Security researchers have discovered problems in the web applications deployed by the top ten credit unions in the US.
Researchers at Outpost24 analyzed the top US credit unions’ web application attack surface to evaluate their security. They found 1,224 publicly exposed web applications running over 107 domains, with 10% running on old components containing known vulnerabilities.
Outpost24 selected its US Credit Unions list based on a Segmint list of the Largest US Credit Unions by Assets. Researchers examined each union’s public-facing web security environments against the seven most common attack vectors hackers use during reconnaissance to ascertain a risk score between one and 100. The risk score comprised security mechanisms, page creation methods, degree of distribution, authentication, input vectors, active contents, and cookies.
The research found that the top three attack vectors against the US credit unions targeted active content technologies, followed by authentication and page creation methods.
“It’s no big surprise to see Active Content Technologies (ACT) as the biggest scorer. As soon as an application runs scripts, the attack surface could increase if a website has been developed using multiple active content technologies, some more vulnerable than others, to build and create their applications”, said Nicolas Renard and Stephane Konarkowski, security consultant at Outpost24.
Researchers said that, overall, the attack surface score for the top ten credit unions was 16.39 out of 58.24. However, research showed the worst offender from the top ten returned a disproportionately higher attack surface score of 34.08, outweighing everyone else on the list and showing a great disparity in the security posture between credit unions.
However, this score was significantly lower when compared to US retailers, which scored 48.3. According to the researchers, this is likely because of the highly regulated business model credit unions operate in that requires them to demonstrate a standard level of security hygiene to protect the company assets and customer data against cyber criminals.
Researchers also examined the components used to develop the web applications and discovered there were, on average, 17 open port 80 among the credit unions. They said this can be dangerous when the service listening on the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules.
Researchers said it is essential for security teams to identify open ports and close unused ones or install firewalls on hosts to monitor and filter port traffic to “prevent any security issues from creeping in.”
-
What does modern security success look like for financial services?Sponsored As financial institutions grapple with evolving cyber threats, intensifying regulations, and the limitations of ageing IT infrastructure, the need for a resilient and forward-thinking security strategy has never been greater
-
Yes, legal AI. But what can you actually do with it? Let’s take a look…Sponsored Legal AI is a knowledge multiplier that can accelerate research, sharpen insights, and organize information, provided legal teams have confidence in its transparent and auditable application
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
European financial firms are battling a huge rise in third-party breachesNews Growing vendor dependency has contributed to a marked rise in third-party breaches
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
