Healthcare companies carry a lot of sensitive data: patient history information, contact details, Medicare numbers, even financial records. Because of this, they need to ensure their data is fully protected by advanced cyber security solutions.
The recent Medibank data breach leaked the private information of millions of patients – and by simply gaining the user credentials of one Medibank employee. It’s that simple. The legal and financial ramifications since then have been dire for Medibank, with investigations still ongoing.
However, an advanced cyber security platform, Microsoft Sentinel, recently released an update that could have halted the exact method Medibank’s cybercriminals used to gain unauthorised access into the systems before any data was stolen at all.
The Medibank data breach
In October 2022, Australian private health insurer Medibank was the victim of a ransomware extortion attempt, with the cybercriminals compromising the names, date of birth, addresses, phone numbers, and email addresses of around 9.7 million former and current customers, and some of their authorised representatives. They also accessed Medicare numbers for 2.8 million ahm customers, passport and visa details of 1.8 million international student customers, and health claim data for nearly 500,000 customers.
The data was leaked by the ransomware criminals in November, following Medibank’s refusal to pay the $15 million ransom. The Office of the Australian Information Commissioner (OAIC) launched an official investigation in December 2022 that is still ongoing.
How did the ransomware group breach Medibank’s data?
The Medicare cyber incident is believed to have begun when a Medibank employee had their privileged access credentials into the company’s internal systems stolen, and then sold on the dark web.
The purchasers used the credentials to write a script to automate the customer data exfiltration process – similar to the recent Optus data breach. The stolen data was placed into a zip file, and while Medibank’s security team allegedly detected suspicious activity, the data was extracted through two backdoors. 200GB of customer data was stolen before the security team shut down the backdoors.
How are user credentials stolen?
Internal credential theft is one of the most common methods of a successful data breach. The Medibank investigation has not confirmed how the credentials were stolen, but several very common methods are:
Phishing: Emails that appear to be from a trustworthy or legitimate source, encouraging the user to send their credentials back to the sender or click on a link in the email.
Password spray attacks: Automation used to guess passwords at high speed by sending a series of guesses to the target’s user account in an attempt to gain access.
Brute force attacks: The use of trial-and-error to log into a user’s account, similar to password spray attacks.
However, many organisations have blocking mechanisms in place to detect repeated password-guessing attempts. This has led malicious actors to develop slower approaches to avoid detection. Low and slow password spray attacks are one method that has become more common – and may have been used in the theft of credentials that led to the Medibank breach.
What is Microsoft Sentinel?
Microsoft Sentinel is a Security Information and Event Management (SIEM) platform that enables security teams to detect, investigate, and respond to threats quickly and efficiently. This cloud-based solution is designed to provide comprehensive visibility, automated protection, and proactive threat hunting. It uses advanced analytics and machine learning to detect threats that other solutions may miss.
The platform supports proactive threat hunting by allowing security teams to identify malicious activities before they strike. Security teams can use the platform to search for suspicious activities across the IT infrastructure, such as suspicious IP addresses and malicious files. This allows security teams to detect, investigate, and respond to threats before they become a major problem.
Sentinel can detect low and slow spray attacks
Microsoft Sentinel recently released a guided hunting notebook that leverages machine learning (ML) to detect low and slow password spray attempts, as these attacks have become more and more prevalent in gaining user credentials and unauthorised access. These attacks can covertly continue for months without a company’s internal security team becoming aware of the malicious activity.
Using ML and analytics, Microsoft Sentinel can proactively detect anomalous fields for failed sign-in attempts by churning through log data going back months. Sentinel developed an approach to hunting low and slow spray attacks by:
- Detecting anomalous fields for each failed sign-in attempt.
- Clustering failed sign-ins.
- Pruning the clusters from the previous point based on its knowledge of what low and slow looks like, e.g. removing clusters where sign-ins don’t occur at a steady rate.
- Analysing the password spray clusters to find any invariants.
- Identifying the successful sign-ins following the patterns observed from the clusters in the previous steps.
- Creating Sentinel incidents where applicable.
Microsoft Sentinel could have stopped the Medibank breach
The chances of the Medibank cyber incident being caused by a low and slow password spray attack that stole user credentials is quite likely. The ML algorithms analysing user behaviour would have identified the suspicious activity and alerted a security team before the cybercriminals were able to gain the credentials, eliminating the threat before any malicious activity was taken.
The cyber security team at Steadfast Solutions specialise in deploying and managing Microsoft Sentinel for businesses of all sizes and industries. Talk to them today about implementing this advanced, proactive cyber security solution, and eliminate threats from your systems before they have a chance to strike.