What Happened?
On February 12th, 2024, the ALPHV (also known as BlackCat) ransomware gang breached Change Healthcare, an organization within UnitedHealth Group, a major healthcare provider, exposing a third of United States citizens’ private data and personally identifiable information (PII). As IT systems went down, the incident also prevented Change Healthcare and associated organizations from processing patient claims.
On May 4th, 2024, Andrew Witty, the CEO of UnitedHealth, testified before the United States Senate about how BlackCat successfully compromised Change Healthcare’s environment and exfiltrated data from UnitedHealth’s systems, and the impact this incident has had on the American healthcare system. After all, Change Healthcare processes approximately 50% of medical claims in the United States.
Key Takeaways
According to Witty’s prepared testimony, ALPHV threat actors used compromised credentials to log into a Citrix portal that was not secured by multi-factor authentication (MFA) on February 12th.
Once they had remote access to Change Healthcare’s environment, the threat actors moved laterally through it and exfiltrated data, eventually deploying BlackCat ransomware on February 21st, nine days later. At this point, UnitedHealth disclosed the incident to the SEC, quarantined Change Healthcare’s data centers, and worked with Mandiant, Palo Alto Networks, Google, Microsoft, Cisco, and Amazon (among others) to remediate and respond to this incident.
Beyond failing to implement MFA, a report from Reuters confirmed that Change Healthcare had also failed to implement the security measures that the US government had prescribed for healthcare organizations in response to ALPHV’s targeting of the sector. According to reports from security researchers (as covered by CRN), UnitedHealth paid a $22 million USD ransom in Bitcoin.
According to the CEO of UnitedHealth Group, after the healthcare provider acquired Change Healthcare in 2022, an “extensive amount of modernization [was] required,” including the addition of MFA to Change’s Citrix servers. However, despite the CEO’s claims that UnitedHealth was unaware of the missing security measures, it appears lawmakers are prepared to hold UnitedHealth accountable for failing to properly secure patient and provider information. (Previous reporting also confirms that the U.S. government has launched an investigation into whether UnitedHealth had violated HIPAA due to this incident.)
Before they began targeting healthcare organizations, the ALPHV ransomware group achieved notoriety as the threat actors behind the MGM Grand breach that made headlines in 2023.
Why This Matters to MSPs
This incident and the subsequent testimony have shown that lawmakers and cyber insurance providers are taking notice of major data breaches, and that ignorance is no longer an excuse for not implementing necessary security measures, especially in critical fields like the healthcare sector.
This is reflected in security frameworks like the CIS Controls (CIS Control 5, Safeguard 6.4, and Safeguard 6.5) and compliance frameworks like CMMC, which require MFA to secure privileged accounts, such as those used to achieve remote access.
Action Steps
CyberQP’s security experts recommend that MSPs take the following actions to proactively prepare for the threats described in this briefing:
- Ensure your MSP has implemented MFA across its privileged accounts and critical solutions. (CyberQP has recently enforced MFA across all tenants to ensure our partners are secure.)
- To address critical Citrix vulnerabilities, MSPs can refer to the following resources:
  - Remove any active or persistent sessions to address risks from the Citrix Bleed zero-day vulnerability from November 2023.
  - Use the following YARA signatures to detect malware deployed when threat actors abuse Citrix’s Application Delivery Controller.
- Follow the mitigation steps for ALPHV/BlackCat activity outlined in CISA, the FBI, and the Department of Health and Human Services’ joint Cybersecurity Advisory, including:
  - Implement application controls, and follow best practices by allowlisting remote access programs.
  - Implement phishing-resistant MFA that is not vulnerable to SIM-swapping attacks, as outlined by CISA.
  - Use the Indicators of Compromise outlined in this advisory to proactively hunt for malicious or suspicious activity.
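The action steps above amount to three checks an MSP can run on its own tenants: which privileged accounts have no second factor enrolled, which remote-portal logins were accepted on a password alone (the gap that let the attackers into the Citrix portal), and which sessions have been left alive longer than policy allows. The script below is an added example written for this briefing, not code from CyberQP, Citrix, or the CISA advisory; it assumes a hypothetical `TIMESTAMP key=value ...` log format, a hypothetical identity-provider export of accounts, and a hypothetical active-session table, all constructed inline.

```python
"""Audit constructed remote-access logs and an account inventory for the control
gaps named in the briefing: privileged accounts without MFA enrolled,
remote-portal logins that succeeded without a verified second factor, and
sessions that have outlived a maximum lifetime. All data here is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed account inventory (stand-in for a hypothetical identity-provider export).
ACCOUNTS = {
    "svc-citrix-admin": {"privileged": True, "mfa_enrolled": False},
    "jdoe": {"privileged": False, "mfa_enrolled": True},
    "helpdesk-lead": {"privileged": True, "mfa_enrolled": True},
    "contractor01": {"privileged": False, "mfa_enrolled": False},
}

# Constructed authentication events in a hypothetical key=value log format.
# mfa=none means the portal accepted the login on the password alone.
AUTH_EVENTS = [
    "2024-02-12T03:14:07Z user=svc-citrix-admin portal=citrix-gateway result=success mfa=none src=198.51.100.23 session=a1",
    "2024-02-12T08:02:41Z user=jdoe portal=citrix-gateway result=success mfa=push src=203.0.113.8 session=b2",
    "2024-02-12T08:05:10Z user=contractor01 portal=citrix-gateway result=failure mfa=none src=198.51.100.23 session=-",
    "2024-02-13T22:45:59Z user=helpdesk-lead portal=vpn result=success mfa=fido2 src=192.0.2.77 session=c3",
]

# Constructed table of sessions the portal still considers active.
ACTIVE_SESSIONS = [
    {"id": "a1", "user": "svc-citrix-admin", "started": "2024-02-12T03:14:07Z"},
    {"id": "b2", "user": "jdoe", "started": "2024-02-12T08:02:41Z"},
    {"id": "c3", "user": "helpdesk-lead", "started": "2024-02-21T10:00:00Z"},
]


def parse_ts(value):
    """Parse the log's UTC timestamp ('Z' suffix) into a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_event(line):
    """Turn one 'TIMESTAMP key=value ...' line into a dict of its fields."""
    ts, *pairs = line.split()
    event = {"ts": parse_ts(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def privileged_without_mfa(accounts):
    """Privileged accounts with no second factor enrolled (the CIS Safeguard 6.5 gap)."""
    return sorted(name for name, a in accounts.items()
                  if a["privileged"] and not a["mfa_enrolled"])


def logins_without_mfa(lines):
    """Successful remote-portal logins where no second factor was verified."""
    findings = []
    for event in map(parse_event, lines):
        if event["result"] == "success" and event["mfa"] == "none":
            findings.append({"user": event["user"], "portal": event["portal"],
                             "src": event["src"], "session": event["session"]})
    return findings


def stale_sessions(sessions, now, max_age_days):
    """IDs of active sessions older than max_age_days at time `now` (an ISO timestamp)."""
    cutoff = parse_ts(now) - timedelta(days=max_age_days)
    return sorted(s["id"] for s in sessions if parse_ts(s["started"]) < cutoff)


def audit(accounts=ACCOUNTS, lines=AUTH_EVENTS, sessions=ACTIVE_SESSIONS,
          now="2024-02-21T12:00:00Z", max_age_days=7):
    """Run all three checks and return the findings as one report dict."""
    return {
        "privileged_without_mfa": privileged_without_mfa(accounts),
        "logins_without_mfa": logins_without_mfa(lines),
        "stale_sessions": stale_sessions(sessions, now, max_age_days),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings}")
```

Against the constructed data, the privileged service account shows up in both the enrollment check and the password-only login check, which is the combination the briefing describes; the stale-session check is the one to run after applying vendor patches, since a session that predates the fix is worth terminating regardless of who owns it. Replace the constructed inputs with your identity provider's export and your gateway's authentication log, adjusting `parse_event` to that log's field names.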