The Change Healthcare / ConnectWise breach (CVE-2024-1709/CVE-2024-1708) continues to make the news, and the impacts continue to pile up. More than ever, breaches like Change Healthcare underline the value of proactive, preventative cybersecurity solutions like SecLytics Augur predictive threat intelligence.

Augur predicted three important IPs connected to ConnectWise ScreenConnect exploitation, and threat research shows that two of them (1115[.]133[.]514 and 115[.]133[.]515) are still being reported as actively in use. The IPs were part of CIDRs predicted to be malicious an average of 240 days ago. Blocking these predictions meant that Augur subscribers benefited from significant advance protection against this serious emerging threat.

Let’s take a look at the latest developments at Change Healthcare to better understand the ongoing impact data breaches and ransomware can have on an organization.

What Happened at Change Healthcare 

Change Healthcare, a key player in the healthcare industry, is grappling with a severe ransomware crisis that has significantly disrupted its operations and those of numerous U.S. medical practices and pharmacies. Initially, a ransomware group named AlphV compromised Change Healthcare’s network (exploiting the ConnectWise vulnerability), received a $22 million ransom, and threatened to leak sensitive health data. According to an article on WIRED magazine’s website, despite this payment, another group called RansomHub now claims to possess four terabytes of the company's data, demanding its own ransom while threatening to sell the data to the highest bidder if unpaid.

The credibility of RansomHub's claims was reinforced when they provided WIRED with screenshots of the stolen data, including patient records and contracts. The ongoing situation highlights the peril of trusting ransomware groups, as even after paying a ransom, the data might still be used for further extortion. This scenario underscores the larger issues within the ransomware criminal ecosystem, including disputes among different groups over payment shares and data control, further complicating the efforts to secure breached data.

What Is ConnectWise ScreenConnect?

A research post from Palo Alto Unit 42 on February 24 explains that the ConnectWise ScreenConnect exploit involves two critical vulnerabilities identified as CVE-2024-1708 and CVE-2024-1709. CVE-2024-1708 is a path-traversal vulnerability that allows an attacker to execute remote code or directly impact confidential data or critical systems, with a severity score of 8.4 (High). CVE-2024-1709 is an authentication bypass vulnerability that allows an attacker direct access to confidential information or critical systems, with a severity score of 10.0 (Critical).

The Ongoing Perils of Ransomware

Experts emphasize that ransomware victims should not expect cybercriminals to honor agreements to delete stolen data, pointing out the increasing unpredictability of outcomes in such attacks. Meanwhile, the ongoing disruptions are causing significant financial and operational strain on healthcare providers, with some facing potential bankruptcy. The American Medical Association reports widespread impacts, including lost revenue and delayed medical procedures. As the situation unfolds, it serves as a stark reminder of the persistent threats posed by cybercriminals in the digital age.

Mitigation and Response

To mitigate the risks, ConnectWise has released patches for affected versions of ScreenConnect (versions 23.9.7 and prior). Organizations using ConnectWise-hosted ScreenConnect instances need take no further action, as these instances have already been updated to remediate the issue. However, organizations running on-premise instances should immediately upgrade their ScreenConnect instances to version 23.9.8 or later to address these vulnerabilities. To read more about mitigation, you can check out this post on the Lodestone blog.
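The upgrade rule above (on-premise instances at 23.9.7 or earlier must move to 23.9.8 or later; vendor-hosted instances are already patched) is easy to get wrong in an inventory script if versions are compared as strings, since "23.9.10" sorts before "23.9.8" lexicographically. The following is an added example, not code from the post or from ConnectWise; the hostnames, version strings and the `Instance` record are constructed for illustration.

```python
"""Flag on-premise ScreenConnect instances still below the CVE-2024-1708/1709 fix."""
from typing import List, NamedTuple, Tuple

PATCHED = (23, 9, 8)  # first fixed version named in the post


class Instance(NamedTuple):
    host: str
    version: str
    hosted: bool  # True = ConnectWise-hosted (vendor patched), False = on-premise


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '23.9.10.8817' into (23, 9, 10, 8817) so comparison is numeric.

    As strings, '23.9.10' < '23.9.8'; as tuples, (23, 9, 10) > (23, 9, 8),
    which is the comparison that actually matters for the patch check.
    """
    parts = []
    for p in v.strip().split("."):
        if not p.isdigit():
            raise ValueError(f"non-numeric version component in {v!r}")
        parts.append(int(p))
    return tuple(parts)


def needs_upgrade(inst: Instance) -> bool:
    """True when the instance is on-premise and older than 23.9.8."""
    if inst.hosted:
        return False  # ConnectWise-hosted instances were updated by the vendor
    return parse_version(inst.version) < PATCHED


# Constructed sample inventory (hypothetical hosts and build numbers).
INVENTORY = [
    Instance("sc-branch1.example.internal", "23.9.7.8804", hosted=False),
    Instance("sc-branch2.example.internal", "23.9.10.8817", hosted=False),
    Instance("sc-hq.example.internal", "22.8.2.7456", hosted=False),
    Instance("hosted.screenconnect.example", "23.9.7.8804", hosted=True),
]


def report(inventory: List[Instance]) -> List[str]:
    """Return the hosts that still need the ScreenConnect upgrade."""
    return [i.host for i in inventory if needs_upgrade(i)]


if __name__ == "__main__":
    for host in report(INVENTORY):
        print(f"UPGRADE REQUIRED: {host}")
```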

Continuing Impact

Change Healthcare may be the highest-profile victim of the ConnectWise vulnerability, but it’s far from being the only organization affected by it. Despite the mitigation measures provided by ConnectWise, threat intel researchers predict new compromises will continue to emerge, and healthcare organizations that fail to update their software or that were previously compromised will continue to fall victim to this exploit. So if your organization uses ConnectWise, make sure you apply the patches and block the IPs listed at the beginning of this post.

Get Zero-day Protection Today!

Recently, Augur predicted major elements of the MOVEit, SolarWinds, Log4Shell, Colonial Pipeline and ProxyNotShell hacks months ahead of first reports. You can learn more about how Augur predicts the future here and how it solves real-world security problems here. If you want to talk to someone about how Augur’s predictive intelligence can improve your overall security posture, email us at augur@seclytics.com.

Stay in The Loop

To stay up to date on all the latest SecLytics news and events, check out our blog or, even better, follow us on LinkedIn!
