Authentication failure blamed for Change Healthcare ransomware attack

Absence of adequate remote access authentication has emerged as the probable cause of the infamous Change Healthcare ransomware attack.

Attackers “compromised credentials on an application that allows staff to remotely access systems” before infiltrating Change Healthcare’s networks on or around February 12, an unnamed person “familiar with the ongoing investigation” told the Wall Street Journal.

Multi-factor authentication controls were absent on this application — contrary to industry best practice — leaving the vulnerable application exposed.

Cybercriminals subsequently loitered on the US health provider’s systems for nine days before stealing data and launching a ransomware attack, according to the same source.

Change Healthcare did not respond to a request for comment on this sequence of events.

Root cause analysis

Azeem Aleem, MD for UK and EMEA at incident response and ransomware negotiation consultancy Sygnia, told CSOonline that an attack on a poorly secured remote access system offers a more than plausible explanation for the Change Healthcare ransomware attack.

“It’s highly likely that the absence of multi-factor authentication allowed attackers to circumvent the security measures of UnitedHealth Group’s [Change] Healthcare unit,” Aleem said. “Initial reports suggest that the attackers remained undetected in the environment for over a week and conducted lateral movement.”

Aleem added: “It’s probable that the attackers left some traces, or ‘breadcrumbs’, which went unnoticed by the UnitedHealth IT security team, thereby extending the breach exposure time.”

According to the latest edition of Verizon’s annual Data Breach Incident Report (DBIR), 74% of all breaches include a human element, with credential theft playing a big role.

Mark Allen, head of cybersecurity at CloudCoCo, said it was entirely plausible that MFA not being enabled played a role in hackers being able to remotely access the systems at Change Healthcare.

“Every organisation needs to cultivate a robust cybersecurity environment, and that starts with a basic zero-trust strategy at its core,” he said. “Deploying MFA is non-negotiable. It’s the front line in ensuring that users are who they claim to be.”

While MFA is a recommended tool for preventing cyberattacks, it’s not the only defensive tool capable of mitigating ransomware attacks. MFA in itself is far from “bullet-proof” because it can be bypassed in man-in-the-middle (MitM) attacks, Sygnia’s Aleem warned.

“Threat actors continue to devise innovative ways to bypass MFA, including SIM-swapping, social engineering, and MitM phishing kits,” Aleem explained. “While MFA remains a valuable tool in mitigating cyberattacks and safeguarding organizational identities, it should not be solely relied upon for security.”

Anatomy of an attack

Change Healthcare, a subsidiary of UnitedHealth Group’s Optum division, is the US’s biggest clearing house for medical claims.

The February ransomware attack on Change Healthcare — blamed on the BlackCat/ALPHV ransomware group — caused disruption for hospitals, clinics, and pharmacies across the US. Cash flow, pharmacy services, prior authorisation of prescriptions, and claims processing were all hit.

Transactions on the blockchain and chats in dark web forums offer evidence that UnitedHealth Group paid a $22m ransom to cybercriminals in order to restore access to affected systems.

The RansomHub group, an affiliate of the BlackCat/ALPHV ransomware group, last week threatened to leak data stolen from the Change Healthcare breach unless it was paid off.

In its latest update on the attack, published on Monday, UnitedHealth Group admitted that files containing protected health information or personally identifiable information were exposed by the attack.

Political pressure

The US Department of Health and Human Services (HHS) is running an investigation into the breach, focused on whether either Change Healthcare or UHG violated healthcare sector privacy regulations.

During a Congressional hearing last week there were calls to mandate baseline security standards for the healthcare sector. Politicians and some in the industry have expressed concerns that consolidation in the healthcare sector is making the vital sector more vulnerable to breaches. Other experts cautioned against blaming health sector mergers for breaches.

Matt Aldridge, principal solutions consultant at Opentext Cybersecurity, commented: “Acquisitions can be done well and can provide a checkpoint for security process validation if done correctly, however, if they are done on too tight a budget or too tight a timescale, problems can be encountered.”

Industry consolidation is far from the only factor in play.

Healthcare came out as the most-breached industry sector in 2022 and the second most-breached in 2023, according to Kroll’s Data Breach Outlook.

More than a quarter (28 per cent) of healthcare organizations surveyed by Kroll only employ the most basic security capabilities, such as cybersecurity monitoring.

George Glass, associate managing director, Kroll Cyber Risk, said, “Unless the organisation is using a sizable team of security professionals, this can leave significant gaps in a healthcare organisation’s capability to detect and respond to threat actor intrusions.”

Glass continued: “When dealing with ransomware actors, time to respond and remediate can make all the difference between a malware event to ransomware, encryption for impact and data exfiltration, which can take place in a matter of hours.”

Legacy technologies in hospital environments may also be a factor in increasing risk.

“The use of operational technologies in healthcare environments can mean out-of-date operating systems and protocols to support them. This can enable threat actors to make lateral movements more easily,” he said.

UHG boss Andrew Witty is due to testify about the breach in a Congressional hearing on May 1.
