The cyber attack exploiting a vulnerability in ConnectWise ScreenConnect software has led to significant disruptions at UnitedHealth’s Change Healthcare, impacting services across the United States. The incident has exposed critical weaknesses that affect not just Change Healthcare but also point to broader risks within the healthcare and critical infrastructure sectors. The exploitation of this flaw underscores the need for heightened security measures in an era where digital infrastructures are increasingly targeted by sophisticated cyber threats.
Understanding the Vulnerability
ConnectWise acknowledged a critical flaw in ScreenConnect 23.9.7 and addressed it with a security fix. The vulnerability, identified as CVE-2024-1709, makes it easy to bypass authentication, allowing unauthorized administrative access. A second bug, CVE-2024-1708, is a path traversal issue that facilitates remote code execution (RCE). Experts from Huntress have singled out CVE-2024-1709 as particularly egregious, because it enables RCE without exploiting the second bug. The discovery prompted an urgent recommendation to upgrade on-premises instances to version 23.9.8; cloud instances were already patched.
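As an added example (not ConnectWise's or the article's own code), the Python script below triages an inventory of ScreenConnect instances against the fixed version 23.9.8 named above. The inventory format, host names and status labels are constructed assumptions, and it assumes any on-premises version below 23.9.8 still needs the upgrade.

```python
import re

FIXED = (23, 9, 8)  # fixed on-premises version named in the article

# Constructed sample inventory: hosts and versions are made up for illustration.
SAMPLE_INVENTORY = [
    {"host": "rmm-a.example.internal", "hosting": "on-prem", "version": "23.9.7"},
    {"host": "rmm-b.example.internal", "hosting": "on-prem", "version": "23.9.8"},
    {"host": "rmm-c.example.internal", "hosting": "on-prem", "version": "23.10.1"},
    {"host": "rmm-d.example.internal", "hosting": "on-prem", "version": "22.10"},
    {"host": "rmm-e.example.internal", "hosting": "on-prem", "version": "unknown"},
    {"host": "tenant.example.cloud", "hosting": "cloud", "version": ""},
]


def parse_version(text):
    """Return the dotted version as a tuple of ints, or None if unparseable."""
    match = re.fullmatch(r"\s*v?(\d+(?:\.\d+){1,3})\s*", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def classify(entry):
    """Map one inventory entry to a triage status (labels are assumptions)."""
    if entry.get("hosting") == "cloud":
        return "vendor-patched"  # the article says cloud instances were already patched
    version = parse_version(entry.get("version"))
    if version is None:
        return "unknown"  # unverified: never assume an unreadable version is safe
    # Compare numerically on the first three components; a string comparison
    # would wrongly rank "23.10.1" below "23.9.8".
    core = (version + (0, 0, 0))[:3]
    return "upgrade-required" if core < FIXED else "patched"


def triage(inventory):
    """Group host names by triage status."""
    groups = {}
    for entry in inventory:
        groups.setdefault(classify(entry), []).append(entry["host"])
    return groups


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts that land in the unknown group need manual verification before they can be counted as patched.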
The Scale of Risk
ScreenConnect’s wide use by managed service providers (MSPs) for remote access magnifies the risk, with an estimated 93% of detected instances vulnerable. The potential for a significant supply chain attack echoes the impact of the MOVEit hack and highlights how critical this vulnerability is. Given the software’s prevalence and the ease of the exploit, it also raises the risk of a ransomware surge.
How is Change Healthcare Affected?
The cyberattack on Change Healthcare has resulted in extensive disruptions across U.S. pharmacies, with over 100 health-related services affected. UnitedHealth’s rapid response involved disconnecting Change Healthcare’s systems, yet the full recovery timeline remains uncertain. This incident underscores the healthcare sector’s vulnerability, which is intensified by its increasing reliance on digital infrastructure.
The cyberattack was facilitated by a strain of LockBit malware that exploited the ConnectWise vulnerabilities. Although the attack is not directly linked to the LockBit gang, the exploit’s timing and method highlight the persistent threat from such vulnerabilities. It illustrates the risk created by the time gap between a vulnerability’s announcement and the application of its patch.
Change Healthcare, in collaboration with law enforcement and cybersecurity firms, is working towards system restoration. Meanwhile, the healthcare sector faces heightened scrutiny over its digital transformation journey as it balances innovation with security.
This incident not only affects Change Healthcare and UnitedHealth but also signals a broader threat to the healthcare sector. With health data increasingly valuable, the sector is a prime target for cyberattacks, which emphasizes the need for robust cybersecurity measures.