Changelog: Change Healthcare finally bounces back weeks after cyberattack


Welcome to Changelog for 3/14/2024, published by Synack! README senior editor Nathaniel Mott here from sunny upstate New York with the week’s top security news.

The payload

Change Healthcare’s pharmacy network—which, according to Reuters, “processes about 50% of medical claims in the United States for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories”—was shut down in response to a ransomware attack on Feb. 21. It finally came back online (at least for most organizations) on March 13. But that doesn’t mean everything’s hunky-dory now.

TechCrunch reported on March 9 that “questions remain about the security of millions of people’s highly sensitive medical information handled by Change Healthcare” because the ALPHV / BlackCat cybercriminal group claimed “to have stolen enormous banks containing millions of patients’ private medical data from the health tech giant’s systems.” (Before it stole tens of millions of dollars from the affiliate that popped the company.)

The U.S. Department of Health and Human Services announced on March 13 that its Office for Civil Rights had opened an investigation into Change Healthcare parent company UnitedHealthcare Group in response to the ransomware attack. The office will be looking to determine if sensitive information protected by Health Insurance Portability and Accountability Act (HIPAA) rules was affected by the breach.

“Ransomware and hacking are the primary cyber-threats in health care,” HHS said. “Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.”

The disruption to Change Healthcare’s network could also have lasting ramifications for its customers. CBS News reported on March 12 that healthcare providers “may be losing up to $100 million a day” because of the outage, and Bloomberg reported on March 13 that cancer clinics in particular have faced a serious “cash crunch” since the network was taken down. The disruption also made it difficult for many Americans to fill their prescriptions and forced some to pay full price for them even if they have insurance.

We reported in September 2023 that attacks on healthcare providers could endanger people’s lives. At the time, I didn’t realize that a ransomware attack on a single company would put seemingly every provider in the country at risk, and have serious consequences for people who needed to pick up their prescriptions at some point over the last three weeks. That isn’t just a security problem; it’s a societal one.

Change Healthcare? No. Change healthcare.

The week, compiled

Last week I highlighted a public spat between Rapid7 and JetBrains over the disclosure of two vulnerabilities. This week, we published a more in-depth report on what happened from README contributor Cynthia Brumfield titled “Rapid7 vs JetBrains: A vulnerability disclosure process gone bad.”

I’m still wrapping my head around JetBrains’ decision to publish another blog post about the incident with the headline “Preventing Exploits: JetBrains’ Ethical Approach to Vulnerability Disclosure.” The implication was that Rapid7’s insistence on publicly disclosing information about the TeamCity vulnerabilities was unethical—which is an odd way to portray security researchers looking to inform organizations about the risks posed by these vulnerabilities rather than keeping that information to themselves.


This obsession with assuming the ethical high ground permeates the tech industry, which insists on calling researchers “ethical hackers” and previously referred to coordinated disclosure as “responsible,” as if they are the ones who determine what could be considered appropriate or not. Yet for some reason I doubt they’d be willing to accept “ethical developers” as a job title or “responsible product launches” as a practice, even though I think society would actually benefit more from that paradigm.

Now for some of the week’s leading security news:

VUSec: A new vulnerability called GhostRace has been found in “any software, e.g., operating system, hypervisor, etc., implementing synchronization primitives through conditional branches without any serializing instruction on that path and running on any microarchitecture (e.g., x86, ARM, RISC-V, etc.), which allows conditional branches to be speculatively executed,” which doesn’t sound great!

Ars Technica: Whoops! Researchers have discovered a way to learn what most chatbots (with the notable exception of Google’s Gemini) are saying to their users via a side channel that can be abused via adversary-in-the-middle attacks. That means the encryption used to secure those responses can be undermined, though I doubt many chatbot users will be targeted in such attacks.

Google: Google announced on March 12 that it had “awarded $10 million to our 600+ researchers based in 68 countries” via its bug bounty program in 2023. Some $3.4 million of that went to Android and Google device hackers, with another $2.1 million going to researchers who discovered vulnerabilities in the Chrome browser and $87,000 reaching those who found security issues in its generative AI offerings.

A message from Synack

Pentesting on a FedRAMP Moderate Authorized Platform. Synack has achieved the Moderate "Authorized" designation from the U.S. Federal Risk and Authorization Management Program (FedRAMP), demonstrating that Synack's premier security testing platform meets the cloud compliance framework's rigorous requirements at the Moderate level. The milestone approval means government agencies can deploy Synack's best-in-class penetration testing and vulnerability management solutions – even for internal data, and in systems that process Controlled Unclassified Information. To learn more about the news and your security testing options, head over to https://hubs.ly/Q02jpBQ30.

Local files

BleepingComputer: Nissan didn’t exactly race to disclose a ransomware attack on Nissan Oceania. BleepingComputer reported that the company acknowledged an incident affecting some 100,000 people in Australia and New Zealand on March 13. Akira took responsibility for the attack in December 2023, though, and it’s not clear why it took Nissan Oceania so long to confirm that it was breached.

CyberScoop: A budget proposal from the Biden administration would see an additional $13 billion “in cybersecurity funding for civilian agencies, including additional investments to the Departments of Justice, Homeland Security and Health and Human Services to bolster digital defenses.” CyberScoop has a breakdown of where that additional funding would go and for what purpose.

The Record: LockBit administrator Mikhail Vasiliev was sentenced to four years in prison and “ordered to pay $860,000 in restitution to his victims” this week. The Record said Vasiliev was arrested in October 2022 and pleaded guilty “to eight charges involving cyber extortion, weapons possession and more” in February. But his legal troubles won’t stop here; Vasiliev is set to be extradited to the U.S.

Off-script

It’s never a good sign when publications collaborate on an investigation. (You don’t usually see The New York Times and The Wall Street Journal team up to cover how awesome everything is.) Reports this week from The Washington Post, Wired, Recorder and Der Spiegel on a group called 764 were no exception.


Each of those reports features some kind of warning to readers about the depiction of what The Post described as “extremely disturbing events that may be upsetting for some people.” Wired was more explicit, saying its report “contains descriptions of abuse, self-harm, murder, and suicide.” Now that you’ve been warned, here are links to each report: The Washington Post, Wired, Recorder, Der Spiegel.

They’re hard reports to read—especially since I know my kids will eventually want to play games like Minecraft and Roblox or participate on platforms like Discord and Telegram, all of which are being used by groups like 764 to groom, harass and traumatize children around the world. I think I have a relatively good understanding of how to help them use the internet securely, but how do I help them do it safely, too?