Cyber Incident Victim: Coast Central Credit Union
Date: Dec 2015
Location: United States of America
Summary
A California-based credit union serving over 60,000 members experienced a prolonged website compromise involving a web shell backdoor that gave attackers remote control of the server. The breach, traced to a vulnerable third-party Joomla component (Akeeba Backup), persisted for months before remediation, after initial internal skepticism delayed the response. While the full impact remains under investigation, the attackers could have deployed malware to steal customer credentials or relayed spam through the compromised infrastructure. The incident reflects a broader pattern of automated exploitation targeting outdated content management system plugins, with thousands of similarly backdoored sites identified globally using identical attacker credentials. The financial institution disabled the web shell and continued investigating the intrusion's scope and origin.
Description
On February 23, 2016, cybersecurity journalist Brian Krebs contacted Coast Central Credit Union, a California-based financial institution serving over 60,000 members, after receiving information from security researcher Alex Holden indicating that the credit union's website had been compromised. Attackers had installed a web shell, a backdoor enabling remote server control via a web browser, which had reportedly been active for nearly two months. Krebs provided technical details to "Vincent," an IT staff member, including methods to verify the compromise and remediation steps, warning that intruders could use the shell to upload malware targeting customer credentials. Despite assurances that the issue would be escalated, the web shell remained accessible two days later. Subsequent contact with another IT employee, "Patrick," revealed persistent skepticism about Krebs' identity and a refusal to validate the compromise internally. The credit union only prioritized the incident after Vice President of Information Systems Ed Christians intervened, acknowledging Krebs' credibility and initiating the immediate takedown of the web shell.

Forensic analysis suggested the attackers exploited an outdated version of Akeeba Backup, a Joomla component used for website backups, to upload the web shell. Evidence included a malicious file ("sfx.php") uploaded on December 29, 2015, consistent with a known vulnerability in Akeeba's com_joomlaupdate module documented by researcher Claudio Marcel Kuenzler. While the exact scope of the breach remained under investigation, the web shell's presence created risks including customer credential theft, malware distribution disguised as security updates, and spam relay operations, a tactic observed in similar compromises. Holden noted that over 13,000 sites were infected with identical web shells, primarily through outdated plugins in Joomla and WordPress systems, though most victims, including Coast Central, initially resisted external notifications. The credit union disabled the shell once it acknowledged the compromise and continued investigating the breach's origins and impact, with no confirmed reports of data misuse or secondary attacks at the time of reporting.
