Normal view
- Cybersecurity News and Magazine
- UnitedHealth’s Leadership Criticized by Senator Wyden for Appointment of Underqualified CISO
Cencora Data Breach Far More Widespread than Earlier Thought
- AbbVie Inc.
- Acadia Pharmaceuticals Inc.
- Bayer Corporation
- Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
- Dendreon Pharmaceuticals LLC
- Endo Pharmaceuticals Inc.
- Genentech, Inc.
- GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
- Incyte Corporation
- Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
- Novartis Pharmaceuticals Corporation
- Pharming Healthcare, Inc.
- Regeneron Pharmaceuticals, Inc.
- Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
- Tolmar
Cyber Forensic Findings from the Cencora Data Breach
Cencora detected the cyberattack on February 21, and took immediate action to contain and prevent further unauthorized access. Based on the investigation that likely concluded in April, Cencora said personal information including first name, last name, address, date of birth, health diagnosis, and medications and prescriptions was compromised in the attack. AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said Friday the breach involved data of a prescription supply program run by the now defunct subsidiary, Medical Initiatives Inc. Further details on how the supply program was exploited remain unclear. U.S. has been rocked by a host of cybersecurity breaches linked to the healthcare industry in recent days. While Change Healthcare cyberattack was one of the most notable ones, the Medstar and Ascension breaches have displayed the vulnerability of the healthcare sector to cyberattacks. The latest in the list of healthcare data breaches is the Sav-Rx data breach that compromised the health data of more than 2.8 million people. Cencora’s investigation, however, found no connection with other major healthcare cyberattacks and, in its notifications, said they were unaware of any actual or attempted misuse of the stolen data. The company said it has not seen any public disclosure of the stolen data, till date. The affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost and steps have also been taken to harden defenses to prevent such security breaches in the future. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.MedStar Health Reports Data Breach Impacting 183,000 Patients
Earlier MedStar Health Data Breach
The digital woes of the healthcare provider are not new. In fact, this is the second time in a decade that MedStar Health is facing a massive data breach scare. In 2016, a virus, likely a ransomware malware infected the computer network of MedStar Health. This prompted a complete shutdown of services for the healthcare giant, which resulted in diversion of new patients to other hospitals and the care givers had to resort to pen and paper to continue regular operations. The impact was such that the FBI was called in to investigate the MedStar Health data breach, which followed similar cyberattacks on at least three other medical institutions in California and Kentucky.Healthcare Breaches on the Rise
This incident adds to a growing list of healthcare breaches and ransomware attacks, including the Change Healthcare that caused widespread disruptions across U.S. Initially described as an “enterprise-wide connectivity issue,” the severity of the attack went a bar above when Blackcat – also known as Alphv – ransomware gang claimed responsibility for it. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information, a tactic commonly employed by ransomware gangs to exert pressure on victims. However, on February 29, Blackcat withdrew its claim on the breached data of the healthcare group, raising questions if a ransom was paid. The company did confirm that is paid a $22 million ransom later but it now faces multiple lawsuits for alleged negligence in safeguarding clients' personal information. The parent company UnitedHealth has allocated over $2 billion to fight the fallout of the Change Healthcare data breach. The company last week also stated that a lack of multi-factor authentication (MFA) resulted into the massive hack. Blackcat in September 2023 claimed a similar data breach on McLaren Healthcare, where nearly 6 terabytes worth of data was siphoned. Owing to such large scale healthcare data breaches, the U.S. Cybersecurity and Infrastructure Security Agency in March unveiled a cybersecurity toolkit for healthcare sector that would help them implement advanced tools, that fortify their defenses against evolving threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- SecurityWeek
- Change Healthcare Cyberattack Was Due to a Lack of Multifactor Authentication, UnitedHealth CEO says
Change Healthcare Cyberattack Was Due to a Lack of Multifactor Authentication, UnitedHealth CEO says
UnitedHealth CEO Andrew Witty said in a U.S. Senate hearing that his company is still trying to understand why the server did not have the additional protection.
The post Change Healthcare Cyberattack Was Due to a Lack of Multifactor Authentication, UnitedHealth CEO says appeared first on SecurityWeek.
