Lessons from the Change Healthcare Ransomware Attack

The recent ransomware attack on Change Healthcare, a subsidiary owned by UnitedHealth group, was a watershed moment for the healthcare industry and beyond. This devastating attack on a seemingly unknown healthcare organization crippled healthcare delivery organizations, from clinics to hospitals to pharmacies. It also underscored how important robust cybersecurity is for organizations that are part of critical infrastructure sectors, even if those enterprises aren’t the frontlines of the sector (e.g., benefits and billing management versus medical delivery).

While the Change Healthcare attack was publicly disclosed in February 2024, the incident response is still ongoing, with details about the attack, attackers, and subsequent financial impact coming out over the following weeks.

This week (April 30), on the verge of testifying before Congress, UnitedHealth’s CEO finally disclosed how the attack started: attackers leveraging compromised credentials to access Citrix software that enabled them to remotely access Change Healthcare systems.

VPN Vulnerabilities: A Gateway for Threat Actors

Over the past 6 months, there has been increased attacks leveraging VPN vulnerabilities to gain access to organizations. A number of Citrix vulnerabilities were discovered at the end of 2023 and highlighted by CISA and the NSA, with both agencies noting that these vulnerabilities requiring immediate attention.

The start of 2024 brought more vulnerabilities for Ivanti VPNs, with attackers immediately leveraging those vulnerabilities to gain access to a myriad of enterprises, including critical defense organizations and U.S. government agencies.

The Criticality of Patching and Vulnerability Management

The continued exploitation of VPN vulnerabilities emphasizes several key lessons for IT and cybersecurity professionals:

  1. Patching is Essential: Applying patches promptly as they become available is a non-negotiable aspect of defense. Unpatched vulnerabilities leave the door open to exploits.
  2. Vulnerability Awareness: Stay informed about the latest vulnerability disclosures, especially those pertaining to your organization’s critical infrastructure components. Subscribe to alerts from CISA and your software vendors.
  3. Prioritize Critical Vulnerabilities: Risk-based decision-making will help. Not all vulnerabilities are equal. Focus on those deemed severe, known to be actively exploited, are widely seen across your enterprise, or which impact mission-critical assets and internet-facing systems.
  4. Beyond Patching: Employ compensating controls where patches aren’t immediately possible. Examples include network segmentation, access restrictions and multifactor authentication, application whitelisting, and enhanced monitoring for suspicious activity on vulnerable systems.

Best Practices to Reduce Your Attack Surface

In the Change Healthcare attack, attackers used compromised credentials to access the Citrix remote desktop software, which did not have multifactor authentication enabled.

To mitigate the risk of a similar incident, here are foundational best practices to review and implement, if you have not already done so:

  • Inventory Your Assets: You can’t protect what you don’t know you have. Meticulous asset inventory, covering hardware, software, and cloud-based services, is fundamental.
  • Proactive Vulnerability Scanning: Use robust vulnerability scanning tools to proactively identify known vulnerabilities across your environment.
  • Prioritize Patching: Establish a well-defined patching process with prioritization based on criticality and exposure.
  • Practice Defense in Depth: Implement layers of security including endpoint protection, network firewalls, intrusion detection, and data backups to ensure you are protected across your entire system.
  • Employee Training: Raise security awareness among users. Encourage strong passwords and teach employees to spot phishing attempts and other social engineering tactics.

Taking Action

Proactive vulnerability management is complex. Solutions like Syxsense can automate and streamline the process, offering:

  • Centralized Vulnerability Discovery: Detect vulnerabilities in real-time across all your endpoints, spanning operating systems, applications, and devices.
  • Intelligent Prioritization: Get risk-based scoring that takes into account the criticality and breadth of the vulnerability across your enterprise, so you can focus on the most urgent vulnerabilities for remediation.

Automated Patch and Remediation: Simplify patch management across major operating systems and a vast library of third-party software with automated patching. For those vulnerabilities that cannot be patched, implement tested and automated remediations to harden your perimeter and close the attack surface.

Don’t Become the Next Headline

The Change Healthcare/UnitedHealth attack serves as a stark reminder. Organizations must make proactive vulnerability management a top priority. By staying vigilant, utilizing advanced tools, and implementing comprehensive security measures, you can significantly reduce your risk of a devastating cyberattack.

Let Syxsense help you secure your environment. Schedule a demo today to see our automated remediation capabilities in action.

Recent Posts

Topics

Related Posts

Urgent Action Required: Google Chrome Zero-Day Vulnerabilities Exploited in the Wild

Urgent Action Required: Google Chrome Zero-Day Vulnerabilities Exploited in the Wild

May 16, 2024
In the News: Cat-Phishing, Living-Off-The-Land, Fake Invoices Top Q1 Cyberthreats

In the News: Cat-Phishing, Living-Off-The-Land, Fake Invoices Top Q1 Cyberthreats

May 16, 2024
May 2024 Patch Tuesday: Microsoft releases 58 fixes this month including 2 Weaponised Threats.

May 2024 Patch Tuesday: Microsoft releases 58 fixes this month including 2 Weaponised Threats.

May 14, 2024
Beyond Patching: How Automated Endpoint Management Secures Your Devices

Beyond Patching: How Automated Endpoint Management Secures Your Devices

May 13, 2024