Lessons learned from the Change Healthcare hack
We just checked the forecast. It calls for spring showers, turbulence in the cyber world, and another newsletter in your inbox. But unlike meteorologists (who can trust ‘em?), we are confident in our predictions for what’s coming next… at least in this newsletter:
- The fallout of the Change Healthcare hack
- ScreenConnect and the importance of vulnerability monitoring
- The latest threat alerts
☔ For a 100% chance of the latest insights on the threat landscape, keep reading...
The attack on Change Healthcare led to unprecedented real-world consequences. Hospitals couldn’t file claims, healthcare practices struggled to pay their staff, and many individuals were left paying out of pocket for their prescriptions. After a month of restoration work, healthcare operations are getting back to normal, but the fallout from the attack will likely continue for much longer.
A (quick) overview of what happened:
- On February 21st, UnitedHealth Group, which acquired Change Healthcare (CHC) in 2022, announced that threat actors had gained access to CHC’s environment and that it had disconnected the impacted systems to contain the intrusion.
- CHC handles one in every three patient records in the United States. Without it, healthcare providers were unable to process a majority of claims.
- As of March 18th, CHC’s pharmacy network services, electronic payments platform, and claims preparation software were mostly operational again.
Data privacy concerns:
- The attack was carried out by the BlackCat/ALPHV ransomware operation, which allegedly stole four terabytes of data. It’s believed (but not confirmed) that CHC paid a $22 million ransom, based on a publicly visible Bitcoin transaction.
- This means the attackers likely accessed a significant amount of sensitive data, and a ransom payment gives no guarantee that BlackCat/ALPHV deleted any of it. In fact, the affiliate behind the attack claims to still hold a copy.
- The HHS Office for Civil Rights (OCR) is investigating whether a breach of protected health information (PHI) occurred and whether UnitedHealth Group complied with the HIPAA Rules. OCR also urged other healthcare entities to stay cognizant of their own regulatory obligations and responsibilities.
Take preventive measures:
- Third-party risk management: Any organization can suffer if a critical vendor is offline. Third-party risk management helps you assess and identify risks associated with your vendors so there’s a plan in place before a partner is breached. Read our tips for securing vendors here.
- A business continuity and disaster recovery plan (BCDR): A good BCDR strategy ensures that your organization has a plan in place if critical services are down. So, if a critical vendor is offline, you’ll have a contingency plan to resume business operations. Read our BCDR guide here.
For more information, read our full blog here 👀 or watch experts discuss the fallout in our latest webinar 🎥
Last month, threat actors rushed to exploit a major vulnerability in ConnectWise’s ScreenConnect remote access software. ScreenConnect lets organizations remotely access and manage their systems; when exploited, it hands threat actors that same access. On unpatched, internet-facing instances, an unauthenticated attacker could bypass authentication, create a new ScreenConnect administrator account, and from there execute commands with full system privileges on the server and the endpoints it manages.
Exploitation activity has been tied to Play, LockBit, Black Basta, and Bl00dy ransomware. Basically, it’s a massive free-for-all for active ransomware-as-a-service groups (and other threat actors looking for an easy win, whether by installing cryptomining software or by leaving behind remote access tools for later). Within 72 hours of the vulnerability being disclosed, several ransomware variants had already hit organizations across the United States.
🔎 For a refresher on remediation tips, read our KnowledgeNest article here.
Ongoing vulnerability monitoring
Corvus’s Threat Intel team regularly monitors the dark web to stay up to date on new vulnerabilities and the patches that fix them. For vulnerabilities like ScreenConnect, which are fast, easy, and financially rewarding for threat actors to exploit, the faster organizations act, the better. We alerted impacted policyholders within hours of discovering the issue (by email and through the Dashboard).
ScreenConnect highlights a growing trend: exploitation of vulnerabilities in internet-facing software as the initial access vector, which means vigilance around patching has never been more important. But knowing when to patch isn’t always clear, so we’ll always prioritize reaching out when it counts the most. As of March 19th, 88% of our policyholders had patched (versus 73% of ScreenConnect users in general). So good job, you! Keep it up.
Are you patched against the latest vulnerabilities? Check your Risk Dashboard to confirm you haven’t missed any Threat Alerts.
The Corvus Scan is a powerful asset that enables us to identify which policyholders may be at greater risk for vulnerabilities. In response, we send tailored, time-sensitive notifications with direct guidance for remediation.
We’ve gathered a monthly round-up of our alerts and threat intel updates below:
Backdoor in XZ Utils (Linux) | March 2024
CVE-2024-3094
On March 29, 2024, a backdoor was discovered in XZ Utils (the xz compression tool and its liblzma library), which is installed by default on most Linux distributions and loaded by many standard components. The malicious code lives in liblzma and was aimed at OpenSSH’s sshd, which on some distributions links liblzma indirectly through libsystemd. The backdoored code did not reach the stable releases of the major distributions, but it did ship in rolling, testing, and pre-release versions that had picked up XZ Utils 5.6.0 or 5.6.1. To mitigate, identify hosts running XZ Utils 5.6.0 or 5.6.1 and downgrade to 5.4.6 or an earlier known-good version (or install your distribution’s reverted package). Find more information here.
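As an added example (not part of the Corvus newsletter or its tooling), the following POSIX shell script performs the identification step above: it classifies an XZ Utils version string, parses `xz --version` output, and, when run with `--scan`, checks both the xz binary and every liblzma the dynamic linker knows about. It assumes the upstream `xz --version` output format and that the installed liblzma is a symlink to a file named with its full version (e.g. `liblzma.so.5.6.1`), as on most distributions; the function names and the `--scan` flag are this example’s own.

```shell
#!/bin/sh
# Added example for the XZ Utils backdoor item above; not Corvus's own tooling.
# Assumptions: `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line
# (upstream format), and the installed liblzma shared object resolves to a file
# whose name ends in the full version (liblzma.so.5.6.1), as on most distros.
# Anything that does not match is reported as "unknown" rather than guessed.

# Returns 0 (true) when the version is one of the two backdoored releases.
xz_version_is_backdoored() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Prints the version from `xz --version` output, or "unknown" if the first
# line does not look like "xz (XZ Utils) X.Y.Z".
xz_version_from_output() {
  v=$(printf '%s\n' "$1" |
      awk 'NR == 1 && $1 == "xz" && $2 == "(XZ" && $3 == "Utils)" { print $4 }')
  [ -n "$v" ] && printf '%s\n' "$v" || printf 'unknown\n'
}

# Prints the full X.Y.Z version encoded in a resolved liblzma file name
# (/usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 -> 5.6.1). A bare soname such as
# liblzma.so.5 carries no usable version and yields "unknown".
liblzma_version_from_path() {
  v=$(printf '%s\n' "$1" |
      sed -n 's/.*liblzma\.so\.\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)$/\1/p')
  [ -n "$v" ] && printf '%s\n' "$v" || printf 'unknown\n'
}

# Checks the xz binary and every liblzma known to the dynamic linker.
# Exit status 1 if anything affected is found, 0 otherwise.
scan_local_host() {
  rc=0
  if command -v xz >/dev/null 2>&1; then
    v=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_is_backdoored "$v"; then
      echo "AFFECTED: xz binary reports version $v"; rc=1
    else
      echo "ok:       xz binary reports version $v"
    fi
  else
    echo "info:     no xz binary on PATH"
  fi
  # The backdoor lives in liblzma, so check the library even when the xz CLI
  # is absent; sshd can load liblzma indirectly through libsystemd.
  ldc=""
  for c in ldconfig /sbin/ldconfig; do
    command -v "$c" >/dev/null 2>&1 && { ldc="$c"; break; }
  done
  if [ -n "$ldc" ]; then
    for lib in $("$ldc" -p 2>/dev/null | awk '/liblzma\.so/ { print $NF }' | sort -u); do
      real=$(readlink -f "$lib" 2>/dev/null || printf '%s\n' "$lib")
      lv=$(liblzma_version_from_path "$real")
      if xz_version_is_backdoored "$lv"; then
        echo "AFFECTED: $lib -> $real (liblzma $lv)"; rc=1
      else
        echo "ok:       $lib -> $real (liblzma $lv)"
      fi
    done
  else
    echo "info:     ldconfig not found; liblzma check skipped"
  fi
  return "$rc"
}

case "${1:-}" in
  --scan) scan_local_host ;;
esac
```

Run it as `sh xz_check.sh --scan` on each host; a non-zero exit status means an affected version was found. Because the backdoor is in the library rather than the command-line tool, the liblzma check matters even on hosts where `xz` itself is not installed. The script only identifies; the downgrade itself should go through the distribution’s package manager so that the reverted package is what ends up on disk.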
JetBrains TeamCity Vulnerability Advisory | March 2024
CVE-2024-27198 & CVE-2024-27199
JetBrains issued a fix for two security flaws in its TeamCity continuous integration and continuous deployment (CI/CD) server: CVE-2024-27198, a critical authentication bypass, and CVE-2024-27199, a related bypass of lower severity. Together they allow an unauthenticated attacker with HTTP(S) access to a TeamCity server to take it over with administrative privileges. The vulnerabilities affect all TeamCity On-Premises versions through 2023.11.3. To mitigate, upgrade to 2023.11.4 or later as soon as possible, and treat any internet-exposed instance that was unpatched during the exploitation window as potentially compromised.
QNAP Vulnerability Advisory | March 2024
CVE-2024-21899
QNAP issued a security advisory for a critical security flaw (CVE-2024-21899) affecting certain versions of its operating systems and applications, commonly used for network-attached storage. The vulnerability allows a remote attacker to bypass authentication and compromise the device without credentials. To mitigate, download and install the latest fixed version. See here for update guidance depending on your specific product.
FortiClient EMS Vulnerability Advisory | March 2024
CVE-2023-48788
A critical security flaw (CVE-2023-48788), an SQL injection reachable without authentication, has been discovered in FortiClient Enterprise Management Server (EMS), the central server used to manage FortiClient endpoint agents. The vulnerability allows an unauthenticated attacker to execute arbitrary code or commands on the EMS host via crafted requests. Security patches have been released and should be applied as soon as possible.
The vulnerability affects FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2). Ensure you are running the latest available fixed version of FortiClient EMS:
- If you are using FortiClient EMS 7.0, upgrade to 7.0.11 or above.
- If you are using FortiClient EMS 7.2, upgrade to 7.2.3 or above.