Change Healthcare Ransomware Key Cybersecurity Takeaways, TinyProxy Flaw Exposed, and LockBit Law Enforcement Site Prank

The Daily Decrypt

00:00 /

In today’s episode, UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee about the ransomware attack on Change Healthcare, revealing that legacy tech at Change amplified the attack’s impact. Stolen credentials and lack of multifactor authentication allowed attackers to move within Change’s systems, leading to the deployment of ransomware. UnitedHealth’s response included bringing in multiple incident response firms and cybersecurity experts to aid in recovery efforts. Original URLs: https://www.cybersecuritydive.com/news/unitedhealth-change-attack-tech-takeaways/715200/, https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html, https://www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-alive-to-tease-new-police-announcements/#google_vignette

Tags: UnitedHealth, ransomware, Change Healthcare, technology infrastructure, Tinyproxy, Remote code execution, Security flaw, Cyberattacks, LockBit, Law enforcement, Data leak site

Search phrases:

Preventing data breaches in healthcare systems
Upgrade technology infrastructure in healthcare
Protecting against ransomware attacks
Tinyproxy security flaw solutions
Remote code execution prevention
Cybersecurity measures for critical security flaws
LockBit ransomware impact on operations
Law enforcement actions against ransomware gangs
Data leak site revelations
Identifying ransomware operators

More than 50, 000 hosts are at risk of remote code execution due to a critical unpatched flaw in the TinyProxy service.

How can users protect their devices from this critical tiny proxy flaw?

Law enforcement has revived a seized LockBit ransomware data leak site, teasing new announcements to come including potential revelations about the identity of LockBit’s operator.

Is law enforcement bluffing or do they actually have this information?

And finally, we’ve got the five key security takeaways from the Change Healthcare Ransomware Attack, as summarized by Cybersecurity Dive, to include outdated technology, stolen credentials, multifactor and more. You’re listening to The Daily Decrypt.

A critical unpatched security flaw in the TinyProxy service is leaving over 50, 000 hosts exposed to remote code execution threats. The vulnerability has a high CVSS score of 9. 8 out of 10 and affects versions 1. 10 and 1. 11.

This vulnerability in the TinyProxy service allows attackers to execute malicious code through specially crafted HTTP

an unauthenticated threat actor could exploit this flaw by sending a specific HTTP connection header, triggering memory corruption that could lead to remote code execution on vulnerable systems.

Data from Census shows that approximately 57 percent of the 90, 000 publicly accessible hosts are running vulnerable versions, with a significant number of these hosts located in the United States, South Korea, China, France, and Germany.

In order to mitigate this risk, it’s recommended to upgrade to the most recent version of Tinyproxy. And, if at all possible, don’t expose your tiny proxy service to the public facing internet.

Law enforcement agencies, including the NCA, FBI, and Europol, have resurrected a previously seized lockbit ransomware data leak site, hinting at potential new revelations set to be disclosed today.

During Operation Kronos on February 19th, authorities dismantled LockBit’s infrastructure, taking down 34 servers hosting the DataLeak website, cryptocurrency addresses, decryption keys, and the affiliate panel. In a response to the disruption, the police repurposed one of the DataLeak sites into a platform for sharing insights gained during the operation, including details on affiliates, as well as LockBit’s deceptive practices regarding stolen data deletion post ransom payment.

One of the blog posts is titled, Who is LockBit Sup?, which is a reference to the individual or group of individuals who are running this ransomware organization.

And this blog post posted by law enforcement left many people anticipating significant revelations about the ransomware operator, but they only received a cryptic message stating that law enforcement knows who he is, who they are, knows where they live, how much he is worth, and claiming that this individual has engaged with law enforcement.

Which insinuates that this individual

was discovered by law enforcement and then convinced to give them information about his affiliates.

Now that post was after the law enforcement originally took over the site in late February, early March, and has since been taken down with no information. But the crux of this piece of news is that law enforcement has revived the site yet again with similar posts.

including what have we learnt, more lockbit hackers exposed, what have we been doing, and the coup de gras titled who is lockbit sup yet again. All of this is anticipated to be released later today

and if it turns out law enforcement doesn’t actually have any information this is going to be quite the blunder for them

and really show their hand that this is just a tactic to try to get people to turn against their affiliates.

And finally, Change Healthcare, which is a subsidiary of United Healthcare Group, fell victim to a ransomware attack which compromised a significant amount of patient data and disrupted operations. And just recently, the CEO submitted a written testimony

which fell short of lawmakers expectations but it did provide a lot of insight as to what went wrong, which is very interesting for us technical folks.

And the purpose of this segment is just to cover

five of the key technical takeaways from that testimony.

The first key takeaway is that legacy technology at Change amplified the attack’s impact. Stating that even though the company was founded in 2007, Some of the technology systems are over 40 years old, including payment systems

and medical claims systems.

UnitedHealthcare as a whole was undergoing an upgrade of all of their technologies before they acquired Change Healthcare,

but the attack had the effect that it locked up the backups that were stored on premises at Change Healthcare’s headquarters. which is one of the main causes for the delay in service. They weren’t able to get their backups back up and running. They claim that in the rebuild after the attack, they’re moving a lot of their backups to the cloud,

which will hopefully be more secure, but the cloud isn’t

a fix all answer. It’s going to take a lot of work, whether it’s on premise or in the cloud, to make sure that you continually have access to those backups and establish redundancy, etc.

Number two, stolen credentials unlocked the access, right?

That’s key in most attacks. It starts with stolen credentials. Don’t allow password reuse. Implement a tool that checks the dark web for all passwords.

And there really is no excuse for that because I get emails when my email is leaked on the dark web. And if you’re a corporation, you can just scan the dark web for anything in any of your domains. You should get an email. You should immediately revoke the password to that account. This is a pretty quick section because yeah, that’s pretty obvious.

The third key takeaway is that UnitedHealth brought in at least seven incident response firms to help them recover from the attack and some of them will remain in place as full time response.

UnitedHealth has even asked Mandiant to join its board as a permanent advisor to strengthen the company’s cybersecurity oversight and strategy.

The fourth key takeaway is the response,

which is a positive one. UnitedHealthcare immediately disconnected Change Healthcare from all other systems when it became aware of the ransomware attack,

Which is critical

to preventing this ransomware from spreading to other subsidiaries of United Healthcare. And many months after the attack, we can see how well this worked because, to our knowledge, as of yet, no other subsidiaries have been hit like Change Healthcare was. So,

even though the recovery took a lot longer, which was because of the backups failing and having to rebuild it from scratch, It could have been a lot worse had they not contained the blast radius just surrounding Change Healthcare.

And finally, multi factor authentication wasn’t turned on. Now, the CEO claims that it is company policy to have multi factor authentication turned on for every external facing service. And in his testimony, the CEO was very frustrated and does not know how they got away with not having this enabled.

And it assures lawmakers and patrons of Change Healthcare that every external facing system has multi factor authentication turned on now. And it’s impossible to say if having multi factor authentication turned on would have prevented this attack because even with multi factor authentication it is possible to bypass it.

People are always the weakest link clicking except when they receive the ping.

But it would have definitely slowed down the attackers.