UnitedHealth Group Ransomware Attack: Hackers Stole Patient Data
The global American health insurance and services corporation UnitedHealth Group has announced that its health IT subsidiary Change Healthcare was the target of a malicious cyberattack.
Based on its initial targeted data sampling, the company has discovered files containing personally identifiable information (PII) or protected health information (PHI), which may include a significant proportion of the US population.
The business has not yet discovered any indications that materials like complete medical histories or doctor’s files were leaked among the data.
“A malicious threat actor posted 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, on the dark web for about a week. No further publication of PHI or PII has occurred at this time”, UnitedHealth Group said.
Change Healthcare Paid Ransom To A Cybercriminal Group
According to the information shared with Cyber Security News, Change Healthcare has paid a ransom to AlphV, also known as BlackCat. This hacking gang had been extorting the company since February.
“A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” the company said.
According to cybersecurity and cryptocurrency experts, Change Healthcare paid the ransom on March 1.
This is indicated by a transaction in which 350 bitcoins, or about $22 million, were put into a cryptocurrency wallet connected to the AlphV hackers.
The transaction was originally revealed in a post on the RAMP site, a Russian cybercrime forum, where a purportedly betrayed partner of AlphV expressed dissatisfaction over not having received their share of Change Healthcare’s payment.
But Change Healthcare consistently refused to acknowledge that it had paid the ransom.
To make matters worse, a second ransomware gang has emerged from a dispute among hackers. It claims to have Change Healthcare’s stolen data and threatens to sell it to the highest bidder on the dark web.
The second gang to demand a ransom from Change Healthcare was identified as RansomHub.
According to reports, they claim to possess patient details and a contract with another healthcare provider among the stolen data from Change Healthcare’s network.
While acknowledging that some files had been published, UnitedHealth refrained from asserting that the documents were its own. UnitedHealth stated, “This is not an official breach notification.”
Change Healthcare is still making great strides toward resuming the services that were interrupted by the incident.
With 99% of pharmacies operating as they did before the event, pharmacy services are now almost back to normal.
As more providers transition to alternative submission methods or systems come back online, medical claims are moving through the U.S. health system at almost normal levels.
Change Healthcare is gradually restoring other services, such as eligibility software and analytical tools, with the active reconnection of the clients currently taking precedence.
“While this comprehensive data analysis is conducted, the company is in communication with law enforcement and regulators and will provide appropriate notifications when the company can confirm the information involved,” the company said.
Microsoft Disables App Installer Protocol Handler Abused by Hackers to Install Malware
Threat actors, particularly those with financial motivations, have been observed spreading malware via the ms-appinstaller URI scheme (App Installer). As a result of this activity, Microsoft has disabled the ms-appinstaller protocol handler by default.
“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” the Microsoft Threat Intelligence team said.
Threat actors likely favour the ms-appinstaller protocol handler because it can bypass security measures such as Microsoft Defender SmartScreen and the built-in browser warnings for downloads of executable file types, both of which are intended to protect users from malware.
Microsoft Threat Intelligence has identified App Installer as a point of entry for human-operated ransomware activities by several actors, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.
Observed activity includes spoofing legitimate applications, tricking users into installing malicious MSIX packages that imitate legitimate software, and evading detection on the initial installation files.
Microsoft discovered that Storm-0569 was using search engine optimization (SEO) poisoning to spread BATLOADER by impersonating websites that offered legitimate downloads, including AnyDesk, Zoom, Tableau, and TeamViewer.
When a user searches on Bing or Google for a legitimate software application, they may be shown links to malicious installers that use the ms-appinstaller protocol, hosted on a landing page that mimics the real software provider's site. Spoofing and imitating well-known, legitimate software is a common social engineering technique.
A malicious landing page spoofing Zoom accessed via malicious search engine advertisement for Zoom downloads
Microsoft observed that Storm-1113's EugenLoader was distributed through search ads that posed as the Zoom application. When a user visits the compromised website, a malicious MSIX installer called EugenLoader is downloaded to the device and then used to deliver additional payloads.
These payloads may include previously observed malware families such as Lumma stealer, Sectop RAT, Gozi, Redline stealer, IcedID, Smoke Loader, and NetSupport Manager (also known as NetSupport RAT).
EugenLoader from Storm-1113, distributed via malicious MSIX package installations, is used by Sangria Tempest. Next, Sangria Tempest distributes Carbanak, a backdoor that the actor has been using since 2014 and which subsequently spreads the Gracewire malware implant.
The financially motivated group Sangria Tempest (formerly ELBRUS, also tracked as Carbon Spider and FIN7) mostly focuses on ransomware deployments, such as Clop, or on targeted extortion after intrusions that frequently result in data theft.
Storm-1674 used Microsoft Teams to send messages containing links to fake landing pages that mimic various businesses as well as Microsoft services such as SharePoint and OneDrive. Tenants created by the threat actor schedule meetings and communicate with prospective victims through the meeting chat feature.
Malicious landing page pretending to be a networking security tool
Recommendations
Develop and implement phishing-resistant user authentication techniques.
Implement Conditional Access authentication strength to require phishing-resistant authentication.
Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen.
Configure Microsoft Defender for Office 365 to recheck links on click.
Turn on attack surface reduction rules to prevent common attack techniques.
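The abuse described above hinges on landing pages (or Teams messages) that carry links using the ms-appinstaller URI scheme, which hands a package URL straight to App Installer. As an added example, not code from the article or from Microsoft, the following Python scans captured page or message content for such links, extracts the package URL from the `source` parameter, and flags any host that is not on an allowlist; the allowlist hostnames and sample HTML are constructed for illustration.

```python
"""Flag ms-appinstaller links in captured HTML or message text (added example)."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# An ms-appinstaller link looks like: ms-appinstaller:?source=<URL of an .msix/.msixbundle>
# Capture everything after "?" up to whitespace or a quote/angle bracket.
MS_APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?([^\s\"'<>]+)", re.IGNORECASE)

# Hypothetical allowlist: hosts this organisation legitimately installs packages from.
TRUSTED_PACKAGE_HOSTS = {"packages.example-corp.internal"}


def extract_package_sources(text):
    """Return every package URL referenced by an ms-appinstaller link in text."""
    text = html.unescape(text)  # turn &amp; back into & before parsing query strings
    sources = []
    for match in MS_APPINSTALLER_RE.finditer(text):
        params = parse_qs(match.group(1))  # also percent-decodes the value
        sources.extend(params.get("source", []))
    return sources


def classify(source_url):
    """'trusted' when the package host is allowlisted, otherwise 'suspicious'."""
    host = (urlsplit(source_url).hostname or "").lower()
    return "trusted" if host in TRUSTED_PACKAGE_HOSTS else "suspicious"


def scan_text(text):
    """Return (package_url, verdict) for each ms-appinstaller link found."""
    return [(src, classify(src)) for src in extract_package_sources(text)]


# Constructed sample landing page: a lookalike download link next to an internal one.
SAMPLE_HTML = """
<a href="https://zoom.us/download">Download Zoom</a>
<a href="ms-appinstaller:?source=https://zoom-download.example.test/Zoom.msix">Download Zoom</a>
<a href="ms-appinstaller:?source=https%3A%2F%2Fpackages.example-corp.internal%2FLOBApp.msixbundle&amp;x=1">Internal tool</a>
"""

if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE_HTML):
        print(f"{verdict:10} {url}")
```

This only triages content you have already captured; the per-device control is to disable the protocol handler itself, which Microsoft now does by default and which administrators can enforce via the EnableMSAppInstallerProtocol Group Policy.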