In today’s episode, UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee about the ransomware attack on Change Healthcare, revealing that legacy tech at Change amplified the attack’s impact. Stolen credentials and lack of multifactor authentication allowed attackers to move within Change’s systems, leading to the deployment of ransomware. UnitedHealth’s response included bringing in multiple incident response firms and cybersecurity experts to aid in recovery efforts. Original URLs: https://www.cybersecuritydive.com/news/unitedhealth-change-attack-tech-takeaways/715200/, https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html, https://www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-alive-to-tease-new-police-announcements/#google_vignette
Tags: UnitedHealth, ransomware, Change Healthcare, technology infrastructure, Tinyproxy, Remote code execution, Security flaw, Cyberattacks, LockBit, Law enforcement, Data leak site
Search phrases:
- Preventing data breaches in healthcare systems
- Upgrade technology infrastructure in healthcare
- Protecting against ransomware attacks
- Tinyproxy security flaw solutions
- Remote code execution prevention
- Cybersecurity measures for critical security flaws
- LockBit ransomware impact on operations
- Law enforcement actions against ransomware gangs
- Data leak site revelations
- Identifying ransomware operators
More than 50,000 hosts are at risk of remote code execution due to a critical unpatched flaw in the Tinyproxy service.
How can users protect their devices from this critical Tinyproxy flaw?
Law enforcement has revived a seized LockBit ransomware data leak site, teasing new announcements to come including potential revelations about the identity of LockBit’s operator.
Is law enforcement bluffing or do they actually have this information?
And finally, we’ve got the five key security takeaways from the Change Healthcare ransomware attack, as summarized by Cybersecurity Dive, including outdated technology, stolen credentials, multifactor authentication and more. You’re listening to The Daily Decrypt.
A critical unpatched security flaw in the Tinyproxy service is leaving over 50,000 hosts exposed to remote code execution. The vulnerability has a CVSS score of 9.8 out of 10 and affects versions 1.10 and 1.11.
The flaw allows attackers to execute malicious code through a specially crafted HTTP request: an unauthenticated threat actor could exploit it by sending a specific HTTP Connection header, triggering memory corruption that could lead to remote code execution on vulnerable systems.
Data from Censys shows that approximately 57 percent of the roughly 90,000 publicly accessible hosts are running vulnerable versions, with a significant number of these hosts located in the United States, South Korea, China, France, and Germany.
To mitigate this risk, it’s recommended to upgrade to the most recent version of Tinyproxy and, if at all possible, not to expose the Tinyproxy service to the public-facing internet.
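The two mitigations above, upgrade and don’t expose it, translate into a triage question for anyone running a fleet: which hosts answer with a Tinyproxy banner below the fixed release, and which of those sit on a public address? The Python below is an added example, not code from the page, from the Tinyproxy project or from Censys. It assumes that upstream’s fix for the Connection-header bug (CVE-2023-49606) shipped in Tinyproxy 1.11.2, that Tinyproxy advertises its version in a Via header and in the footer of its error pages (the banner regexes are assumptions to tune against real responses), and that any address outside the RFC 1918 and loopback ranges counts as exposed. The scan records are constructed.

```python
"""Triage proxy banners from a scan for exposed, unpatched Tinyproxy.

Added example. Assumptions (not from the page): the Connection-header
use-after-free (CVE-2023-49606) is fixed in Tinyproxy 1.11.2, and Tinyproxy
identifies itself in a Via header, a Server header, or an error-page footer.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = (1, 11, 2)  # first upstream release with the fix (assumed)

# Banner formats assumed for this example; tune against real responses.
BANNER_PATTERNS = [
    re.compile(r"\(tinyproxy/(\d+(?:\.\d+)*)\)", re.I),      # Via: 1.1 host (tinyproxy/1.11.1)
    re.compile(r"tinyproxy version (\d+(?:\.\d+)*)", re.I),  # error-page footer
    re.compile(r"^Server:\s*tinyproxy/(\d+(?:\.\d+)*)", re.I | re.M),
]

# Anything outside these ranges is treated as reachable from the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Finding:
    host: str
    address: str
    version: Optional[str]
    vulnerable: bool
    internet_exposed: bool

    @property
    def priority(self) -> str:
        if self.vulnerable and self.internet_exposed:
            return "critical"   # the population the Censys count is made of
        if self.vulnerable:
            return "high"       # patch, but an attacker needs a foothold first
        return "info"


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))


def tinyproxy_version(raw_response: str) -> Optional[str]:
    """Return the Tinyproxy version advertised in a raw HTTP response, if any."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(raw_response)
        if m:
            return m.group(1)
    return None


def is_internal(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def triage(host: str, address: str, raw_response: str) -> Finding:
    version = tinyproxy_version(raw_response)
    vulnerable = version is not None and parse_version(version) < FIXED_VERSION
    return Finding(host, address, version, vulnerable, not is_internal(address))


def triage_inventory(records: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """records: (host, address, raw_response) triples; returns findings worst-first."""
    order = {"critical": 0, "high": 1, "info": 2}
    findings = [triage(*r) for r in records]
    return sorted(findings, key=lambda f: (order[f.priority], f.host))


# Constructed sample responses standing in for a real scan's output.
SAMPLE_SCAN = [
    ("proxy-old.example.net", "203.0.113.10",
     "HTTP/1.1 400 Bad Request\r\nVia: 1.1 proxy-old (tinyproxy/1.11.1)\r\n\r\n"),
    ("proxy-lab.example.net", "10.20.30.40",
     "HTTP/1.1 403 Forbidden\r\n\r\n<html><p><em>Generated by tinyproxy version 1.10.0.</em></p></html>"),
    ("proxy-new.example.net", "198.51.100.7",
     "HTTP/1.1 400 Bad Request\r\nVia: 1.1 proxy-new (tinyproxy/1.11.2)\r\n\r\n"),
    ("web.example.net", "198.51.100.8",
     "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_SCAN):
        print(f"{f.priority:8} {f.host:24} {f.version or '-':8} exposed={f.internet_exposed}")
```

Run as a script it prints the sorted findings; the "critical" rows are the ones to fix today. For a host that must keep running an old build for a while, binding the listener to an internal address and restricting clients with an Allow list is the "don’t expose it" half of the advice, but only as a stopgap until the upgrade lands.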
Law enforcement agencies, including the NCA, FBI, and Europol, have resurrected a previously seized LockBit ransomware data leak site, hinting at new revelations set to be disclosed today.
During Operation Cronos on February 19th, authorities dismantled LockBit’s infrastructure, taking down 34 servers hosting the data leak website, cryptocurrency addresses, decryption keys, and the affiliate panel. Following the disruption, the police repurposed one of the data leak sites into a platform for sharing insights gained during the operation, including details on affiliates and LockBit’s deceptive practices regarding deletion of stolen data after ransom payment.
One of the blog posts is titled “Who is LockBitSupp?”, a reference to the individual or group of individuals running this ransomware organization.
That post by law enforcement left many people anticipating significant revelations about the ransomware operator, but they only received a cryptic message stating that law enforcement knows who he is, knows where he lives, knows how much he is worth, and claiming that this individual has engaged with law enforcement. That insinuates that this individual was discovered by law enforcement and then convinced to give them information about his affiliates.
That post went up after law enforcement originally took over the site in late February, early March, and it has since been taken down without the information being released. The crux of this piece of news is that law enforcement has revived the site yet again with similar posts, including “What have we learnt”, “More LockBit hackers exposed”, “What have we been doing”, and the coup de grâce, titled “Who is LockBitSupp?” yet again. All of this is anticipated to be released later today, and if it turns out law enforcement doesn’t actually have any information, this is going to be quite the blunder for them and will really show their hand that this is just a tactic to get people to turn against their affiliates.
And finally, Change Healthcare, a subsidiary of UnitedHealth Group, fell victim to a ransomware attack which compromised a significant amount of patient data and disrupted operations. Just recently, the CEO submitted written testimony which fell short of lawmakers’ expectations but did provide a lot of insight into what went wrong, which is very interesting for us technical folks. The purpose of this segment is to cover five of the key technical takeaways from that testimony.
The first key takeaway is that legacy technology at Change amplified the attack’s impact. The testimony states that even though the company was founded in 2007, some of its technology systems are over 40 years old, including payment systems and medical claims systems.
UnitedHealth Group as a whole was undergoing an upgrade of its technology before it acquired Change Healthcare, but the attack locked up the backups that were stored on premises at Change Healthcare’s headquarters, which is one of the main causes of the delay in restoring service: they weren’t able to get their backups back up and running. They say that in the rebuild after the attack they’re moving a lot of their backups to the cloud, which will hopefully be more secure, but the cloud isn’t a fix-all answer. It’s going to take a lot of work, whether on premises or in the cloud, to make sure that you continually have access to those backups, establish redundancy, and so on.
Number two: stolen credentials unlocked the access. That’s key in most attacks; it starts with stolen credentials. Don’t allow password reuse. Implement a tool that checks the dark web for all of your passwords.
There really is no excuse for not doing this, because I get emails when my email is leaked on the dark web, and if you’re a corporation, you can scan the dark web for anything on any of your domains. You should get an email, and you should immediately revoke the password to that account. This is a pretty quick section because, yeah, that’s pretty obvious.
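The advice in this section, check passwords against what has already leaked and revoke the accounts that turn up in dumps for your own domains, is mechanical enough to script. The Python below is an added example, not code from the page or from any vendor’s monitoring tool. It shows the k-anonymity range lookup popularised by Have I Been Pwned’s Pwned Passwords API, where only the first five hex characters of the SHA-1 leave your network and the match is made locally, with the network call injected so the example runs offline against a constructed bucket; and a filter that pulls your own domains’ accounts out of a constructed `email:password` dump so they can be revoked. The corpus counts, dump lines and domain names are all made up.

```python
"""Breached-credential checks that never ship a plaintext password.

Added example, not from the page. The range-lookup wire format
('SUFFIX:COUNT' per line for a 5-hex-char SHA-1 prefix) follows the
Pwned Passwords API; fake_fetch_range() stands in for the HTTP call.
"""
import hashlib
from typing import Callable, Dict, Iterable, List, Set


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blanks."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the corpus; 0 means never seen.

    Only the 5-character prefix is handed to fetch_range; the 35-character
    suffix is matched locally, so the remote side learns neither the
    password nor its full hash.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy: any prior appearance in breach data rejects the password."""
    return breach_count(password, fetch_range) == 0


# Constructed stand-in for the remote corpus (counts are invented).
KNOWN_LEAKED = {"Password123": 123456, "Summer2024!": 42}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the range API: every suffix in the bucket."""
    lines = [f"{sha1_hex(pw)[5:]}:{n}"
             for pw, n in KNOWN_LEAKED.items() if sha1_hex(pw)[:5] == prefix]
    lines.append("0" * 34 + "A:1")  # unrelated entry so the bucket is never empty
    return "\r\n".join(lines)


def accounts_to_revoke(dump_lines: Iterable[str], our_domains: Set[str]) -> List[str]:
    """Emails from an 'email:password' dump that belong to our domains.

    The password column is discarded on purpose: a hit means revoke and
    reset, never compare. Subdomains of a listed domain match too.
    """
    hits: List[str] = []
    seen: Set[str] = set()
    for raw in dump_lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue                      # noise or a malformed record
        email, _, _password = line.partition(":")
        email = email.strip().lower()
        if "@" not in email:
            continue
        domain = email.rsplit("@", 1)[1]
        if any(domain == d or domain.endswith("." + d) for d in our_domains):
            if email not in seen:
                seen.add(email)
                hits.append(email)
    return hits


# Constructed dump excerpt (every line invented).
SAMPLE_DUMP = """
alice@example.com:Password123
bob@other.org:hunter2
carol@EXAMPLE.com:Summer2024!
alice@example.com:Password123
this line has no separator
dave@corp.example.com:letmein
"""

if __name__ == "__main__":
    for pw in ("Password123", "zq8-unlikely-phrase-77"):
        print(pw, "seen", breach_count(pw, fake_fetch_range), "times")
    print("revoke:", accounts_to_revoke(SAMPLE_DUMP.splitlines(), {"example.com"}))
```

In production the injected `fetch_range` is the HTTPS GET to the range endpoint, and `accounts_to_revoke` feeds your identity provider’s reset or session-revocation call; the point of the split is that neither the password check nor the dump triage needs the plaintext to leave your side.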
The third key takeaway is that UnitedHealth brought in at least seven incident response firms to help it recover from the attack, and some of them will remain in place as full-time responders.
UnitedHealth has even asked Mandiant to join its board as a permanent advisor to strengthen the company’s cybersecurity oversight and strategy.
The fourth key takeaway is the response, which is a positive one. UnitedHealth immediately disconnected Change Healthcare from all other systems when it became aware of the ransomware attack, which is critical to preventing the ransomware from spreading to other subsidiaries of UnitedHealth Group. Many months after the attack, we can see how well this worked because, to our knowledge, no other subsidiaries have been hit the way Change Healthcare was. So even though the recovery took a lot longer, because the backups failed and everything had to be rebuilt from scratch, it could have been a lot worse had they not contained the blast radius to Change Healthcare alone.
And finally, multifactor authentication wasn’t turned on. The CEO claims that it is company policy to have multifactor authentication turned on for every external-facing service, and in his testimony he was very frustrated and could not explain how this system slipped through without it enabled.
He assured lawmakers and Change Healthcare’s customers that every external-facing system has multifactor authentication turned on now. It’s impossible to say whether having multifactor authentication turned on would have prevented this attack, because even with multifactor authentication it is possible to bypass it: people are always the weakest link, tapping accept when the push prompt arrives. But it would definitely have slowed down the attackers.