The Anatomy of a Healthcare Cyberattack: Two True Stories

Posted by: Michael Lavengood
May 17, 2023

It’s no secret that the healthcare industry is a prime target for attackers. According to research from Check Point, healthcare organizations worldwide were attacked nearly 1500 times a week in 2022 – a growth of 74% compared with 2021. In the US, this growth was a staggering 86%. In the UK, recent research shows that nearly 60 million patient records were breached last year alone.

Hospitals, nursing homes, insurance providers, and even small medical practices – all are being targeted by threat actors looking to get their hands on lucrative PII or medical data.

There is no shortage of blogs that discuss how to secure digital healthcare environments. Yet in this post, we’re going to take a deep (and anonymized) dive into the anatomy of two actual attacks on healthcare providers – both our customers. What’s the value? By understanding actual real-world attack paths, healthcare organizations can learn to better focus their cyber resources and reduce exposures.


True Story #1

  • The customer – A hospital with high cyber awareness, excellent cybersecurity hygiene, and a high level of commitment to best practices.
  • The attack path – Even though security was a genuinely high priority for this organization, its Active Directory was highly vulnerable. Active Directory (AD) is Windows’ default identity and access management service. Its role is to authenticate and authorize users and computers – assigning and enforcing security policies for all network endpoints. Clearly, AD is central to the functioning of networks and critical for productivity. Yet inside this customer’s Active Directory, all authenticated users in the domain (in effect, any user at all) had accidentally been granted the right to reset passwords.
  • The impact – Via phishing or other social engineering techniques, an attacker could easily take over a single Active Directory user. Once this was done, the attacker could then reset the password of any other AD user, organization-wide, and so take over any account in the domain.
  • The remediation – Once we brought this oversight to their attention, the hospital locked down the system, then immediately hardened their Active Directory security practices. They also put a remediation plan in place which covered analysis of critical assets at risk, their choke points, and the attack techniques that could be leveraged.
  • The takeaways – Because AD is such a common network fixture, even security teams tend to simply accept that it’s inherently secure…until they find out the hard way that it’s not. Check out our recent blog that offers some great tips for hardening AD security proactively.

True Story #2

  • The customer – A large healthcare provider.
  • The attack path – The built-in and predefined Authenticated Users group is a Windows group that includes all users whose identities were authenticated when they logged on. XM Cyber found an attack path in which the Authenticated Users group had permission to change a GPO’s gPCFileSysPath attribute, pointing it at a path containing malicious policies. One of the affected objects was the AD Users Container – the default location for new user accounts and groups created in the domain. This object had a child object (a user) that was a member of the Domain Admin group – which is used to assign administrative roles to users in the domain. By default, members of this group are also members of the Administrators group. This meant that any user in the domain could obtain Domain Admin permissions. All an attacker would need was for one non-privileged user to click on a phishing lure, and the entire domain would be compromised.
  • The impact – The impact could have been a complete compromise of their domain – downtime, loss of data, compromise of PII, and even a business continuity event.
  • The remediation – By removing permissions to modify the path, the healthcare provider was able to remediate the issue before any damage was done.
  • The takeaways – Attackers love AD’s various Admin security groups. Once they gain access to one of these groups, they can do whatever they want with AD. A simple step to mitigate this is to make membership in security groups temporary, or – for frequently used groups like Domain Admin – create a system of ad hoc, time-limited membership. Learn more in our blog about AD security.
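Both stories come down to one access control entry (ACE) that should not exist: an Allow ACE for the Authenticated Users principal granting the reset-password extended right on user objects (story #1), or write access to a GPO’s gPCFileSysPath attribute (story #2). The audit script below is an added example, not code from the original post or from XM Cyber’s product. It assumes the RSAT ActiveDirectory module (which also supplies the AD: PSDrive) and read access to the directory; the SID S-1-5-11 and the two schema GUIDs it matches on are fixed values in every Active Directory forest. The function and parameter names are my own.

```powershell
<#
  Added audit script for the two AD exposures described above (not from the
  original post). Finds Allow ACEs for Authenticated Users (well-known SID
  S-1-5-11) that grant either the User-Force-Change-Password extended right on
  user objects (story #1) or write access to gPCFileSysPath on Group Policy
  containers (story #2), and offers a -WhatIf-capable removal step.
#>
Import-Module ActiveDirectory

# Schema GUIDs fixed by the AD schema: the reset-password extended right and the gPCFileSysPath attribute.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$GpcFileSysPathAttr = [guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'
$AuthenticatedUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

function Test-AuthenticatedUsersAce {
    # $true when $Ace grants Authenticated Users the right named by $Kind on the object it sits on.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace,
        [Parameter(Mandatory)][ValidateSet('ResetPassword', 'GpoPath')][string]$Kind
    )
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    # Inherit-only ACEs apply to children, not to this object itself.
    if (($Ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { return $false }
    # Compare by SID so a localized or renamed display name cannot hide the grant.
    try { $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return $false }
    if ($sid -ne $AuthenticatedUsers) { return $false }

    $rights = $Ace.ActiveDirectoryRights
    $allObj = ($Ace.ObjectType -eq [guid]::Empty)   # empty GUID = every extended right / every property
    if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0) { return $true }
    switch ($Kind) {
        'ResetPassword' {
            return (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
                   ($allObj -or $Ace.ObjectType -eq $ResetPasswordRight)
        }
        'GpoPath' {
            if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite) -ne 0) { return $true }
            return (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
                   ($allObj -or $Ace.ObjectType -eq $GpcFileSysPathAttr)
        }
    }
}

function Find-AuthenticatedUsersExposures {
    # Scans user objects under $UserSearchBase (story #1) and every GPO container (story #2).
    param([string]$UserSearchBase = (Get-ADDomain).DistinguishedName)
    $domainDN = (Get-ADDomain).DistinguishedName
    $users = Get-ADUser -Filter * -SearchBase $UserSearchBase -Properties nTSecurityDescriptor
    $gpos  = Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDN" `
                 -LDAPFilter '(objectClass=groupPolicyContainer)' `
                 -Properties nTSecurityDescriptor, displayName
    $work = @(
        foreach ($u in $users) { [pscustomobject]@{ Obj = $u; Kind = 'ResetPassword'; Label = $u.SamAccountName } }
        foreach ($g in $gpos)  { [pscustomobject]@{ Obj = $g; Kind = 'GpoPath';       Label = $g.displayName } }
    )
    foreach ($item in $work) {
        foreach ($ace in $item.Obj.nTSecurityDescriptor.Access) {
            if (Test-AuthenticatedUsersAce -Ace $ace -Kind $item.Kind) {
                [pscustomobject]@{
                    Kind              = $item.Kind
                    Object            = $item.Label
                    DistinguishedName = $item.Obj.DistinguishedName
                    Rights            = $ace.ActiveDirectoryRights
                    IsInherited       = $ace.IsInherited   # inherited grants must be fixed on the parent
                    Ace               = $ace
                }
            }
        }
    }
}

function Remove-ExposureAce {
    # Removes one reported ACE (story #2's remediation). Honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)]$Finding)
    process {
        if ($Finding.IsInherited) {
            Write-Warning "$($Finding.DistinguishedName): ACE is inherited; remove it on the object that defines it."
            return
        }
        $path = "AD:\$($Finding.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        if ($PSCmdlet.ShouldProcess($Finding.DistinguishedName, "Remove '$($Finding.Rights)' for Authenticated Users")) {
            $null = $acl.RemoveAccessRuleSpecific($Finding.Ace)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage: report first, then rehearse the fix with -WhatIf before applying it.
$findings = Find-AuthenticatedUsersExposures
$findings | Format-Table Kind, Object, Rights, IsInherited -AutoSize
# $findings | Remove-ExposureAce -WhatIf
```

The matching is done on the trustee’s SID and on the schema GUIDs rather than on names, because a delegation wizard or a renamed group can make the same grant look harmless in the GUI. An ACE that is inherited onto a user or GPO cannot be removed there; the `IsInherited` column tells the operator to follow it up to the OU, container, or domain head where it was defined, which is also where an accidental domain-wide reset-password grant, as in story #1, would typically live.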

The Bottom Line

The stakes are high in healthcare. It’s not just about adhering to regulatory compliance and ensuring business continuity – it can be a matter of life or death. By understanding and addressing potential attack paths, healthcare organizations can drastically lower their risk. With XM Cyber’s exposure management solution, the healthcare customers above were able to gain a context-based understanding of their environment – giving them visibility into how issues could combine to facilitate an attack. By understanding this, they were able to prioritize what really needed fixing and harden their environments to prevent these weaknesses from being leveraged by threat actors.


Michael Lavengood

Sales Engineering - Americas
