Coast Central Credit Union Website Hacked
The $1.1 billion Eureka, Calif.-based Coast Central Credit Union took its website down Thursday after it was hacked. The credit union said there was no compromise of personal member data, but faced criticism from cybersecurity experts regarding the way it handled the event.
“It is the public facing website,” Coast Central Vice President of Marketing Dean Hart told CU Times. He added the credit union took the website down early on Feb. 25 for about 24 hours for maintenance. Hart confirmed reports of the hacking, but explained the online banking portal was unaffected by the hack or the site maintenance.
Brian Krebs, author of the blog “Krebs on Security,” wrote that he learned of the compromise from Alex Holden, founder of Milwaukee-based Hold Security. Krebs wrote that hackers retrofitted the credit union’s site with a web shell, a backdoor program that provides attackers with remote control of a website and server. Shell components used by hackers can spread malware and promote malicious websites.
Krebs also described in his blog unsuccessful attempts to alert the credit union to the site’s likely compromise before the credit union finally disabled the web shell.
“Notifying people and companies about data breaches often can be a frustrating and thankless job,” Krebs wrote in a Feb. 25 post. “Despite my best efforts, sometimes a breach victim I’m alerting will come away convinced that I am not an investigative journalist but instead a scammer. This happened most recently this week, when I told a California credit union that its online banking site was compromised and apparently had been for nearly two months.”
“On Feb. 23, I contacted Coast Central Credit Union, a financial institution based in Eureka, Calif., that serves more than 60,000 customers. I explained who I was, how they’d likely been hacked, how they could verify the hack, and how they could fix the problem,” he continued. “Two days later when I noticed the site was still hacked, I contacted the credit union again, only to find they still didn’t believe me.”
Dodi Glenn, vice president of cybersecurity at the Sioux City, Iowa-based PC Pitstop, criticized Coast Central’s breach planning.
“As of 8:06 a.m. PST today, the site remained down. This [Krebs] article really shows that Coast Central Credit Union does not/did not have a plan in place in the event of a breach,” Glenn told CU Times. “Not only do they not have the lines of communication in place, they also have not trained employees what to look for or who to go to.”
Hart defended the credit union’s response, saying it exercised proper caution upon receipt of an unsolicited call informing it of a potential compromise.
“One of the current problems in cybersecurity: The stage of denial. Often this takes the form of director and executive-level employees denying that they could be hacked,” Ondrej Krehel, founder/CEO of the New York City-based LIFARS, said. “We too have seen this happen, as they figure that denying the hack will just make it go away and maybe that by not acknowledging it, it can save share prices.”
Krebs said evidence suggested the exploitation might stem from an outdated version of Akeeba Backup, a Joomla (an open-source content management system) component that allows users to create and manage complete backups. It also appeared the backdoor component, a file called sfx.php, was dropped on the credit union’s site on Dec. 29, 2015.
It is not clear yet whether the hackers who hit the credit union’s site did anything other than install the backdoor file.
“The attackers could just as easily have booby-trapped the credit union’s site to foist malicious software disguised as a security update when customers tried to log in at the site,” Krebs reported.
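The detail above, a single PHP file dropped into a CMS webroot weeks after the last legitimate deployment, suggests a simple defensive check. The following is an added example, not code from the article, Krebs, or the credit union: it walks a webroot, flags PHP files modified after a known deployment baseline, and flags files containing common web-shell constructs. The baseline date, the pattern list and the placeholder file contents are constructed for the demonstration; the sfx.php stand-in is not the real file.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Heuristic markers for PHP web shells: runtime code execution and obfuscation
# wrappers. A constructed starting list for review, not a complete signature set.
SHELL_PATTERNS = [
    r"\beval\s*\(",
    r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(",
    r"\bbase64_decode\s*\(",
    r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(",  # request value called as a function
]

def scan_webroot(root, baseline):
    """Flag PHP files under root modified after the deployment baseline or containing shell constructs."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            with open(path, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            hits = [p for p in SHELL_PATTERNS if re.search(p, body)]
            if mtime > baseline or hits:
                findings.append({"path": os.path.relpath(path, root), "after_baseline": mtime > baseline, "patterns": hits})
    return findings

def _write(path, text, when):
    # Helper for the constructed webroot: write a file and back-date its mtime.
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.utime(path, (when.timestamp(),) * 2)

def demo():
    """Constructed Joomla-like webroot: one legitimate file deployed before the baseline, one placeholder backdoor after it."""
    baseline = datetime(2015, 12, 1, tzinfo=timezone.utc)  # assumed last known-good deployment
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "index.php"),
               "<?php define('_JEXEC', 1); require 'includes/app.php';",
               datetime(2015, 11, 1, tzinfo=timezone.utc))
        # Constructed stand-in for a dropped shell; not the real sfx.php contents.
        _write(os.path.join(root, "components", "sfx.php"),
               "<?php eval(base64_decode($_POST['c']));",
               datetime(2015, 12, 29, tzinfo=timezone.utc))
        return scan_webroot(root, baseline)
```

On a real site the baseline would come from the deployment log or a file-integrity snapshot, and any flagged file should be compared against the package manifest before being treated as malicious.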
Coast Central said it will continue to investigate the scope and source of the incident and said it engaged an outside agency to perform forensic analysis.
Holden discovered more than 13,000 sites currently infected with web shells similar to the one that might have hit Coast Central and said the vast majority of them are Joomla and WordPress blogs that were compromised through outdated and insecure third-party plug-ins.
“CMS systems, like Joomla in this case, are popular but dangerous because they introduce vulnerabilities,” Pablo de la Riva Ferrezuelo, founder and CTO of buguroo, a company of bug gurus out of Deloitte Europe, said. “We find that anyone using open source CMS tools must continuously monitor their website infrastructure for vulnerabilities. Anybody operating a website, especially financial services companies, should have dynamic application and infrastructure security testing with active intelligence, to identify vulnerabilities.”
Paul Jespersen, vice president of emerging technologies at the Clifton, N.J.-based Comodo, agreed.
“In today’s environment, it is imperative for companies of all sizes and across all industries, to take a hard look at their network, data and endpoint security and ensure they have technologies like breach detection and prevention,” he said.
Earlier this month, US-CERT urged website administrators to update sites that utilize the WordPress content management system following a surge in website servers redirecting visitors to a ransomware-delivering exploit kit known as Nuclear.