A week in security (April 8 – April 14)
Last week on Malwarebytes Labs:
- How to change your Social Security Number
- Apple warns people of mercenary attacks via threat notification system
- How to check if your data was exposed in the AT&T breach
- Microsoft’s April 2024 Patch Tuesday includes two actively exploited zero-day vulnerabilities
- How to protect yourself from online harassment
- Introducing the Digital Footprint Portal
- New ransomware group demands Change Healthcare ransom
- Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla
- 35-year long identity theft leads to imprisonment for victim
- Porn panic imperils privacy online, with Alec Muffett (re-air): Lock and Code S05E08
Stay safe!
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
- Krebs on Security
- BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare
BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare
There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV“) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.
Image: Varonis.
In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.
On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.
The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.
“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”
Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement — that the company is focused on its investigation and on restoring services.
Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners they’d stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.
On the bright side, Notchy’s complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.
BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.
However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.
The seizure notice now displayed on the BlackCat darknet website.
“There’s no sense in making excuses,” wrote the RAMP member “Ransom.” “Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”
BlackCat’s website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat’s network. The FBI has not responded to requests for comment.
Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.
“ALPHV/BlackCat did not get seized,” Wosar wrote on Twitter/X today. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.”
Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat’s exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.
“The affiliates still have this data, and they’re mad they didn’t receive this money, Smilyanets told Wired.com. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”
BlackCat’s apparent demise comes closely on the heels of the implosion of another major ransomware group — LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBit’s website was seized by the FBI and the U.K.’s National Crime Agency (NCA) following a months-long infiltration of the group.
LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.
But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton County’s data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.
Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the county’s data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.
Smilyanets’ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.
“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,” LockBit’s extortion notes typically read.
Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.
A week in security (February 26 – March 3)
Last week on Malwarebytes Labs:
- PikaBot malware on the rise: What organizations need to know
- Malicious meeting invite fix targets Mac users
- Pig butchering scams, how they work and how to avoid them
- Airbnb scam sends you to a fake Tripadvisor site, takes your money
- Facebook bug could have allowed attacker to take over accounts
- Stopping a targeted attack on a Managed Service Provider (MSP) with ThreatDown MDR
- ALPHV is singling out healthcare sector, say FBI and CISA
- One year later, Rhadamanthys is still dropped via malvertising
- Change Healthcare outages reportedly caused by ransomware
- Android banking trojans: How they steal passwords and drain bank accounts
- Identity theft is number one threat for consumers, says report
- How to make a fake ID online, with Joseph Cox: Lock and Code S05E05
Stay safe!
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
Change Healthcare outages reportedly caused by ransomware
On Wednesday February 21, 2024, Change Healthcare—a subsidiary of UnitedHealth Group—experienced serious system outages due to a cyberattack.
In a Form 8-K filing the company said it:
“identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.”
Change Healthcare is one of the largest healthcare technology companies in the United States. Its subsidiary, Optum Solutions, operates the Change Healthcare platform. This platform is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system.
The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States.
According to Reuters, the group behind the attack is the ALPHV/BlackCat ransomware group. ALPHV is currently one of the most active groups, and generally associated with Russia. They are certainly no strangers to attacking healthcare providers. In our monthly ransomware reviews you will typically find them in the top five of ransomware groups. Even after a disruption in December 2023 they returned and maintained a high level of activity.
BleepingComputer confirmed Reuters assertion, saying it had received information from forensic experts involved in the incident response that linked the attack to the ALPHV ransomware gang.
It would certainly make more sense to us that the attacker was a ransomware group than a nation-state associated group, but both ALPHV and UnitedHealth have not commented on this. That’s no surprise since the investigation is probably still ongoing and solving the security issue is a higher priority.
What the ramifications of any stolen data are, remains to be seen, but they could be very serious given the size of the company and the nationwide application of their electronic health record (EHR) systems, payment processing, care coordination, and data analytics.
In a February 26 update the company says it took immediate action to disconnect Change Healthcare’s systems in order to prevent further impact. You can follow updates about the issue on the dedicated incident report site.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
- Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.