Medibank is an Australian health insurance provider offering coverage for residents, foreign students studying in Australia, visitors to Australia, and Australian-based corporations. The insurance provider has a wealth of stored personal data, electronic protected health information (ePHI), customer payment data, and extremely sensitive patient data.
In October 2022, Medibank administrators became aware of suspicious activity on the corporate network environment. Investigations took place, and the initial investigation found that the suspicious traffic was from an external threat including ransomware. That initial investigation indicated that no customer data was impacted, but Medibank later revised their statement when ransomware authors threatened to disclose private patient data if Medibank did not pay a $10 million ransom. This analysis covers the anatomy of a ransomware breach, specific effects on Medibank, the aftermath from the incident affecting the corporation and millions of patients, and suggestions for organizations to prevent a similar cybersecurity incident.
Before explaining the Medibank ransomware breach, it’s important to understand ransomware and its author’s goals. Ransomware is a business giving its authors potentially millions of dollars in profits. Most ransomware starts with a malicious phishing email, but it can also start from employees downloading the malware from a malicious website. It can also install when employees run malicious macros embedded into seemingly innocuous Office 365 documents (e.g., Word or Excel documents).
After delivering ransomware to an environment, authors code the malware to encrypt any file it finds on the local workstation and on the network. Ransomware can scan the network and exploit software vulnerabilities (e.g., WannaCry), and it can also replicate itself to store on network drives and stay dormant until an unsuspecting employee executes it on the network.
Most authors code ransomware with their own list of targeted file types, but most ransomware is configured to seek out hundreds of critical business file extensions (e.g., *.docx or *.xlsx) and encrypt them using an irreversible symmetric key. To avoid exposing the symmetric key, ransomware authors generate an asymmetric key and use it to encrypt the symmetric key and send the asymmetric key to a command-and-control server where the attacker can hold it hostage until a payment is made.
For years, ransomware encrypted files only, and authors hoped for a payment from victims in exchange for file recovery. More recently, corporations are aware of the importance of backups, and backup and recovery plans are now necessary for compliance. Backups give corporations a way to recover their files without paying the malware’s ransom, thus forcing ransomware authors to pivot their business strategy and incorporate blackmail.
Now, ransomware exfiltrates at least a portion of unencrypted stolen data and sends it to the command-and-control server. If a targeted corporation refuses to pay the ransom, the author threatens to disclose private data to the public. The threat of exposing private data could anger customers, cause them to go to a competitor, or create potential for more severe litigation including multi-million dollar class action lawsuits.
Not every ransomware attack is successful, as encrypting large amounts of files takes time and some monitoring systems stop it before ransomware can be successful, which means attackers must rely on their plan B: blackmail. The blackmail strategy is especially relevant to Medibank’s incident, and it led to a much more serious data breach than the initial cybersecurity event.
On October 12, 2022, Medibank’s administrators detected suspicious activity inside the company’s network. Because of strict compliance, Medibank announced the breach on October 13, 2022¹ but said that no customer data was compromised. Following the incident, some of Medibank’s systems like customer portals were taken offline for a short period of time. Further investigations from Medibank showed that no customer data was compromised.
Seven days after the event on October 19th, the hackers responsible for the data breach contacted Medibank and provided administrators with a sample of stolen data proving that they had, in fact, stolen customer data. Contact from the ransomware attackers forced Medibank to reverse their statement and make a new one reporting that the perpetrators had provided them with 100 sample records, Medibank officials reviewed them, and it was confirmed that patient data was stolen. Information contained patients’ personal information along with their health and claims records.
By November 2022, cyber-criminals responsible for the data breach demanded a $10 million payment. If payment was not made, they threatened to publish the stolen data within 24 hours. The hackers threatened to continually publish more and more patient data in batches until the ransom was paid.
The threats to expose data are a hallmark of ransomware strategies, and organizations have only one of two options: refuse to pay and recover data using backups, or pay the ransom and hope for decryption keys. Cybersecurity experts urge victims to refuse payment, which is the option Medibank chose.
While refusing to pay a ransom is standard practice, cyber-criminals responsible for the data breach kept to their word and began uploading compressed files on November 9th to a dark web forum with about 800,000 rows from the Medibank production database. Data contained patient information including sensitive healthcare treatment data. Attackers separated some data into a separate “naughty list” that contained a list of patients receiving drug and alcohol treatments. Assumingly, the goal was to expose such sensitive data that Medibank would eventually pay the ransom to stop the disclosure of their patient data.
