Medibank or its partners allegedly missed or didn’t act on alerts from its endpoint detection and response (EDR) tool before a threat actor stole data from the insurer’s systems, Australia’s privacy regulator has said.
The Office of the Australian Information Commissioner (OAIC) has published court documents [pdf] alleging that the insurer had a window of up to six weeks, from when the EDR alerts were generated to when it became clear that data had been stolen, in which to act.
The OAIC filed a lawsuit against Medibank earlier this month alleging failures by the insurer to protect customers’ personal information.
The office’s concise statement of claim offers an alleged chronology of events that saw an IT service desk contractor’s admin credentials stolen and then misused to enter and chart Medibank’s network before stealing sensitive information.
The forensic details OAIC alleges go beyond Medibank’s disclosure [pdf] that the stolen credentials were used to access Medibank’s network via “a misconfigured firewall”, from which point the attacker was able to remain undetected and expand laterally.
In support of the proceeding it filed earlier this month, the regulator argued that Medibank did not “implement effective contractor assurance” or take other “reasonable steps” from a cyber security perspective.
These covered domains including security monitoring, MFA for authenticating remote access to Medibank’s VPN, “restricting access” to data holdings based on the “responsibilities of users”, and “processes” for responding to detected “incidents in a timely manner”.
OAIC accused Australia’s largest health insurer of not “undertaking a first-level review and triage of all security alerts generated by Medibank’s EDR (endpoint detection and response) security software” or detecting suspicious exfiltration by “configuring volumetric alerts”.
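The “volumetric alerts” the OAIC refers to are a standard exfiltration detection: compare each host’s outbound byte volume against its own recent baseline and raise an alert when a day’s egress is both large in absolute terms and many times the norm. The following is an added illustration, not code from the article, from Medibank or from the OAIC filing; the flow-log format, the internal network ranges, the sample records and the thresholds (a 1 GB floor and a 5x-over-median factor) are all assumptions chosen for the example.

```python
"""Volumetric egress alerting over a constructed flow log (added example)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample flow records: timestamp, source host, destination IP, bytes sent.
# Values are invented to exercise the detector; the 203.0.113.x and 198.51.100.x
# documentation addresses stand in for external destinations.
SAMPLE_FLOW_LOG = """\
2022-09-01T09:00:00 db-srv-01 203.0.113.10 30000000
2022-09-01T14:00:00 db-srv-01 10.0.5.20 900000000
2022-09-02T09:00:00 db-srv-01 203.0.113.10 35000000
2022-09-03T09:00:00 db-srv-01 203.0.113.10 28000000
2022-09-04T09:00:00 db-srv-01 203.0.113.10 33000000
2022-09-05T02:10:00 db-srv-01 198.51.100.7 120000000000
2022-09-05T03:40:00 db-srv-01 198.51.100.7 60000000000
2022-09-01T10:00:00 ws-042 203.0.113.10 5000000
2022-09-02T10:00:00 ws-042 203.0.113.10 5500000
2022-09-03T10:00:00 ws-042 203.0.113.10 4800000
2022-09-04T10:00:00 ws-042 203.0.113.10 5200000
2022-09-05T10:00:00 ws-042 203.0.113.10 6000000
"""

# Assumed internal address space (RFC 1918); traffic staying inside it is not counted.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                     ip_network("192.168.0.0/16")]


def parse_flow_log(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "host": host,
                      "dst": ip_address(dst), "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETWORKS)


def daily_external_egress(flows):
    """Sum bytes sent to non-internal destinations, per host and per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f["dst"]):
            continue
        totals[f["host"]][f["ts"].date()] += f["bytes"]
    return totals


def volumetric_alerts(flows, factor=5.0, floor_bytes=1_000_000_000, min_baseline_days=3):
    """Alert when a host's daily external egress exceeds both an absolute floor and
    factor x the median of its earlier days. The median baseline resists a single
    noisy day, and the floor keeps tiny-but-spiky hosts from paging anyone."""
    alerts = []
    for host, per_day in daily_external_egress(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_baseline_days:
                continue  # not enough history to call anything anomalous yet
            baseline = median(history)
            today = per_day[day]
            if today >= floor_bytes and today > factor * baseline:
                alerts.append({"host": host, "date": day.isoformat(),
                               "bytes": today, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for alert in volumetric_alerts(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(f"{alert['date']} {alert['host']}: {alert['bytes'] / 1e9:.1f} GB out "
              f"(baseline {alert['baseline'] / 1e6:.1f} MB/day)")
```

In the sample, the database server’s 180 GB of external egress on the fifth day trips the rule against a baseline of roughly 31.5 MB per day, while the workstation’s steady few megabytes never reach the floor. A real deployment would feed this from firewall, proxy or NetFlow records and tune the floor and factor per host class, but the shape of the check is the same.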
Admin credentials saved to personal browser profile
OAIC alleged that at some time before August 7 2022 a contractor saved credentials, including for an admin account, to their personal internet browser profile on a work computer.
The credentials then “synced across to [their] personal computer”, the OAIC alleged, and were stolen by malware on that device.
The admin account granted access “to most (if not all) of Medibank’s systems.”
The OAIC alleges the attacker first tried the credentials on a Microsoft Exchange server before finding they worked for Medibank’s VPN.
It alleged that one reason the attack succeeded was “because…Medibank’s Global Protect VPN…did not require two or more proofs of identity or multi-factor authentication.”
“Rather, Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required,” it alleged.
Medibank’s EDR “generated various alerts” around a fortnight after the attacker had gained persistence.
However, for whatever reason, the OAIC alleges the EDR alerts were not acted upon. The attacker then accessed customer databases and stole 520GB of data sometime over the following six weeks.
The OAIC alleged that the attack and exfiltration were only uncovered on October 11 when “Medibank’s Security Operations team triaged a high severity incident for an…alert that identified modification of files needed to exploit the ProxyNotShell vulnerability”, a zero-day found in Microsoft Exchange.
Several days later, investigations by digital forensic partner Microsoft Threat Intelligence Centre (MSTIC) allegedly uncovered “a series of suspicious volumes of data exfiltrated out of Medibank’s network”.
OAIC alleged that Medibank “was not aware that customer data had been accessed by a threat actor and exfiltrated from its systems” until this time.
This January, Microsoft also revealed that MSTIC played a “key” role in helping the Australian Signals Directorate unmask the hacker.
MSTIC said that it fed information to the Australian Signals Directorate, which was used to identify the individual behind the sophisticated attack.