Ransomware, API security

Exclusive: Cyberattack on Change Healthcare was an exploit of the ConnectWise flaw

Cyberattack on Change Healthcare was an exploit of the ConnectWise flaw


Security experts have warned for the past couple of days that the two flaws recently uncovered in ConnectWise’s ScreenConnect app could become the major cybersecurity story of 2024 – and that the healthcare and critical infrastructure sectors were especially vulnerable.

Today, we’re inching closer to that reality as SC Media has learned that the recent cybersecurity incident at UnitedHealth's Change Healthcare that led to slowdowns at pharmacies was caused by a strain of LockBit malware that was used to exploit the vulnerabilities in ConnectWise ScreenConnect.

Toby Gouker, chief security officer at First Health Advisory, stressed that while it was a LockBit strain of malware, it doesn’t mean that the recently taken down LockBit gang was responsible. Gouker said the two flaws were discovered as part of a crowdsourced team for the ConnectWise bugs on Feb. 15 and that the vulnerability notifications went out on Feb. 19.

And that’s where the problems started.

“As many of you know, malicious actors watch for these announcements to come out,” said Gouker. “They prey on the timeframe between the announcement and when an organization is able to apply the patch. So from the get-go, these actors are working to figure out a way to exploit the disclosed vulnerability and capitalize on it.”

While Goucker stands by his comments, ConnectWise remained somewhat defensive, yet cautious, issuing this statement late Friday night:

“At this time, we cannot confirm that there is a connection between the Change Healthcare incident and the ScreenConnect vulnerability. Our initial review indicates that Change Healthcare appears not to be a ConnectWise direct customer, and our managed service provider partners have yet to come forward, stating Change Healthcare is a customer of theirs. We remain committed to sharing information related to the ScreenConnect vulnerability and collaborating with the cybersecurity community and welcome additional information from the cybersecurity researchers sourced for this article.”

Goucker, the former Provost for the SANS Technology Institute with more than 40 years in the medical IT and security field, said his conclusions are based on ongoing industry discussions, the timing of the vulnerability disclosure, and the known fact that the unpatched ScreenConnect iterations are carrying LockBit.

“It's possible that ConnectWise is not 'patient zero,' but not probable,’” said Goucker.

News of a cyberattack on the healthcare company broke on Feb. 21 when United Healthcare, the parent company of Change Healthcare, reported the incident in an 8-K filing. In the filing, United Healthcare said they “identified a suspected nation-state associated cyber threat actor” had gained access to some of Change Healthcare’s IT systems. This was reportedly the second subsidiary of Optum -- a division of UnitedHealth -- to disclose a suspected cybersecurity attack in the past four months.

Change Healthcare delivers software systems to clinical services used by medical professionals. It also runs a membership platform for patient services where it has access to tens of millions of patient records.

Efforts to ask Change Healthcare to comment on Goucker’s claims and ConnectWise’s rebuttal were unsuccessful.

First Health Advisory’s Gouker said while Optum has a strong security team, they only officially acquired Change Healthcare this past October. They in essence inherited this vulnerability as part of the acquisition, said Gouker, pointing out that why a cybersecurity audit has become an important part of the M&A process in healthcare – to avoid purchasing ‘zero’days’.

“This incident has nothing to do with Optum having shoddy services,” said Gouker. “In fact, they discovered the anomaly quick and did exactly what they were supposed to do according to their clearly practiced playbook: Disconnect to stop the spread because after the vulnerability opened the door, the actors deployed LockBit ransomware. Even though the government or whoever says they took it down, there’s still at least one active version of LockBit ransomware out there.”

Ritu Gupta, senior product manager at Menlo Security, added that the cyberattack on Change Healthcare, coupled with its connection to UnitedHealth, raises concerns about the vast amount of patient data potentially at risk. Gupta said the impact has already been felt with prescription processing outages in Michigan, pointing to the substantial operational disruptions such an attack can cause across the nation.

“The probability of this becoming a much bigger deal hinges on several factors, including the duration of the system outages, the effectiveness of the response measures, and the sensitivity of the compromised data,” explained Gupta. “Given the suspected nation-state involvement and the exploitation of a flaw in the ConnectWise ScreenConnect app, there’s potential for significant escalation, especially considering the critical nature of the services provided by Change Healthcare. The involvement of LockBit ransomware, albeit indirectly, underscores the sophistication and potential severity of the attack.”

Editor's Note: This story was updated at 5:41 p.m. Eastern and again at 9:47 p.m. Eastern Friday, February 23.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.