
Cyberattack on Change Healthcare was an exploit of a Remote Desktop Protocol flaw, expert claims


[EDITOR'S NOTE: A reference in a previous version of this article citing undisclosed and unconfirmed research that implicated a technology firm as an attack vector for the Change Healthcare incident has been removed. SC Media strives for accuracy and reporting transparency and regrets when it falls short of that goal.] 5/13/2024

Security experts have warned for the past couple of days that flaws in Remote Desktop Protocol (RDP) apps could become the major cybersecurity story of 2024 – and that the healthcare and critical infrastructure sectors were especially vulnerable.

Today, we’re inching closer to that reality as SC Media has learned that the recent cybersecurity incident at UnitedHealth's Change Healthcare that led to slowdowns at pharmacies was allegedly caused by a strain of LockBit malware that may have been used to exploit an RDP vulnerability.

Toby Gouker, chief security officer at First Health Advisory, stressed that while it was a LockBit strain of malware, it doesn’t mean that the recently taken down LockBit gang was responsible. Gouker said research that was not disclosed to SC Media indicated a possible RDP attack vector.

UPDATE [Editor's Note: Months after this initial report, on April 30, 2024, UnitedHealth Group CEO Andrew Witty released a statement to Congress stating that threat actors used compromised credentials to remotely access a Change Healthcare Citrix portal — a portal that lacked multifactor authentication (MFA), a basic tenet of cybersecurity.]

And that’s where the problems started.

Gouker, the former Provost for the SANS Technology Institute with more than 40 years in the medical IT and security field, said his conclusions are based on ongoing industry discussions, the timing of the vulnerability disclosure, and the known fact that unpatched RDP iterations have been impacted by LockBit.

News of a cyberattack on the healthcare company broke on Feb. 21 when United Healthcare, the parent company of Change Healthcare, reported the incident in an 8-K filing. In the filing, United Healthcare said it had “identified a suspected nation-state associated cyber threat actor” that had gained access to some of Change Healthcare’s IT systems. This was reportedly the second subsidiary of Optum – a division of UnitedHealth – to disclose a suspected cybersecurity attack in the past four months.

Change Healthcare delivers software systems to clinical services used by medical professionals. It also runs a membership platform for patient services where it has access to tens of millions of patient records.

Efforts to ask Change Healthcare to comment on Gouker’s claims were unsuccessful.

First Health Advisory’s Gouker said that while Optum has a strong security team, it only officially acquired Change Healthcare this past October. In essence, Optum inherited this vulnerability as part of the acquisition, said Gouker, pointing out why a cybersecurity audit has become an important part of the M&A process in healthcare – to avoid purchasing ‘zero-days’.

“This incident has nothing to do with Optum having shoddy services,” said Gouker. “In fact, they discovered the anomaly quickly and did exactly what they were supposed to do according to their clearly practiced playbook: Disconnect to stop the spread because after the vulnerability opened the door, the actors deployed LockBit ransomware. Even though the government or whoever says they took it down, there’s still at least one active version of LockBit ransomware out there.”

Ritu Gupta, senior product manager at Menlo Security, added that the cyberattack on Change Healthcare, coupled with its connection to UnitedHealth, raises concerns about the vast amount of patient data potentially at risk. Gupta said the impact has already been felt with prescription processing outages in Michigan, pointing to the substantial operational disruptions such an attack can cause across the nation.

“The probability of this becoming a much bigger deal hinges on several factors, including the duration of the system outages, the effectiveness of the response measures, and the sensitivity of the compromised data,” explained Gupta.