After the initial data disclosure, attackers continued with even more sensitive data uploads to strongarm Medibank into paying the ransom. The second batch of records identified patients and their abortion records, non-viable pregnancies, ectopic pregnancies and miscarriages. Cyber-criminals continued uploading increasingly more sensitive data from November 2022 and into December 2022.
Overall, 9.7 million patient records were disclosed to dark web forums where hackers post their ransomware activities and data for sale. Although Medibank followed standard procedures and didn’t pay the ransom, the consequences fell entirely on patients and Medibank customers. Any customers of Medibank were urged to beware of phishing and social engineering scams from other cyber-criminals purchasing and using their data for additional attacks.
After working with Australian law enforcement, Medibank was able to confirm that the compromise was a ransomware attack, fortunately mitigated before the malware could encrypt files. Cyber-criminals could still, however, run queries against the production database, export the data to CSV, and exfiltrate it to attacker-controlled servers.
The root cause of the data breach was stolen credentials via a phishing email targeting a Medibank third-party vendor. An employee of a third-party IT managed service provider fell victim to a sophisticated phishing campaign used to steal user credentials. The original phishing attacker collected stolen network credentials from the third-party IT service provider and sold them on a Russian forum. Investigators believe that the Russian cyber-criminal gang REvil purchased the stolen credentials and later used them to compromise Medibank. REvil is a notorious ransomware gang active from 2019 to early 2022, but experts believe they’ve regrouped and become active again.
When cyber-criminals steal credentials, they use them to access a corporate network, explore various corporate resources for any interesting data, and determine if credentials have high-level privileges. If credentials are low-privilege, cyber-criminals began scanning the network for any potential high-privilege credentials so that they can escalate their permissions to gain access to sensitive resources such as databases, firewalls, shared directories, email, and files.
In the Medibank compromise, privilege escalation during the initial compromise was not necessary. The stolen third-party credentials had high-privilege permissions on the network including firewalls. A security flaw on Medibank’s network allowed firewall administration access without any secondary verification factor. Failure to require digital signatures for firewall access was the initial security failure that gave attackers the ability to search the network for additional high-privilege credentials. Additional high-privilege credentials then allowed attackers to traverse network segments including those hosting production databases.
With additional credentials in-hand, attackers ran several queries against Medibank’s Redshift databases. Attackers indicated that they pinpointed sensitive data locations using Medibank source code and documentation, likely found during exploration of the network using stolen credentials. One of the first email messages attackers sent to Medibank indicated that they exfiltrated 200GB of data from Redshift servers and provided a sample of 100 customers to prove their claims.
Conversations with attackers continued for days, but Medibank soon realized that 9.7 million customers had been impacted. Although they refused to pay the ransom, Medibank officials reported² that they expect the data breach to cost almost $450 million in revenue loss, litigation, remediation of the incident, and fees for compliance violations. Part of that figure comes from the high possibility of a class action lawsuit already in the works.
Two fatal flaws caused the Medibank data breach: phishing vulnerabilities and a misconfigured firewall that allowed access without any secondary identity validation. It should be said that not every security strategy is 100% risk-free, but a single flaw could land an organization in a situation that costs close to a half billion dollars just like Medibank. Both flaws were critical oversights, but the start of the data breach was the phishing campaign, and the initial vulnerability was human error.
A cyber-criminal group assumes that a large organization like Medibank has a robust security infrastructure, so the best way to penetrate a walled environment is to go after its weakest link, which is often third-party vendors. Humans are every organization’s weakest link, and it’s true for IT service providers even if they believe their staff are highly trained individuals with cybersecurity knowledge. Even hackers get hacked, and IT staff can still be a risk to the security of an organization’s environment.
Although the misconfigured firewall was also a flaw, the crux of the matter was the successful phishing email. After the credential theft, a series of events led to the compromise and exfiltration of data. Reports about the data breach don’t specify if the firewall misconfiguration was the fault of the IT managed service provider or Medibank network administrators, but their internal monitoring systems were the failsafe that stopped ransomware from delivering its payload.
