Medibank breach: Security failures revealed (lack of MFA among them)
The 2022 Medibank data breach / extortion attack perpetrated by the REvil ransomware group started by the attackers leveraging login credentials stolen from a private computer of an employee of a Medibank’s IT contractor.
According to a statement by the Australian Information Commissioner (AIC) filed with the Federal Court of Australia, the credentials were stolen by way of infostealer malware, after that employee “saved his Medibank username and password for a number of Medibank accounts to his personal internet browser profile on the work computer he used to provide IT services to Medibank”, and then signed into his internet browser profile on his personal computer.
The result? The credentials were synced across to his personal computer, allowing the infostealer to grab them.
No MFA and ignored alerts
The attackers used the compromised credentials for a standard access and an admin Medibank account to log onto Medibank’s Microsoft Exchange server and authenticate and log onto Medibank’s (Palo Alto Networks) “Global Protect” VPN solution (since multi-factor authentication protection wasn’t enabled).
“On or around 24 and 25 August 2022”, the company’s EDR software picked up on suspect activity and sent alerts, but the alerts “were not appropriately triaged or escalated by either Medibank or its service provider.”
By leveraging those and other credentials unearthed while probing various Medibank’s IT systems, the attackers later accessed the database containing Medibank customers’ personal and health information and exfiltrated 520 gigabytes of data from it.
It was only on 11 October 2022, when Medibank’s Security Operations team triaged an alert warning that some files have been modified so that the ProxyNotShell vulnerability could be exploited, that the company noticed something was amiss. And it took them five more days to discover that data was exfiltrated.
The attackers tried to extort Medibank by threatening to make the sensitive data public. When that did not work, all of it – 9.7 million records – was published on the dark web.
The data was not protected as it should have been
In the wake of the breach, the Office of the Australian Information Commissioner (OAIC) started an investigation to see whether Medibank – one of the largest private health insurance providers in the country – took “reasonable steps” to protect their customers’ data. According to the AIC statement, they did not.
The specifics have been redacted, but the AIC said that Medibank “failed adequately to manage cybersecurity and/or information security risk congruent with the nature and volume of personal information it held (…), its size, and the risk profile of organisations operating within its sector.”
An appendix of the filing pointed out a number of measures Medibank should have adopted, including implementing multi-factor authentication for remote access users to the Global Protect VPN and to critical information assets (i.e., the customer database) once inside its network perimeter.
An another appendix points out that the risks associated with lack of MFA was known to the company due to having been surfaced by several security audits, but the company failed to implement the security measure before getting breached.