit union regulator on Thursday urged credit unions and associated entities to take immediate steps to protect their systems, sensitive data and members’ financial well-being.

The vulnerabilities, the National Credit Union Administration (NCUA) said, include incidents directly related to critical vulnerabilities in the MOVit Transfer web application and other attacks unrelated to MOVEit.

In at least the second message related to this topic since June, the NCUA on Thursday pointed credit unions to not just one, but now three critical vulnerabilities in the MOVEit Transfer web application:

  • CVE-2023-34362;
  • CVE-2023-35036; and
  • CVE-2023-35708.

“The NCUA is asking credit unions to be vigilant in protecting their data and operations from all threats, including ransomware, phishing or social engineering leading to business email compromises, and distributed denial-of-service (DDoS) attacks,” according to Thursday’s NCUA Express message.

The NCUA, in its message, recommended the following mitigation steps and best practices to safeguard against these evolving cyber threats:

  • Patch and Update MOVEit Transfer Web Application: If your organization uses the MOVEit Transfer web application, apply the necessary security patches immediately to address the vulnerability. Progress Software released a security advisory that details the risks and mitigation steps, which can be accessed on the Cybersecurity & Infrastructure Security Agency website.
  • Multi-Factor Authentication: Implement multi-factor authentication for all sensitive accounts and systems, including email accounts and remote access portals. This adds an extra layer of protection against unauthorized access and phishing attempts.
  • Employee Cybersecurity Awareness Training: Conduct regular cybersecurity training for all employees to raise awareness about phishing, social engineering, and other common attacks. Educate employees about the risks and implications of clicking on suspicious links or opening malicious attachments.
  • Email Security and Anti-Phishing Measures: Deploy advanced email security solutions with phishing detection and blocking capabilities. Utilize Slender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Authentication, Reporting, and Conformance (DMARC) protocols to prevent email spoofing and enhance email authenticity.
  • Incident Response Plan: Develop and regularly test an incident response plan to ensure a swift and coordinated response in the event of a cyberattack. Assign specific roles and responsibilities to designated personnel and rehearse various attack scenarios.
  • Vendor Risk Management: Review and assess the cybersecurity practices of all third-party vendors that provide financial services and products, including CUSOs. Verify that vendors use sound risk management principles, have robust security measures in place, and review their security posture regularly.
  • Network Segmentation and DDoS Protection: Implement network segmentation to contain the impact of a potential compromise. Deploy DDoS protection measures, such as traffic filtering and rate limiting, to defend against DDoS attacks.
  • Regular Data Backups and Recovery Testing: Maintain frequent data backups and test the data recovery process regularly. In case of a ransomware attack, backups can prevent data loss and reduce the need to pay the ransom.
  • Threat Intelligence Sharing: Participate in threat intelligence sharing communities to stay informed about emerging threats and attack trends. Sharing information can help strengthen the industry’s collective defense.
  • Continuous Monitoring and Security Updates: Monitor network traffic, logs, and systems continuously to detect and respond promptly to any suspicious activities. Stay informed about the latest security updates and apply patches promptly.

Cybersecurity and Infrastructure Security Agency (CISA) website