Change Healthcare hackers took advantage of Citrix vulnerability to break in, CEO says


To break into Change Healthcare’s IT systems, hackers abused a vulnerability in a Citrix remote desktop access product. This is according to Andrew Witty, Chief Executive Officer (CEO) of UnitedHealth, Change Healthcare’s parent company.

Later this week, Witty is due to give his testimony regarding the Change Healthcare data breach in front of the House Energy and Commerce Committee, Reuters reports. His testimony was published on the UnitedHealth website ahead of the discussion. 

In late February this year, news broke of a major cyberattack at Change Healthcare, which forced the company to shut parts of its infrastructure down, and which affected local pharmacies and adjacent businesses. It was later reported that the company fell victim to a ransomware attack.

Unknown point of entry

"Not knowing the entry point of the attack at the time, we immediately severed connectivity with Change’s data centers to eliminate the potential for further infection," Witty will say in the testimony.

The attackers apparently used a compromised username and password to log into the company’s Citrix portal, which did not have multi-factor authentication (MFA) enabled at the time. Which specific Citrix flaw was abused in the attack is still unknown. Reuters points out that U.S. officials issued “multiple warnings about security loopholes in Citrix tools late last year”.
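As an added illustration of the control the testimony says was missing (this is example code written for this page, not anything from Citrix, UnitedHealth or the article): a small audit that reads an authentication log from a remote-access portal and reports which accounts completed logins with a password alone, so that gaps in MFA enforcement surface before they are discovered the hard way. The log format, the field names (`result`, `factors`, `src_ip`) and the sample entries are all assumptions constructed for this example.

```python
"""
Added example (not from the article, Citrix or UnitedHealth): audit a
constructed remote-access authentication log for successful logins that
were completed with a password only, i.e. with no second factor verified.
The JSON-lines format, field names and sample records are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample log, one JSON record per line. "factors" lists the
# authentication factors that were actually verified for that session.
SAMPLE_LOG = """\
{"ts": "2024-02-17T02:11:05Z", "user": "svc_claims", "src_ip": "203.0.113.8", "result": "success", "factors": ["password"]}
{"ts": "2024-02-17T02:12:40Z", "user": "j.doe", "src_ip": "198.51.100.20", "result": "success", "factors": ["password", "totp"]}
{"ts": "2024-02-17T02:15:00Z", "user": "svc_claims", "src_ip": "203.0.113.8", "result": "success", "factors": ["password"]}
{"ts": "2024-02-17T03:01:22Z", "user": "a.smith", "src_ip": "192.0.2.77", "result": "failure", "factors": ["password"]}
{"ts": "2024-02-17T03:02:10Z", "user": "a.smith", "src_ip": "192.0.2.77", "result": "success", "factors": ["password"]}
"""

# Factor names that count as a second factor in this assumed log schema.
SECOND_FACTORS = {"totp", "push", "fido2", "smartcard", "sms"}


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep the audit running past a corrupt line
    return events


def password_only_logins(events):
    """Return successful sessions whose verified factors include no second factor."""
    findings = []
    for ev in events:
        if ev.get("result") != "success":
            continue
        if not set(ev.get("factors", [])) & SECOND_FACTORS:
            findings.append(ev)
    return findings


def summarize_by_user(findings):
    """Count password-only successes per account and collect the source IPs seen."""
    summary = defaultdict(lambda: {"count": 0, "src_ips": set()})
    for ev in findings:
        entry = summary[ev["user"]]
        entry["count"] += 1
        entry["src_ips"].add(ev["src_ip"])
    return {u: {"count": v["count"], "src_ips": sorted(v["src_ips"])}
            for u, v in summary.items()}


def audit(text=SAMPLE_LOG):
    """Run the full audit over a log and return the per-account summary."""
    return summarize_by_user(password_only_logins(parse_log(text)))


if __name__ == "__main__":
    for user, info in sorted(audit().items()):
        print(f"{user}: {info['count']} password-only login(s) "
              f"from {', '.join(info['src_ips'])}")
```

Run against the constructed log, the audit reports `svc_claims` (twice from one address) and `a.smith` (once), while `j.doe`, who completed a TOTP challenge, is not flagged. In a real deployment the same logic would be pointed at the portal's exported authentication events, and any account that appears in the output is either missing MFA enrolment or is being reached through a path where enforcement is not applied.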

In the weeks following the attack, it was reported that an affiliate of ALPHV (BlackCat), a notorious ransomware-as-a-service vendor, breached Change Healthcare and stole 4TB of sensitive customer data. The group allegedly demanded $22 million in cryptocurrency in exchange for the decryption key and for keeping the data private. A blockchain transaction was later spotted with that exact amount, triggering speculation that the company tried to pay the ransom demand.

Soon after, ALPHV shut the entire operation down and disappeared. The affiliate later claimed the group took all the money for itself and that it was stuck with the data.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.