Cybercriminals managed to breach one of the servers used for HealthCare.gov, the official website of the United States' health insurance marketplace, federal officials reported on Thursday.
The affected machine is a test server and it reportedly doesn't contain any personal information. Furthermore, there's no evidence that any data was transmitted outside the agency, Department of Health and Human Services (DHHS) representatives told the Wall Street Journal.
The server in question shouldn't have been accessible via the Internet so it had little protection installed on it. Officials believe this isn't the work of a foreign state and that HealthCare.gov was not specifically targeted. It appears the attacker had scanned the Web for vulnerable servers on which he could plant malware used for distribute denial-of-service (DDoS) attacks.
The attacker had planted the malware in July, but the breach was detected only on August 25 during a daily security scan, officials said.
While there's no evidence that the attackers caused any serious damage, experts warn that such incidents should be taken seriously.
"While it appears the HealthCare.gov system that was compromised wasn't directly related to the production systems that run the site, it's quite common for attackers to escalate privilege or otherwise impact infrastructure security by leveraging such systems," Mark Stanislav, security evangelist at Duo Security, told SecurityWeek.
"Depending on the usage of this server, it could have potentially contained passwords of administrators that could have been reused elsewhere (e-mail, other servers, VPN connections, etc.). Further, since this test server was noted to have software uploaded to it by the attackers, it's possible that a developer could have visited the site and been compromised through a client-side exploit like a browser plugin vulnerability. Lastly, test servers are often given more network privileges in many cases that could have been used as a foothold to compromise other infrastructure," Stanislav added.
Other experts advise officials to carefully analyze the breach because the attackers might have gained access to sensitive data.
"I hope the incident response teams and forensics teams are taking a really good, hard look at the breach evidence. Having the ability to upload 'malicious software' typically means the hacker had significant access to the web server. If the hacker really had the ability to upload arbitrary software to the web server, they certainly had the ability to steal healthcare data if they desired," Billy Rios, director of threat intelligence at Qualys, said in an emailed statement.
Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, believes this could have been avoided.
"Like a lot of the other breaches that have made headlines over the past few months, this was the result of simple, compounded mistakes. A basic security flaw went overlooked, and it was assumed that because the system in question wasn’t supposed to be connected to the internet, it wasn’t high priority and didn’t warrant continuous monitoring. But accidently connecting a system like this to the internet happens all the time. Complex enterprise systems are susceptible to mistakes," Cowperthwaite told SecurityWeek. "This could have been avoided. The technology is out there. When you’re a known target, you can’t afford to ignore anything on your network. It’s surprising that a high profile organization with the resources necessary to continuously monitor these systems could miss a problem like this."
HealthCare.gov has been criticized by security experts from day one. In January, David Kennedy, founder of TrustedSec, revealed that it only took him four minutes to identify a vulnerability that could have been exploited to access the details of 70,000 people.
"They didn’t have enough time to formally develop the websiteand grow in a manner to be successful," Kennedy told SecurityWeek in January. "When that happens, security is put in the back burner to making sure you can get the site out in time. To this date, they can’t be doing any formal testing all around on the site. Maybe some here or there, but nothing that we would consider industry best practices."