
The Anatomy of a Healthcare Cyberattack: Two True Stories

Posted by: Michael Lavengood
May 17, 2023

It’s no secret that the healthcare industry is a prime target for attackers. According to research from Check Point, healthcare organizations worldwide were attacked nearly 1,500 times a week in 2022, a 74% increase over 2021. In the US, the increase was a staggering 86%. In the UK, recent research shows that nearly 60 million patient records were breached last year alone.

Hospitals, nursing homes, insurance providers, and even small medical practices – all are being targeted by threat actors looking to get their hands on lucrative PII or medical data.

There is no shortage of blogs that discuss how to secure digital healthcare environments. In this post, we take a deep (and anonymized) dive into the anatomy of two actual attacks on healthcare providers, both of them our customers. What’s the value? By understanding real-world attack paths, healthcare organizations can focus their security resources where they matter and reduce their exposures.

True Story #1

True Story #2

  • The customer – A large healthcare provider.
  • The attack path – Authenticated Users is a built-in Windows special identity that includes every account that has logged on with valid credentials, so in practice it covers every user in the domain. XM Cyber found an attack path in which permissions held by Authenticated Users allowed a GPO’s gPCFileSysPath attribute to be modified. That attribute is the path from which domain members fetch the policy files, so rewriting it lets an attacker point the GPO at a location containing malicious policies. One of the objects the GPO applied to was the AD Users container, the default location for new user accounts and groups created in the domain. That container held a user who was a member of the Domain Admins group, which is used to assign administrative roles in the domain; by default, its members are also members of the Administrators group. The net effect was that any authenticated user in the domain could obtain Domain Admin privileges. All an attacker would need is one non-privileged user clicking a phishing link to compromise the entire domain.
  • The impact – A successful exploitation would have meant a complete compromise of the domain: downtime, data loss, exposure of PII, and potentially a business continuity event.
  • The remediation – By removing the permissions that allowed the GPO’s gPCFileSysPath to be modified, the healthcare provider closed the attack path before any damage was done.
  • The takeaways – Attackers love AD’s administrative security groups; once they get into one, they effectively own the directory. A simple mitigation is to keep standing membership in these groups as small as possible and make it temporary, and for frequently used groups such as Domain Admins, grant membership just in time for a specific task rather than permanently. Learn more in our blog about AD security.
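The check that would have surfaced this attack path, as an added example that is not code from the original post or from XM Cyber: it audits every Group Policy Container object in the domain for write-class rights granted to broad principals (Authenticated Users, Everyone, Domain Users, Domain Computers), which is enough to rewrite gPCFileSysPath, and separately flags any GPO whose gPCFileSysPath already points outside SYSVOL. It assumes the RSAT ActiveDirectory module and read access to the domain; flipping the assumed `$Remediate` variable to `$true` applies the fix described above by removing the offending ACEs.

```powershell
# Added example (not from the original post or XM Cyber): audit GPO objects for
# the two conditions behind the attack path, optionally removing the bad ACEs.
# Assumes the RSAT ActiveDirectory module; $Remediate is an assumed switch.
Import-Module ActiveDirectory

$Remediate = $false

$domain     = Get-ADDomain
$sysvolRoot = "\\$($domain.DNSRoot)\SysVol\$($domain.DNSRoot)\Policies\"

# Principals that effectively mean "anyone in the domain". Domain groups are
# rendered NetBIOS-prefixed by the AD: provider in ACLs.
$broadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    "$($domain.NetBIOSName)\Domain Users",
    "$($domain.NetBIOSName)\Domain Computers"
)

# Any of these rights on the GPC object lets the holder rewrite gPCFileSysPath,
# directly or by first rewriting the DACL / taking ownership. Read rights and
# the "Apply Group Policy" extended right are deliberately not in this mask.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll'

$gpcs = Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
    -Properties displayName, gPCFileSysPath

foreach ($gpc in $gpcs) {
    $name = "$($gpc.displayName) [$($gpc.Name)]"

    # Finding 2: policy files are fetched from somewhere other than SYSVOL.
    $path = [string]$gpc.gPCFileSysPath
    if ($path -and -not $path.StartsWith($sysvolRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        [pscustomobject]@{ GPO = $name; Finding = 'gPCFileSysPath outside SYSVOL'; Detail = $path; Inherited = $false }
    }

    # Finding 1: a broad principal holds a write-class right on the GPC object.
    $aclPath = "AD:\$($gpc.DistinguishedName)"
    $acl     = Get-Acl -Path $aclPath
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }

        [pscustomobject]@{
            GPO       = $name
            Finding   = 'Broad principal can write GPO object'
            Detail    = "$($ace.IdentityReference) : $($ace.ActiveDirectoryRights)"
            Inherited = $ace.IsInherited
        }

        # Inherited ACEs cannot be removed here; they must be fixed on the parent
        # (CN=Policies,CN=System,...) or by blocking inheritance on the GPC.
        if ($Remediate -and -not $ace.IsInherited) {
            [void]$acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -Path $aclPath -AclObject $acl }
}
```

Two caveats when reading the output: a `WriteProperty` ACE whose `ObjectType` GUID scopes it to a single attribute other than `gPCFileSysPath` is still reported, so check `$ace.ObjectType` before acting on it; and because the same rights can be delegated on the policy folder in SYSVOL, the file-system ACLs under `$sysvolRoot` deserve the same review.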
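One way to implement the temporary-membership takeaway, as an added example rather than anything from the original post: Active Directory’s Privileged Access Management optional feature (Windows Server 2016 forest functional level or later) lets a group membership carry a time to live, after which the domain controller removes it on its own. The script assumes the RSAT ActiveDirectory module, Domain Admin rights to run, and uses `jdoe` as a placeholder account.

```powershell
# Added example (not from the original post): just-in-time Domain Admins
# membership with an expiring link. 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

$forestRoot = (Get-ADForest).RootDomain

# Enabling the feature is a one-time, irreversible forest change; check first.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forestRoot -Confirm:$false
}

# Grant membership that AD itself revokes after two hours. The user's Kerberos
# ticket lifetime is capped to the remaining TTL, so the privilege does not
# linger in an already-issued ticket after the membership expires.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)

# Review: time-bound members appear as <TTL=seconds,DN>; any entry without a
# TTL is standing (permanent) membership and is what the takeaway says to cut.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member
```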

The Bottom Line

The stakes are high in healthcare. It’s not just about regulatory compliance and business continuity; it can be a matter of life or death. By understanding and addressing potential attack paths, healthcare organizations can drastically lower their risk. With XM Cyber’s exposure management solution, the healthcare customers above gained a context-based understanding of their environment, with visibility into how individual issues could combine to enable an attack. That understanding let them prioritize what really needed fixing and harden their environments so these weaknesses could not be leveraged by threat actors.

Michael Lavengood

Sales Engineering - Americas
