“It’s highly likely that the absence of multi-factor authentication allowed attackers to circumvent the security measures of UnitedHealth Group’s [Change] Healthcare unit,” Aleem said. “Initial reports suggest that the attackers remained undetected in the environment for over a week and conducted lateral movement.”
Aleem added: “It’s probable that the attackers left some traces, or ‘breadcrumbs’, which went unnoticed by the UnitedHealth IT security team, thereby extending the breach exposure time.”
According to the latest edition of Verizon’s annual Data Breach Incident Report (DBIR), 74% of all breaches include a human element, with credential theft playing a big role.
Mark Allen, head of cybersecurity at CloudCoCo, said it was entirely plausible that MFA not being enabled played a role in hackers being able to remotely access the systems at Change Healthcare.
“Every organisation needs to cultivate a robust cybersecurity environment, and that starts with a basic zero-trust strategy at its core,” he said. “Deploying MFA is non-negotiable. It’s the front line in ensuring that users are who they claim to be.”
While MFA is a recommended control for preventing cyberattacks, it is not the only defensive measure capable of mitigating ransomware attacks. MFA in itself is far from “bullet-proof” because it can be bypassed in man-in-the-middle (MitM) attacks, Sygnia’s Aleem warned.