Cyber Incident Victim: CU*Answers
Date: May 2023
Location: United States of America
Summary
A zero-day vulnerability in the MOVEit file transfer system was exploited by malicious actors to bypass authentication and access files, impacting a limited number of credit unions. The affected organization immediately isolated the system, initiated an investigation with third-party security experts, and confirmed no evidence of further unauthorized activity or malicious code deployment. The compromised system was permanently retired, and notifications were provided to impacted entities, regulatory bodies, and law enforcement while additional security controls were evaluated.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
On May 31, 2023, malicious actors exploited a zero-day vulnerability in the MOVEit file transfer system used by CU*Answers, bypassing authentication mechanisms to improperly access files. This incident occurred before a security patch was available, with public reports indicating approximately 2,500 similar attacks across the United States primarily targeting government entities and financial institutions. Upon discovering the vulnerability, CU*Answers immediately disconnected the MOVEit system from its network and initiated an investigation to assess impact on client credit unions and their members. The organization determined only a limited number of credit unions were affected and notified those institutions' CEOs directly; unaffected clients received no direct communication. CU*Answers engaged third-party security experts and MOVEit developers during this investigation, prioritizing three key objectives: establishing the full scope of unauthorized access, verifying that no additional malicious activity occurred between March 31 and June 1, 2023, and confirming the absence of implanted malicious code within system files.

Forensic analysis revealed no evidence of further unauthorized activity beyond the initial exploitation, and no violations of CU*Answers security policies, during the investigated timeframe. The company permanently decommissioned the compromised MOVEit system rather than returning it to service. CU*Answers filed an insurance claim, retained external legal counsel, and initiated mandatory regulatory reporting, including submissions to the FBI, the National Credit Union Administration (NCUA), and the Michigan Department of Insurance and Financial Services (DIFS). The ongoing investigation includes evaluation of additional technical controls to prevent recurrence, though no specific vulnerabilities in CU*Answers' existing procedures were identified as contributing factors. Impact remained confined to the directly notified credit unions, without broader compromise of client networks or member data beyond the MOVEit system's file repository.
