The IT Nerd

Not that I am surprised by this, The Wall Street Journal has just released data that the Change Healthcare attackers lurked in the network nine days ahead of them getting pwned:

The attackers, who represented themselves as the ALPHV ransomware gang or one of its affiliates, gained entry into Change’s network on Feb. 12, a person familiar with the cyber investigation said. They used compromised credentials on an application that allows staff to remotely access systems, the person said.

Multifactor authentication protocols are typically used to guard against such breaches, including the use of text-message codes or access tokens keyed to individual users. MFA wasn’t enabled on this particular application, the person said.

Steve Hahn, EVP of Americas, BullWall had this comment:

“That the threat actor used compromised credentials before launching their attack comes as no surprise. This same technique has been used in over 95% of the Ransomware events we analyzed in 2023. Interestingly, this is the same percentage that Sophos independently found. 

“Essentially the criminal gets low level credentials. It could be the exploitation of anyone in the company’s credentials.  From there they used tools originally used by the good guys in cyber to pentest networks to scrape server admin credentials. These tools are often Cobalt Strike or Mimikatz. 

“This is an incredibly simple and incredibly effective process. Once they have the same rights as the most trusted users in the organization, they can essentially do anything they want. These admins can shut off security products, whitelist pathways and applications that the bad guys can use, exfiltrate data and turn off their data loss tools, ultimately launching their Ransomware attack to encrypt every piece of data in the company — from patient records, medications, health history, credit card data and social links to blood types and even genetic testing. They gain access to the most sensitive data that exists. 

“Companies believe they are secure because they’ve enabled multi-factor authentication, meaning that the threat actor theoretically needs more than just the credentials, they also need the phone of that admin to receive the MFA code to remotely log in to that server via tools like RDP. 

“Most servers, shockingly, are not protected via MFA to every sign on session directly. Even if they are, the threat actor can bypass MFA by simply scheduling tasks on that server that don’t require a remote log-in to the server itself using tools called Schedule Task Managers. 

“hey can also use keyboard capture to intercept that MFA token or SIM swapping hacks that route the legitimate server admins phone number to the threat actor. The simple truth is prevention will NOT work against a determined threat actor focused on a single organization. It is a matter of when, not if, they launch their Ransomware attack. Prevention tools that exist today are not enough, as is evidenced by these attacks. 

“ALPHV (Blackcat) told the FBI, after the FBI claimed falsely that they “took down” the ALPHV group, that they would now focus all of their efforts on US healthcare organizations. This attack is the first of many we will see, as they seem determined to live up to that promise. 

“Organizations can no longer rely solely on prevention. They must have containment and mitigation strategies in place. They can continue to work to try to stop these threat actors, but they must also plan on the inevitable, and work out rapid Ransomware “containment” and mitigation strategies as well as plans for how to rebuild after the event. 

Emily Phelps, Director, Cyware follows with this:

“In the face of persistent cyber threats targeting the healthcare sector, the importance of threat intelligence sharing and its operationalization cannot be overstated. Healthcare organizations are attractive targets for cybercriminals, making it essential for these entities to adopt a proactive stance in combating these attacks efficiently and effectively.

“By participating in such intelligence-sharing communities like Health-ISAC, healthcare providers can access a wealth of intelligence that helps them identify and mitigate potential threats more effectively. This collaborative approach not only enhances individual organizations’ defensive capabilities but also strengthens the overall security posture of the healthcare industry.

“Operationalizing this intelligence involves integrating it into security operations to enable real-time responses and preventative strategies. By doing so, healthcare entities can safeguard their critical infrastructure, ensuring the continuity of vital services and protecting sensitive patient data.”

There’s two #fails here. The first is that MFA wasn’t used throughout the environment to mitigate the risk of an attack. But the bigger #fail is that ALPHV was in the environment, and were undetected for days. To be really secure, you have to keep the bad guys out. But at the same time, you have to make sure that if they get in, you can find them. And quickly. These days, there’s simply no other option.

In a statement late last week, the D.C. Department of Insurance, Securities and Banking (DISB) confirmed it was notified by third-party software provider Tyler Technologies that it “has experienced a data breach related to securities data”  a week after the LockBit claimed it attacked the regulatory agency and stolen 800GB of data.

The Washington, D.C., government agency, designed to protect consumers from abuses by financial institutions, confirmed that data stolen and leaked by the LockBit ransomware gang was taken from a third-party technology provider, Tyler Technologies, a public company that serves government agencies and schools around the world.

“Tyler Technologies discovered unauthorized access to their cloud that stores DISB’s STAR system client data,” DISB said, directing people to an alert from Tyler Technologies.

On April 13, the LockBit ransomware gang claimed it attacked DISB and stole 800GB of data. Then on Thursday evening Lockbit said that negotiations had broken down and it planned to leak 1GB of data in order to further push the organization into paying a ransom.

Tyler Technologies says it is currently “working to identify which individuals’ personally identifiable information (PII) may have been acquired by the threat actor.”

Emily Phelps, Director, Cyware had this to say:

   “Third-party security attacks are common and represent a real cybersecurity risk. Organizations must not only protect their own environments but must also ensure their technology partners and agencies have effective security programs in place. By leveraging advanced threat intelligence and security orchestration, entities can improve their resilience against these ubiquitous cyber threats. This situation also highlights the importance of thorough due diligence and continuous monitoring of third-party vendors, particularly those handling sensitive data.”

Ted Miracco, CEO, Approov Mobile Security adds this comment:

   “Tyler Technologies’ engagement with law enforcement and a cybersecurity firm is a step in the right direction, given that personal identifiable information (PII) was likely stolen. However, this situation exemplifies the risks associated with third-party vendors, as Tyler Technologies experienced unauthorized access that compromised DISB’s data. Any delays in public acknowledgment and response from either the DISB or Tyler Technologies reflect upon shortcomings in their incident response strategies. The fact that Tyler Technologies had immutable backups and was able to focus on recovery is commendable, as having robust data backup and recovery processes is vital in ransomware mitigation strategies. The bottom-line is that there are many problems with this breach and a few encouraging elements in the response.”

Another day, another supply chain attack. Sigh. At this point, you have to wonder when the madness will end, and organizations get serious about securing themselves and their partners.