Investigating Fidelity Investments Life Insurance Data Breach: A Closer Look

In recent weeks, Fidelity Investments Life Insurance has come under scrutiny following a significant data breach affecting thousands of customers. Here’s what you need to know about the incident:

1. Data Breach Details:

  • The breach, which occurred between October 29 and November 2, 2023, stemmed from an unauthorised party accessing sensitive consumer data held by Fidelity Investments Life Insurance.
  • Approximately 28,000 customers were impacted by the breach, with their personal information compromised.
  • The breached data includes names, social security numbers, dates of birth, states of residence, and financial information, particularly bank account and routing numbers used for premium payments on life insurance policies.
  • Exposure of this data increases the risk of phishing attacks, identity theft and financial fraud for the affected customers.

2. Third-Party Involvement:

  • The breach was traced back to Infosys McCamish Systems, a third-party service provider utilised by Fidelity Investments Life Insurance.
  • Infosys McCamish notified Fidelity Investments of the breach in early November, prompting an investigation into the incident.

3. Ongoing Investigation:

  • Infosys McCamish has engaged external experts to conduct a thorough investigation into the breach.
  • While the investigation is ongoing, Fidelity Investments Life Insurance officials believe that a range of sensitive customer data was compromised during the breach.

4. Customer Notifications:

  • Fidelity Investments Life Insurance has begun notifying affected customers about the breach and the potential exposure of their personal information.
  • The company emphasises its commitment to protecting customer data and pledges to take appropriate actions in collaboration with Infosys McCamish.

5. Prior Incidents:

  • This isn’t the first time Infosys McCamish has been involved in a security breach.
  • In a separate incident, Infosys McCamish notified Bank of America about a breach affecting over 57,000 customers enrolled in deferred compensation plans.

6. Response and Assurance:

  • Fidelity Investments Life Insurance reassures customers that its own systems were not impacted by the breach and that it has detected no related activity within Fidelity’s environment.

7. Legal Investigation:

  • The law firm of Federman & Sherwood has initiated an investigation into the data breach at Fidelity Investments Life Insurance, aiming to assess the impact on affected individuals.

8. Call for Action: Implementing Zero Trust Measures

  • To mitigate the risk of data breaches like this in the future, companies can adopt a zero trust approach.
  • By implementing strict access controls, continuous monitoring and least-privilege access policies, organizations can significantly reduce the likelihood of unauthorised access to sensitive data, and so lower the risk of data and reputation loss caused by a third-party vendor breach.

As the investigation unfolds and affected customers are notified, Fidelity Investments Life Insurance remains focused on addressing the breach, safeguarding customer data, and ensuring transparency throughout the process.

Stay tuned for further updates as the situation develops.

#getzerotrust #gopasswordless

Okta Breach Part 2: Unveiling the Full Scope and Impact

Introduction

In late October, Okta reported a cybersecurity breach that initially appeared to affect less than 1% of its customers. However, recent revelations indicate a far-reaching impact, affecting 99.6% of users in the customer support system. This blog post delves into the broader implications of this

The True Scope Revealed

Contrary to the initial estimates that downplayed the incident, it has now been disclosed that on September 28, 2023 the attackers successfully ran a report containing sensitive information about all users of the Okta customer support system. The compromised data included names, email addresses, company names, contact phone numbers and other details, affecting 100% of Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, the only exception being those in highly sensitive environments such as government.

Financial Impact on Okta

Despite the significant dip in Okta’s stock prices when the breach was first reported in October, resulting in a temporary loss of approximately $2 billion in market capitalisation, the financial fallout seems to be hovering in the single digits. Okta’s latest quarterly financial report indicates a more than 20% increase in revenues for the quarter ending October 31, demonstrating a robust financial performance despite the security incident.

Customer Trust at Stake

The discrepancy between the initially reported 1% impact and the actual 99.6% of affected users reveals a concerning lapse in transparency. Okta customers are now grappling with the realization that threat actors may have access to their names and email addresses, exposing them to the risk of phishing and social engineering attacks. While Okta assures that there is no direct evidence of exploitation, they urge customers to remain vigilant. This stolen information could be weaponized for targeted cyber scams.

Phishing and Social Engineering Threat

With 99.6% of users having their names and email addresses exposed, the stolen data poses a heightened risk of phishing and social engineering attacks.

Okta Phishing

Cyber security experts emphasise the need for Okta customers, especially administrators, to enforce multi-factor authentication (MFA) and consider the use of phishing-resistant authentication. The potential for threat actors to exploit this information for targeted attacks underscores the importance of proactive security measures on the customer’s end.

Conclusion

In the aftermath of the Okta breach, customer trust in identity management systems faces a critical test. As emphasised by the mantra “The ‘S’ in IAM stands for Security”, the true scale of the incident challenges the reliance on auto-saved passwords and demonstrates the vulnerability of conventional systems. We urgently advocate for the adoption of passwordless authentication. For those catching up, our previous post details the Okta breach, highlighting the imperative to #gopasswordless. This approach not only addresses current vulnerabilities but also aligns with the evolving demands of a secure digital landscape.

SUNBURST: A Vital Case Study of Supply Chain Attack

About SolarWinds:

SolarWinds is an American company that provides IT management and administration software used by sysadmins and IT administrators in their organizations. The reach of the SolarWinds products is quite high: they are used by many Fortune 500 companies spread across the globe.

What is Supply Chain Attack:

A supply chain attack is one in which adversaries modify a product supplied by a third-party associate so that the compromised product reaches, and compromises, multiple downstream targets. The image below illustrates this definition.

Solorigate/SUNBURST: SolarWinds Supply Chain Attack

The SolarWinds supply chain attack first came onto the radar of the information security community when FireEye was found to be affected by it. FireEye was very open and transparent about having been breached through this supply chain attack, and has been tracking the threat actor behind this global intrusion campaign as UNC2452. Not much damage was done to the organization, as only its Red Team assessment tools were leaked in the whole scenario; FireEye reported that the stolen tools did not contain zero-day exploits. Many other large organizations such as Microsoft and VMware, as well as US government agencies including the US Department of State and the Department of Homeland Security, were found to have been breached through this supply chain attack.

Technical Analysis of the Solorigate Attack:

SolarWinds was reportedly breached first, and the most likely cause was a weak password in use on one of its access/update servers. The threat actors involved in this global intrusion campaign targeted multiple victims using trojanized SolarWinds Orion IT management and monitoring software updates. Note that most of the analysis demonstrated in this blog is based on Microsoft’s and FireEye’s blog posts.

The malicious update was delivered as a standard Microsoft Windows Installer patch file (SolarWinds-Core-v2019.4.5220-Hotfix5) that included a trojanized DLL (Dynamic Link Library) named SolarWinds.Orion.Core.BusinessLayer.dll, which acts as a backdoor on the victim’s system. Both the update and the DLL were digitally signed by SolarWinds, which made them highly evasive: signed code from a trusted vendor raises no alarms.

Figure: Digital Signature Details of Patch File

Figure: Digital Signature Details of SolarWinds.Orion.Core.BusinessLayer.dll

To understand the internal workings of the SUNBURST/Solorigate malware, let’s decompile the malicious SolarWinds.Orion.Core.BusinessLayer.dll. The malware samples related to the SUNBURST attack can be found here.

To analyze the DLL, open in dnSpy the file named “32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77” under the APT_Backdoor_SUNBURST directory (the file is named after the SHA256 hash of SolarWinds.Orion.Core.BusinessLayer.dll). The malicious code was found under the namespace “SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory”, and more specifically in the “InventoryManager” class.

Image: Decompilation of Malicious DLL.(Identifying the BackgroundInventory Namespace)

Image: Decompilation of Malicious DLL (Going through the InventoryManager Class under the Namespace)

This class has a “RefreshInternal()” method that creates a new thread which calls the malicious OrionImprovementBusinessLayer class, where all the backdoor logic lives.

Image: Analyzing the RefreshInternal Method

The image below sums up the execution flow of the trojanized SolarWinds.Orion.Core.BusinessLayer.dll.

Image: Malicious DLL process flow diagram

To be more evasive, the malware code in the DLL runs various checks to make sure it is not being analyzed by security or analysis tools. It computes hashes of the names of the processes, services and drivers on the Windows host and compares them against a built-in blocklist of hashes; only if none of the blocklisted hashes are found on the system does the backdoor code activate.

The adversaries used a DGA (Domain Generation Algorithm) to dynamically build and resolve a subdomain of avsvmcloud.com. The C2 domain consists of two static and two variable parts, as illustrated in the image below.

Image Source: Microsoft
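As an added defender-side example, not code from the page or from Microsoft or FireEye: a small Python detector that scans resolver log lines for lookups beneath avsvmcloud.com, the apex under which the backdoor resolved its generated C2 subdomains, and reports per-host lookup counts together with the entropy of the generated (leftmost) label. The log line format, host names and query names are constructed assumptions; the sample names only mimic the two-static-two-variable shape described above, and one lookalike domain and one mixed-case name with a trailing dot are included to show the matching is done on label boundaries after normalisation.

```python
import math
import re
from collections import Counter, defaultdict

C2_APEX = "avsvmcloud.com"  # apex named on the page; SUNBURST resolved generated subdomains beneath it
# Constructed sample resolver log (not a real capture); assumed format: "<ts> src=<host> qname=<name>".
SAMPLE_LOG = """\
2020-12-14T10:01:02Z src=orion-01 qname=k7p2m9x4q1w8e5r3.appsync-api.us-east-1.avsvmcloud.com
2020-12-14T10:01:05Z src=orion-01 qname=2gfhjq4k5m7nr1st.appsync-api.us-east-1.avsvmcloud.com
2020-12-14T10:02:11Z src=orion-01 qname=www.solarwinds.com
2020-12-14T10:03:40Z src=ws-042 qname=login.microsoftonline.com
2020-12-14T10:04:02Z src=ws-042 qname=Aaaaaaaa.AVSVMCLOUD.COM.
2020-12-14T10:04:09Z src=ws-042 qname=notavsvmcloud.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+)$")

def parse_line(line):
    """Return (timestamp, source host, query name lower-cased with trailing dot removed), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("qname").lower().rstrip(".")

def is_c2_lookup(qname, apex=C2_APEX):
    """Match the apex or any label beneath it; a lookalike such as notavsvmcloud.com must not match."""
    return qname == apex or qname.endswith("." + apex)

def shannon_entropy(label):
    """Bits per character; a label made of distinct characters scores log2(len(label))."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def analyze(log_text, apex=C2_APEX):
    """Per source host: count of C2 lookups, the distinct generated labels seen, highest label entropy."""
    stats = defaultdict(lambda: {"lookups": 0, "labels": set(), "max_entropy": 0.0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, src, qname = parsed
        if not is_c2_lookup(qname, apex):
            continue
        label = qname.split(".")[0]  # the leftmost label carries the generated, per-victim part
        host = stats[src]
        host["lookups"] += 1
        host["labels"].add(label)
        host["max_entropy"] = max(host["max_entropy"], shannon_entropy(label))
    return dict(stats)  # any host present here resolved the C2 apex and deserves triage
```

Even a single hit is worth triage here; the entropy and distinct-label counts mainly help separate a generated label from a static lookalike when the apex match alone is ambiguous.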

After the malware has made a successful connection to the C2 server, the Solorigate actors perform lateral movement, credential abuse and privilege escalation to explore the victim’s infrastructure further.

The image below from Microsoft illustrates the whole process of the Solorigate malware infection.

Image Source: Microsoft

According to Microsoft, the threat actors aim to steal the SAML token-signing certificate, with which they can forge SAML tokens and access resources as any user.

Here is Microsoft’s detailed blog post about the Solorigate identity IOCs.

Defense against SUNBURST/Solorigate:

  • The FireEye team published a list of IOCs and signatures that organizations can use to identify the backdoor. The GitHub repository of FireEye countermeasures can be found here.
  • SolarWinds also recommends going through this advisory page and upgrading the Orion platform to Orion Platform release 2020.2.1 HF 1.
  • MITRE ATT&CK techniques related to Solorigate/SUNBURST:

    ID          Description
    T1012       Query Registry
    T1027       Obfuscated Files or Information
    T1057       Process Discovery
    T1070.004   File Deletion
    T1071.001   Web Protocols
    T1071.004   Application Layer Protocol: DNS
    T1083       File and Directory Discovery
    T1105       Ingress Tool Transfer
    T1132.001   Standard Encoding
    T1195.002   Compromise Software Supply Chain
    T1518       Software Discovery
    T1518.001   Security Software Discovery
    T1543.003   Windows Service
    T1553.002   Code Signing
    T1568.002   Domain Generation Algorithms
    T1569.002   Service Execution
    T1584       Compromise Infrastructure

    Table: MITRE ATT&CK Techniques

Conclusion:

This SolarWinds supply chain attack is raising eyebrows both inside and outside the IT industry. From STUXNET to NotPetya we have seen many devastating supply chain attacks; in 2017-18 NotPetya was found to have cost 10 billion dollars in damages. The evasive behaviour of this attack made it very hard to identify in the wild. The SolarWinds Orion Platform is currently used by 300,000 customers, of which 18,000 downloaded the malicious update.

I hope this blog provided you with a better view of the Solorigate/SUNBURST attack.

References:

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/bc-p/2009890#M3044

https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/