A scathing report by Australia's Information Commissioner details how misconfigurations and missed alerts allowed a hacker to breach Medibank and steal data from over 9 million people.
In October 2022, Australian health insurance provider Medibank disclosed that it had suffered a cyberattack that disrupted the company's operations.
A week later, the company confirmed that the threat actors had stolen all of its customers' personal data and a large amount of health claims data, a data breach that impacted 9.7 million people.
The data from the attack was later leaked by a ransomware gang known as BlogXX, which was believed to be an offshoot of the shut-down REvil ransomware gang.
The attack was ultimately linked to a Russian national named Aleksandr Gennadievich Ermakov, who was sanctioned by Australia, the UK, and the USA.
OAIC's findings
In a new report released by the Office of the Australian Information Commissioner (OAIC), the agency's investigation determined that significant operational failures allowed the hacker to breach Medibank's network.
"The Commissioner alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988," reads an OAIC press statement.
According to the report, it all started with a Medibank contractor (IT Service Desk Operator) using his personal browser profile on his work computer and saving his Medibank credentials in the browser.
These credentials were then synced to his home computer, which became infected with information-stealing malware, allowing the threat actors to steal all the saved passwords in his browser on August 7, 2022. These credentials provided access to both a standard and an elevated access (admin) account at Medibank.
"During the Relevant Period, the Admin Account had access to most (if not all) of Medibank's systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases)," reads the OAIC report.
It is unclear if the attacker behind the Medibank breach purchased the stolen credentials from an online dark web cybercrime marketplace or conducted the information-stealing malware campaign.
However, the threat actor began using these credentials on August 12 to first breach the company's Microsoft Exchange server and then later to log into Medibank's Palo Alto Networks Global Protect Virtual Private Network (VPN) implementation, providing internal access to the corporate network.
The report states that Medibank failed to protect users' data as it had not enforced multi-factor authentication on VPN credentials and allowed anyone with access to the credentials to log into the device.
"The threat actor was able to authenticate and log onto Medibank's Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank's Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA). Rather, Medibank's Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required," continued the report.
Using this access to the internal network, the threat actor began spreading through the systems, stealing 520 GB of data from the company's MARS Database and MPLFiler systems between August 25 and October 13, 2022.
This data included customers' names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health-related information, and claims data (such as patient names, provider names, primary/secondary diagnosis and procedure codes, and treatment dates).
To make matters worse, the report alleges that the company's EDR software raised alerts about suspicious behavior on August 24 and 25, which were not properly triaged.
It wasn't until mid-October, when Medibank brought in a threat intelligence firm to investigate a Microsoft Exchange ProxyNotShell incident, that the company discovered data had previously been stolen in the cyberattack.
Protecting credentials with MFA
The billions of credentials stolen by information-stealing malware and data breaches create a massive attack surface that is hard to defend without additional defenses, such as multi-factor authentication.
All organizations must operate under the assumption that their corporate credentials have been exposed in some manner, and thus, using MFA adds an additional defense that makes it far more difficult for threat actors to breach a network.
This is especially true for VPN gateways, which are designed to be publicly exposed on the internet to allow remote employees to log in to the corporate networks.
However, this also provides an attack surface commonly targeted by ransomware gangs and other threat actors to breach networks and thus must be protected with additional defenses, such as MFA.
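As an added illustration, not from the OAIC report or Medibank's environment, the following audit runs over a constructed set of VPN gateway authentication events (the line format and account names are assumptions, not GlobalProtect's real log format) and flags successful logins that the gateway accepted on a single proof of identity, which is the configuration gap the report describes:

```python
import re

# Constructed sample of VPN gateway authentication events (not GlobalProtect's
# real log format); fields: timestamp user result factors src_ip
SAMPLE_EVENTS = """\
2022-08-12T03:14:07Z svc_desk_admin SUCCESS password 203.0.113.45
2022-08-12T03:20:51Z svc_desk_admin SUCCESS password 203.0.113.45
2022-08-12T09:02:11Z jsmith SUCCESS password,otp 198.51.100.7
2022-08-13T11:40:00Z laptop-0412$ SUCCESS cert 192.0.2.88
2022-08-13T11:41:30Z mjones FAILURE password 203.0.113.45
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<result>SUCCESS|FAILURE) "
    r"(?P<factors>\S+) (?P<src>\S+)$"
)

# Substrings marking privileged accounts (assumed naming convention).
PRIVILEGED_MARKERS = ("admin",)


def parse_events(text):
    """Parse constructed event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["factors"] = frozenset(ev["factors"].split(","))
            events.append(ev)
    return events


def single_factor_logins(events):
    """Return successful logins accepted with fewer than two distinct proofs.

    A device certificate alone or a password alone is one proof, which is the
    gap the report describes (certificate OR username/password, never both).
    """
    findings = []
    for ev in events:
        if ev["result"] == "SUCCESS" and len(ev["factors"]) < 2:
            findings.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "factor": min(ev["factors"]),
                "src": ev["src"],
                "privileged": any(k in ev["user"].lower() for k in PRIVILEGED_MARKERS),
            })
    return findings
```

Repeated single-factor successes for a privileged account from one external address, as in the sample, are the pattern worth an immediate triage rather than a queued alert.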