Fidelity National Financial Cyberattack Spotlights a Surge in Threat Activity Against Financial Services Industry

The financial services sector has been hit with a rash of attacks recently, most notably Fidelity National Financial (FNF), whose services have been paralyzed this week by what the company is calling “a cybersecurity incident.” In a filing with the Securities and Exchange Commission (SEC), FNF stated that it blocked access to its systems, which impacted services related to title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries:

Based on our investigation to date, FNF has determined that an unauthorized third party accessed certain FNF systems and acquired certain credentials. The investigation remains ongoing at this time. FNF will continue to assess the impact of the incident and whether the incident may have a material impact on the Company.

FNF is one of the "Big Four" title insurance companies, ranked #359 in Fortune 500 companies, with 54.86% market share within the insurance brokerage industry. The impact of the disruptions to critical customer services is staggering. FNF’s title insurance services comprise 41.2% market share, capturing nearly 2 in every 4 transactions. The company's offices collectively insured more than $743 billion worth of commercial real estate in 2022.

Customers reported inability to pay their mortgages, homeowners and buyers in the middle of real estate transactions were stalled on closings, and the company’s employees had no access to send or receive emails.

FNF did not specify the type of attack but ransomware is suspected, as the Alphv/BlackCat ransomware group took credit and added FNF to its leak site, which was created to boost the visibility of their attacks (accessible via Tor). Alphv/BlackCat later removed the blog post from the site, prompting speculation that FNF paid a ransom. In a followup SEC filing, FNF stated that the incident, which began on November 19, “was contained on November 26, 2023,” and the company is restoring normal business operations and is coordinating with its customers.

In October, mortgage lender and servicer Mr. Cooper was the target of a similar attack, prompting a filing with the SEC, stating that the company experienced a cybersecurity incident where an “unauthorized third party gained access to certain technology systems.” It took two weeks for Mr. Cooper to restore its automated phone systems and website, as the company investigated how much data from its 4.3 million customer base was exposed.

Earlier this month, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued a warning regarding Lockbit 3.0 ransomware exploits of the Citrix Bleed vulnerability (CVE-2023-4966). The advisory notes that Lockbit’s ransomware attacks have impacted “multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation.”

Citrix Bleed allows threat actors to bypass password requirements and multi-factor authentication to hijack legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances, making it possible to harvest credentials and access data. Multiple threat groups have been observed exploiting this vulnerability across various industries.

It’s not confirmed whether Citrix Bleed led to Fidelity National Financial’s recent security incident, but researcher Kevin Beaumont used a Shodan scan to demonstrate that FNF took two weeks to patch their systems after the vulnerability was published and the patch made available. Beaumont was also among the first to suggest that Citrix Bleed was the cause of the recent ransomware attacks on China's biggest lender, the Industrial and Commercial Bank of China (ICBC), which also disrupted the $26 trillion U.S. treasury market. The ICBC is the world's largest bank with $5.5 trillion in assets. Reuters has since reported that Lockbit claims ICBC paid the ransom, although ICBC did not confirm.

"We don't often see a bank this large get hit with this disruptive of a ransomware attack," ransomware expert Allan Liska told Reuters.

"This attack continues a trend of increasing brazenness by ransomware groups. With no fear of repercussions, ransomware groups feel no target is off limits."

Lockbit has also claimed credit for hacking TCW, a global asset management firm with $202 billion under management, that was also slow to patch the Citrix Bleed vulnerability. TCW manages many of the world’s largest corporate and public pension plans, central banks, sovereign wealth funds, financial institutions, endowments and foundations, as well as financial advisors. Lockbit has a countdown for releasing exfiltrated data on December 19 if the company doesn’t comply with demands.

As threat activity is ramping up, enterprises in financial services need to be more nimble in patching vulnerabilities like Citrix Bleed, which are rudimentary to exploit but can lead to catastrophic security incidents. Radically reducing the bureaucracy around patching critical infrastructure will enable organizations to respond faster to the recent surge in ransomware attacks.

“Focusing on cybersecurity fundamentals for enterprise scale organizations is a challenge, as often people are chasing after the perceived next big thing — metaverse (remember that?), NFTs, generative AI — without being able to do the fundamentals well,” Beaumont said. “Large scale enterprises need to be able to patch vulnerabilities like CitrixBleed quickly.”

Earlier this year Checkmarx’s research team highlighted the emerging threat of open source supply chain attacks targeted at the banking sector, with malicious packages planted on npm with preinstall scripts that executed code on installation, among other strategies. Socket automatically secures users against installing these types of malicious packages, in addition to protection from known CVE’s. These types of threats to the financial sector stand to increase as attackers are seeing payoffs for their efforts. The rapid proliferation of open source in the financial services industry will also lead to more varied attacks.

In 2022, the Fintech Open Source Foundation (FINOS) published an annual report that found 41,277 GitHub repositories with financial services committers, which is an increase of 43% compared to last year's results. The reported commits also increased at a slightly lower level. The ability for financial services employees to contribute to OSS is also up 75% (20% in 2021 and 35% in 2022).

Regulator scrutiny is increasing and consumers may become more aware of these breaches now that the FTC has modified its Safeguards Rule as of October. It requires non-banking financial institutions to report when they discover that information affecting 500 or more people has been acquired without authorization, no later than 30 days after discovery.

“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” FTC Bureau of Consumer Protection Director Samuel Levine said. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”

The financial services industry will remain a high value target, due to the opportunity for monetary gain. It bears the unique challenge of handling sensitive infrastructure and customer data while managing regulation, which can bog down the effectiveness of cybersecurity programs. Financial services are vital to keeping the global economy running. This week’s attacks spotlight the fragility of unpatched systems at large organizations and the need for swifter and more responsive action.