A scathing report by Australia’s Info Commissioner particulars how misconfigurations and missed alerts allowed a hacker to breach Medibank and steal information from over 9 million individuals.
In October 2022, Australian medical health insurance supplier Medibank disclosed that it had suffered a cyberattack that disrupted the corporate’s operations.
Per week later, the corporate confirmed that the menace actors stole all of its buyer’s private information and a lot of well being claims information, inflicting a knowledge breach that impacted 9.7 million individuals.
The info from the assault was later leaked by a ransomware gang often called BlogXX, which was believed to be an offshoot of the shutdown REvil ransomware gang.
The assault was in the end linked to a Russian nationwide named Aleksandr Gennadievich Ermakov, who was sanctioned by Australia, the UK, and the USA.
OAIC’s findings
In a brand new report launched by the Workplace of the Australian Info Commissioner (OAIC), the company’s investigation decided that vital operational failures allowed the hacker to breach Medibank’s community.
“The Commissioner alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988,” reads an OAIC press assertion.
In accordance with the report, it began with a Medibank contractor (IT Service Desk Operator) utilizing his private browser profile on his work laptop and saving his Medibank credentials within the browser.
These credentials had been then synced to his residence laptop, which turned contaminated with information-stealing malware, permitting the menace actors to steal all of the saved passwords in his browser on August 7, 2022. These credentials supplied entry to each an ordinary and an elevated entry (admin) account at Medibank.
“During the Relevant Period, the Admin Account had access to most (if not all) of Medibank’s systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases),” reads the OAIC report.
It’s unclear if the attacker behind the Medibank breach bought the stolen credentials from a web based darkish net cybercrime market or carried out the information-stealing malware marketing campaign.
Nonetheless, the menace actor started utilizing these credentials on August 12 to first breach the corporate’s Microsoft Change server after which later to log into Medibank’s Palo Alto Networks World Defend Digital Non-public Community (VPN) implementation, offering inside entry to the company community.
The report states that Medibank failed to guard customers’ information because it had not enforced multi-factor authentication on VPN credentials and allowed anybody with entry to the credentials to log into the gadget.
“The threat actor was able to authenticate and log onto Medibank’s Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA). Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required,” continued the report.
Utilizing this entry to the interior community, the menace actor started spreading by way of the methods, stealing 520 GB of information from the corporate’s MARS Database and MPLFiler methods between August 25 and October 13, 2022.
This information included prospects’ names, dates of delivery, addresses, telephone numbers, e-mail addresses, Medicare numbers, passport numbers, health-related data, and claims information (similar to affected person names, supplier names, major/secondary analysis and process codes, and therapy dates.
To make issues worse, the report alleges that the corporate’s EDR software program raised alerts about suspicious habits on August 24 and 25, which weren’t correctly triaged.
It wasn’t till mid-October, when Medibank introduced in a menace intelligence agency to analyze a Microsoft Change ProxyNotShell incident, that they found information was beforehand stolen within the cyberattack.
Defending credentials with MFA
With billions of credentials having been stolen by information-stealing malware and information breaches, it creates an enormous assault floor that’s arduous to defend towards with out extra defenses, similar to multi-factor authentication.
All organizations should function underneath the belief that their company credentials have been uncovered in some method, and thus, utilizing MFA provides an extra protection that makes it far tougher for menace actors to breach a community.
That is very true for VPN gateways, that are designed to be publicly uncovered on the web to permit distant workers to log in to the company networks.
Nonetheless, this additionally gives an assault floor generally focused by ransomware gangs and different menace actors to breach networks and thus should be protected with extra defenses, similar to MFA.
