**A Comprehensive Breakdown: How a Stolen Citrix Account Led to the Change Healthcare Hack**

Hey there! I’m going to tell you a story that’s as chilling as it is eye-opening. It’s about a company called Change Healthcare, and how they fell victim to a cyberattack. Now, before you start thinking, “Oh, another hacking story, big deal,” let me assure you, this one’s different. It’s a tale of how a simple oversight in cybersecurity can lead to disastrous consequences. And it’s a cautionary tale that we all need to learn from. So, grab a cup of coffee, sit back, and let’s dive in.

**The Scene of the Cybercrime**

Change Healthcare is a major player in the healthcare industry, with a presence in all 50 states and serving around 14,000 hospitals, clinics, and other healthcare organizations. That’s a lot of responsibility, right? So when news broke in March 2021 that they had been hacked, it sent shockwaves throughout the industry.

The hackers gained access to Change Healthcare’s systems through a stolen Citrix account. Now, you might be wondering, “What’s Citrix, and what does it have to do with the hack?” Allow me to explain.

**Citrix: A Key to the Kingdom**

Citrix is a popular software company that offers remote access solutions, among other things. Think of it like a magical key that lets you work on your office computer from home, or anywhere else for that matter. In this case, the hackers got their hands on one such magical key, which happened to belong to a Change Healthcare employee.

Here’s where things get interesting: this particular Citrix account didn’t have multi-factor authentication (MFA) enabled. MFA is a second layer of security: to log in, you have to verify your identity with something other than your password, for example a one-time code sent to your phone. It’s like having a deadbolt on your door in addition to the regular lock.

**The Dominoes Begin to Fall**

Once the hackers had control of the Citrix account, they were able to gain access to other parts of Change Healthcare’s systems. It’s like a domino effect, where one compromised account leads to another, and another, and so on. The result? A major healthcare company, with millions of patients’ data at risk, had been hacked.

**The Aftermath: Lessons Learned**

So, what can we learn from this story? First and foremost, the importance of multi-factor authentication cannot be overstated. According to Microsoft, MFA can block 99.9% of account hacks. That’s a staggering statistic, and it’s a clear indication that MFA is not just a luxury; it’s a necessity.

Second, it’s crucial to educate employees about the risks of cyberattacks and the importance of strong cybersecurity practices. Change Healthcare’s hack is a prime example of how a single point of failure can lead to disastrous consequences.

Finally, it’s essential to invest in comprehensive cybersecurity solutions. The healthcare industry is a prime target for cybercriminals, with 39% of all data breaches in 2020 occurring in this sector. A strong cybersecurity strategy is not optional; it’s a must-have.

**Take Action Today: Don’t Become the Next Change Healthcare**

Now that you’ve heard this cautionary tale, it’s time to take action. Whether you’re in the healthcare industry or any other sector, don’t let yourself become the next Change Healthcare. Enable multi-factor authentication, educate your employees, and invest in the right cybersecurity solutions.

And remember, we’re here to help you make sense of it all. So feel free to reach out and contact us anytime. Together, we can work towards a safer, more secure digital world. Keep coming back to learn more, and let’s stay ahead of the hackers!

Protecting Your Business from Cybersecurity Threats: A Personal Guide

Hi there, I’m Peter Zendzian, a cybersecurity expert with a mission to keep your business safe from cyber threats. Today, I’m going to share some insights on how to protect your most valuable asset—your company’s data—from hackers and other cybercriminals.

The Growing Threat of Cyber Attacks

Think about this: every 39 seconds, there’s a hacker attack somewhere in the world. Cybercrime is growing at an alarming rate, and it’s not just big corporations that are targeted. In fact, 43% of all cyber attacks are aimed at small businesses.

Why You Should Care About Cybersecurity

Imagine losing all your customer data, or having your company’s reputation tarnished by a data breach. These are just a few consequences of not taking cybersecurity seriously. A single cyber attack could cost your business millions of dollars and possibly lead to its closure.

Common Cybersecurity Mistakes Businesses Make

Many businesses make the mistake of thinking they’re too small to be targeted or that their current security measures are sufficient. Others may not even be aware of the risks they’re exposed to. Some common cybersecurity mistakes include:

  • Not updating software and hardware
  • Using weak or default passwords
  • Failing to train employees on cybersecurity best practices
  • Not having a strong firewall or antivirus software in place

How to Protect Your Business from Cyber Attacks

Here are some actionable steps you can take to safeguard your business:

  1. Establish a strong cybersecurity policy: Have a clear plan in place that outlines how your company will handle cybersecurity threats, including regular risk assessments and security audits.
  2. Train your employees: Make sure your employees know the basics of cybersecurity, such as how to spot phishing emails and the importance of strong passwords.
  3. Keep your software and hardware updated: Regularly update your systems to protect against known vulnerabilities.
  4. Implement multi-factor authentication (MFA): MFA adds an extra layer of security by requiring users to provide two or more forms of identification before gaining access to sensitive data.

Don’t Wait Until It’s Too Late

Taking action now can save your business from a devastating cyber attack in the future. Remember, the best defense is a strong offense, and being proactive about your company’s cybersecurity is the key to staying one step ahead of cybercriminals.

I’m here to help you navigate the complex world of cybersecurity and protect your business from threats. Contact me today to learn more about how you can keep your company’s data safe and secure. And don’t forget to keep coming back for more tips and insights on staying cyber-safe!

4/30/24: Update added below about Change Healthcare Citrix credentials previously stolen by information-stealing malware.

UnitedHealth has confirmed that Change Healthcare’s network was breached by the BlackCat ransomware gang. The attackers used stolen credentials to log into the company’s Citrix remote access service, which did not have multi-factor authentication enabled.

UnitedHealth CEO Andrew Witty shared this information in written testimony published ahead of a House Energy and Commerce subcommittee hearing scheduled for tomorrow.

The ransomware attack on Change Healthcare occurred in late February 2024, leading to severe operational disruptions on Optum’s Change Healthcare platform.

This impacted a wide range of critical services used by healthcare providers across the U.S., including payment processing, prescription writing, and insurance claims, and caused financial damages estimated at $872 million.

Previously, the BlackCat ransomware gang claimed they had received a $22 million ransom payment from UnitedHealth. However, the payment was stolen from the affiliate who conducted the attack in an exit scam. Shortly after, the affiliate claimed to still have the data and partnered with RansomHub to initiate an additional extortion demand by leaking stolen data.

The healthcare organization recently admitted that it paid a ransom to protect people’s data post-compromise, but no details about the attack or who carried it out were officially disclosed.

RansomHub has since removed the Change Healthcare entry from its site, indicating that an additional ransom was paid.

An easy break-in

In testimony by Andrew Witty, the CEO confirmed that the attack occurred on the morning of February 21 when the threat actors began encrypting systems and rendering them inaccessible to the organization’s employees.

For the first time, the company also officially confirmed that the ALPHV/BlackCat ransomware operation was behind the attack.

While the actual public-facing attack occurred on February 21, Witty revealed that the attacker had access to the company’s network for approximately ten days before deploying their encryptors. During this time, the threat actors spread through the network and stole corporate and patient data that would be used in their extortion attempts.

The investigations, which are still ongoing, revealed that the attackers first gained access to Change Healthcare’s Citrix portal on February 12, 2024, using stolen employee credentials. It is unknown whether those credentials were initially stolen via a phishing attack or information-stealing malware.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” explained Witty.

“The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”

The CEO also shared a personal moment, stating that the choice to pay a ransom was entirely his and one of the hardest decisions he had to make.

“As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone,” Witty wrote in his testimony.

Remediation efforts

Witty further outlined UnitedHealth’s immediate actions to secure their systems following the attack, characterizing them as “swift and forceful.” He noted that the threat was successfully contained by taking everything down despite knowing the impact this would have on people.

Following the attack, the organization’s IT team replaced thousands of laptops, rotated credentials, and completely rebuilt Change Healthcare’s data center network and core services in just a few weeks. Witty states such a task would usually have taken several months.

Although data samples that leaked online contained protected health information (PHI) and personally identifiable information (PII), Witty notes that, so far, they have seen no evidence of exfiltration of materials such as doctors’ charts or complete medical histories.

Concerning the status of the impacted services, pharmacy networks operate at a fraction of a percent below normal, medical claims flow nearly at normal levels, and payment processing at approximately 86% of pre-incident levels.

Update 4/30/24: After publishing our story, Hudson Rock CTO Alon Gal told us that on February 8, the company’s threat intelligence platform detected a Change Healthcare employee’s Citrix credentials stolen through information-stealing malware.

Image: Stolen Change Healthcare Citrix credentials (Source: Hudson Rock)

The stolen credentials are associated with the URL remoteapps[.]changehealthcare[.]com/vpn/index.htm, and while that site is no longer accessible, we have confirmed it to be the URL for Change Healthcare’s Citrix Gateway login page.

It is unknown if these are the credentials used to gain access to Change Healthcare’s networks and conduct the ransomware attack.
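Checking an infostealer dump against your own remote-access portal URLs, the way Hudson Rock’s platform flagged the Citrix Gateway credentials above, is a check any organization can run on its own exposure feeds. The following is an added example, not code from the article or from Hudson Rock: the record format, the portal inventory and the usernames are constructed, and only the gateway hostname quoted in the article is real.

```python
"""Match infostealer-log credential records against an organization's own
remote-access portals so exposed accounts can be reset and MFA enforced.

Added example, not code from the article or Hudson Rock. The record format
('date|url|username|password') and the portal inventory are assumptions;
sample records are constructed. The secret itself is never stored or printed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Portals we own (assumption: maintained by the organization, not a product API).
OWN_PORTAL_HOSTS = {"remoteapps.changehealthcare.com"}


@dataclass(frozen=True)
class ExposedCredential:
    host: str
    username: str
    detected_on: date


def refang(url: str) -> str:
    """Turn a defanged indicator such as hxxps://a[.]b into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def portal_host(url: str) -> Optional[str]:
    """Return the lowercase hostname from a stealer-log URL, or None."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url  # stealer logs frequently omit the scheme
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_own_portal(host: str) -> bool:
    """True if host is one of our portals or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in OWN_PORTAL_HOSTS)


def parse_record(line: str) -> Optional[Tuple[date, str, str, str]]:
    """Parse one 'date|url|username|password' line; None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    d, url, user, secret = parts
    return date.fromisoformat(d), url, user, secret


def exposed_accounts(lines: List[str]) -> List[ExposedCredential]:
    """Unique (host, user) pairs that point at our portals, earliest first.
    The password field is discarded so it never lands in a ticket or log."""
    seen = set()
    found: List[ExposedCredential] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        detected, url, user, _secret = rec
        host = portal_host(url)
        key = (host, user.lower())
        if host and is_own_portal(host) and key not in seen:
            seen.add(key)
            found.append(ExposedCredential(host, user, detected))
    return found


# Constructed sample dump: mixed defanging, a case-variant repeat, an
# unrelated host and a malformed line.
SAMPLE_DUMP = [
    "2024-02-08|hxxps://remoteapps[.]changehealthcare[.]com/vpn/index.htm|jdoe|REDACTED",
    "2024-02-08|remoteapps.changehealthcare.com/vpn/index.htm|JDOE|REDACTED",
    "2024-02-09|https://mail.example.net/owa|jdoe|REDACTED",
    "2024-02-10|https://remoteapps.changehealthcare.com/logon/LogonPoint/|asmith|REDACTED",
    "malformed line",
]

if __name__ == "__main__":
    for c in exposed_accounts(SAMPLE_DUMP):
        print(f"{c.detected_on} {c.username}@{c.host}: force reset, require MFA")
```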

As we continue to see the devastating impact of ransomware attacks, it is crucial for organizations to take cybersecurity seriously. Ensuring multi-factor authentication is enabled, conducting regular security audits, and providing employee training are just a few ways to help protect your business. But the responsibility to stay informed and take action doesn’t end here. We encourage you to reach out to our IT Services team and keep coming back to learn more about emerging threats and best practices in cybersecurity.


Shocking Cyber Heist: Over 25,000 People’s Data Stolen in 2023 Breach

Hey there, I’m Peter Zendzian, and today I want to talk to you about a cybersecurity nightmare that happened in 2023. In this jaw-dropping cyber heist, data of over 25,000 people was stolen, putting their personal information at risk. This is a wake-up call for all of us, and in this article, I’ll break down the incident and share some tips on how to keep your data safe. So, buckle up, and let’s dive right in.

Unmasking the 2023 Breach

Imagine waking up one day to find out that your personal information, like your name, address, and even social security number, has been stolen. That’s exactly what happened to over 25,000 innocent people in the U.S. when cybercriminals breached a major company’s database. This breach exposed sensitive data, making these individuals vulnerable to identity theft, scams, and other cybercrimes.

But, how did this happen? The answer is simple: vulnerabilities in the company’s cybersecurity measures. Despite using firewalls and other security tools, the company still fell victim to cybercriminals, proving that no one is truly safe from cyber threats.

Alarming Cybersecurity Stats You Should Know

This breach is just the tip of the iceberg. Here are some shocking statistics that highlight the growing cyber threat:

  • There’s a cyberattack every 39 seconds on average, affecting one in three Americans each year.
  • 95% of cybersecurity breaches are caused by human error.
  • Since COVID-19, the FBI has reported a 300% increase in reported cybercrimes.
  • By 2025, cybercrime damages are expected to cost the world $10.5 trillion annually.

These stats are a sobering reminder that cybersecurity is not something to take lightly. It’s time to act and protect ourselves and our data from cybercriminals.

How to Safeguard Your Data and Stay Cybersecure

Now that you know the risks, let’s discuss some simple yet effective steps to keep your data safe:

  1. Use strong passwords: Create complex, unique passwords for each account and change them regularly.
  2. Enable multi-factor authentication (MFA): MFA adds an extra layer of security by requiring a second form of verification, like a fingerprint or a text message code, in addition to your password.
  3. Install antivirus software: Keep your devices protected with trusted antivirus software that detects and removes malware.
  4. Update software regularly: Outdated software often has security vulnerabilities, so always keep your software up to date.
  5. Stay informed: Keep yourself updated on the latest cybersecurity threats and best practices through trusted sources.

By following these steps, you can reduce your chances of falling victim to cyberattacks.

It’s Time to Take Action

Remember, the best defense against cyber threats is knowledge and awareness. Don’t wait until it’s too late. Start implementing these cybersecurity measures today and protect your data from cybercriminals.

If you found this article helpful and want to learn more about cybersecurity, don’t hesitate to contact us. We’re here to help you stay informed and keep your data safe. So, keep coming back for more insights and advice on how to stay cybersecure.



Massive Ohio Lottery Ransomware Attack: Shocking Impact on Over 538,000 Individuals

The Ohio Lottery experienced a ransomware attack, compromising the personal information of over 538,000 individuals. The cybercriminals behind the attack demanded a ransom of 50 bitcoin, which the Lottery refused to pay. The affected data includes names, addresses, social security numbers, and birth dates of past winners and employees.


Imagine waking up on Christmas Eve to find out that your personal information has been compromised in a cyberattack. That’s precisely what happened to over 538,000 individuals when the Ohio Lottery experienced a data breach on December 24, 2023.

In a filing with the Office of Maine’s Attorney General, it was revealed that the attackers gained access to names, Social Security numbers, and other personal identifiers. Thankfully, the Ohio Lottery assured that the gaming network was not affected by the incident.

Even though no evidence of fraud using the stolen information was found, the Ohio Lottery provided free credit monitoring and identity theft protection services to all potentially impacted individuals, just to be on the safe side.

DragonForce Ransomware Gang Claims Responsibility

While the Ohio Lottery didn’t disclose the nature of the incident, the DragonForce ransomware gang claimed responsibility for the attack a few days later. The group stated that they encrypted devices and stole documents belonging to both customers and employees of the Ohio Lottery.

On December 27, the ransomware group mentioned on their dark web leak site that they had stolen over 3 million records. After negotiations failed, the gang leaked four .bak archives and multiple CSV files on January 22, allegedly taken from the Ohio Lottery’s systems.

According to DragonForce, the 94 GB of leaked data contains 1.5 million records with Ohio Lottery clients’ names, Social Security numbers, and dates of birth.

DragonForce ransomware seems to be a relatively new operation, having exposed its first victim in December 2023. However, their tactics, negotiation style, and data leak site suggest that they are an experienced extortion group. With nearly four dozen victims listed on their leak site and law enforcement disrupting many ransomware operations recently, it’s possible that this group is a rebrand of a previously known gang.

DragonForce ransomware also claimed responsibility for a cyberattack that impacted Japanese probiotic beverage manufacturer Yakult’s IT systems in Australia and New Zealand in mid-December. Yakult disclosed the attack after the ransomware gang leaked what it claimed to be 95 GB of data stolen from the company’s compromised servers.

Don’t Let This Happen to You

Cyberattacks are becoming more and more sophisticated, and the stakes are higher than ever. With personal information at risk, it’s crucial to stay informed and take proactive steps to protect yourself and your data.

We’re here to help. Our IT Services can assist you in staying up-to-date with the latest cybersecurity threats, providing guidance on how to safeguard your information and helping you navigate the ever-changing digital landscape.

Contact us today to learn more about how we can help you stay secure in this increasingly interconnected world. And don’t forget to keep coming back for the latest cybersecurity news and updates.


Dell Sounds Alarm on Massive Data Breach: 49 Million Customers Potentially Impacted

Dell has warned 49 million customers of a potential data breach as unauthorized individuals attempted to extract customer data from its network. The company has reset all affected users’ passwords and is urging them to stay vigilant for any suspicious activity.


Did you know that Dell recently experienced a data breach? A threat actor claimed to have stolen information for approximately 49 million customers. As a result, Dell started sending out data breach notifications to customers, informing them that a Dell portal containing customer information related to purchases was breached.

Now, you might be wondering, what kind of information was accessed during this breach? Well, according to Dell, the following information was compromised:

  • Name
  • Physical address
  • Dell hardware and order information, including service tag, item description, date of order, and related warranty information

Fortunately, the stolen information does not include financial or payment information, email addresses, or telephone numbers. Dell is currently working with law enforcement and a third-party forensics firm to investigate the incident.

How did this happen?

As reported by Daily Dark Web, a threat actor named Menelik tried to sell a Dell database on the Breach Forums hacking forum on April 28th. The threat actor claimed to have stolen data from Dell for “49 million customers and other information systems purchased from Dell between 2017-2024.” While we haven’t been able to confirm if this is the same data that Dell disclosed, it matches the information listed in the data breach notification.

The post on Breach Forums has since been deleted, which could indicate that another threat actor purchased the database.

What does this mean for Dell customers?

Although Dell doesn’t believe there is significant risk to its customers given the type of information involved, the stolen information could potentially be used in targeted attacks against Dell customers. Without email addresses, threat actors might resort to targeting specific people with physical mailings containing phishing links or media (DVDs/thumb drives) to install malware on targets’ devices.

Think this sounds far-fetched? Well, similar attacks have happened in the past. For instance, tampered Ledger hardware wallets that stole cryptocurrency were physically mailed to victims, and gift packages containing USB drives that installed malware have been sent the same way.

Since the database is no longer being sold, there’s a good chance a threat actor is trying to monetize it in some way through attacks. So, what can you do to protect yourself?

Stay vigilant and be cautious

Be wary of any physical mailings or emails you receive that claim to be from Dell, asking you to install software, change passwords, or perform some other potentially risky action. If you receive any suspicious communication, contact Dell directly to confirm its legitimacy.

Remember, knowledge is power, and staying informed about cybersecurity threats is essential to protecting yourself and your information. Don’t hesitate to contact us for more information and resources on cybersecurity, and keep coming back to learn more.


800K Users Compromised: The Alarming 2023 MOVEit Cyberattack Unleashed

Learn how the University System of Georgia suffered a massive data breach in 2023, exposing the personal information of over 800,000 individuals. Discover the role of the Moveit attack and its impact on cybersecurity in the education sector. Stay informed on the latest data protection measures to keep your information safe.


Image: Georgia Institute of Technology Tech Tower (RobRainer)

Imagine waking up one day to find out your personal information, including your Social Security number and bank account details, has been stolen by cybercriminals. This is what happened to 800,000 individuals when the University System of Georgia (USG) fell victim to the notorious Clop ransomware gang in 2023.

USG, a state government agency responsible for operating 26 public colleges and universities in Georgia, was among the first to be compromised in a massive worldwide data theft campaign conducted by the Clop gang. They exploited a zero-day vulnerability in the Progress Software MOVEit Secure File Transfer solution, impacting thousands of organizations around the globe.

How the breach unfolded

With the help of the FBI and CISA, USG eventually determined that sensitive files had been stolen from its systems. Almost a year later, they began notifying the impacted individuals, revealing that the cybercriminals accessed the following information:

  • Full or partial (last four digits) Social Security number
  • Date of birth
  • Bank account number(s)
  • Federal income tax documents with Tax ID number

Considering the type of information exposed and the fact that the number of impacted individuals is larger than the number of students under USG, it’s likely that prior students, academic staff, contractors, and other personnel were also affected.

USG submitted a sample of the data breach notice to the Office of the Maine Attorney General, stating that the data breach impacts 800,000 people. Interestingly, the entry on Maine’s portal also lists driver’s license numbers or identification card numbers as exposed data types, although these are not mentioned in the notice.

What’s being done to help the victims?

To help those affected, USG is now offering 12 months of identity protection and fraud detection services through Experian. Impacted individuals have until July 31, 2024, to enroll in these services.

Unfortunately, the MOVEit attacks by Clop were one of the most successful and prolific extortion operations in recent history. Over a year after the attacks took place, organizations are still discovering, confirming, and disclosing breaches, extending the aftermath of the cyber-attacks.

Emsisoft’s dedicated counter of MOVEit victims lists 2,771 impacted organizations and nearly 95 million individuals whose personal data now resides on Clop’s servers. Some of that data was published on Clop’s extortion portal on the dark web, some was sold to other cybercrime groups, and some remains to be monetized in the future.

What can you do to protect yourself?

This data breach serves as a stark reminder of the importance of cybersecurity and vigilance in our increasingly digital world. Organizations and individuals must prioritize cybersecurity measures, such as using strong, unique passwords, enabling multi-factor authentication, and regularly updating software and systems.

For more information on how to protect yourself and your organization from cyber threats, don’t hesitate to contact us. Our team at IT Services is dedicated to helping you stay safe in this ever-evolving digital landscape. Keep checking back for more insights and advice on cybersecurity!


Copyright © 2023 IT Services Network.