Exclusive: Cyberattack on Change Healthcare was an exploit of the ConnectWise flaw

Security experts have warned for the past couple of days that the two flaws recently uncovered in ConnectWise’s ScreenConnect app could become the major cybersecurity story of 2024 – and that the healthcare and critical infrastructure sectors were especially vulnerable.

Today, we’re inching closer to that reality as SC Media has learned that the recent cybersecurity incident at UnitedHealth’s Change Healthcare that led to slowdowns at pharmacies was caused by a strain of LockBit malware that was used to exploit the vulnerabilities in ConnectWise ScreenConnect.

Toby Gouker, chief security officer at First Health Advisory, stressed that while it was a LockBit strain of malware, it doesn’t mean that the recently taken down LockBit gang was responsible. Gouker said the two flaws were discovered as part of a crowdsourced team for the ConnectWise bugs on Feb. 15 and that the vulnerability notifications went out on Feb. 19.

And that’s where the problems started.

“As many of you know, malicious actors watch for these announcements to come out,” said Gouker. “They prey on the timeframe between the announcement and when an organization is able to apply the patch. So from the get-go, these actors are working to figure out a way to exploit the disclosed vulnerability and capitalize on it.”

News of a cyberattack on the healthcare company broke on Feb. 21 when United Healthcare, the parent company of Change Healthcare, reported the incident in an 8-K filing. In the filing, United Healthcare said they “identified a suspected nation-state associated cyber threat actor” had gained access to some of Change Healthcare’s IT systems. This was reportedly the second subsidiary of Optum — a division of UnitedHealth — to disclose a suspected cybersecurity attack in the past four months. Change Healthcare delivers software systems to clinical services used by medical professionals. It also runs a membership platform for patient services where it has access to tens of millions of patient records.

First Health Advisory’s Gouker said that while Optum has a strong security team, it only officially acquired Change Healthcare this past October. Optum in essence inherited this vulnerability as part of the acquisition, said Gouker, pointing out why a cybersecurity audit has become an important part of the M&A process in healthcare – to avoid purchasing ‘zero-days’.

“This incident has nothing to do with Optum having shoddy services,” said Gouker. “In fact, they discovered the anomaly quick and did exactly what they were supposed to do according to their clearly practiced playbook: Disconnect to stop the spread because after the vulnerability opened the door, the actors deployed LockBit ransomware. Even though the government or whoever says they took it down, there’s still at least one active version of LockBit ransomware out there.”

Ritu Gupta, senior product manager at Menlo Security, added that the cyberattack on Change Healthcare, coupled with its connection to UnitedHealth, raises concerns about the vast amount of patient data potentially at risk. Gupta said the impact has already been felt with prescription processing outages in Michigan, pointing to the substantial operational disruptions such an attack can cause across the nation.

“The probability of this becoming a much bigger deal hinges on several factors, including the duration of the system outages, the effectiveness of the response measures, and the sensitivity of the compromised data,” explained Gupta. “Given the suspected nation-state involvement and the exploitation of a flaw in the ConnectWise ScreenConnect app, there’s potential for significant escalation, especially considering the critical nature of the services provided by Change Healthcare. The involvement of LockBit ransomware, albeit indirectly, underscores the sophistication and potential severity of the attack.”
