Cyber Threat Intelligence Briefing - May 6, 2024

This week, we explore the lessons learned from the Change Healthcare breach, recent Dropbox breach, and HPE ArubaOS critical vulnerabilities.

Change Healthcare Breach

In late February 2024, news broke of a major cyberattack against Change Healthcare, a payment platform used by healthcare giant UnitedHealth. It was quickly revealed that the BlackCat ransomware gang was responsible for the attack.

UnitedHealth made an attempt to contain the fallout by paying BlackCat a reported $22 million ransom.

Unfortunately, the threat actors behind the BlackCat group used this as an opportunity to pull an exit scam, taking the ransom payment and leaving their affiliate empty-handed and UnitedHealth patient data still at risk of being leaked.

Not only did UnitedHealth lose millions on the ransom payment, but total financial damages from the incident are estimated to have reached over $872 million for the quarter, including $593 million in "direct cyberattack response costs", with a total cost of $1.6 billion projected for 2024. Last week, details emerged on how the attack was able to take place.

How It Happened

According to testimony from UnitedHealth CEO Andrew Witty, threat actors were able to gain initial access to Change Healthcare's network by leveraging compromised credentials to authenticate to the Change Healthcare Citrix portal. It is unknown if these credentials were obtained via phishing or infostealer malware.

It should be noted that the Citrix portal did not have multi-factor authentication (MFA) enabled.

Once this initial foothold was established, the threat actor spent 10 days moving laterally throughout the network, stealing data, and deploying the ransomware encryptor.

Lessons Learned

Remote access tools such as Citrix and other VPN gateways are heavily targeted by threat actors. These network "front doors" are generally compromised in one of two ways: through stolen legitimate credentials or remote exploit of a vulnerability.

  1. All accounts on all internet-facing devices should have MFA enabled.
    While this is not a silver bullet for defenders, it greatly reduces the risk of threat actors gaining access via stolen credentials.
  2. Require strong, complex, and unique passwords on all accounts.
    This will hinder brute-forcing and password-spraying attempts against these devices. Do not assign weak default passwords to users and expect them to change them later.
  3. Leverage dark web monitoring to look for signs of compromised accounts.
    These services can identify compromised credentials from third-party breaches (which threat actors use for credential-stuffing attacks) and compromised accounts found in infostealer logs.
  4. Immediately patch remote code execution or authentication bypass vulnerabilities on edge devices.
    Password hygiene means nothing if the threat actor doesn't need a password to gain access.

From the testimony, it was disclosed that the threat actor had full access to the internal network for 10 days before the ransomware was finally detonated.

There are numerous detection and prevention opportunities to thwart threat actor activities before their final objectives are completed:

  • Leverage network detection tools such as PacketWatch to detect abnormal and anomalous network behavior.
    A threat actor will always need to communicate with their command and control (C2) servers while conducting an attack. In many cases these connections are obvious if someone is watching. Additionally, in the case of double-extortion ransomware attacks, the threat actor will need to move large volumes of data off the target network. Using network baselining, these large data transfers can be easily observed, allowing defenders to stop the attack.
  • Monitor for unusual administrator account activity, particularly new administrator account creations.
    Threat actors commonly create new global administrator accounts for persistence.
  • Deploy, properly configure, and maintain EDR across all endpoints.
    Simply having EDR tools deployed is not enough. These tools should be regularly audited to review enforcement policies (audit vs. prevent).
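As an added illustration of the first two detection opportunities above (this is example code written for this briefing, not a PacketWatch tool or anything from the UnitedHealth testimony), the script below runs two simple detections over constructed sample data: a per-host outbound-volume baseline that flags a host whose daily egress jumps far above its own history, and a correlation of Windows Security events 4720 (user account created) with 4728/4732 (member added to a global/local group) to flag a brand-new account that is immediately placed in a privileged group. Hostnames, account names, thresholds and the event records are all constructed assumptions.

```python
"""
Added example (not from the PacketWatch briefing): two small detections over
constructed sample data.

1. Network baselining: per-host outbound bytes on the evaluation day compared
   against that host's own earlier days; a large deviation is flagged as a
   possible bulk data transfer.
2. Account monitoring: Windows Security event 4720 (account created) correlated
   with 4728 (added to global group) / 4732 (added to local group) to flag new
   accounts that are granted privileged membership within a short window.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# --- 1. Outbound volume baseline -------------------------------------------

# Constructed flow summaries: (day, source_host, bytes_out).
# Days 1-7 form the baseline; day 8 is the day being evaluated.
FLOWS = [
    *[(d, "fileserver01", 1_200_000_000 + d * 10_000_000) for d in range(1, 8)],
    *[(d, "workstation42", 80_000_000 + d * 1_000_000) for d in range(1, 8)],
    (8, "fileserver01", 1_250_000_000),   # within its normal range
    (8, "workstation42", 9_600_000_000),  # roughly 100x its own baseline
]

def baseline_outliers(flows, baseline_days, eval_day, min_ratio=5.0):
    """Return {host: (observed_bytes, baseline_mean)} for hosts whose outbound
    bytes on eval_day exceed both mean + 3 sigma of their baseline days and
    min_ratio times the baseline mean (the ratio guard stops a near-constant
    baseline with tiny sigma from flagging trivial changes)."""
    per_host_day = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        per_host_day[host][day] += nbytes
    flagged = {}
    for host, days in per_host_day.items():
        history = [days[d] for d in baseline_days if d in days]
        if len(history) < 3 or eval_day not in days:
            continue  # not enough history to judge this host
        mu, sigma = mean(history), pstdev(history)
        observed = days[eval_day]
        if observed > mu + 3 * sigma and observed > min_ratio * mu:
            flagged[host] = (observed, mu)
    return flagged

# --- 2. New account immediately granted privileged membership --------------

# Constructed Windows Security event records (subset of fields).
EVENTS = [
    {"time": "2024-04-20T02:11:05", "id": 4720, "subject": "CORP\\svc_backup",
     "target": "CORP\\helpdesk2"},
    {"time": "2024-04-20T02:11:09", "id": 4728, "subject": "CORP\\svc_backup",
     "member": "CORP\\helpdesk2", "group": "Domain Admins"},
    {"time": "2024-04-20T09:30:00", "id": 4720, "subject": "CORP\\hr_admin",
     "target": "CORP\\jdoe"},
    {"time": "2024-04-20T09:31:00", "id": 4728, "subject": "CORP\\hr_admin",
     "member": "CORP\\jdoe", "group": "HR Staff"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732}

def new_privileged_accounts(events, window_seconds=3600):
    """Return [(account, group, creator)] for accounts created by a 4720 event
    and added to a privileged group within window_seconds of creation."""
    created = {}  # account -> (creation time, creating subject)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (ts, ev["subject"])
        elif ev["id"] in GROUP_ADD_EVENTS and ev["group"] in PRIVILEGED_GROUPS:
            if ev["member"] in created:
                t0, creator = created[ev["member"]]
                if (ts - t0).total_seconds() <= window_seconds:
                    hits.append((ev["member"], ev["group"], creator))
    return hits

if __name__ == "__main__":
    for host, (obs, mu) in baseline_outliers(FLOWS, range(1, 8), 8).items():
        print(f"[NET] {host}: {obs:,} bytes out vs baseline mean {mu:,.0f}")
    for account, group, creator in new_privileged_accounts(EVENTS):
        print(f"[IAM] {account} created by {creator} and added to {group}")
```

Both detectors are deliberately simple: in practice the baseline would be built from flow or NetFlow data over weeks rather than days, and the account correlation would be one rule among several (new local admins, group changes by unusual subjects, logons from new sources) in a SIEM or EDR console.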

The UnitedHealthcare breach is a shining example of how unsophisticated many of the hacking techniques used by major threat actors are. Most are not using 0-days or sophisticated malware; they are simply abusing poor security practices. Organizations can take simple yet impactful steps to improve their security posture and not be easy targets.

Additional Resources

Dropbox Breach Details

Dropbox submitted a Form 8-K to the SEC on April 29, disclosing a breach of their Dropbox Sign platform.

Per the filing, on April 24, Dropbox became aware that an unknown threat actor had gained access to data of all users of Dropbox Sign including usernames and email addresses.

For an undisclosed "subset" of users, threat actors also were able to access phone numbers, hashed passwords, and other authentication information such as API keys, OAuth tokens, and multi-factor authentication.

At the time of the filing, Dropbox had found no evidence that the threat actor accessed the actual contents of user accounts or the production environments of other Dropbox products.

Dropbox took the proactive step of resetting all users' passwords, logged out all devices that were connected to the service, and is rotating API keys and OAuth tokens.

Additional Resources

HPE ArubaOS Critical RCEs

HPE Aruba Networking recently released a security advisory detailing 10 vulnerabilities impacting multiple versions of their ArubaOS network operating system.

Of these 10 vulnerabilities, 4 are critical-severity unauthenticated remote code execution (RCE) vulnerabilities.

These vulnerabilities are tracked as CVE-2024-26305, CVE-2024-26304, CVE-2024-33511, and CVE-2024-33512, and all are related to flaws in PAPI (Aruba's access point management protocol).

The following products are affected:

HPE Aruba Networking

  • Mobility Conductor (formerly Mobility Master)
  • Mobility Controllers
  • WLAN Gateways and SD-WAN Gateways managed by Aruba Central

Affected Software Versions:

  • ArubaOS 10.5.x.x: 10.5.1.0 and below
  • ArubaOS 10.4.x.x: 10.4.1.0 and below
  • ArubaOS 8.11.x.x: 8.11.2.1 and below
  • ArubaOS 8.10.x.x: 8.10.0.10 and below

While there are currently no known cases of active exploitation, administrators are urged to enable Enhanced PAPI Security and upgrade devices to the appropriate patched version as soon as possible.
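To turn the affected-version list above into an inventory check, the script below (an added example written for this briefing, not an HPE tool) parses ArubaOS version strings and compares each one against the ceiling of its branch. Branches not listed above return "unknown" rather than "patched", because this summary does not cover every ArubaOS release train; the hostnames and versions in the sample inventory are constructed.

```python
# Added example (not from HPE or PacketWatch): compare ArubaOS versions against
# the affected ranges listed in the briefing. A version is "affected" if it is
# at or below the ceiling of its (major, minor) branch; "patched" if it is above
# the ceiling; "unknown" if the branch is not one of the four listed.

# Ceilings taken from the affected-versions list above.
AFFECTED_CEILINGS = {
    (10, 5): (10, 5, 1, 0),   # ArubaOS 10.5.x.x: 10.5.1.0 and below
    (10, 4): (10, 4, 1, 0),   # ArubaOS 10.4.x.x: 10.4.1.0 and below
    (8, 11): (8, 11, 2, 1),   # ArubaOS 8.11.x.x: 8.11.2.1 and below
    (8, 10): (8, 10, 0, 10),  # ArubaOS 8.10.x.x: 8.10.0.10 and below
}

def parse_version(text):
    """Parse 'A.B.C.D' into a 4-tuple of ints; tuple comparison then gives the
    correct ordering (so 8.10.0.10 > 8.10.0.9, unlike a string comparison)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ArubaOS version format: {text!r}")
    return tuple(int(p) for p in parts)

def status(version):
    """Return 'affected', 'patched' or 'unknown' for one version string."""
    v = parse_version(version)
    ceiling = AFFECTED_CEILINGS.get(v[:2])
    if ceiling is None:
        return "unknown"
    return "affected" if v <= ceiling else "patched"

def triage(inventory):
    """inventory: iterable of (hostname, version). Returns {hostname: status}."""
    return {host: status(ver) for host, ver in inventory}

# Constructed sample inventory of controllers and gateways.
SAMPLE_INVENTORY = [
    ("mc-hq-01", "8.10.0.10"),   # exactly at the ceiling: affected
    ("mc-hq-02", "8.10.0.11"),   # one above the ceiling: patched
    ("cond-01", "10.5.1.1"),     # above the 10.5 ceiling: patched
    ("gw-branch-7", "10.4.0.3"), # below the 10.4 ceiling: affected
    ("mc-legacy", "8.9.0.0"),    # branch not in the list: unknown
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {result}")
```

Hosts reported as "affected" need the upgrade; "unknown" hosts should be checked directly against the HPE advisory, since an unlisted branch may be end-of-life rather than unaffected. Enabling Enhanced PAPI Security is a separate configuration step that this version check does not verify.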

Additional Resources

Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.

If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.


Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.


DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.