13 comments

[ 3.0 ms ] story [ 24.6 ms ] thread
The title is not correct. They used credentials to get access to the vpn. How they moved laterally is obviously the interesting part anyway. Change the title, it gives cover to the lumbering behemoth that fault might lie anywhere besides UnitedHealths corrupt IT.
You are correct. I made a mistake with the title, it should say that access was acquired through a Citrix account without MFA as opposed to a direct Citrix bug. My bad. I will email mods to change it.

This Reuters[0] article is much more specific about saying it was a Citrix vulnerability, but since Citrix has not issued an official statement, it's better to have it changed to the default title.

[0]: https://www.reuters.com/technology/cybersecurity/unitedhealt...

Fixed now. Thanks!

(Submitted title was "UnitedHealth hackers exploited Citrix bug, CEO says")

How they moved laterally was likely trivial. Every place that I seen with a VPN tends to trust everything within the VPN.
Check the network share for a folder called "Passwords"
Mandate MFA/passkeys/crypto primitives using regulatory mechanisms.
* And no lame half-measures involving code-by-SMS or code-by-email.
(comment deleted)
I have relatives with a small business whose Verizon phones were allegedly taken over and then used code by SMS to get into a bunch of other things.

And then Verizon allegedly allowed it to happen again a few days later after they had thought the original phones/sims shut down

Screw Change Healthcare. I had the misfortune of dealing with them once as a vendor years ago. Horrible DevSecOps culture due to penny pinching.
(comment deleted)
(comment deleted)