UnitedHealth Congressional Testimony Reveals Rampant Security Fails

Published: 23/11/2024   Category: security


The breach was carried out with stolen Citrix credentials for an account that lacked multifactor authentication. Attackers went undetected for days, and Change Healthcare's backup strategy failed.



UnitedHealth's Change Healthcare subsidiary paid $22 million in ransom to the attackers who broke into its systems in February, according to Congressional testimony today. And it revealed that the scope of the breach could be much larger than anyone imagined, even as it remains unclear whether the ransom payment secured the data from being used in follow-on attacks.
UnitedHealth's CEO Andrew Witty testified before the US House Energy and Commerce Committee today after weeks of disruption at the nation's largest health insurer, during which a series of concerning revelations about the breach came to light.
For instance, the BlackCat/ALPHV ransomware affiliate hackers who broke into Change in February didn't have to work very hard to achieve success. According to the testimony, they were able to use previously compromised credentials to log in to Change's Citrix platform, possibly obtained via an initial access broker, and that account wasn't protected with multifactor authentication (MFA).
Also, the attack was discovered when BlackCat deployed ransomware on Feb. 23, but the attackers actually had unfettered access to the environment for more than a week before that, indicating a woefully lacking intrusion detection apparatus, security analysts noted.
“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” according to Witty's prepared testimony, released ahead of the hearing. “The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”
In his oral testimony, Witty also spilled additional details that, when added to the unchanged Citrix credentials (a best practice is to search for and track compromised credentials that may be part of prior breaches) and lack of MFA, point to an overall lack of security maturity. For instance, the company has had to perform a complete rebuild on its systems, even after decrypting files; and its backups weren't sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up too, blocking any recovery path from the initial attack.
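As an added illustration, not code from the article or from UnitedHealth, the following Python script shows the defender-side checks that correspond to the three gaps just described: successful remote-access portal logins that were not gated by a second factor, the dwell time between the first such login and ransomware deployment, and whether an account's password appears in a corpus of previously leaked credentials. The portal log format, the MFA enrollment inventory, the breach corpus, the ransomware deployment time and every function name are assumptions constructed for this example.

```python
"""Defender-side audit of the control gaps described above.

Everything here is constructed for illustration: the portal log format
(timestamp user= src= result= mfa=), the MFA enrollment inventory, the
breach-corpus passwords and the ransomware deployment time are all
hypothetical, not data from the article.
"""
import hashlib
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed MFA enrollment inventory for the remote-access portal.
MFA_ENROLLED = {"alice": True, "bob": True, "svc-remote": False}

# Constructed portal authentication log lines (hypothetical format).
PORTAL_LOG = """\
2024-02-10T08:15:02Z user=alice src=10.0.4.17 result=success mfa=ok
2024-02-12T03:41:55Z user=svc-remote src=198.51.100.23 result=success mfa=none
2024-02-12T03:42:10Z user=svc-remote src=198.51.100.23 result=success mfa=none
2024-02-13T22:05:00Z user=bob src=10.0.4.18 result=failure mfa=none
2024-02-14T01:12:44Z user=svc-remote src=198.51.100.23 result=success mfa=none
this line is malformed and must be skipped
"""

# Constructed ransomware deployment time used for the dwell-time calculation.
RANSOMWARE_DEPLOYED = "2024-02-23T00:00:00Z"

# Constructed breach corpus: SHA-1 digests of passwords seen in prior leaks.
# A real deployment would query a breach-notification service instead.
BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Winter2023!", "Password1", "Welcome1")
}


def parse_line(line):
    """Parse one portal log line; return None if it does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    rec = {}
    try:
        rec["ts"] = datetime.strptime(parts[0], TS_FMT)
    except ValueError:
        return None
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            return None
        rec[key] = value
    return rec


def parse_log(text):
    """Parse all well-formed lines, silently dropping malformed ones."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def is_unprotected(rec, enrolled):
    """True for a successful login that was not gated by a second factor."""
    return (rec.get("result") == "success"
            and (not enrolled.get(rec.get("user"), False) or rec.get("mfa") != "ok"))


def accounts_without_mfa(records, enrolled):
    """Sorted accounts that got into the portal without MFA."""
    return sorted({r.get("user", "?") for r in records if is_unprotected(r, enrolled)})


def dwell_days(records, enrolled, ransomware_ts):
    """Whole days between the first unprotected login and ransomware deployment,
    or None if no unprotected login was seen."""
    times = [r["ts"] for r in records if is_unprotected(r, enrolled)]
    if not times:
        return None
    deployed = datetime.strptime(ransomware_ts, TS_FMT)
    return (deployed - min(times)).days


def password_in_breach_corpus(password, corpus=BREACH_CORPUS):
    """Check a candidate password against the breach corpus by SHA-1 digest
    (the same comparison a k-anonymity range lookup ends with)."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in corpus


if __name__ == "__main__":
    recs = parse_log(PORTAL_LOG)
    print("unprotected logins by:", accounts_without_mfa(recs, MFA_ENROLLED))
    print("dwell time (days):", dwell_days(recs, MFA_ENROLLED, RANSOMWARE_DEPLOYED))
    print("reused leaked password?", password_in_breach_corpus("Winter2023!"))
```

On the constructed data the audit flags `svc-remote` as the only account that reached the portal without a second factor and reports a ten-day gap between its first login and the ransomware event; the point of the dwell-time figure is that an alert on the first unprotected login, rather than on the encryption event, is what shortens it.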
“This attack exemplifies ... why it is important to have controls in place to regularly review access entitlements. Compromised credentials or not, the attackers were able to leverage an account that gave them access to carry out their attack,” said Piyush Pandey, CEO at Pathlock, in an emailed statement. “In this case, MFA could have been an effective gate to the proliferation of this attack. The additional layers of security would make the breach more challenging ... in a broader view, this is a great example of the importance of layering technologies and processes, such as MFA, combined with strong application access controls and data security technologies, such as data masking, which can help mitigate widespread data breaches.”
Also in the oral testimony today, Witty confirmed that the adversaries made off with a large amount of personally identifiable information (PII) and personal health information (PHI). While Witty didn't talk hard numbers, the data in question could cover “a substantial proportion of people in America,” he said. He did not address whether the data is still at risk.
To put that comment into perspective, Change Healthcare processes roughly 15 billion healthcare transactions annually, and a third of Americans' patient records pass through its digital doors, Sen. Ron Wyden (D-Ore.) noted in a statement ahead of the hearing.
The senator added, “Change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company. That means medical bills that are chock full of sensitive diagnoses, treatments, and medical histories that reveal everything from abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. Military personnel are included in this data.”
Wyden also warned that the breach could end up being a “clear national security threat.”
“I don't think it's a stretch [that] the impact here rivals the 2015 hack of government personnel data from the Office of Personnel Management, which the FBI called a treasure trove of counterintelligence information for foreign intelligence services,” he said.
UnitedHealth is the nation's largest insurer and the fifth largest company in the US, with $324 billion in revenue and housing data on 152 million individuals. The breach is easily the largest cyber incident to ever affect the healthcare landscape.
For now, it's unclear what's next for Change and UnitedHealth; Wyden pointed out that existing regulations, such as they are, carry only “slap on the wrist” enforcement actions, should the companies be found to be liable for exposing sensitive data.
The companies also haven't detailed how or when they plan to improve their cyber defense postures (UnitedHealth has no cybersecurity executive on its board, Wyden pointed out, which would be an easy step to implement).
Meanwhile, this is an ongoing story: in the weeks since the breach was made public, the company has seen copycat activity from the RansomHub cybercrime outfit, and because the incident wreaked havoc across the healthcare supply chain, the Department of Health & Human Services responded with a policy game plan to address cyber-risk at insurers (though it still does not require healthcare orgs to meet minimum cybersecurity standards).
It is almost certain that there will be additional developments in the saga going forward.
UnitedHealth has not yet responded to a request for comment by Dark Reading.
