The Hack That Broke American Healthcare
Q1 2024 was brutal: Change Healthcare's ransomware attack paralyzed US healthcare, a near-miss supply chain backdoor targeted Linux, and Operation Cronos dismantled LockBit.
From The Bit Baker Quarterly Roundup — Q1 2024
PLUS: A supply chain backdoor that nearly compromised Linux, and the LockBit ransomware takedown
Good morning, Dave. If anyone still thought ransomware was a manageable nuisance, Q1 2024 ended that delusion. In February, a single attack on Change Healthcare — a company most people had never heard of — paralyzed prescription processing, insurance claims, and payment systems across the entire US healthcare system. Hospitals couldn't get paid. Pharmacies couldn't fill prescriptions. And the $22 million ransom payment didn't even fix it.
That was just one quarter. A sophisticated supply chain backdoor embedded in XZ Utils came within inches of compromising SSH authentication on every major Linux distribution. Russia's Midnight Blizzard group was found inside Microsoft's own corporate email. And in one of the few bright spots, an international law enforcement coalition dismantled LockBit's infrastructure. Q1 set a tone for 2024 that never really let up.
In this quarter's security Bit Baker:
- Change Healthcare ransomware attack cripples the US health system
- XZ Utils backdoor nearly compromises Linux at the foundation
- Operation Cronos takes down LockBit's ransomware empire
- Midnight Blizzard breaches Microsoft executive emails
Change Healthcare Attack Exposes a Single Point of Failure
The Bit Baker: ALPHV/BlackCat ransomware operators breached Change Healthcare on February 21, triggering the most disruptive cyberattack in US healthcare history — affecting over 100 million patient records and shutting down payment infrastructure that processes nearly half of all American medical claims.
Unpacked:
- Attackers got in through a Citrix remote access portal that lacked multi-factor authentication. They spent nine days inside the network — moving laterally, exfiltrating up to 6 terabytes of data including Social Security numbers, medical records, and military personnel files — before deploying ransomware on February 21.
- UnitedHealth Group paid a $22 million Bitcoin ransom, but BlackCat pulled an exit scam: they took the payment, stiffed their own affiliate, and never deleted the stolen data. The affiliate later resurfaced on RansomHub, leaking samples and demanding a second payment.
- The downstream impact was staggering. Hospitals lost the ability to verify insurance coverage. Pharmacies couldn't process prescriptions. Small medical practices faced cash flow crises that pushed some toward insolvency. Congressional hearings followed.
Bottom line: Change Healthcare processed roughly 15 billion healthcare transactions a year — and nobody outside the industry knew how much depended on it until it went dark. The attack didn't exploit some exotic zero-day. It walked through an unlocked door. That's the part that should concern every CISO reading this.
XZ Utils Backdoor: The Supply Chain Attack That Almost Worked
The Bit Baker: On March 29, a Microsoft engineer named Andres Freund discovered a backdoor in XZ Utils versions 5.6.0 and 5.6.1 — a critical Linux compression library — that would have enabled attackers to bypass SSH authentication on virtually every major Linux distribution. It received a perfect CVSS 10.0 score.
Unpacked:
- The backdoor was planted by a contributor using the handle "JiaT75" who had spent two years building trust in the XZ project, gradually gaining commit access before injecting obfuscated malicious code into upstream tarballs starting with version 5.6.0 in February 2024.
- The payload was surgical: during the build process, a hidden object file hooks into OpenSSL's RSA decryption, letting anyone with the right Ed448 private key bypass SSH authentication or execute arbitrary commands — all before the user even logs in.
- Freund caught it by accident while investigating a 500-millisecond latency anomaly in SSH connections. If the backdoored versions had reached stable distribution releases — Fedora Rawhide and Debian testing were already affected — the blast radius would have been catastrophic.
Bottom line: The XZ attack is a case study in patience and sophistication. Two years of social engineering a single maintainer, targeting a low-profile dependency that sits beneath SSH on millions of servers. The security community got lucky that one engineer noticed something felt slow. That's not a defense strategy.
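A defender's check for the affected releases named above, added here as an example (not tooling from the XZ project, the distributions, or the newsletter). It flags the 5.6.0 and 5.6.1 versions and whether the local sshd binary loads liblzma (directly, or transitively via libsystemd, which is how the backdoor reached OpenSSH); the sample `xz --version` and `ldd` outputs are constructed so the logic runs offline.

```python
"""Check a host for the backdoored XZ Utils releases and sshd exposure.
Added example, not from the newsletter; the only page-sourced values are
the version numbers 5.6.0 and 5.6.1."""
import os
import re
import shutil
import subprocess
from typing import Optional

BACKDOORED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample outputs (not captured from a real host).
SAMPLE_XZ_BAD = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD_EXPOSED = (
    "\tlinux-vdso.so.1 (0x00007ffd00000000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)\n"
)


def parse_xz_version(xz_version_output: str) -> Optional[str]:
    """Pull the version out of the first line of `xz --version`."""
    m = re.search(r"xz \(XZ Utils\) (\d+\.\d+\.\d+)", xz_version_output)
    return m.group(1) if m else None


def xz_is_backdoored(version: Optional[str]) -> bool:
    return version in BACKDOORED_XZ_VERSIONS


def sshd_links_liblzma(ldd_output: str) -> bool:
    """ldd lists transitive dependencies, so this catches the libsystemd path too."""
    return any("liblzma" in line for line in ldd_output.splitlines())


def assess(xz_version_output: str, ldd_output: str) -> str:
    version = parse_xz_version(xz_version_output)
    bad, exposed = xz_is_backdoored(version), sshd_links_liblzma(ldd_output)
    if bad and exposed:
        return f"CRITICAL: xz {version} installed and sshd loads liblzma"
    if bad:
        return f"WARNING: xz {version} installed (sshd does not load liblzma)"
    return f"OK: xz {version or 'unknown'} is not a backdoored release"


def live_check() -> str:
    """Run the same assessment against this host (best effort, read-only)."""
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    xz_out = run(["xz", "--version"]) if shutil.which("xz") else ""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    ldd_out = run(["ldd", sshd]) if shutil.which("ldd") and os.path.exists(sshd) else ""
    return assess(xz_out, ldd_out)


if __name__ == "__main__":
    print(live_check())
```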
Operation Cronos Dismantles LockBit's Infrastructure
The Bit Baker: On February 19, a coalition of law enforcement agencies from 10 countries — led by the UK's NCA and the FBI — seized LockBit's infrastructure in Operation Cronos, taking down the world's most prolific ransomware group and recovering over 1,000 decryption keys.
Unpacked:
- Authorities seized 28+ servers, the Stealbit data exfiltration tool, source code, and cryptocurrency accounts. They arrested two affiliates in Poland and Ukraine and unsealed indictments against Russian nationals Artur Sungatov and Ivan Kondratyev.
- In a move straight out of a spy movie, law enforcement replaced LockBit's leak site with their own content — including a countdown timer that led to the release of intelligence about the group's operations, deliberately mimicking LockBit's own extortion tactics.
- LockBit had new infrastructure up by February 24 and posted a defiant rebuttal, but the damage was done. Post-operation tracking showed a significant drop in victims, with only 95 listed on the new leak sites — a fraction of the group's usual pace.
Bottom line: Operation Cronos proved that international coordination against ransomware gangs can work. But LockBit's partial recovery also proved that infrastructure takedowns alone don't kill these operations permanently. The people behind the keyboards are still free, and the code still exists.
Russia's Midnight Blizzard Found Inside Microsoft
The Bit Baker: In January, Microsoft disclosed that Midnight Blizzard — the Russian intelligence group behind the 2020 SolarWinds compromise — had breached Microsoft's own corporate email systems, accessing accounts belonging to senior leadership, cybersecurity staff, and legal teams.
Unpacked:
- The initial entry vector was embarrassingly low-tech: password spraying against a legacy non-production test account that lacked MFA. From there, attackers escalated through OAuth applications to grant themselves full mailbox access across Exchange Online.
- The attackers were specifically searching for information about themselves — looking for what Microsoft knew about Midnight Blizzard's operations, a classic counterintelligence move that suggests state-directed objectives rather than financial motives.
- Microsoft detected the breach on January 12, disrupted the access, and began notifying affected employees. But by March, the company disclosed that Midnight Blizzard had used stolen email contents to attempt access to source code repositories.
Bottom line: When the security vendor gets compromised by a nation-state using password spraying and a missing MFA policy, it's a wake-up call for everyone. If Microsoft can have gaps in its legacy infrastructure, any organization can. The lesson isn't about blame — it's about the relentless pace of identity-based attacks.
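Detection logic for the entry vector described above, added here as an example (not Microsoft's code or guidance). A spray looks different from a brute force in sign-in telemetry: one source fails against many distinct accounts with only one or two tries each, and the finding that matters most is a later success from that same source. The sign-in records and their four-field format are constructed for the example.

```python
"""Flag password spraying in sign-in records, then note any account that the
spraying source subsequently logged into. Added example; the CSV-style record
format (timestamp,user,source_ip,result) is an assumption, not a real product's."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: one source sprays five accounts, then lands a legacy
# test account; a second source hammers a single account (brute force, not spray).
SAMPLE_LOG = """\
2024-01-10T02:00:01Z,legacy-test-01,203.0.113.7,FAIL
2024-01-10T02:00:09Z,jdoe,203.0.113.7,FAIL
2024-01-10T02:00:17Z,asmith,203.0.113.7,FAIL
2024-01-10T02:00:25Z,svc-backup,203.0.113.7,FAIL
2024-01-10T02:00:33Z,mlee,203.0.113.7,FAIL
2024-01-10T02:05:40Z,legacy-test-01,203.0.113.7,SUCCESS
2024-01-10T02:01:00Z,jdoe,198.51.100.9,FAIL
2024-01-10T02:01:05Z,jdoe,198.51.100.9,FAIL
2024-01-10T02:01:10Z,jdoe,198.51.100.9,FAIL
"""


def parse_events(log_text: str):
    for line in log_text.splitlines():
        if line.strip():
            ts, user, ip, result = line.strip().split(",")
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_password_spray(log_text: str, window: timedelta = timedelta(minutes=10),
                          min_accounts: int = 5, max_tries: int = 2) -> Dict[str, dict]:
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for any source
    whose failures inside `window` cover >= min_accounts distinct accounts with no
    account tried more than max_tries times; `successes` lists accounts that
    later authenticated from the same source (the spray probably worked)."""
    fails: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    succ: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, ip, result in sorted(parse_events(log_text)):
        (succ if result == "SUCCESS" else fails)[ip].append((ts, user))
    alerts = {}
    for ip, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):           # sliding time window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            tries = Counter(u for _, u in attempts[start:end + 1])
            if len(tries) >= min_accounts and max(tries.values()) <= max_tries:
                first = attempts[start][0]
                alerts[ip] = {"accounts": sorted(tries),
                              "successes": sorted(u for t, u in succ[ip] if t >= first)}
                break
    return alerts


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_LOG).items():
        print(ip, finding)
```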
The Shortlist
Ivanti faced widespread exploitation of two zero-day vulnerabilities in Connect Secure VPN (CVE-2023-46805 and CVE-2024-21887), with attackers chaining authentication bypass and command injection for unauthenticated remote code execution on thousands of devices.
AnyDesk confirmed a breach of its production systems in February, forcing a mandatory password reset for all customers and certificate revocation — raising questions about remote desktop tools as high-value targets.
ConnectWise patched critical vulnerabilities in ScreenConnect that allowed authentication bypass and remote code execution, with active exploitation detected within hours of disclosure.
CISA itself was breached through the same Ivanti vulnerabilities it had warned others about — an ironic reminder that no organization is immune when a zero-day is under mass exploitation.