ALPHV Was In Change Healthcare’s Network For Days Before They Attacked

Not that I am surprised by this, but The Wall Street Journal has just reported that the Change Healthcare attackers lurked in the network for nine days before the company got pwned:

The attackers, who represented themselves as the ALPHV ransomware gang or one of its affiliates, gained entry into Change’s network on Feb. 12, a person familiar with the cyber investigation said. They used compromised credentials on an application that allows staff to remotely access systems, the person said.

Multifactor authentication protocols are typically used to guard against such breaches, including the use of text-message codes or access tokens keyed to individual users. MFA wasn’t enabled on this particular application, the person said.

Steve Hahn, EVP of Americas at BullWall, had this comment:

“That the threat actor used compromised credentials before launching their attack comes as no surprise. This same technique has been used in over 95% of the Ransomware events we analyzed in 2023. Interestingly, this is the same percentage that Sophos independently found.

“Essentially the criminal gets low level credentials. It could be the exploitation of anyone in the company’s credentials. From there they used tools originally used by the good guys in cyber to pentest networks to scrape server admin credentials. These tools are often Cobalt Strike or Mimikatz.

“This is an incredibly simple and incredibly effective process. Once they have the same rights as the most trusted users in the organization, they can essentially do anything they want. These admins can shut off security products, whitelist pathways and applications that the bad guys can use, exfiltrate data and turn off their data loss tools, ultimately launching their Ransomware attack to encrypt every piece of data in the company — from patient records, medications, health history, credit card data and social links to blood types and even genetic testing. They gain access to the most sensitive data that exists.

“Companies believe they are secure because they’ve enabled multi-factor authentication, meaning that the threat actor theoretically needs more than just the credentials, they also need the phone of that admin to receive the MFA code to remotely log in to that server via tools like RDP.

“Most servers, shockingly, are not protected via MFA to every sign on session directly. Even if they are, the threat actor can bypass MFA by simply scheduling tasks on that server that don’t require a remote log-in to the server itself using tools called Schedule Task Managers.

“They can also use keyboard capture to intercept that MFA token or SIM swapping hacks that route the legitimate server admin’s phone number to the threat actor. The simple truth is prevention will NOT work against a determined threat actor focused on a single organization. It is a matter of when, not if, they launch their Ransomware attack. Prevention tools that exist today are not enough, as is evidenced by these attacks.

“ALPHV (Blackcat) told the FBI, after the FBI claimed falsely that they “took down” the ALPHV group, that they would now focus all of their efforts on US healthcare organizations. This attack is the first of many we will see, as they seem determined to live up to that promise.

“Organizations can no longer rely solely on prevention. They must have containment and mitigation strategies in place. They can continue to work to try to stop these threat actors, but they must also plan on the inevitable, and work out rapid Ransomware “containment” and mitigation strategies as well as plans for how to rebuild after the event.”

Emily Phelps, Director at Cyware, follows with this:

“In the face of persistent cyber threats targeting the healthcare sector, the importance of threat intelligence sharing and its operationalization cannot be overstated. Healthcare organizations are attractive targets for cybercriminals, making it essential for these entities to adopt a proactive stance in combating these attacks efficiently and effectively.

“By participating in such intelligence-sharing communities like Health-ISAC, healthcare providers can access a wealth of intelligence that helps them identify and mitigate potential threats more effectively. This collaborative approach not only enhances individual organizations’ defensive capabilities but also strengthens the overall security posture of the healthcare industry.

“Operationalizing this intelligence involves integrating it into security operations to enable real-time responses and preventative strategies. By doing so, healthcare entities can safeguard their critical infrastructure, ensuring the continuity of vital services and protecting sensitive patient data.”

There are two #fails here. The first is that MFA wasn’t used throughout the environment to mitigate the risk of an attack. But the bigger #fail is that ALPHV was in the environment and went undetected for days. To be really secure, you have to keep the bad guys out. But at the same time, you have to make sure that if they get in, you can find them. And quickly. These days, there’s simply no other option.
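As an added example (not code from the post, the WSJ, BullWall or Cyware), here is a small audit over constructed remote-access gateway logs that surfaces both fails: successful logons that satisfied no MFA factor, broken down per application, and how many days such access sat in the logs before anyone reviewed them. The log format, field names and the `REVIEW_TIME` value are assumptions.

```python
# Added example (not from the post or from BullWall/Cyware/WSJ): audit constructed
# remote-access gateway logs for the two gaps named above. Field names are assumptions.
import json
from datetime import datetime, timezone

# Constructed events, not real Change Healthcare data. One account gets in with
# no second factor on Feb 12 and nobody looks at the log until Feb 21.
GATEWAY_LOG = """\
{"ts": "2024-02-12T03:14:00Z", "user": "svc_support", "app": "remote-access", "result": "success", "mfa": "none", "src": "198.51.100.23"}
{"ts": "2024-02-12T09:02:00Z", "user": "jsmith", "app": "remote-access", "result": "success", "mfa": "totp", "src": "10.0.4.17"}
{"ts": "2024-02-13T22:41:00Z", "user": "svc_support", "app": "remote-access", "result": "success", "mfa": "none", "src": "198.51.100.23"}
{"ts": "2024-02-14T08:00:00Z", "user": "akhan", "app": "vpn", "result": "failure", "mfa": "none", "src": "203.0.113.9"}
"""
REVIEW_TIME = datetime(2024, 2, 21, 12, 0, tzinfo=timezone.utc)  # when someone finally looked

def parse_events(raw):
    """One JSON object per line; turn the timestamp into an aware datetime."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def unverified_logons(events):
    """Successful logons with no second factor: the gap the WSJ describes.
    Failed logons without MFA are noise; a *successful* one is the finding."""
    return [e for e in events if e["result"] == "success" and e["mfa"] == "none"]

def dwell_days(events, reviewed_at):
    """Whole days between the first unverified logon and the review; None if none."""
    hits = unverified_logons(events)
    if not hits:
        return None
    return (reviewed_at - min(e["ts"] for e in hits)).days

def mfa_gap_report(events):
    """Per application, the users who got in without MFA (empty set = enforced)."""
    report = {}
    for e in events:
        if e["result"] != "success":
            continue
        report.setdefault(e["app"], set())
        if e["mfa"] == "none":
            report[e["app"]].add(e["user"])
    return report
```

On the constructed data the report names one application with an MFA gap and a dwell time of nine days, which is the number the WSJ put on the real incident; the point of the dwell metric is that it should be measured against an alert, not a post-incident review.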
