Breach Notification , Cybercrime , Fraud Management & Cybercrime

Australian Regulators Detail Medibank Hack: VPN Lacked MFA

Court Filing: Threat Actor Stole Admin Credentials From IT Service Desk Contractor
Australian Regulators Detail Medibank Hack: VPN Lacked MFA
Image: Medibank

Medibank's lack of multifactor authentication on its global VPN allowed a threat actor to use credentials stolen from an IT services desk contractor to access the private health insurer's IT systems in 2022, leading to a data exfiltration breach affecting nearly 10 million individuals, Australian regulators alleged.

See Also: Supporting Malware Analysis at Scale

Medibank data stolen in the incident and published on the dark web included information of 9.7 million individuals, including name, birthdate, gender, Australian Medicare number, residential address, email address, phone number, visa details for international worker and visitor customers, and health claims data - such as patient names, provider names, provider location and contact details, diagnosis numbers and procedure numbers and dates of treatment.

The hacker behind the Medibank attack managed to authenticate and log onto Medibank's Global Protect VPN using only the Medibank credentials the hacker stole from a contracted IT services desk operations because "during the relevant period, access to Medibank's Global Protect VPN did not require two or more proofs of identity or multi-factor authentication," Australia's information commissioner said in a federal court filing on Friday.

The information commissioner alleged that from March 12, 2021, to Oct. 13, 2022, "Medibank seriously, further or alternatively repeatedly, interfered with the privacy of approximately 9.7 million individuals - comprising current and former Medibank customers - whose personal information it held, by failing to take reasonable steps to protect that personal information from misuse, and/or from unauthorized access or disclosure, in breach of Australian Privacy Principle 11.1."

That principle requires an organization to take active measures to ensure the security of personal information it holds and to actively consider whether it is permitted to retain personal information.

The regulator is seeking multimillion-dollar financial penalties from Medibank for the incident, alleging that the insurer was aware of "serious deficiencies in its cybersecurity and information security framework" during the "relevant time" of the 2022 hack.

Medibank generated $7.1 billion in revenue in 2022 and employed nearly 3,300 workers. Its core IT security function comprised a team of 13 full-time IT security professionals, and its fiscal 2022 information technology budget was approximately $4 million to 5 million, of which $1 million was allocated for cybersecurity, the court papers said.

Although the court filing does not name the threat actor implicated in the hack, earlier this year, the Australian government - along with the U.S. and the U.K - sanctioned a Russian national accused of being behind the Medibank attack.

In January, Australia imposed a "cyber sanction" under the nation's Autonomous Sanctions Act 2011 on Russian national Aleksandr Ermakov for his role in the Medibank hack - the first time a sanction was imposed under the act (see: Australia, US, UK Sanction Russian Over 2022 Medibank Breach).

Also in January, Ermakov was among three men Russian police arrested on charges of violating Article 273 of Russia's criminal code, which prohibits creating, using or disseminating harmful computer code, said Russian cybersecurity firm F.A.C.C.T. (see: Russia Announces Arrest of Medibank Hacker Tied to Revil).

Breach Details

The information commissioner's court filing details how the hacker accessed Medibank systems.

Prior to Aug. 7, 2022, an employee of a third-party Medibank contractor, who worked as an IT service desk operator, saved his Medibank username and password for a number of Medibank accounts to his personal internet browser profile on the work computer he used to provide IT services to Medibank, the court documents said.

"When the IT Service Desk operator subsequently signed into his internet browser profile on his personal computer, the Medibank systems were accessed by credentials that were synced across to his personal computer. During the period of his employment, he had access to Medibank accounts using his Medibank Credentials including a standard access account and an elevated access account 'admin account,'" the information commissioner said in the court filing.

"During the Relevant Period, the admin account had access to most - if not all - of Medibank's systems, including network drives, management consoles and remote desktop access to jump box servers used to access certain Medibank directories and databases," the court document says.

