Change Healthcare hackers took advantage of Citrix vulnerability to break in, says CEO

To break into Change Healthcare’s IT systems, hackers exploited a vulnerability in a Citrix remote desktop access product. This is according to Andrew Witty, Chief Executive Officer (CEO) of UnitedHealth, the parent company of Change Healthcare.

Later this week, Witty will testify on the Change Healthcare data breach before the House Energy and Commerce Committee, Reuters reports. His testimony was published on UnitedHealth’s website prior to the discussion.

In late February this year, news emerged of a major cyberattack at Change Healthcare, which forced the company to shut down parts of its infrastructure and impacted local pharmacies and neighboring businesses. It was later reported that the company fell victim to a ransomware attack.

Unknown point of entry

“Because we did not know at the time where the attack came from, we immediately disconnected connectivity to Change’s data centers to eliminate the chance of further infection,” Witty will say in the testimony.

Apparently, the attackers used a compromised username and password combination to gain access to the company’s Citrix portal. At the time, multi-factor authentication (MFA) had not yet been set up. It is currently unknown which specific Citrix vulnerability was exploited during the attack. Reuters points out that U.S. officials issued “several warnings about security vulnerabilities in Citrix tools” late last year.

In the weeks following the attack, it was reported that an affiliate of ALPHV (BlackCat), a notorious provider of ransomware-as-a-service, breached Change Healthcare and stole 4 TB of sensitive customer data. The group reportedly demanded $22 million in cryptocurrency in exchange for the decryption key and for keeping the data private. A blockchain transaction involving that exact amount was later spotted, prompting speculation that the company was attempting to pay the ransom.

Shortly afterwards, ALPHV shut down the entire operation and disappeared. The affiliate later claimed that the group had taken all the money for themselves and that they were tied to the data.
