Change Healthcare / Optum Network Connectivity and Additional Recommendations

TLP WHITE – Feb 26, 2024, 06:32 AM

On Wednesday, February 21, Change Healthcare began experiencing a cyber security issue and isolated its systems to prevent further impact.   Health-ISAC is sharing this Threat Bulletin to provide additional information:

PDF version:

Text version:

Additional Information

As part of the risk evaluation, healthcare organizations should consider the impacts of severing connectivity to Optum, which includes but is not limited to loss of prior procedure authorizations, electronic prescribing, and other patient care functions. Ultimately, your organization should make its own determination on whether or not to block Optum specifically while considering all the risks and consequences of doing so.

2) Indicators of Compromise (IOCs) 

According to information published by cyber intelligence firm RedSense, Change Healthcare, along with other organizations, fell victim to exploitation of the recently announced ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709).   As the incident is still under investigation, it is not possible to confirm the attack details.

Regardless of what happened at Change Healthcare, RedSense anticipates more organizations will be compromised as the ScreenConnect exploit is apparently fairly trivial to execute.  We would expect to see additional victims in the coming days.  If your organization has ConnectWise ScreenConnect in your environment, please review the indicators and recommendations below.

Atomic IOCs, traffic to/from these could indicate compromise-

• 155.133.5[.]15
• 155.133.5[.]14
• 118.69.65[.]60
• 118.69.65[.]61
• 207.148.120[.]105
• 192.210.232[.]93
• 159.203.191[].1

Additional IOCs, these could indicate compromise as well

· – presence of User.xml in the Windows ScreenConnect path (this file generally equates to an owned server, recommend to isolate endpoint, inspect this file and look for RCE)

· – Examine this file on the server hosting connectwise/screen connect: C:\Program Files (x86)\ScreenConnect\App_Data\User.xml

Evaluate the “<name>” field along with the “<CreationDate>” field.  If a user was recently created, review their <roles> field.  If the role is ‘admin’ related, you probably have been compromised.

• – The attack chain bypasses 2-factor authentication via brute force before executing local commands.  The threat actors initially create an account called ‘cloudadmin’. The ‘cloudadmin’ account then creates a ‘test@2021’ user. The ‘test@2021’ user pings google.com.  Next, the threat actors attempt to establish a connection over HTTPS to transfer[.]sh, a web-based file-sharing service, most likely using the command line.

Additional Background

On February 19, 2024, ConnectWise alerted users of a remote code execution (RCE) flaw that can be leveraged to bypass authentication in ScreenConnect servers. The CVEs associated with these actively exploited vulnerabilities are CVE-2024-1708 (CVSS 8.4) and CVE-2024-1709 (CVSS 10.0). Still, ConnectWise has advised its customers to patch their ScreenConnect servers immediately against the critical vulnerability to prevent RCE attacks.

The critical vulnerability patched in the ConnectWise ScreenConnect remote desktop software has been observed being exploited in the wild. ScreenConnect is a popular remote desktop software with both on-premise and in-cloud deployments. The exploited flaw allows attackers to bypass authentication and gain remote code execution on systems.

These Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) have been pushed into the H-ISAC AMBER MEMBERS collection on the Health-ISAC Indicator Threat Sharing (HITS) automated systems for STIX and TAXII subscribers.