UnitedHealth has confirmed that Change Healthcare's network was breached by the BlackCat (ALPHV) ransomware gang, which used stolen credentials to log into the company's Citrix remote-access portal. The attack severely disrupted critical healthcare services, and UnitedHealth estimates the financial damage so far at $872 million.
The BlackCat affiliate who carried out the intrusion claimed that UnitedHealth paid a $22 million ransom and that the BlackCat operators then kept the whole payment for themselves in an exit scam, shutting down without paying the affiliate its share. The affiliate then joined the RansomHub operation to extort UnitedHealth a second time by threatening to leak the stolen data.
UnitedHealth admitted to paying a ransom to protect people's data but did not disclose the amount or name the attackers. The ransomware itself was deployed on February 21; the threat actors had been inside Change Healthcare's network since February 12, nine days earlier.
Investigations showed that the attackers first logged into Change Healthcare's Citrix portal on February 12 using stolen employee credentials. How those credentials were obtained, whether through phishing or information-stealing malware, has not been established. The portal did not enforce multi-factor authentication, so a stolen username and password alone were enough to get in; from there the attackers moved laterally across systems, exfiltrated data, and finally deployed the ransomware.
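As an added illustration (not code from the article, UnitedHealth, or Change Healthcare), here is a small Python detection script run over a constructed, hypothetical gateway authentication log. It parses the lines, flags successful logins that presented only a password, and flags successful logins from a source IP the account has never used before; the intersection of the two is the highest-risk set. The log format, gateway hostname, usernames and IP addresses are all invented for the example; a real Citrix Gateway / NetScaler syslog feed uses a different format and needs its own parser.

```python
"""Flag single-factor and new-IP remote-access logins in a constructed auth log.

Added example, not the article's or UnitedHealth's code. The line format,
hostname, users and addresses below are hypothetical; real Citrix Gateway /
NetScaler syslog is formatted differently and needs its own parser.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format and values).
SAMPLE_LOG = """\
2024-02-10T08:02:11Z gateway=vpn.example.test user=jsmith src=203.0.113.40 factors=password,totp result=success
2024-02-10T08:05:40Z gateway=vpn.example.test user=aparker src=198.51.100.7 factors=password result=success
2024-02-12T03:14:02Z gateway=vpn.example.test user=aparker src=192.0.2.99 factors=password result=success
2024-02-12T03:14:45Z gateway=vpn.example.test user=aparker src=192.0.2.99 factors=password result=success
2024-02-12T09:30:00Z gateway=vpn.example.test user=jsmith src=203.0.113.40 factors=password,totp result=success
2024-02-13T22:41:19Z gateway=vpn.example.test user=mchen src=192.0.2.99 factors=password result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gateway=(?P<gateway>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) factors=(?P<factors>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the hypothetical key=value lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["factors"] = set(ev["factors"].split(","))
        events.append(ev)
    return events


def single_factor_logins(events):
    """Successful logins where the only factor presented was a password."""
    return [e for e in events
            if e["result"] == "success" and e["factors"] == {"password"}]


def first_seen_ip_logins(events):
    """Successful logins from an IP the user has not used earlier in the log.

    A user's very first login builds the baseline and is not flagged; in
    production the baseline would come from historical data, not this log.
    """
    seen = defaultdict(set)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        if e["src"] not in seen[e["user"]]:
            if seen[e["user"]]:
                hits.append(e)
            seen[e["user"]].add(e["src"])
    return hits


def report(text):
    """Summarise single-factor, new-IP and combined (high-risk) logins."""
    events = parse_log(text)
    sf = single_factor_logins(events)
    new_ip = first_seen_ip_logins(events)
    new_ip_keys = {(e["user"], e["src"], e["ts"]) for e in new_ip}
    high = [e for e in sf if (e["user"], e["src"], e["ts"]) in new_ip_keys]
    return {
        "single_factor": [(e["user"], e["src"]) for e in sf],
        "new_ip": [(e["user"], e["src"]) for e in new_ip],
        "high_risk": [(e["user"], e["src"], e["ts"].isoformat()) for e in high],
    }


if __name__ == "__main__":
    for key, rows in report(SAMPLE_LOG).items():
        print(key)
        for row in rows:
            print("  ", row)
```

On the constructed input the combined check singles out the 03:14 login by `aparker` from an address that account had never used, made with a password alone; that is exactly the pattern a password-only gateway cannot stop at login time and the SOC therefore has to catch after the fact. The baseline is built from the log itself for the sake of a self-contained example; a real deployment would seed it from historical sign-in data.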
UnitedHealth's CEO, Andrew Witty, described paying the ransom to protect patient data as a difficult decision that was his to make. Following the attack, the company moved quickly to contain the threat: it replaced laptops, rotated credentials, and rebuilt the data center network and core services within a few weeks.
Although the leaked data contains protected health information and personally identifiable information, there is so far no evidence that complete medical records or histories were exfiltrated. Medical claims, payment processing, and the pharmacy network are back to near-normal operation.
In an update, Hudson Rock's CTO disclosed that information-stealing (infostealer) malware had harvested a Change Healthcare employee's Citrix credentials on February 8, four days before the first login. The stolen credentials were tied to the remote-application URL of Change Healthcare's Citrix Gateway login page, although it has not been confirmed that these were the credentials used in the ransomware attack.
Overall, the Change Healthcare attack shows that a single internet-facing remote-access portal without multi-factor authentication is enough to give an attacker with stolen credentials a foothold in a healthcare network, and underlines the need for basic controls such as MFA on all remote access, monitoring for credentials exposed by infostealers, and tested recovery plans for the services that depend on that network.
Article Source
https://www.bleepingcomputer.com/news/security/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa/amp/