Skip links

BlackCat claims it is behind Fidelity National Financial ransomware shakedown

Fortune 500 insurance biz Fidelity National Financial (FNF) has confirmed that it has fallen victim to a “cybersecurity incident.”

The announcement came in the form of an 8-K filing with the Securities and Exchange Commission (SEC) on Tuesday, saying it had been forced to shut down a number of systems, disrupting various areas of the business.

“For example, the services we provide related to title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries, have been affected by these measures,” it said.

FNF recorded more than $11 billion in total revenue in 2022 and is one of the largest underwriters of title insurance and providers of transaction services to the real estate and mortgage industries in the US.

Although investigations remain ongoing and the company has not yet disclosed the incident’s material impact on trade, it did say an intruder “accessed certain FNF systems and acquired certain credentials.”

“FNF will continue to assess the impact of the incident and whether the incident may have a material impact on the company. We are working diligently to address the incident and to restore normal operations as quickly and safely as possible.”

The Register has approached FNF for additional comment but did not receive a response.

The filing itself is dated November 19 and was made public two days later, in line with the four-day reporting window allowed by the SEC, indicating that FNF became aware of the event over the weekend.

Ransomware outfit ALPHV/BlackCat claimed responsibility for the attack on November 22, revealing few details about what they allegedly accessed.

After publishing a post to the group’s leak blog, taking aim at incident response specialist Mandiant’s reputation and lack of action regarding the attack, BlackCat said it was giving the company more time to respond before revealing more information about the attack.

“Before disclosing whether or whether we have [not] collected any data, we will allow FNF further time to get in touch,” it said. “Wouldn’t want to disclose every card at this early stage.”

The Register asked Mandiant to comment but it did not reply.

FNF’s difficulties have been felt by some companies and home buyers in the US who are currently unable to close purchases. One broker told Real Estate News that buyers expecting to complete on deals may have to wait until at least Sunday for the closing system to come back online.

Security experts have speculated that the entry point into FNF systems was potentially caused by exploits of a critical vulnerability affecting Citrix Netscaler devices, dubbed “CitrixBleed.”

Researcher Kevin Beaumont ran a Shodan scan of Netscaler boxes tied to FNF’s domain and claimed the company applied the patch two weeks after it was made available on October 10.

The vulnerability, tracked as CVE-2023-4966, has been used extensively by ransomware groups since its disclosure and has led to a large number of serious attacks.

According to a bulletin from the US Cybersecurity and Infrastructure Security Agency (CISA) this week, the LockBit ransomware group has exploited the vulnerability extensively, including on aviation giant Boeing.

Beaumont was the first to suggest the vulnerability led to ransomware attacks at various other organizations, including the US arm of Industrial and Commercial Bank of China (ICBC) Financial Services, magic circle law firm Allen & Overy, and shipping giant DP World.

As of November 13, more than a month since it was patched, upwards of 5,000 organizations were still exposed to the vulnerability, he said.

“CitrixBleed is extremely simple to exploit and the consequences of exploitation make this vulnerability severe,” said Tenable in its analysis. “An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable endpoint on a NetScaler ADC or Gateway instance.

“By exploiting CitrixBleed, an attacker could obtain valid session tokens from the vulnerable device’s memory. With the possession of valid session tokens, an attacker can replay them back in order to bypass authentication.” ®