Ransomware, Breach, Vulnerability Management

ConnectWise link to Change Healthcare breach corroborated


UPDATE

Editor's Note: This story was updated to reflect comments from ConnectWise at 10:46 p.m.

There are significant updates to SC Media’s Feb. 23 report that the recent breach of Change Healthcare, which disrupted pharmacies nationwide, resulted from the exploitation of two ConnectWise vulnerabilities in the remote access app ScreenConnect, flaws that have been widely reported on in the security trade press.

Yelisey Bohuslavskiy, co-founder of RedSense and Advintel, posted on LinkedIn that RedSense was able to identify, map and structure exfiltration-related telemetry for the timeline associated with the Change Healthcare attack, as well as the timeline prior to it. The RedSense findings correlate with the hypothesis put forward by First Health Advisory that the initial access was achieved via a ConnectWise vulnerability.

However, Bohuslavskiy said the telemetry analysis did not identify adversarial activity associated with LockBit’s infrastructure, be it the ransomware gang's core C2s, proxies or affiliate C2s.

While RedSense said this does not contradict the widely speculated deployment of LockBit's locker against Change Healthcare, the exfiltration pattern contradicted recent LockBit exfiltration tactics, techniques, and procedures (TTPs), suggesting that the actor was most likely not a LockBit affiliate.

Indeed, it was widely reported over the last 24 hours that the ALPHV/BlackCat ransomware group was responsible for the Change Healthcare cyberattack.

The Health-ISAC noted the RedSense research in a recent bulletin, but said it's not possible to confirm attack details because the incident is still under investigation.

“Regardless of what happened at Change Healthcare, RedSense anticipates more organizations will be compromised as the ScreenConnect exploit is apparently fairly trivial to execute,” said the Health-ISAC. “We would expect to see additional victims in the coming days.”

Toby Gouker, chief security officer at First Health Advisory, explained that during the early phases of an attack, these ransomware cases all look alike. It’s only as the forensics process unfolds, and researchers discover the method of deployment and the specific payloads, that it becomes possible to paint a picture of an actor's signature moves and to begin telling them apart, Gouker said.

“While the current speculation is that ALPHV/BlackCat is indeed the actor, it could take weeks to actually confirm,” said Gouker. “In some cases, attribution is never able to be confirmed. Malicious actors share toolsets and methodologies and practice the art of obfuscation. In defense of ConnectWise, I believe they did everything humanly possible to foster an expeditious close out of their vulnerability, however, malicious actors excel at delivering payloads in hours and minutes, where firms can take days and weeks to correct a situation.”

From a broader security industry perspective, Sarah Jones, cyber threat intelligence research analyst at Critical Start, said that while ConnectWise has denied any involvement, multiple credible sources have attributed the attack to a ConnectWise vulnerability. Additionally, Jones said the tactics and techniques observed in the breach align with known methods used by threat actors exploiting ConnectWise vulnerabilities.

“While we cannot definitively confirm the link at this time, Optum's engagement of Mandiant, a leading incident response firm renowned for investigating sophisticated cyberattacks, suggests the severity and complexity of the breach,” said Jones. “It's worth noting that while the exact ransomware strain remains uncertain (LockBit vs. ALPHV/BlackCat), this ambiguity is typical in the early stages of incident response. Until Optum/Change Healthcare or ConnectWise issue an official statement, we cannot definitively confirm the ConnectWise connection. Nonetheless, the mounting evidence from reputable sources makes it increasingly plausible.”

Optum response to Change Healthcare cyber incident

For its part, Optum, which heads up the UnitedHealth division that includes Change Healthcare, wrote in a Feb. 27 email to SC Media that since identifying the cyber incident, it has worked closely with customers and clients to ensure people have access to the medications and the care they need. Optum also said it continues to work closely with law enforcement and a number of third parties, including Mandiant and Palo Alto Networks, on the attack against Change Healthcare’s systems.

“We appreciate the partnership and hard work of all of our relevant stakeholders to ensure providers and pharmacists have effective workarounds to serve their patients as systems are restored to normal,” Optum told SC Media. “As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds.”

Here are some highlights Optum wanted to point out to readers, mostly messages to pharmacy customers that are not security-related:

  • The company estimates more than 90% of the nation’s 70,000-plus pharmacies have modified electronic claim processing to mitigate impacts from the Change Healthcare cybersecurity issue; the remainder have offline processing workarounds.
  • Optum Rx and UnitedHealthcare are seeing minimal reports, including less than 100 out of more than 65 million Pharmacy Benefit Manager (PBM) members not being able to get their prescriptions. Those patients have been immediately escalated and we have no reports of continuity of care issues.
  • Optum understands the impact this issue has had on claims for payers and providers. Any delays to claims processing have yet to impact provider cash flows as payers typically pay one to two weeks after processing. As Optum works on bringing systems back online, we are also developing solutions to that challenge if needed.
  • Hospitals, health systems and providers have connections to multiple clearinghouses and access to manual workarounds.

SC Media reached out to Mandiant, which said it could not comment on the matter since the Change Healthcare case was still under investigation.

As First Health Advisory’s Gouker indicated, ConnectWise has taken proactive steps to remedy the situation and has received some positive coverage of how quickly it rolled out patches for ScreenConnect. As of the early afternoon of Feb. 27, the company still maintained there’s no connection between ConnectWise and the cybersecurity incident at Change Healthcare.

Timeline events by ConnectWise:

In a statement sent late Tuesday night, ConnectWise emphasized that the company is unaware of any confirmed connection between the ScreenConnect vulnerability disclosed on February 19th, 2024, and the incident at Change Healthcare.

ConnectWise said the company continuously collaborates with the IT community, especially during challenging periods like this. “We welcome the opportunity to collaborate with any cyber researcher who claims to know this situation. Security remains a top priority for ConnectWise, and our prompt response showcases our commitment to mitigating the ScreenConnect vulnerability.”

Here's a summary of the timeline of events:

  • On February 13th, an independent researcher reported the potential ScreenConnect vulnerability using the ConnectWise vulnerability disclosure process.
  • ConnectWise mitigated all cloud instances of ScreenConnect within 48 hours.
  • On February 19th, ConnectWise released an official patch for all on-prem partners, posted a security bulletin to the ConnectWise Trust Center, and sent partner comms urging all partners to patch.
  • On February 19th, ConnectWise initiated contact with CISA.
  • On February 21st, because cybersecurity is essential to ConnectWise and our partners, as an interim step, on-prem partners not on maintenance can update to patched ScreenConnect 22.4.20001.8817 at no additional cost.
  • On February 22nd, for precautionary measures, ConnectWise paused functionality for unpatched versions of on-prem ScreenConnect until customers update to a patched version.
  • ConnectWise strongly recommends all on-prem partners be on maintenance and upgrade to 23.9.8 or later.
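As an added illustration (not code from SC Media, ConnectWise or any firm quoted above), the short Python script below triages on-prem ScreenConnect build strings against the two patched versions the timeline names, comparing them numerically rather than as text so that 23.9.10 sorts above 23.9.8. The host inventory is constructed, and treating any 22.4 build at or above 22.4.20001.8817 as the interim fix is my assumption.

```python
"""Classify on-prem ScreenConnect build strings against the patched versions
named in the ConnectWise timeline (23.9.8 or later recommended; 22.4.20001.8817
as the interim build for partners not on maintenance). Added illustration, not
ConnectWise tooling; the inventory below is constructed."""
from typing import List, Tuple

RECOMMENDED = (23, 9, 8)          # "upgrade to 23.9.8 or later"
INTERIM = (22, 4, 20001, 8817)    # interim patched build for non-maintenance partners


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '23.9.8' or '22.4.20001.8817' into a tuple of ints for comparison."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed ScreenConnect version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version: str) -> str:
    """Return 'patched', 'interim' or 'unpatched' for one build string.

    Assumption (mine, not ConnectWise's): within the 22.4 branch, any build at or
    above 22.4.20001.8817 counts as the interim fix; every other build below
    23.9.8 is treated as unpatched."""
    v = parse_version(version)
    if v >= RECOMMENDED:
        return "patched"
    if v[:2] == (22, 4) and v >= INTERIM:
        return "interim"
    return "unpatched"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (host, version) pairs to (host, version, status), unpatched hosts first."""
    rows = [(host, ver, patch_status(ver)) for host, ver in inventory]
    order = {"unpatched": 0, "interim": 1, "patched": 2}
    return sorted(rows, key=lambda r: order[r[2]])


# Constructed sample inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = [
    ("sc-clinic-01", "23.9.8"),
    ("sc-clinic-02", "23.9.7"),
    ("sc-legacy-01", "22.4.20001.8817"),
    ("sc-legacy-02", "22.4.20001.8000"),
    ("sc-branch-01", "23.9.10"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {ver:18} {status}")
```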
