Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

HealthCare.gov Server Hacked, Infected With Malware

Cybercriminals managed to breach one of the servers used for HealthCare.gov, the official website of the United States’ health insurance marketplace, federal officials reported on Thursday.

Cybercriminals managed to breach one of the servers used for HealthCare.gov, the official website of the United States’ health insurance marketplace, federal officials reported on Thursday.

The affected machine is a test server and it reportedly doesn’t contain any personal information. Furthermore, there’s no evidence that any data was transmitted outside the agency, Department of Health and Human Services (DHHS) representatives told the Wall Street Journal.

The server in question shouldn’t have been accessible via the Internet so it had little protection installed on it. Officials believe this isn’t the work of a foreign state and that HealthCare.gov was not specifically targeted. It appears the attacker had scanned the Web for vulnerable servers on which he could plant malware used for distribute denial-of-service (DDoS) attacks.

The attacker had planted the malware in July, but the breach was detected only on August 25 during a daily security scan, officials said.

While there’s no evidence that the attackers caused any serious damage, experts warn that such incidents should be taken seriously.

“While it appears the HealthCare.gov system that was compromised wasn’t directly related to the production systems that run the site, it’s quite common for attackers to escalate privilege or otherwise impact infrastructure security by leveraging such systems,” Mark Stanislav, security evangelist at Duo Security, told SecurityWeek.

“Depending on the usage of this server, it could have potentially contained passwords of administrators that could have been reused elsewhere (e-mail, other servers, VPN connections, etc.). Further, since this test server was noted to have software uploaded to it by the attackers, it’s possible that a developer could have visited the site and been compromised through a client-side exploit like a browser plugin vulnerability. Lastly, test servers are often given more network privileges in many cases that could have been used as a foothold to compromise other infrastructure,” Stanislav added.

Other experts advise officials to carefully analyze the breach because the attackers might have gained access to sensitive data.

Advertisement. Scroll to continue reading.

“I hope the incident response teams and forensics teams are taking a really good, hard look at the breach evidence. Having the ability to upload ‘malicious software’ typically means the hacker had significant access to the web server. If the hacker really had the ability to upload arbitrary software to the web server, they certainly had the ability to steal healthcare data if they desired,” Billy Rios, director of threat intelligence at Qualys, said in an emailed statement.

Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, believes this could have been avoided.

“Like a lot of the other breaches that have made headlines over the past few months, this was the result of simple, compounded mistakes. A basic security flaw went overlooked, and it was assumed that because the system in question wasn’t supposed to be connected to the internet, it wasn’t high priority and didn’t warrant continuous monitoring. But accidently connecting a system like this to the internet happens all the time. Complex enterprise systems are susceptible to mistakes,” Cowperthwaite told SecurityWeek. “This could have been avoided. The technology is out there. When you’re a known target, you can’t afford to ignore anything on your network. It’s surprising that a high profile organization with the resources necessary to continuously monitor these systems could miss a problem like this.”

HealthCare.gov has been criticized by security experts from day one. In January, David Kennedy, founder of TrustedSecrevealed that it only took him four minutes to identify a vulnerability that could have been exploited to access the details of 70,000 people.

“They didn’t have enough time to formally develop the websiteand grow in a manner to be successful,” Kennedy told SecurityWeek in January. “When that happens, security is put in the back burner to making sure you can get the site out in time. To this date, they can’t be doing any formal testing all around on the site. Maybe some here or there, but nothing that we would consider industry best practices.”

RelatedHealthcare.gov’s Poor Security Diagnosis Shows Importance of Security Lifecycle

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

SpecterOps has appointed Tim Bender as CFO, Pat Sheridan as CRO, and Bryce Hein as CMO.

CISA has officially announced the appointment of Madhu Gottumukkala as its new deputy director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.