
Strengthening Identity Security: Critical Takeaways from The Recent Change Healthcare Breach

Updated: May 9

One exposed internet-facing system with poor access controls and one set of compromised credentials - that’s all it took. Because Multi-Factor Authentication (MFA) was not in place to verify the identity of the user, a threat actor group affiliated with AlphV (aka BlackCat) was able to gain access to Change Healthcare’s network. Once initial access was obtained, the threat actors were able to explore the Change Healthcare network undetected for 9 days.

This dwell time was key for them to identify sensitive data, exfiltrate it, and identify key systems to install ransomware on to maximize their ransom payout. What was the reason for this oversight? UnitedHealth, who owns Change Healthcare, said they are still trying to understand why the server did not have the additional identity protections in place.


The net result was profound – Change Healthcare’s ability to process medical insurance claims for hundreds of thousands of hospitals, pharmacies and other medical practices was blocked for weeks – leaving many of these practices in financial peril. In addition, Change Healthcare processes sensitive patient data on somewhere between one-third and one-half of Americans, and some part of that data was stolen by the threat actors. The data at risk goes well beyond social security numbers or credit cards and could include a person’s most sensitive details: individual medical diagnoses, medications prescribed, etc.


While the attack was described as a “ransomware” attack, this is misleading, as ransomware describes only the final step in a multi-step kill chain. So while ransomware was leveraged by the threat actor to hold Change Healthcare’s critical systems, and ultimately the business, hostage to the tune of reportedly $22M in bitcoin, the execution of this ransomware was only possible due to a series of attacks on Change Healthcare’s identities.


The Kill Chain Explained 

While limited information has been disclosed about the Change Healthcare incident, it is enough to help us piece together what likely occurred when combined with tactics that have been used previously by AlphV affiliates.  By understanding the likely kill chain, we can not only understand how these attacks came to be, but also what actions are needed to detect and mitigate threats like AlphV in the future to prevent the next Change Healthcare event.

Kill Chain Highlights


Initial Access: Like many high profile incidents over the past 12 months, initial access by the threat actor was the result of an exposed internet-facing system that was missing a critical security control - Multi-Factor Authentication (MFA) - combined with the availability of compromised credentials. UHG’s CEO confirmed that in Change Healthcare’s case the targeted server was an exposed Citrix server responsible for hosting user desktops. The compromised credentials could have been either exposed on the dark web – a frequent, if not daily, occurrence for large enterprises with tens of thousands of employees – or weak credentials that were targeted as part of a larger password spray attack conducted against Change Healthcare.


Expand Access: Once initial access has been obtained, the next objective of an AlphV affiliate threat actor is to elevate their access to an admin account (either creating a new admin account or escalating the privileges of the compromised account) to gain access to the domain. There are many techniques that can be leveraged to attack a domain once the threat actor has internal access to the network. These range from simple enumeration and brute force attempts to NTLM relays. 


Once Admin access privileges are secured, it is also common to set up additional user level accounts that are essentially disposable and can be used to move laterally without risking the admin account if they are detected as part of the next phase of the attack. If a suspicious user account like “test@2021” accidentally trips on internal monitoring efforts, the security monitoring teams are likely to block the account without fully investigating how the account came to be, i.e. the compromised admin account remains stealthy and can be used to create a new user. 


Typically as part of expanding access, a threat actor will also establish an alternative command and control (C2) channel. This C2 channel can be a reverse tunnel to existing RDP servers via HTTPS or other protocols, or involve the installation of remote access software like AnyDesk, Splashtop, etc.


Explore via Lateral Movement: Once the threat actor has secured several identities, they can start to leverage these accounts to move across the enterprise to understand what sensitive and/or valuable data, and what business-critical systems, they have access to. The key to avoiding detection while they do this is to use existing services, like RDP, to access systems, and existing tools like PowerShell, instead of purpose-built binaries that may trigger EDR technologies. This “living off the land” approach depends entirely on the use of identities to access systems across the environment and blend in.


In Change Healthcare’s case, the threat actors spent 9 days exploring systems before deciding which ones to target with Ransomware. During this time, they likely connected via RDP to jump from one system to another, and to understand what services are running, where, and their dependencies - before deciding on the best way to maximize their impact and  the ransom payment. They also started to collect sensitive data of value that they could exfiltrate out of the network.


Depending on the Enterprise’s backup systems and ability to rapidly restore access to hosts encrypted with ransomware, the Enterprise could restore key business systems without paying the ransom. By ensuring that the most critical systems are impacted, and taking steps to make it harder to recover, like deleting any online back-ups or targeting redundant nodes - threat actors can drive up the likelihood of a ransom payment. 


Impact: Once the ransomware is detonated, it is no secret that the enterprise has been breached, and incident response activities will (or should) start to occur. No matter how effective the threat actor is during the Explore phase in identifying key systems to target, they are also likely to have a Plan B in the event that the company opts to rebuild and recover instead of paying the ransom. The best Plan B in a data-rich environment like Change Healthcare is to exfiltrate sensitive data – reportedly 4-6TB in the case of this incident. While this seems like a lot of data, in a modern enterprise it isn’t. AlphV groups have favored using SaaS-based file shares like Mega or Dropbox to exfiltrate the data – file shares which are rarely monitored. Another option which might have been used is to set up and use cloud infrastructure storage like AWS S3 to make it look like a normal business transfer of data between services.


While we don’t know the number of systems locked by the ransomware, we do know it was sufficient to directly impact Change Healthcare’s ability to sustain operations and solicit a sizable ransom. Per UHG’s CEO, UnitedHealth quickly disconnected the affected systems to limit additional damage and opportunity for the threat actor to expand access, and paid a $22 million ransom in bitcoin to restore access. Despite paying the ransom, in this case the threat actor group did not actually follow through with unlocking the impacted systems. UHG’s CEO, Andrew Witty, reported: “We’ve literally built this platform back from scratch so that we can reassure people that there are no elements of the old attacked environment within the new technology.” A secondary threat actor group, RansomHub, has since threatened to release the treasure trove of sensitive, exfiltrated patient data for a second ransom payment.


Identity Programs Implications

Change Healthcare isn’t the first nor the last enterprise to be targeted by a threat actor group like this AlphV affiliate. Every ransom payout, especially a large $22M payout, is fresh bait that encourages the next wave of attacks against the next enterprise. Critical infrastructure, like healthcare, is even more enticing to threat actor groups due to the large real-world impact – which dramatically increases the odds of a large ransom payout.

While this is today’s reality, it is important to recognize that monitoring for Ransomware is simply too late in the attack chain to prevent the business impact of incidents like Change Healthcare.  Monitoring identities and protecting those that might be targeted and compromised by the threat actor is the best option to detect these incidents early – which would dramatically reduce, or even prevent, the business impact.

CISA published a set of Cyber Security Performance Goals (CPGs) in late 2022, aimed at providing enterprises supporting critical infrastructure like Change Healthcare with a foundational framework upon which to anchor their security initiatives – essentially a minimum bar.  As one would expect, CPGs establish a number of recommended identity and access management (IAM) best practices that should be adopted, including: 

  • Change default passwords
  • Enforce minimum password strength
  • Use unique credentials
  • Revoke credentials for departing employees
  • Separate user and privileged accounts
  • Detect unsuccessful (automated) login attempts
  • Deploy phishing-resistant multi-factor authentication (MFA)

While these are critical must-dos for any enterprise, and many enterprises have already embraced them, the really hard part is doing it all the time, everywhere. For example, Change Healthcare had a policy to use MFA to protect their identities – and yet the exposed Citrix server that was compromised wasn’t configured to enforce MFA. While this exposure may have been an accepted risk that was known and on the list to be remedied next month, it was far more likely an identity blind spot – which are all too common in a modern enterprise. Identity blind spots are exactly the cracks in the defense that attackers are keen to discover and exploit.

Teams responsible for protecting and detecting Identity exposures and exploits during the Initial Access phase should include these tactics: 

  1. Monitor and detect newly added exposed assets - Continuous monitoring for exposed internet-facing systems is a must to reduce initial access opportunities. This means monitoring for newly added internet-exposed systems and for new vulnerabilities in existing systems, and, for those systems that accept logins, ensuring they are secured with MFA.
  2. Monitor and detect MFA gaps - As MFA has become more widespread, attackers are getting more adept at tactics to work around it. Social engineering techniques to set up new authenticators with the help desk (as seen in the MGM incident), as well as MFA bombing, are becoming increasingly common, so monitoring for unusual MFA request patterns is increasingly important.
  3. Monitor and detect compromised passwords in use - Actively monitor the dark web for possibly compromised credentials so they can be addressed before a threat actor can leverage them.
  4. Monitor for suspicious logins from unusual locations – especially those that imply impossible travel by the account owner.
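As an added example (not part of the original post, and not AuthMind’s code), the two detections below run over constructed login events: impossible travel between consecutive successful logins of the same account, and a password spray, where one source fails against many accounts with only one or two attempts each, the automated-login pattern the CPGs ask teams to detect. The users, documentation-range IP addresses, coordinates and thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample login events (documentation-range IPs, made-up users).
# Fields: (timestamp, user, source_ip, latitude, longitude, success)
LOGIN_EVENTS = [
    ("2024-03-01T09:00:00", "alice", "198.51.100.23", 40.7128, -74.0060, True),  # New York
    ("2024-03-01T10:30:00", "alice", "192.0.2.77",    51.5074,  -0.1278, True),  # London, 90 min later
    ("2024-03-01T09:00:00", "bob",   "198.51.100.23", 40.7128, -74.0060, True),  # New York
    ("2024-03-01T11:00:00", "bob",   "198.51.100.90", 42.3601, -71.0589, True),  # Boston, 2 h later
    # One source trying a single password against six accounts within five minutes
    *[(f"2024-03-01T13:0{i}:00", user, "203.0.113.7", 0.0, 0.0, False)
      for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # One user mistyping a password three times: noisy, but not a spray
    ("2024-03-01T14:00:00", "carol", "198.51.100.41", 0.0, 0.0, False),
    ("2024-03-01T14:00:20", "carol", "198.51.100.41", 0.0, 0.0, False),
    ("2024-03-01T14:00:45", "carol", "198.51.100.41", 0.0, 0.0, False),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    d_phi = radians(lat2 - lat1)
    d_lambda = radians(lon2 - lon1)
    a = sin(d_phi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag users whose consecutive successful logins imply faster-than-airliner travel."""
    by_user = defaultdict(list)
    for ts, user, ip, lat, lon, success in events:
        if success:
            by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(logins, logins[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours > 0 and km / hours > max_speed_kmh:
                alerts.append({"user": user, "from_ip": ip1, "to_ip": ip2,
                               "km": round(km), "kmh": round(km / hours)})
    return alerts


def password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that fail against many distinct accounts, few tries each, inside a window."""
    failures = defaultdict(list)
    for ts, user, ip, _, _, success in events:
        if not success:
            failures[ip].append((datetime.fromisoformat(ts), user))
    flagged = []
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for t, user in fails[i:]:
                if t - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.append(ip)
                break
    return flagged


if __name__ == "__main__":
    for alert in impossible_travel(LOGIN_EVENTS):
        print("impossible travel:", alert)
    print("password spray sources:", password_spray(LOGIN_EVENTS))
```

The spray detector deliberately ignores a single account failing repeatedly (a forgotten password) and only fires on breadth across accounts, which is what distinguishes an automated spray from ordinary user error; the speed threshold for impossible travel leaves room for commercial flights but not for a login from another continent ninety minutes later.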

To identify threat actors in the Expand Access stage a number of tactics are required to protect and monitor Identities: 

  • Validate all new admin accounts created are actually authorized
  • Validate that all accounts (new or old) that have recently been added to an admin group are authorized
  • Monitor internal attempts to enumerate or brute force accounts
  • Monitor Domain Controllers for suspicious accesses. For example, a first-time RDP access by an identity may reveal an attacker exploring.
  • Commonly during this stage, the threat actors are also establishing an alternative C2 communication channel to maintain their access to the environment. There are a wide variety of techniques and tools that can tunnel RDP, SSH and other access protocols over HTTPS, ICMP, DNS and other protocols to evade detection. Monitoring identities and assets with sustained outbound communications on any port to external assets over a period of time can reveal these newly established tunnels.
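Two of the tactics above can be turned into concrete checks. The example below is added here and is not AuthMind’s code or the post’s: the first function compares privileged-group additions against an approved-change list, the second looks for sustained outbound communication from one host and identity to one external address and port, whether as a single long-lived session or as hundreds of short sessions repeating over hours. The Windows event IDs 4728, 4732 and 4720 are real security-log identifiers; every host name, account, IP address, flow record and threshold is a constructed assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed directory audit events. The event IDs follow the Windows security log
# (4728/4732 = member added to a security-enabled global/local group, 4720 = user
# account created); every other value is made up for this example.
GROUP_EVENTS = [
    {"time": "2024-03-01T08:15:00", "event_id": 4728, "group": "Domain Admins",
     "member": "svc-backup2", "actor": "jdoe"},
    {"time": "2024-03-01T09:40:00", "event_id": 4728, "group": "Domain Admins",
     "member": "mwright", "actor": "itadmin"},
    {"time": "2024-03-01T10:05:00", "event_id": 4732, "group": "Administrators",
     "member": "test2021", "actor": "jdoe"},
    {"time": "2024-03-01T11:00:00", "event_id": 4720, "group": None,
     "member": "temp-user", "actor": "jdoe"},
]
# Constructed change-management record: (member, group) grants that were approved.
APPROVED_GRANTS = {("mwright", "Domain Admins")}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def unauthorized_privilege_grants(events, approved, privileged=PRIVILEGED_GROUPS):
    """Return privileged-group additions that no approved change explains."""
    return [e for e in events
            if e["event_id"] in (4728, 4732)
            and e["group"] in privileged
            and (e["member"], e["group"]) not in approved]


# Constructed outbound flow records: (host, identity, dst_ip, dst_port, start, end).
# _BEACONS models a tunnel that reconnects every minute for six hours, two seconds per session.
_BEACONS = [("WS-0301", "svc-backup2", "192.0.2.10", 53,
             f"2024-03-01T{9 + m // 60:02d}:{m % 60:02d}:00",
             f"2024-03-01T{9 + m // 60:02d}:{m % 60:02d}:02") for m in range(360)]
FLOWS = [
    ("WS-0412", "jdoe", "198.51.100.200", 443, "2024-03-01T09:00:00", "2024-03-01T21:00:00"),  # 12 h on 443
    ("WS-0412", "jdoe", "203.0.113.50", 443, "2024-03-01T09:05:00", "2024-03-01T09:05:03"),    # ordinary web hit
    ("WS-0199", "asmith", "203.0.113.50", 443, "2024-03-01T10:00:00", "2024-03-01T10:00:02"),
    ("WS-0199", "asmith", "10.0.5.20", 445, "2024-03-01T08:00:00", "2024-03-01T18:00:00"),    # internal SMB, ignored
    *_BEACONS,
]
# Only RFC 1918 ranges count as internal here; documentation ranges are treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sustained_outbound(flows, min_span_hours=4.0, min_connected_hours=1.0, min_sessions=100):
    """Flag (host, identity, destination, port) tuples that stay connected to an external
    address for hours, or reconnect to it over and over across hours, on any port."""
    stats = {}
    for host, ident, dst, port, start, end in flows:
        if any(ip_address(dst) in net for net in INTERNAL_NETS):
            continue
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        st = stats.setdefault((host, ident, dst, port),
                              {"first": s, "last": e, "connected": timedelta(), "sessions": 0})
        st["first"], st["last"] = min(st["first"], s), max(st["last"], e)
        st["connected"] += e - s
        st["sessions"] += 1
    alerts = []
    for (host, ident, dst, port), st in stats.items():
        span_h = (st["last"] - st["first"]).total_seconds() / 3600
        connected_h = st["connected"].total_seconds() / 3600
        if span_h >= min_span_hours and (connected_h >= min_connected_hours
                                         or st["sessions"] >= min_sessions):
            alerts.append({"host": host, "identity": ident, "dst": f"{dst}:{port}",
                           "span_h": round(span_h, 1), "connected_h": round(connected_h, 2),
                           "sessions": st["sessions"]})
    return alerts


if __name__ == "__main__":
    for grant in unauthorized_privilege_grants(GROUP_EVENTS, APPROVED_GRANTS):
        print("unapproved privilege grant:", grant)
    for alert in sustained_outbound(FLOWS):
        print("sustained outbound:", alert)
```

Keying the flow statistics on the identity as well as the host is what makes the second check an identity detection rather than a network one: the same tunnel seen from a freshly created account is a much stronger signal than from the workstation’s usual owner, and the account-creation event (4720) in the first data set is the kind of record an analyst would pivot to next.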

Detecting threat actors in the Explore & Lateral Movement phase is all about monitoring for unauthorized or unexpected identity accesses. Key tactics include:

  • Establishing access policies for key systems and then monitoring for exceptions – essentially trip wires to alert you of someone exploring.  Closely monitoring PAM accesses and attempts to bypass these controls are key. 
  • Monitoring for unusual patterns of accesses like connecting for the first time to multiple servers via RDP in a short period of time can be a great way to identify potential threat actors in the explore phase. 
  • Monitoring for new and unusual SaaS accesses – especially to file share services – is key to identifying potential exfiltration attempts.
  • Monitoring for the typical lateral movement methods attackers leverage, like using weak SMB file shares or exploiting Telnet and similar weak authentication protocols.
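The “first time to multiple servers via RDP in a short period” pattern above, and the first-time RDP access to a domain controller mentioned under Expand Access, can both be detected from a per-identity baseline of previously seen destinations. The code below is an added example, not the post’s or AuthMind’s: it replays constructed RDP logon events (modelled on Windows 4624 events with logon type 10, the RemoteInteractive logon that an RDP session produces) against a constructed 30-day baseline and raises an alert when one identity reaches three never-before-seen hosts within an hour. Host names, accounts, the window and the threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed 30-day baseline: (user, destination host) RDP pairs seen before today.
BASELINE = {("jdoe", "WS-0412"), ("jdoe", "FS-02"), ("asmith", "APP-07"),
            ("asmith", "APP-08"), ("svc-backup2", "BK-01")}
DOMAIN_CONTROLLERS = {"DC-01", "DC-02"}  # constructed asset inventory

# Constructed RDP logon events: (timestamp, user, destination host). Each models a
# Windows 4624 event with logon type 10 (RemoteInteractive), i.e. an RDP session.
RDP_EVENTS = [
    ("2024-03-02T02:10:00", "svc-backup2", "BK-01"),   # already in the baseline
    ("2024-03-02T02:12:00", "svc-backup2", "DC-01"),   # first ever hop to a domain controller
    ("2024-03-02T02:20:00", "svc-backup2", "SQL-03"),
    ("2024-03-02T02:31:00", "svc-backup2", "APP-07"),
    ("2024-03-02T09:00:00", "jdoe", "FS-02"),
    ("2024-03-02T09:30:00", "jdoe", "APP-09"),         # one new host: ordinary
    ("2024-03-02T16:00:00", "asmith", "APP-07"),
]


def rdp_fanout_alerts(events, baseline, window=timedelta(minutes=60), threshold=3):
    """Alert when an identity reaches `threshold` never-before-seen hosts over RDP inside `window`."""
    seen = set(baseline)
    recent = defaultdict(deque)   # user -> (time, host) of recent first-time destinations
    alerts = []
    for ts, user, host in sorted(events):
        t = datetime.fromisoformat(ts)
        if (user, host) in seen:
            continue
        seen.add((user, host))    # learn the pair so it is not counted twice
        q = recent[user]
        q.append((t, host))
        while q and t - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "time": ts, "new_hosts": [h for _, h in q]})
            q.clear()             # one alert per burst
    return alerts


def first_dc_access(events, baseline, domain_controllers=DOMAIN_CONTROLLERS):
    """Return the first RDP logon of each identity to a domain controller it never used before."""
    seen = set(baseline)
    hits = []
    for ts, user, host in sorted(events):
        if host in domain_controllers and (user, host) not in seen:
            hits.append((ts, user, host))
        seen.add((user, host))
    return hits


if __name__ == "__main__":
    for alert in rdp_fanout_alerts(RDP_EVENTS, BASELINE):
        print("RDP fan-out:", alert)
    for hit in first_dc_access(RDP_EVENTS, BASELINE):
        print("first DC access:", hit)
```

The baseline is what keeps this quiet in production: administrators who RDP to the same dozen servers every day never trip it, while a service account that suddenly walks from a domain controller to a database server to an application server in twenty minutes does, which is exactly the exploring behaviour described for the Change Healthcare dwell time.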

Unfortunately, once the intruder has entered the Impact phase, the tactics move from protecting and mitigating to response and containment. The CPGs’ guidance around logging and incident planning and preparedness are clearly essential starting points. The next major incident could literally be next week, so ensuring teams are ready to respond, and can get help from third-party response teams, can be essential in containing and reducing the breach’s impact to the business. Often teams aren’t ready and are left with the hard choice to disconnect major parts of the network and/or data centers, which can at times result in more impact than the actual breach.


A common challenge that teams face when trying to understand the full scope of the breach is that, even with good logging, investigating identity-specific activity can still be difficult and slow. Understanding everywhere a suspected compromised identity went across the enterprise, including hops between networks and to cloud environments, accesses that didn’t involve authentication to the local domain, and SaaS accesses, is frequently missed in SIEM queries. Fully understanding the breadth of access may involve stitching together logs from hosts, gateways, and identity systems – which can take weeks to months in some cases. Without this full picture of everywhere a particular identity went, the understanding of the threat actor’s activities is limited, which dramatically slows down initial efforts to isolate and expel the threat actor so business recovery can start.
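The stitching problem above is concrete enough to show in code. The example below is added here and is not the post’s or AuthMind’s: it normalizes three constructed log sources of different shapes (a VPN gateway CSV export, a Windows logon event exported as JSON, and a SaaS audit line) into one schema, then uses the VPN address leases to attribute a SaaS upload that carried no domain authentication and a different account name back to the identity that held that IP at the time. All log lines, account names, hosts and addresses are constructed, and the three formats are simplified stand-ins rather than any vendor’s real export layout.

```python
import csv
from datetime import datetime
from io import StringIO

# Three constructed log sources in three different shapes (none of this is real data).
VPN_CSV = """time,user,assigned_ip,action
2024-03-02T01:58:10,svc-backup2,10.20.0.77,connect
2024-03-02T03:10:00,svc-backup2,10.20.0.77,disconnect
2024-03-02T08:30:00,jdoe,10.20.0.81,connect
"""
WINDOWS_EVENTS = [
    {"TimeCreated": "2024-03-02T02:12:03", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "svc-backup2", "IpAddress": "10.20.0.77", "Computer": "DC-01"},
]
SAAS_LINES = [
    # The SaaS account name does not match the domain identity and no domain
    # authentication happened here, so only the source IP ties it back.
    "2024-03-02T02:55:40 user=bkp.upload@example.com action=upload file=claims_export.zip bytes=2147483648 src=10.20.0.77",
]


def normalize_vpn(text):
    return [{"time": datetime.fromisoformat(r["time"]), "source": "vpn", "identity": r["user"],
             "ip": r["assigned_ip"], "detail": r["action"]}
            for r in csv.DictReader(StringIO(text))]


def normalize_windows(events):
    return [{"time": datetime.fromisoformat(e["TimeCreated"]), "source": "windows",
             "identity": e["TargetUserName"], "ip": e["IpAddress"],
             "detail": f"logon type {e['LogonType']} to {e['Computer']}"}
            for e in events if e["EventID"] == 4624]


def normalize_saas(lines):
    records = []
    for line in lines:
        ts, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        records.append({"time": datetime.fromisoformat(ts), "source": "saas",
                        "identity": None, "saas_user": kv["user"], "ip": kv["src"],
                        "detail": f"{kv['action']} {kv.get('file', '')} ({kv.get('bytes', '?')} bytes)"})
    return records


def vpn_leases(vpn_records):
    """Build (identity, ip, start, end) intervals from connect/disconnect pairs; open leases run forever."""
    leases, open_by_ip = [], {}
    for r in sorted(vpn_records, key=lambda r: r["time"]):
        if r["detail"] == "connect":
            open_by_ip[r["ip"]] = (r["identity"], r["time"])
        elif r["ip"] in open_by_ip:
            ident, start = open_by_ip.pop(r["ip"])
            leases.append((ident, r["ip"], start, r["time"]))
    for ip, (ident, start) in open_by_ip.items():
        leases.append((ident, ip, start, datetime.max))
    return leases


def attribute_by_ip(records, leases):
    """Fill in the identity of records that carried none, using the lease that held the IP at that time."""
    for r in records:
        if r["identity"] is None:
            for ident, ip, start, end in leases:
                if r["ip"] == ip and start <= r["time"] <= end:
                    r["identity"] = ident
                    r["detail"] += f" [attributed via VPN lease; SaaS account {r['saas_user']}]"
    return records


def identity_timeline(identity):
    """Everything one identity did, across all three sources, in time order."""
    vpn = normalize_vpn(VPN_CSV)
    everything = vpn + normalize_windows(WINDOWS_EVENTS) + normalize_saas(SAAS_LINES)
    attribute_by_ip(everything, vpn_leases(vpn))
    return sorted((r for r in everything if r["identity"] == identity), key=lambda r: r["time"])


if __name__ == "__main__":
    for r in identity_timeline("svc-backup2"):
        print(r["time"].isoformat(), r["source"], r["detail"])
```

A SIEM query keyed on the user name alone would return only the VPN and domain logon rows; the upload to the file share surfaces only because the gateway lease makes the source address attributable, which is the kind of non-domain access the paragraph above says is routinely missed.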


How AuthMind Can Help

The AuthMind Identity Security Platform provides security teams with end-to-end, real-time identity security posture management and threat detection and response. By continuously observing and analyzing identities’ access paths, it provides critical visibility into the activities of human and non-human identities across the integrated enterprise landscape, enabling security professionals to deal with the three enablers of identity-based attacks: identity and access blind spots, security gaps in identity infrastructure, and non-compliance and misconfigurations.


Since AuthMind maps all access flows across the integrated application landscape, and provides detailed visibility into all types of access, with the context needed -  it can uniquely detect identity security gaps, including identification of access to servers that lack MFA. Such gaps can't be properly addressed by current identity infrastructure or existing security controls because they know only what they can control and protect. They don’t know what is left outside of their scope.


So in the case of the Change Healthcare incident, AuthMind would have alerted on the initial security gap that enabled the attack - the lack of MFA on an exposed asset. AuthMind’s continuous observability would also have identified the follow-on suspicious identity access activity - the privilege escalation, the account creation and the abnormal lateral movement activities - and alerted the identity team and the security team about these activities, providing the context needed for mitigating these risks.


Set up a call to learn more on how AuthMind can detect security gaps and alert on any suspicious or unauthorized activity, click here.
