The Swiss insurance giant, which handles over 55M clients, left a treasure trove of sensitive data exposed. If it fell into the wrong hands, it could’ve led to a multitude of attacks on the company and its clients.
- The company has over 55 million clients
- It employs 55,000 people
- As per Forbes' Global 2000 ranking, the group was the 112th largest public corporation in the world in 2021
- It ranks in 179th position in the Fortune 500 list
- Revenue was nearly $70 billion in 2021
Zurich Insurance Group is a key corporate player, with influence that spreads far beyond the insurance market. That’s why everything it does matters. At the beginning of the war in Ukraine, it found itself in quite a pickle: not only did it have to sell its Russian business, it was also forced to drop its Z logo from social media, since the letter had become a symbol of support for the Russian invasion of Ukraine.
Our own good-faith security researchers discovered another serious issue that could’ve had enormous repercussions for Zurich and its clients. As always, we immediately reported our findings to the company to make sure the security issue was fixed. Now that we are sure it has been mitigated and the necessary precautions against future incidents have been taken, we can publicly discuss our findings.
Zurich data leak
On May 5th, 2023, the Cybernews research team discovered a publicly hosted environment file (.env) that they managed to attribute to the insurance giant.
Environment files are commonly used in software development to hold environment-specific settings and sensitive values such as API keys and database credentials, which an application reads at start-up. That’s why it’s vital to keep them out of any location a web server can serve. Exposing this information could lead to security vulnerabilities or unauthorized access to the systems and services those credentials unlock.
Zurich accidentally failed to secure the file in question and leaked the following information:
- Multiple production database credentials: A production database typically contains data stored and used by professionals to conduct business operations.
- Active directory admin credentials: Active Directory is a collection of services and a database that enables users to access the network resources necessary for their tasks. It serves as a bridge connecting users to the tools and information required to accomplish their work. These particular credentials are a goldmine for ransomware operators.
- Git directory: This is where all the metadata about a certain project is stored. It is sensitive because exposing the project’s source code could lead to the discovery and exploitation of its flaws.
- MOVEit credentials: MOVEit Transfer, a managed file transfer software, has been all over the news recently since Russia-linked threat actors began a massive exploitation of a zero-day bug they’ve likely been sitting on for two years.
- MobileIron credentials: This enables access to employee mobile phones and computers.
- Sunrise Business Account credentials: Since Sunrise provides business mobile services, leaked credentials could give threat actors access to employee personal data.
- Ansible credentials: Ansible is used to push configuration and software to fleets of servers, so these credentials could let threat actors gain remote access, including remotely deploying malware or spyware.
- SAP credentials: SAP is one of the world’s leading software providers, managing every aspect of business operations from logistics and finance to HR.
And that’s not all. Our research team also discovered that Zurich’s website – https://www.zurich.com/ – runs on an outdated version of the Apache HTTP server. It contains a large number of vulnerabilities.
Most of them aren’t critical, suggesting they aren’t being exploited. Still, the possibility of a threat actor exploiting any given flaw is always there, and the software should be updated to be on the safe side.
Why it matters
The environment file has been secured. However, skilled attackers can discover leaks in the blink of an eye, and anything that was exposed must be assumed to have been copied. Therefore, Cybernews researchers advise the company to take the following steps:
- Reset IDs, tokens, passwords, and credentials
- Create secure, unique passwords that are preferably generated randomly
- Implement a source code security policy and access control, and protect endpoints or entry points of user devices against malicious attacks
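As an added illustration of the two points above (why an environment file must never sit where a web server can reach it, and how to work out what to rotate once one has leaked), here is a small pre-deploy check. It is example code written for this article, not Cybernews’ tooling or anything from Zurich: it walks a document root that is about to be published, flags names such as .env and .git that should never be reachable over HTTP, parses the .env the way dotenv loaders do, and lists the keys whose values must be treated as compromised. The file names, key-name heuristics and sample .env contents are all constructed for the example.

```python
"""Pre-deploy check for secrets in a web document root.

Added example (not Cybernews' or Zurich's code). Walks a directory that is
about to be exposed by a web server, flags files that must never be served
(.env, .git/), and reports which credential-bearing keys an exposed .env
would leak so a defender knows exactly what to rotate.
"""
import os
import re
import secrets
import tempfile

# Names that must never sit in a served document root (constructed list).
FORBIDDEN_NAMES = {".env", ".env.local", ".env.production", ".git", ".htpasswd"}

# Key-name fragments that usually mark a credential. Heuristic, not exhaustive.
SECRET_MARKERS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY", "DSN")

# KEY=VALUE with an optional leading "export", as dotenv loaders accept it.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Parse KEY=VALUE lines; skip comments and blanks, strip matching quotes."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            raw = raw[1:-1]
        values[key] = raw
    return values


def is_secret_key(key):
    """True when the variable name suggests it holds a credential."""
    upper = key.upper()
    return any(marker in upper for marker in SECRET_MARKERS)


def find_exposed(docroot):
    """Return relative paths under docroot that a web server must not serve."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in list(dirnames):
            if name in FORBIDDEN_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
                dirnames.remove(name)  # no need to descend into .git
        for name in filenames:
            if name in FORBIDDEN_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)


def rotation_list(env_values):
    """Keys from a leaked .env whose (non-empty) values must be rotated."""
    return sorted(k for k in env_values if is_secret_key(k) and env_values[k])


def new_password(nbytes=24):
    """Randomly generated replacement credential, backed by the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def demo():
    """Build a constructed document root and run the checks over it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html></html>")
    with open(os.path.join(root, ".env"), "w") as f:
        f.write(
            "# constructed sample, not real credentials\n"
            "APP_ENV=production\n"
            "DB_HOST=db.internal.example\n"
            'DB_PASSWORD="example-only"\n'
            "AD_ADMIN_PASSWORD=example-only\n"
            "MOVEIT_API_TOKEN=example-only\n"
            "EMPTY_SECRET=\n"
        )
    exposed = find_exposed(root)
    with open(os.path.join(root, ".env")) as f:
        env = parse_env(f.read())
    return exposed, rotation_list(env)


if __name__ == "__main__":
    exposed, rotate = demo()
    print("must not be served:", exposed)
    print("rotate after exposure:", rotate)
    print("example replacement credential:", new_password())
```

Run it as a CI step against the build output before it reaches the web server; a non-empty result from find_exposed should fail the deploy. The rotation list is deliberately driven by key names rather than values, because after a leak every credential in the file has to be replaced regardless of how strong it looked.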
“The potential for this leak to completely take over the application instance makes it significant. All the exposed credentials disclosed above could enable threat actors to launch a multitude of attacks on Zurich and its clients, in particular malware and ransomware attacks,” researchers said.
We've reached out to the company multiple times for an on-the-record comment, and will update the article as soon as we get one.