Absence of adequate remote access authentication has emerged as the likely cause of the notorious Change Healthcare ransomware attack.
Attackers “compromised credentials on an application that allows staff to remotely access systems” before infiltrating Change Healthcare’s networks on or around February 12, an unnamed person “familiar with the ongoing investigation” told the Wall Street Journal.
Multi-factor authentication controls were absent on this application — contrary to industry best practice — leaving the vulnerable application exposed.
Cybercriminals subsequently loitered on the US health provider’s systems for nine days before stealing data and launching a ransomware attack, according to the same source.
Change Healthcare did not respond to a request for comment on this sequence of events.
Root cause analysis
Azeem Aleem, MD for UK and EMEA at incident response and ransomware negotiation consultancy Sygnia, told CSOonline that an attack on a poorly secured remote access system offers a more than plausible explanation for the Change Healthcare ransomware attack.
“It is highly likely that the absence of multi-factor authentication allowed attackers to circumvent the security measures of UnitedHealth Group’s [Change] Healthcare unit,” Aleem said. “Preliminary reports suggest that the attackers remained undetected in the environment for over a week and carried out lateral movement.”
Aleem added: “It is likely that the attackers left some traces, or ‘breadcrumbs’, which went unnoticed by the UnitedHealth IT security team, thereby extending the breach exposure time.”
According to the latest edition of Verizon’s annual Data Breach Incident Report (DBIR), 74% of all breaches include a human element, with credential theft playing a big role.
“Every organisation needs to cultivate a robust cybersecurity environment, and that begins with a basic zero-trust strategy at its core,” he said. “Deploying MFA is non-negotiable. It is the front line in ensuring that users are who they claim to be.”
While MFA is a recommended tool for preventing cyberattacks, it is not the only defensive tool capable of mitigating ransomware attacks. MFA in itself is far from “bullet-proof” because it can be bypassed in man-in-the-middle (MitM) attacks, Sygnia’s Aleem warned.
“Threat actors continue to devise innovative ways to bypass MFA, including SIM-swapping, social engineering, and MitM phishing kits,” Aleem explained. “While MFA remains a valuable tool in mitigating cyberattacks and safeguarding organizational identities, it should not be solely relied upon for security.”
Anatomy of an attack
Change Healthcare, a subsidiary of UnitedHealth Group’s Optum division, is the US’s biggest clearing house for medical claims.
The February ransomware attack on Change Healthcare — blamed on the BlackCat/ALPHV ransomware group — caused disruption for hospitals, clinics, and pharmacies across the US. Cash flow, pharmacy services, prior authorisation of prescriptions, and claims processing were all hit.
Blockchain transactions and chats on dark web forums offer evidence that UnitedHealth Group paid a $22m ransom to cybercriminals in order to restore access to affected systems.
The RansomHub group, an affiliate of the BlackCat/ALPHV ransomware group, last week threatened to leak data stolen in the Change Healthcare breach unless it was paid off.
In its latest update on the attack, published on Monday, UnitedHealth Group admitted that files containing protected health information or personally identifiable information were exposed by the attack.
Political pressure
The US Department of Health and Human Services (HHS) is running an investigation into the breach, focused on whether either Change Healthcare or UHG violated healthcare sector privacy regulations.
During a Congressional hearing last week there were calls to mandate baseline security standards for the healthcare sector. Politicians and some in the industry have expressed concerns that consolidation in the healthcare sector is making the critical sector more vulnerable to breaches. Other experts cautioned against blaming health sector mergers for breaches.
Matt Aldridge, principal solutions consultant at Opentext Cybersecurity, commented: “Acquisitions can be done well and can provide a checkpoint for security process validation if done correctly, however, if they are done on too tight a budget or too tight a timescale, problems can be encountered.”
Industry consolidation is far from the only factor in play.
Healthcare came out as the most-breached industry sector in 2022 and the second most-breached in 2023, according to Kroll’s Data Breach Outlook.
More than a quarter (28 per cent) of healthcare organizations surveyed by Kroll only employ the most basic security capabilities, such as cybersecurity monitoring.
George Glass, associate managing director, Kroll Cyber Risk, said, “Unless the organisation is using a large team of security professionals, this can leave significant gaps in a healthcare organisation’s capability to detect and respond to threat actor intrusions.”
Glass continued: “When dealing with ransomware actors, time to respond and remediate can make all the difference between a malware event to ransomware, encryption for impact and data exfiltration, which can occur in a matter of hours.”
Legacy technologies in hospital environments may also be a factor in increasing risk.
“The use of operational technologies in healthcare environments can mean out-of-date operating systems and protocols to support them. This can enable threat actors to make lateral movements more easily,” he said.
UHG boss Andrew Witty is due to testify about the breach in a Congressional hearing on May 1.