A spate of high-profile identity-based attacks over the past few months have underpinned a harsh truth. Although cybercriminals today are finding increasingly sophisticated ways to breach networks, organizations are still committing the same basic errors, time and again.
When seasoned admins from top cybersecurity companies like MITRE and the Cybersecurity and Infrastructure Security Agency (CISA) are falling foul of their own best practices and exposing credentials, and several leading healthcare leaders are being brought down by a lack of multi-factor authentication (MFA), it’s clear that the identity attack surface needs to be taken more seriously.
In this blog, we’ll look at the attacks that targeted Change Healthcare, Okta, CISA, and MITRE this year to see what happened; why it happened; and how it could have been prevented – ultimately, by drilling down on authentication, trust relations, and visibility across the digital identity infrastructure.
Change Healthcare
| Victim | Change Healthcare (owned by UnitedHealth Group), a prescription and payment software provider |
| Attack method | Stolen credentials Ransomware as a service: BlackCat (aka ALPHV or Noberus) |
| Vulnerability | No MFA |
| Impact | Disrupted cash flow, prescription services, and claims processing across US-based hospitals, clinics, and pharmaciesUnitedHealth Group paid a $22M ransom to restore services Company stock is down 8% year to dateFinancial impact of over $1 billion for the full yearAttackers potentially stole a third of Americans’ data |
What happened?
On February 12, 2024, an attacker used stolen credentials to access one of Change Healthcare’s remote Citrix portals which wasn’t protected by multi-factor authentication. The attacker lay undetected in the system for nine days, stealing patients’ protected health information and personally identifiable information (PII), before deploying ransomware which shut down Change Healthcare’s claims and prescription processes. Andrew Witty, CEO of UnitedHealth Group said in a U.S. Senate hearing that he paid a ransom of $22 million to restore services.
Okta
| Victim | Okta, a provider of identity and access management (IAM) solutions |
| Attack method | Credential stuffing Proxyware |
| Vulnerability | No MFA Weak passwords |
| Impact | Compromised customer accounts |
What happened?
This was not a single breach, but a spike in credential stuffing attacks throughout April 2024 against Okta’s IAM solutions made via residential proxies such as Tor, NSOCKs, Luminati, and Datalmpulse (used to anonymize IP addresses). Okta said that attackers were abusing the networks of mobile devices and browsers belonging to paid subscribers to secretly route malicious traffic, in what may have been a continuation of the brute-force attacks against VPN devices observed by Cisco Talos and Duo Security in March 2024. It’s likely, Okta said, that the devices were hijacked using “stolen credentials and scripting tools” – including proxyware installed when users download apps on their device using compromised software developer kits. Okta has released new features to block requests from anonymizing services and prevent these attacks.
Cybersecurity and Infrastructure Security Agency (CISA)
| Victim | CISA, a US government agency that provides critical infrastructure partners with cybersecurity information and guidance |
| Attack method | Account takeover Living off the land |
| Vulnerability | Lack of MFA Excess privileges Ivanti Connect Secure zero days Authentication bypass (CVE-2023-46805) Command injection vulnerability (CVE-2024-21887) |
| Impact | Not disclosed |
What happened?
In February 2024, attackers exploited CISA admin credentials – unprotected by MFA – which belonged to a former employee and were likely stolen from a previous data breach and exploited two zero-day vulnerabilities in the victim’s Ivanti Connect Secure VPN service (CVE-2023-46805 and CVE-2024-21887) to evade detection.
The attackers (thought to be China state-sponsored) breached CISA’s on-premises network, carried out lightweight directory access protocol (LDAP) queries against a domain controller, and compromised another employee’s admin credentials stored on CISA’s SharePoint server to authenticate on the Active Directory and Azure AD. However, it seems CISA avoided the worst. The attacker did not move laterally from the company’s on-premises network to its Microsoft Azure cloud environment, and according to CISA, did not impact operations.
The Mitre Corporation (MITRE)
| Victim | MITRE provides guidelines and tools for classifying and defending against cyberattacks |
| Attack method | Session hijacking |
| Vulnerability | Ivanti Connect Secure zero days Authentication bypass (CVE-2023-46805) Command injection vulnerability (CVE-2024-21887) Exposed admin account |
| Impact | MITRE host and user information (including metadata) leaked on the dark web |
What happened?
