UPDATED 14:02 EDT / DECEMBER 04 2023

SECURITY

New Citrix Bleed ransomware threat hits many credit unions

Ransomware groups are leveraging new attacks using the Citrix Bleed vulnerability.

Late last week, more than 60 credit unions’ operations were disrupted because of a common technology services provider’s unpatched NetScaler servers. Representatives from the National Credit Union Administration confirmed in a post for The Register over the weekend that the outage happened.

The provider is Trellance Cooperative Holdings Inc. It owns two different providers, one called Ongoing Operations LLC and the other called FedComp. Both of them told their respective customers of outages affecting their systems. The former sent out a note on Dec. 2 about an “ongoing cyber security incident” that happened on Nov. 26. FedComp posted and then removed a notice about a potential incident and didn’t respond to reporters’ inquiries.

“Trellance and FedComp have been working around the clock to get our systems along with other credit unions around the country that have experienced the same issue back online,” Maggie Pope, chief executive of the Mountain Valley Federal Credit Union in Peru, New York, wrote in a memo to its members last week.

A post from cybersecurity researcher Kevin Beaumont attributes the issues to Citrix Bleed, which he claims was exploited on two of Ongoing Operations’ NetScaler servers that hadn’t been patched since this summer. Citrix Bleed was first discovered several months ago, and a patch was released by the company in October.

Citrix Bleed has become a popular way for ransomware actors to compromise their victims because Citrix servers, in their role as load-balancing appliances, hold a great deal of authentication information. The vulnerability lets attackers steal session tokens, which allows them to bypass multifactor authentication controls.

Credit unions have been a tempting target for ransomware attacks because they have relatively immature security solutions compared with commercial banks and other larger financial services companies. Their national association put in place new rules that came into force in September requiring all federally insured credit unions to report any breaches within 72 hours. Since then, it has seen 146 incidents reported in the first month, a figure it typically would see in an entire year.
