The UnitedHealth Group has confirmed that the BlackCat/Alphv ransomware group successfully breached Change Healthcare in February by utilizing compromised credentials for a Citrix remote access portal that lacked multi-factor authentication. This information was validated through a prepared statement released by UnitedHealth Group CEO Andrew Witty titled “Examining the Turnaround Healthcare Cyberattack” ahead of a House Energy and Commerce Committee Oversight and Investigations Subcommittee hearing.
The attack on Change Healthcare resulted in network outages impacting patients, healthcare providers, and pharmacists for several months. It was disclosed on February 21 that the attack was orchestrated by the Alphv/BlackCat group, and a ransom was paid by UnitedHealth Group. Sensitive data was also acknowledged to have been accessed by the threat actors.
The method of attack involved the use of compromised credentials to access the Citrix portal at Change Healthcare, which did not have multi-factor authentication enabled. This allowed the threat actors to move laterally within the systems, ultimately leading to the exfiltration of data nine days later. Despite the widespread exploitation of Citrix vulnerabilities by other ransomware groups, the Change Healthcare attack did not involve exploiting Citrix flaws. The attackers simply leveraged compromised credentials to gain initial access to the network.
The decision to pay the ransom was a difficult one for CEO Andrew Witty, who did not disclose the exact amount paid. Reports indicate that a cryptocurrency wallet controlled by Alphv/BlackCat received a $22 million payment, and UnitedHealth Group later confirmed making a payment to the gang. The attack cost the company $872 million, as revealed in its first quarter results.
The investigation into the breach is ongoing, and the full extent of the data breach is still unknown. Change Healthcare, which has numerous locations across the United States and serves over 30,000 pharmacies, continues to analyze the compromised data to identify and notify affected customers and individuals. The company is monitoring the internet and dark web to determine if any compromised data has been published.
UnitedHealth Group enlisted the help of Google, Microsoft, Cisco, and Amazon, along with law enforcement and incident response teams from Mandiant and Palo Alto Networks, upon discovering the attack. Despite attempts to obtain further comment from UnitedHealth Group, the company declined to provide additional information.
As the investigation continues, industry experts and outside parties are working diligently to address the aftermath of the cyberattack and prevent future incidents. The breach serves as a reminder of the importance of implementing robust cybersecurity measures, including multi-factor authentication, to protect sensitive data and prevent unauthorized access.
Article Source
https://www.techtarget.com/searchsecurity/news/366582824/Change-Healthcare-breached-via-Citrix-portal-with-no-MFA