A managed service provider (MSP) is often necessary to bring in additional network administrative and security services where local administrators lack the knowledge. MSPs also cost less than having a team of full-time staff, so they are common in large and small environments for businesses that want to offload costs and responsibility to a trusted third party. The downside is that IT service providers have elevated privileges on the corporate network, so organizations must choose carefully when searching for a provider that takes security seriously and has procedures in place to stop phishing attacks.
Traditionally, organizations simply trusted that an MSP had the right security in place, but it’s not sufficient when MSPs are a primary target for cyber-criminals. Instead, organizations should perform third-party risk management by assessing MSPs using security questionnaires that every MSP must answer. Questions ask MSPs to share their security policies, procedures, and the methods used to protect data. The MSP’s answers are then given a score, and based on that score, allows organizations to quantify risk and choose the right provider.
Every third-party risk management provider has their own line of questioning, but some general questions regarding user credentials and privileges might include:
Most questionnaires have many more questions than the above five, and the questionnaire covers a provider’s relationship between their security access controls, procedures and policies, and methods used to monitor and protect data. Some questions are simple “Yes” or “No” answers, but others might require a more detailed answer.
Every question is given a total number of points. A provider might score some or all points for each question. More points increase the provider’s risk score. A high risk score indicates that the provider is at a high risk of being compromised and should either remediate areas of their security practice to lower their risk score or lose an organization’s business.
It’s impossible to completely eliminate risk, so every provider will likely have some inherent risk. The lower the risk score, however, the lower the risk to a corporation's network environment. It’s ultimately the organization’s decision to choose a third-party vendor, but choosing one that doesn’t risk a multi-million dollar fallout from a data breach should be a priority, not only to protect your organization but to protect customers.
Medibank customers were the ones that suffered the most from third-party vendor risk. The insurance company reported record growth³ in February 2023 despite the cybersecurity incident that could cost them almost $500 million in damages. Medibank customers have been warned to prepare for phishing and social engineering attacks from their stolen patient data, but it’s not without reason that cyber-criminals could use the sensitive health information for more nefarious threats (e.g., blackmail or threats of exposing mental health treatment to employers unless the victim pays a ransom).
It could take several years for Medibank to finalize all aspects of their recent data breach. Businesses can take note of the high cost of a data breach from third-party vendor risk and take action to proactively reduce risk of a data breach from phishing and credential theft. Risk management of third-party vendors is necessary for proactive security to stop attackers from compromising your network.
Most organizations have dozens of third-party vendors, so their attack surface grows with every new provider. Vendors are a necessary part of doing business, but they should also have the same level of security as your own business.
Find out how Access Point can help you avoid costly data breaches from supply chain vendors.
¹ https://www.medibank.com.au/livebetter/newsroom/post/medibank-cyber-incident
² https://www.insurancejournal.com/news/international/2022/11/10/694648.htm
³ https://www.asx.com.au/asxpdf/20230223/pdf/45lxc7w3hl6c2b.pdf
Figure 1 : Retrieved from Reddit at https://www.reddit.com/r/australia/comments/z9ckxe/email_correspondence_between_medibank_and_hackers/
Figure 2: Retrieved from Reddit at https://www.reddit.com/r/australia/comments/z9ckxe/email_correspondence_between_medibank_and_hackers/
Last month, NIST published its first set of post-quantum cryptography (PQC) standards, setting a new benchmark for enterprises, government agencies, and vendors to withstand future cyberattacks from quantum computers. The time to start transitioning is now. Discover what’s at stake with CyberWatch.
Hospitals and healthcare providers have increasingly become targets of cyberattacks, which pose significant risks to patient care and safety. This document examines the various ways in which cyberattacks can disrupt hospital operations, compromise patient data security, and ultimately affect the quality of patient care. It also explores strategies and best practices that hospitals can implement to mitigate these risks and enhance their cybersecurity posture.
Ethical hacking has become an essential response to an IT industry kept on its toes by a spectrum of bad actors with malicious intent. This article introduces two prominent methodologies that help the good guys fight back: penetration testing (pen-testing) and red teaming. Learn more here.
Host Geoff Hancock was joined by guests Mike Rush, Director of Threat Intelligence at Access Point Consulting; and Evie Manning, Senior Director of Threat Hunting and Intelligence at Access Point Consulting. Together, they talked about cyber threat intelligence and the applications that can make it work for small and medium-sized businesses.