On or around Aug. 7, 2022, the Medibank credentials were stolen from the IT service desk contractor's personal computer by a threat actor using a malware variant.

Using the stolen Medibank credentials, a threat actor, for the first time, on Aug. 12, 2022, logged onto Medibank's Microsoft Exchange server and tested the Medibank credentials for the admin account. On around Aug. 23, 2022, the hacker authenticated and logged onto Medibank's Global Protect Virtual Private Network, which controlled remote access to the Medibank corporate network, the filing says.

From around Aug. 25, 2022, until around Oct. 23, 2022, the threat actor used the Medibank credentials to access numerous Medibank IT systems, including a database containing sensitive personal and health information of Medibank's customers. The threat actor exfiltrated 520 gigabytes of data from that Medibank database and other systems, the court filing said.

"The threat actor was able to authenticate and log onto Medibank's Global Protect VPN using only the Medibank credentials because, during the relevant period, access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multifactor authentication," the information commissioner said in the court documents.

"Rather, Medibank's Global Protect VPN was configured so that only a device certificate, or a username and password was required."

On or around August 24, 2022, Medibank's endpoint detection and response software generated various alerts in relation to the threat actor's activity that were sent to a Medibank IT security operations email address, the court document said. "These alerts were not appropriately triaged or escalated by either Medibank or its service provider."

Medibank declined Information Security Media Group's request for comment on the information commissioner's court filing.

Common Weakness

The lack of multifactor authentication has played a pivotal role in many other healthcare sector breaches, large and small, including the massive February cyberattack on UnitedHealth Group's Change Healthcare unit.

In testimony before two congressional committees last month, UHG CEO Andrew Witty said attackers accessed an externa- facing Change Healthcare server that lacked MFA, despite UHG's cybersecurity standards, which includes requiring MFA on external-facing systems (see: Lawmakers Grill UnitedHealth Group CEO on Change Healthcare Attack).

UHG acquired Change Healthcare in late 2022 and was in the process of updating Change Healthcare's IT systems when the attack occurred, Witty testified.

Unfortunately, MFA lapses at healthcare sector entities are not uncommon, some experts said.

"During M&A diligence, security controls and compliance are generally assessed, but not in great detail. An internet-facing system that accepts logins can be overlooked in the process," said Mike Hamilton, founder and CISO of security firm Critical Insight.

"Large healthcare entities often fail to effectively implement MFA across their IT environments due to their complex IT infrastructures, which include numerous legacy systems and devices," said Jon Moore, chief risk officer at privacy and security consultancy Clearwater.

"Integrating MFA across all these systems can be challenging because of compatibility issues, high implementation costs and potential disruptions to operations," he said. Also, these entities may lack a comprehensive system inventory and risk analysis at the system or component level, leading to a lack of awareness by of the absence of MFA and its potential implications for the organization, Moore said.

When it comes to healthcare delivery organizations - including hospitals, clinics and physician practices, "doctors resist controls like multifactor authentication," Hamilton said. When doctors are the 'product' and drive the bulk of the organization's revenue, their concerns must be addressed, and this has been known to cause projects like MFA implementation to slip or be shelved," he said.

But regulators in the U.S. are trying to raise the bar on cybersecurity practices across the healthcare sector, including the use of multifactor authentication.

MFA is included among the "essential" cybersecurity performance goals released in January by the U.S. Department of Health and Human Services for the healthcare sector. The CPGs include 10 essential and enhanced practices that are "voluntary" right now, but HHS is expected to issue new regulations this year that would require certain healthcare entities, such as hospitals participating in Medicare programs, to implement those measures (see: HHS Details New Cyber Performance Goals for Health Sector).

"If and when MFA becomes a CPG requirement, it is likely there will be attestation required by one or more of the organization's executives," Hamilton said. "As claims of executive negligence are starting to appear more frequently, this should serve as a motivator to ensure that claims of compliance are accurate."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.