Newsletter 02/28/2024. If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal.


The Connectwise ScreenConnect Vulnerability Part 2
The Return of the ALPHV/Blackcat Ransomware Gang

This post is a follow-up to The Dispatch on the Change Healthcare debacle, dated February 24, 2024.

If you logged on to the website of the Naval Hospital Camp Pendleton any time from Friday, February 23, 2024, up to this date, you saw the image to the right fill your screen.  As of the time of this writing, the startling graphic in bold text remained center stage on the homepage of the Naval Hospital website.  Stars and Stripes, the independent newspaper of the US Armed Forces, reported February 22, 2024, quoting the Defense Health Agency, that: "A cyberattack Wednesday on one of America’s largest health care technology companies has left U.S. military pharmacies worldwide unable to fill prescriptions." 

That continues to be the case, six days after the initial attack.  The following advisory is posted on the Change Healthcare website, dated February 28, 2024. 

Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter. Once we became aware of the outside threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact.

At first, blame for the cyberattacks exploiting the Change Healthcare vulnerability was laid at the feet of the recently disrupted Lockbit ransomware group. It is now believed that the ALPHV/Blackcat criminal gang is the real culprit.  Blackcat operates by selling Ransomware As A Service to its "affiliates" and others who might want to dabble in cybercrime. In a Joint Release by the FBI, CISA, and HHS, Uncle Sam said: 

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.

ALPHV Blackcat actors have since employed improvised communication methods by creating victim-specific emails to notify of the initial compromise. Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.

According to the industry newsletter Managed Care Executive, dated February 27, 2024, pharmacies across the US are shifting their prescription processing to other managed providers.  One such processor is PowerLine, operated by RedSail Technologies.  In the Managed Care Executive interview cited above, RedSail CEO Kraig McEwen, describing the increase in volume his firm has experienced, said that Powerline is "getting slammed by volume."  McEwen also expressed well the overarching themes of The Dispatches. One such sad statement is, "People are dying in this country because of these ---------[fill in the blank]."

McEwen's second observation is more to the point.  He says that the root cause of the dire situation is "the consequence of aging healthcare information systems in the U.S. that haven’t been adequately updated in decades," and that, “The healthcare information infrastructure in the U.S. is archaic and hard to protect.”  Of course, the CEO follows that with a plug that his company’s technology is an "up-to-date counterexample that is cloud-based and with built-in security features." 

Of course, Change Healthcare makes essentially the same claim.  As the vendor's website describes its technology: "Change Healthcare DSaaS puts data to work in a secure, cloud-based data modeling environment."  Change Healthcare proudly proclaims that its product is: "Data Science as a Service." Yada Yada.

Although Change Healthcare released patches for their vulnerable application on February 19, 2024, as explained by security vendor Censys in its Executive Summary, dated February 27, 2024,  "As of Tuesday, 27 February, Censys observed over 3,400 exposed potentially vulnerable ScreenConnect hosts online, most running version 19.1.24566."  The patched version is 23.9.8, according to Censys.  Although Censys reports a 47% decline "in potentially vulnerable instances exposed on the Internet," one must ask why the still vulnerable entities haven't patched yet.  Is it indolence, ignorance, or both?

Lying at the heart of this and other attacks is the way that the Software As A Service model makes mass exploitation of vulnerabilities so easy and effective.  Pollute the source upstream, and all those downstream are impacted.  Network admins and their corporate masters have to come to grips with their own responsibility for these attacks.  As Censys concluded in the summary cited above, remote access software does not absolve anyone involved in securing the nation's cybersecurity posture:

It’s clear that remote access software like ScreenConnect continues to be a prime target for threat actors. To enhance their security posture, organizations should consider shielding the web interfaces for these tools behind firewalls whenever feasible. Restricting their direct exposure on the public internet reduces your attack surface.
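The two numbers Censys gives above (most exposed hosts on 19.1.24566, patched release 23.9.8) are enough to triage your own inventory. The script below is an added example, not code from the post or from Censys; the inventory rows are constructed sample data, and the version threshold is taken from the Censys figure quoted here.

```python
# Added example: flag ScreenConnect hosts still below the patched release
# (23.9.8 per the Censys summary quoted above) and rank internet-exposed
# ones first, since those are the hosts Censys recommends firewalling.
from typing import List, Tuple

PATCHED_VERSION = "23.9.8"  # patched release as reported by Censys


def parse_version(v: str) -> Tuple[int, ...]:
    """Split '19.1.24566' into (19, 1, 24566) so components compare as
    integers; plain string comparison would rank '9.0.1' above '23.9.8'."""
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(version: str) -> bool:
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def triage(inventory: List[dict]) -> List[dict]:
    """Return hosts below the patched version, internet-exposed ones first
    so they are remediated (patched and moved off the public internet) first."""
    at_risk = [h for h in inventory if not is_patched(h["version"])]
    return sorted(at_risk, key=lambda h: (not h["internet_exposed"], h["host"]))


# Constructed sample inventory; hostnames and exposure flags are made up.
SAMPLE_INVENTORY = [
    {"host": "sc-01.example.internal", "version": "19.1.24566", "internet_exposed": True},
    {"host": "sc-02.example.internal", "version": "23.9.8", "internet_exposed": True},
    {"host": "sc-03.example.internal", "version": "23.9.8", "internet_exposed": False},
    {"host": "sc-04.example.internal", "version": "9.0.1", "internet_exposed": False},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        action = "patch, then put behind firewall/VPN" if h["internet_exposed"] else "patch"
        print(f"{h['host']}: {h['version']} -> {action}")
```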

As a Dispatch posted February 4, 2023, stated, Lurie Children's Hospital was victimized by ransomware attacks that began January 31, 2024.  On February 27th, 2024, The Register reported that the Rhysida ransomware-as-a-service gang is demanding "$3.4 million after attacking a children’s hospital in Chicago, forcing staff to resort to manual processes to provide care to patients."

Whether it was Lockbit, Blackcat, or others is now a moot point.  Logic tells us that there are most likely several threat actors at work here. As SC Magazine informed us, February 27, 2024:

Regardless of what happened at Change Healthcare, RedSense anticipates more organizations will be compromised as the ScreenConnect exploit is apparently fairly trivial to execute... We would expect to see additional victims in the coming days.

So, again I ask:  Are we having fun, yet?

¯\_(ツ)_/¯
Gerald Reiff