On April 19, 2024, MITRE disclosed that it spotted suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), which transpired to be an attack by a foreign nation-state actor dating back to January. The attacker exploited the same Ivanti zero-day vulnerabilities as the CISA breach and used session hijacking to bypass the organization’s MFA, then moved laterally to MITRE’s VMware infrastructure by compromising an admin account before using backdoors and web shells to maintain persistence and collect credentials. MITRE’s security team took NERVE offline to stop the breach and launched an investigation (which is still ongoing) to find out whether the attacker managed to move beyond NERVE.
Lessons Learned
Sometimes a giant must fall before we look up. 2024 has shown that no organization – whether a monolithic healthcare company or cybersecurity juggernaut – is immune to attack. If you have a blind spot, you’re a target. At Rezonate, we believe this year’s breaches offer four key lessons for improving your identity security posture.
#1 Protect credentials and secrets
Credentials and secrets form an important layer of security, which makes them a top target for attackers. Any identity can be exploited to gain initial access, from legacy accounts and third parties to high-level admins. To prevent these breaches from evolving, implement identity security posture management (ISPM) and identity threat detection and prevention (ITDR) tools. These can provide visibility into the behaviors, privileges, and risk profiles of your identities, helping you shut down threats before they escalate.
How Rezonate can help: Our platform makes it easy to discover, correct, and prevent weak points in your identity infrastructure, such as excess privileges, dormant accounts, misconfigured access, elevated risk profiles, and more, helping you protect against identity-based attacks and compliance issues.
#2 Stop attackers at the login box
Enforce strong MFA. Don’t user This advice is given time and again, for good reason. Change Healthcare’s Citrix portal, Okta’s user accounts, and CISA’s admin credentials were all exposed to attack because they lacked MFA. Clamp down on weak passwords too by implementing passwordless authentication where possible, rotating passwords regularly, and training users (especially nonchalant admins) to avoid setting default passwords or reusing them across multiple systems.
How Rezonate can help: Optimize your password hygiene and uncover any accounts not protected by MFA with our free risk assessment.
#3 Proactively monitor access, security controls, and session activity
Hope is not lost if attackers gain access. Be proactive and implement an identity protection platform that provides end-to-end visibility into the activity, privileges, and security controls of all human and machine identities across your post-authentication environment. This will help you continuously monitor for suspicious or abnormal behavior, such as identities logging in from an unknown device or location, changing privileges, using the wrong permissions, or accessing unfamiliar network resources. When threats or risks arise, identity protection platforms like Rezonate will provide you with real-time and context-based alerts and automate remediations where possible.
Continuous monitoring could have revealed attackers exfiltrating files from Change Healthcare’s system and helped MITRE prevent lateral movement into its VMware infrastructure – something the company admitted it failed to detect at the time.
How Rezonate can help: Rezonate delivers unified visibility and proactive control over the human and machine identities across all your cloud, SaaS, and identity providers. Our platform also offers a unique blend of identity security posture management (ISPM), real-time identity threat detection and response (ITDR), and risk-driven security automation for unprecedented identity protection.
#4 Never trust, always verify
Zero trust is crucial given the scale and complexity of cloud networks. Organizations should not take identities or requests for granted. Look at Okta – legitimate users can be impersonated using residential proxies. The CISA breach, meanwhile, shows how quickly identity threats can escalate once they gain initial access. CISA was lucky that attackers didn’t move laterally to its Azure cloud network and access its most sensitive resources.
Identity breaches don’t always start with you – third parties like Ivanti can be compromised first, as we saw with the CISA and MITRE breaches – but they should stop with you. The key here is restricting freedom of movement. Apply least privilege to all identities and segment networks to help prevent attackers from traversing your network and escalating their privileges. And to avoid CISA’s mistake of leaving a legacy admin account unprotected, de-provision identities and privileges when they’re no longer needed, as quickly as possible.
How Rezonate can help: Zero trust should be earned, not assumed; and this means taking proactive measures to enforce it. Our identity protection platform offers comprehensive identity monitoring and posture management capabilities for continuous risk reduction and protection to help you implement zero trust. With Rezonate, you’re not only prepared for identity threats but proactively discovering and mitigating them, too.
Eliminate Blind Spots with Rezonate
Rezonate provides identity protection across multiple cloud, SaaS, and identity provider platforms to eliminate the blind spots that impact the organizations discussed in this blog.
Our platform helps you prevent, detect, and mitigate identity threats by providing end-to-end visibility across all your identities – including their privileges and security controls – as well as comprehensive MFA integration, automated identity threat detection and response, identity security posture management, and fast remediation capabilities to fend off even the most determined attackers. Take a quick self-guided product tour.
