Change Healthcare breached via Citrix portal with no MFA

UnitedHealth Group CEO Andrew Witty's opening statement for Wednesday's congressional hearing shed more light on the ransomware attack against Change Healthcare.

UnitedHealth Group confirmed that the BlackCat/Alphv ransomware group breached Change Healthcare in February by using compromised credentials for a Citrix remote access portal that did not have multifactor authentication enabled.

On Monday, a prepared statement from UnitedHealth Group CEO Andrew Witty, titled "Examining the Change Healthcare Cyberattack," was released ahead of Wednesday's House Energy and Commerce Committee Subcommittee on Oversight and Investigations hearing. Witty reconfirmed that Alphv/BlackCat was behind the attack against its tech subsidiary Change Healthcare, which provides a variety of services including financial and administrative management to medical facilities and pharmacies.

On Feb. 21, Change Healthcare disclosed that it was experiencing network disruptions, which went on to affect patients, healthcare providers and pharmacists for months. Since then, UnitedHealth has confirmed that Alphv/BlackCat was behind the attack and that the company paid a ransom. UnitedHealth also acknowledged that threat actors had obtained sensitive data.

Witty's opening statement for the hearing shed more light on the attack timeline and vector, though many questions remain.

"On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later," Witty said in the prepared statement.

Vulnerable Citrix products have been popular targets for attackers for some time. In November, CISA and the FBI warned organizations that the LockBit ransomware group was widely exploiting a critical Citrix NetScaler ADC and NetScaler Gateway vulnerability, tracked as CVE-2023-4966 and dubbed "Citrix Bleed," that was disclosed and patched in October.

The advisory connected an October attack against aviation giant Boeing to Citrix Bleed. Boeing confirmed that threat actors had exploited CVE-2023-4966 to gain initial access to its parts and distribution business.

Then, in January, Citrix disclosed that two new zero-day vulnerabilities in the same products were under attack, though attribution was not provided. In addition, insurance provider Coalition published its "Cyber Threat Index 2024" in February that highlighted the substantial fallout Citrix Bleed victims faced.

However, the attack on Change Healthcare apparently did not involve the exploitation of Citrix flaws, as the attackers simply used compromised credentials to gain an initial foothold in the company's network.

MFA is a standard security measure that the industry and government agencies have been pushing for years to mitigate the threat of compromised credentials. Several recent, high-profile attacks have seen threat actors targeting and compromising services and assets that lack MFA protection. For example, an investigation into the Midnight Blizzard attack against Microsoft in July revealed that the compromised cloud tenant did not have MFA enabled.

Change Healthcare paid the ransom

Once Alphv/BlackCat actors accessed the Citrix portal, they moved laterally and deployed ransomware nine days later, Witty confirmed. The ransomware was highly disruptive, but the encryption was contained to the Change Healthcare network only, as the company shut down its data centers to prevent the ransomware from spreading; no other UnitedHealth Group entities were affected. Witty stressed that the ransomware prevented access to Change systems and IT environments.

"As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I've ever had to make," the testimony read. "And I wouldn't wish it on anyone."

Witty did not reveal the amount his company paid. Wired first reported in March that a cryptocurrency wallet controlled by Alphv/BlackCat received a $22 million payment; UnitedHealth Group earlier this month confirmed that it made a payment to the gang. While the company has not specified the ransom amount, UnitedHealth Group disclosed in its first-quarter earnings that the attack cost the company $872 million.

In the testimony, Witty revealed that the investigation is ongoing and the extent of the data breach remains unknown. Change Healthcare has more than 89 locations throughout the U.S. and serves more than 30,000 pharmacies.

"Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals, partly because the files containing that data were compromised in the cyberattack. Our teams, along with leading external industry experts, continue to monitor the internet and dark web to determine if data has been published," Witty's testimony read.

In addition to law enforcement and incident response teams from Mandiant and Palo Alto Networks, Witty said, UnitedHealth Group engaged the services of Google, Microsoft, Cisco and Amazon on Feb. 21 when it discovered the attack.

TechTarget Editorial contacted UnitedHealth Group for comment, but the company declined to comment further.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.