Cyber Attacks!  Are you paying attention?

A subsystem of Change Healthcare, a health care claims and payment processor, was breached and locked up by ransomware

How was Change Healthcare infiltrated?

On February 12, 2024, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to give staff remote access to desktops. The portal did not have multi-factor authentication, so a valid username and password were all that was needed to get in. Once the threat actor had access, they moved laterally within the systems and exfiltrated data. Ransomware was deployed nine days later, on February 21.

Could multi-factor authentication have prevented it, or could it have been a rogue employee granting access?

Looking at the attack, what can be learned?

While the details of the investigation might not be fully disclosed, it is worth considering several scenarios for how the compromised credentials were obtained and used. MFA would have stopped an outsider who held only a stolen password, but it would not stop an insider who could also complete the second factor, which is why the source of the credentials matters. Here are some possibilities:

Potential Sources of Compromised Credentials:

  1. Phishing Attack: An attacker could have sent a convincing email, text message or phone call to a Change Healthcare employee, tricking them into entering their login credentials on a look-alike portal page.
  2. Previous Data Breach: If an employee reused a password on another service that was later breached, the attacker could have pulled the credentials from a dump of that breach.
  3. Brute Force Attack: Automated guessing against an internet-facing portal succeeds when passwords are weak and the portal neither rate-limits attempts nor locks accounts. Password spraying, a few common passwords tried against many accounts, is the variant that slips past per-account lockout.
  4. Insider Threat: It is possible that an active or former employee with legitimate access intentionally provided the credentials to the attackers, motivated by financial gain or a grievance against the company.
  5. Malware: An employee's device could have been infected with an infostealer that harvested saved browser passwords or session cookies; credentials captured this way are commonly sold on to ransomware operators.
  6. Credential Stuffing: The automated form of item 2: a list of username and password pairs from other breaches replayed against the portal, hoping that some users reused them.

Investigation Considerations:

  1. Log Analysis: Review the portal's authentication logs for patterns such as many failed logins across several accounts from one source address followed by a success, a successful login from an address the account has never used, or logins outside the user's normal working hours. Because ransomware was deployed nine days after initial access, the logs from that window (new remote-desktop sessions, newly created accounts, unusual outbound transfer volumes) can show how the attacker moved and what left the network.
  2. Employee Interviews: Interview employees, starting with the owner of the compromised account, about any unusual activity and any suspicious messages they received.
  3. Forensic Analysis: Engage forensic specialists to analyse the affected systems and establish how the breach occurred, which weaknesses were exploited, and what data was taken.
  4. Access Review: Review access permissions so that only authorized personnel can reach sensitive systems and data, and disable dormant and former-employee accounts.
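As an added example (not code from the page or from Change Healthcare), here is a small Python review that runs the log-analysis checks above over constructed remote-access gateway log lines. The log format, user names and addresses are assumptions for illustration. It flags three signals at once: a successful login from a source the account has never used, a login outside working hours, and a success preceded by failures against several accounts from the same address, which is the signature of the password spraying and credential stuffing listed under potential sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in a simplified remote-access gateway log format.
# They are not Change Healthcare's or Citrix's logs; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
2024-02-11T09:02:11Z user=alice src=198.51.100.7 result=SUCCESS
2024-02-11T09:05:40Z user=bob src=198.51.100.9 result=SUCCESS
2024-02-12T02:41:03Z user=alice src=203.0.113.45 result=FAIL
2024-02-12T02:41:05Z user=bob src=203.0.113.45 result=FAIL
2024-02-12T02:41:07Z user=carol src=203.0.113.45 result=FAIL
2024-02-12T02:41:09Z user=dave src=203.0.113.45 result=FAIL
2024-02-12T02:41:12Z user=alice src=203.0.113.45 result=SUCCESS
2024-02-12T10:15:30Z user=bob src=198.51.100.9 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(log_text):
    """Turn raw lines into event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": parse_ts(m["ts"]), "user": m["user"],
                           "src": m["src"], "result": m["result"]})
    return events


def baseline_sources(events, cutoff):
    """Per-user set of source IPs seen on successful logins before the review window."""
    known = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS" and e["ts"] < cutoff:
            known[e["user"]].add(e["src"])
    return known


def review_logins(log_text, cutoff="2024-02-12T00:00:00Z",
                  business_hours=(7, 19), spray_users=3):
    """Flag successful logins in the review window that look like the portal scenario:
    unfamiliar source, off-hours, or preceded by failures against several accounts
    from the same source (password spraying / credential stuffing)."""
    events = parse_log(log_text)
    cutoff_ts = parse_ts(cutoff)
    known = baseline_sources(events, cutoff_ts)
    failed_users_by_src = defaultdict(set)
    findings = []
    for e in events:
        if e["ts"] < cutoff_ts:
            continue
        if e["result"] == "FAIL":
            failed_users_by_src[e["src"]].add(e["user"])
            continue
        reasons = []
        if e["src"] not in known.get(e["user"], set()):
            reasons.append("new_source")
        # Hours are UTC here; in practice compare against the user's local working hours.
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            reasons.append("off_hours")
        if len(failed_users_by_src[e["src"]]) >= spray_users:
            reasons.append("success_after_spray")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "src": e["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG):
        print(finding)
```

On the sample data the only hit is alice's 02:41 login from 203.0.113.45, which trips all three checks; bob's later login from his usual address is not reported. The same logic applies unchanged to a real gateway export once the regular expression is adjusted to its field names.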

Preventive Measures:

  1. Multi-Factor Authentication (MFA): Require MFA on every remote-access path, and prefer phishing-resistant methods (FIDO2/WebAuthn security keys or platform authenticators), because one-time codes and push prompts can be phished or approved by a fatigued user.
  2. Password Hygiene: Require long, unique passwords screened against lists of known-breached passwords, and rotate a password when there is evidence it was compromised rather than on a fixed schedule; forced periodic changes produce predictable variations, and current NIST guidance (SP 800-63B) advises against them.
  3. Employee Training: Regular cybersecurity training to help employees recognize phishing attempts and other social engineering tactics, including how to report them.
  4. Enhanced Monitoring: Alert in near real time on the login anomalies above and on post-login activity such as lateral movement, new privileged accounts and large outbound transfers; a nine-day gap between intrusion and ransomware is a detection window that monitoring should close.
  5. Zero Trust Architecture: Adopt a model in which every access request is verified against the user's identity, the device's health and the specific application requested, so that one valid credential on a portal does not grant broad access to the internal network.

Communication and Transparency:

  • Internal Communication: Keeping employees informed about the breach, the steps being taken, and any changes in security policies.
  • External Communication: Transparent communication with customers, partners, and regulatory bodies about the breach and the measures being taken to mitigate its impact.

© 2024 Localad