Citrix Vulnerability Implicated in Major Healthcare Cyberattack
In February, a high-profile cyberattack on Change Healthcare caused significant disruptions in the operations of US medical facilities. Andrew Witty, CEO of UnitedHealth Group (the parent company of Change Healthcare), revealed that the attack was enabled by an unpatched vulnerability known as Citrix Bleed (CVE-2023-4966, CVSS score: 7.5) in Citrix software. This information emerged during preparations for a hearing before the Subcommittee on Oversight and Investigations, scheduled for May 1st.
The attack, which occurred on February 12th, crippled the accounting and payment systems of UnitedHealth Group, affecting hospitals, insurance services, and pharmacies, and paralyzing their operations for nearly a month. The ALPHV/BlackCat group, which has since ceased operations following an FBI campaign, claimed responsibility for the attack.
A similar vulnerability was also actively exploited by another hacker group, LockBit, starting in July 2023. Citrix released the necessary update in October to address the vulnerability, but by that time many companies, including Boeing and ICBC, had already suffered cyberattacks.
UnitedHealth Group's CEO stated that the attack compromised data used for remote access to the Change Healthcare portal. Upon detecting the attack, the company immediately disconnected from its data processing centers to prevent the malware from spreading further.
Andrew Witty emphasized that over the past year the company has thwarted more than 450,000 hacking attempts. At the congressional hearing, Witty plans to discuss the measures the company is taking to combat cyber threats, including collaboration with the FBI and leading cybersecurity firms.
As a result of the attack, UHG disbursed over $6.8 billion in advance payments and interest-free loans to affected medical institutions. The Change Healthcare division processes records for one-third of US patients, handling about 15 billion transactions annually.
The cyberattack also triggered an investigation by the US Department of Health regarding potential violations of medical data protection regulations, which could lead to fines or lawsuits against UnitedHealth Group.
Change Healthcare continues to feel the effects of the incident. The situation is further complicated by the fact that the ALPHV extortionists deceived the company, disappearing shortly after receiving the ransom. Rumors suggest that the affiliates who carried out the attack never received their share of the payment, leading them to collaborate with the RansomHub group and continue to blackmail Change Healthcare using the same stolen data.