Change Healthcare Hackers Broke In Using Stolen Credentials, No MFA

An anonymous reader quotes a report from TechCrunch: The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company's systems that weren't protected by multifactor authentication (MFA), according to the chief executive of its parent company, UnitedHealth Group (UHG). UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system. This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare's systems, during which massive amounts of health data were exfiltrated from its systems. UnitedHealth said last week that the hackers stole health data on a "substantial proportion of people in America."

According to Witty's testimony, the criminal hackers "used compromised credentials to remotely access a Change Healthcare Citrix portal." Organizations like Change use Citrix software to let employees access their work computers remotely on their internal networks. Witty did not elaborate on how the credentials were stolen. However, Witty did say the portal "did not have multifactor authentication," which is a basic security feature that prevents the misuse of stolen passwords by requiring a second code sent to an employee's trusted device, such as their phone. It's not known why Change did not set up multifactor authentication on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer's systems. "Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data," said Witty. Witty said the hackers deployed ransomware nine days later on February 21, prompting the health giant to shut down its network to contain the breach. Last week, the medical firm admitted that it paid the ransomware hackers roughly $22 million via bitcoin.

Meanwhile, UnitedHealth said the total costs associated with the ransomware attack amounted to $872 million. "The remediation efforts spent on the attack are ongoing, so the total costs related to business disruption and repairs are likely to exceed $1 billion over time, potentially including the reported $22 million payment made [to the hackers]," notes The Register.

Not the true cost

[gtall]

The true cost includes all that + the damage the criminal will now cause with their $22 million, and the example of how crime pays to the other criminal organizations and what price they can expect from their new exploits.

Re:

[timeOday]

It's a horrible outcome all around - the crooks got paid so they'll come back stronger; the company lost $1B (largely in destroyed value that is not recirculating in the economy) and finally the patients, millions of whose records were exposed, or even delayed care.

Re:

[cascadingstylesheet]

the company lost $1B (largely in destroyed value that is not recirculating in the economy

Er, crime's not good, but I'm pretty sure that criminals do spend money.

Re:

[timeOday]

But the crooks only got $22M out of the $1B in damage they caused, thus destroying $978M in value. It's like when somebody smashes your car window to steal $2 from the coin tray.

It's not just MFA

[Murdoch5]

Why wasn't the session doing geolocation and IP lookup? Even if someone got the credentials, they shouldn't have worked from the wrong location(s). Tie that in with address verification, and hardware based MFA (not SMS based), and you have a semi-decent login system. You could extend it by additional layers, and really for Health Care you want TFA or Three Factor, which would be something like Password + Yubi + Fingerprint. Geolocation and address verification would bring it up to FFA or Four Factor, possibly Five Factor.

When will it sink in that doing the minimum is never good enough? How many executives and managers said (to paraphrase): “Least viable effort”, when discussing the requirements, or cut funding, or went with the populate option because they heard of it before. This has all the hallmarks of bad design, through intentional bad design.

Re:It's not just MFA

[CaptainDork]

It has all the signs of risk assessment by lay managers. We in the industry of IT have argued for best practices but when we reveal the cost of implementation, management has a major cow.

Shortly after I retired, my firm was hit and their response was to buy ransomware insurance. I talked with my replacement and his standard security protocols were rejected as costing too much.

Re:It's not just MFA

[timeOday]

The ransomware insurers will probably force them to do some things like 2FA.

Re:

[CaptainDork]

I don't know if they ever did, but probably. Now the variables are 1.) IT salary, 2.) insurance premiums, and 3.) the cost of best practice.

Re:

[Murdoch5]

I absolutely believe that!

Re:

[Bongo]

It does cost too much when the penalties are so small.

Re:

[CaptainDork]

This is another excellent point. All this lack of security and best practices will stop only when customers sue entities. Then the risk assessment formula changes significantly.

Re:It's not just MFA

[EvilSS]

Using IP location as a login risk metric is great, and there are systems today that do it. You can geofence logins directly with a Citrix Netscaler if you want. However VPNs and compromised devices acting as traffic proxies to make it look like you are coming from the correct country or even the correct ISP are both a thing. At best you catch the very low hanging fruit. Which doesn't mean you should not do it, you should, but understand it's not as big of a fix as it might look at first.

As for address verification, if you mean physical address, how? IP geolocation databases are garbage, and especially so if you are dealing with a ISP that uses CGNAT (like TMHI, ATT Air, Verizon 5G home which are all quickly building subscriber bases). If you mean tying a IP address to a user, or at least their ISP, again, that's tricky as you need to deal with users traveling for business (even in the same country tying them to an ISP will cause issues) and it just means the hackers need to get something they can proxy traffic through on that same ISP. For big ISPs, that won't be that hard for them to do, especially when you are talking about the potential for a 8 figure payday.

Re:

[Murdoch5]

VPNs and IP Spoofing can mitigate geofencing, which is why IP locking is also important, either by using direct whitelists or some form of IPSec. Now, I know those aren't magical castle level protections, but, if you pair them with TFA, such as a fingerprint + Yubi, then you have some pretty decent front end protection. That's why I didn't throw those suggestions in the MFA group initially, since they're not really MFA.

Another significant aspect of this, session timeouts. How long do the sessions stay

House subcomittee

[bugs2squash]

How come it's the house subcommittee's business now but it wasn't before the breach. Either they have oversight and should be actively auditing these companies that hold so much of the public's PII or they have no business swooping in now.

Re:

[cmseagle]

This is like complaining that the firefighters "swooped in" once your house was on fire. That's their job. How else would you propose Congress identify cases for new legislation if not by asking questions in those scenarios where things went horribly wrong? Maybe this'll be the basis for legislating minimum cybersecurity standards and an enforcement mechanism for those found non-compliant.

Cyber Insurance

[EvilSS]

"OK, well, you're on your own. Thanks, we'll see ourselves out" - Change Healthcare's Cyber Insurance company hopefully.

These companies made a big push a couple of years ago to make MFA mandatory for renewals. Not having MFA on an external facing Citrix login portal is just inexcusable these days. It's been supported by Citrix for literally decades in one form or another.

So they basically asked for it

[gweihir]

Cheap fucks. This should result in prison sentences for the decision makers. 2FA is pretty much the minimum these days for data that is worth something.

Re:

[Opportunist]

I'm fairly sure the reason for the lack of 2FA is the usual "I'm too important to be inconvenienced" screwup. Where C-Levels demand that they have full reign, full access and maximum privileges, but also can't be assed to agree on bare minimum security features because it's "too complicated" for them.

Let the users jump through all sorts of ridiculous hoops to access their locked down accounts, but I'm far, far too important to be in any way inconvenienced (hell, remembering that 8 letter password that doesn

Citrix multifactor authentication already hacked

[Mirnotoriety]

“A vulnerability that allows attackers to bypass multifactor authentication [arstechnica.com] and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.”

remediation

[groobly]

I presume the "remediation costs" include the cost of doing what they should have done long ago.