Connex Credit Union in New Haven, Connecticut, recently disclosed a data breach involving the personal information of 172,000 people.
The breach, which Connex discovered as "unusual activity" on its network on June 3, involved unauthorized access or download of certain files on that and the previous day, according to a letter to affected customers.
The timeline aligns with a period during which Google publicly warned about a sophisticated voice phishing (vishing) threat actor targeting organizations for large-scale data theft. That threat actor, known as ShinyHunters, compromised other companies around the same time Connex detected unusual activity.
Connex figured out whose personal information was potentially involved on July 27, according to the letter the credit union sent to victims, disclosed by the Maine Attorney General.
The compromised data included names, account numbers, debit card information, Social Security numbers and other government identification used to open an individual's account.
The credit union said in the letter it sent to victims last week that it has "no reason to believe this incident involved unauthorized access to member accounts or funds."
Connex also released an alert on its website cautioning members about ongoing phishing attacks.
"Please be aware that scammers are calling/texting members impersonating Connex employees," reads the warning. The credit union reminded customers it will never call to ask for PINs, passcodes or account numbers.
Connex did not immediately respond to a request for comment from American Banker.
Timing aligns with voice phishing attacks
While Connex did not name ShinyHunters as the threat actor behind the data theft, the timing aligns with other attacks by the group and the warning from Google.
Google said ShinyHunters had successfully breached networks — including Google's own — by having its operators impersonate IT support personnel in telephone-based social engineering calls.
This approach effectively tricked employees, often in English-speaking branches of multinational corporations, according to the post, into actions that granted attackers access or led to the sharing of sensitive credentials, ultimately facilitating the theft of an organization's data.
These attacks often targeted Salesforce systems, but Google said the threat actor tricked users rather than exploiting any software vulnerability.
A common ShinyHunters tactic involved deceiving victims into authorizing a malicious connected application, often a modified version of Salesforce's data loader, to their organization's Salesforce portal.
This inadvertently granted ShinyHunters significant capabilities to access, query and exfiltrate sensitive information.
Following initial data theft, ShinyHunters used credentials obtained through credential harvesting — the practice of collecting passwords from various breaches and phishing campaigns — or vishing to move through victim networks, accessing and stealing data from accounts on other cloud platforms including Okta and Microsoft 365.
Google said ShinyHunters is the name the threat actor uses to identify itself in extortion activities, but the company uses the identifier UNC6040 for the data theft threat actor.
Because threat actors often involve multiple people or groups of people who specialize in specific tactics and techniques, using different identifiers for different stages of an attack can help analysts better understand how they work, both together and separately.
Recommendations for banks and credit unions
The Connex data theft and similarly timed warning from Google underscore the importance to financial institutions of a robust defense-in-depth strategy — using multiple lines of defense to protect against security failures.
Third-party platforms such as Salesforce often provide security controls that banks can (and, per various state and federal regulations, often must) configure to manage access and permissions. This is known as access control.
In its post about ShinyHunters, Google's Threat Intelligence Group recommended several mitigations to defend against social engineering threats and data exfiltration campaigns:
- Adhere to the principle of least privilege: Grant users only essential permissions for their roles. Only sparingly issue permissions that allow broad data export capabilities.
- Enforce IP-based access restrictions: Implement IP address restrictions by setting IP ranges from which employees or automated services may authenticate. Deny or challenge access from unexpected or non-trusted IP addresses.
- Leverage advanced security monitoring and policy enforcement: Utilize tools for enhanced alerting, visibility and automated response. Monitor activities such as large data downloads and trigger alerts or block these actions automatically.
- Enforce multifactor authentication, or MFA, universally: Implement robust MFA across your organization. Educate users on MFA fatigue tactics and social engineering attempts designed to circumvent this critical protection.
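As an added illustration of two of these recommendations (IP-based access restrictions and alerting on large data exports), the following script, which is not from the article or from Google's post, checks constructed, simplified event records against an assumed set of trusted corporate address ranges and a row-volume threshold; the field names are assumptions, not the real Salesforce event log schema.

```python
"""Added example: flag logins from untrusted addresses and users whose
cumulative export volume crosses a threshold. Records, ranges and field
names are constructed for illustration, not a real log format."""
import ipaddress
from collections import defaultdict

# Assumed corporate egress ranges from which staff and automation may authenticate.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]
# Rows exported by a single user before an alert fires (assumed threshold).
EXPORT_ROW_THRESHOLD = 50_000

# Constructed sample events (simplified; "app" is the connected app used).
EVENTS = [
    {"user": "alice", "type": "Login", "ip": "203.0.113.10", "rows": 0, "app": "Browser"},
    {"user": "alice", "type": "ReportExport", "ip": "203.0.113.10", "rows": 1_200, "app": "Browser"},
    {"user": "bob", "type": "Login", "ip": "192.0.2.77", "rows": 0, "app": "Data Loader (modified)"},
    {"user": "bob", "type": "BulkApiExport", "ip": "192.0.2.77", "rows": 40_000, "app": "Data Loader (modified)"},
    {"user": "bob", "type": "BulkApiExport", "ip": "192.0.2.77", "rows": 35_000, "app": "Data Loader (modified)"},
]

def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)

def analyze(events):
    """Return a list of (user, reason) alerts; a user may trigger several."""
    alerts = []
    exported = defaultdict(int)  # cumulative rows exported per user
    for e in events:
        if e["type"] == "Login" and not is_trusted(e["ip"]):
            alerts.append((e["user"], f"login from untrusted address {e['ip']}"))
        if e["type"] in ("ReportExport", "BulkApiExport"):
            before = exported[e["user"]]
            exported[e["user"]] += e["rows"]
            # Alert once, at the event where cumulative volume first crosses the threshold.
            if before < EXPORT_ROW_THRESHOLD <= exported[e["user"]]:
                alerts.append((e["user"], f"exported {exported[e['user']]} rows via {e['app']}"))
    return alerts

if __name__ == "__main__":
    for user, reason in analyze(EVENTS):
        print(f"ALERT {user}: {reason}")
```

In a real deployment the alert would feed a response action (session revocation or blocking the export), which is the "automated response" the recommendation refers to.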