In the **2024 Change Healthcare breach**, attackers exploited a server lacking multifactor authentication (MFA) to infiltrate the company’s **Active Directory (AD)**, the central authentication backbone for over 90% of Fortune 1000 firms. Once inside, they escalated privileges, executed lateral movement, and deployed a **ransomware attack** that crippled operations. The incident forced a **complete halt to patient care services**, exposed **sensitive health records**, and resulted in the company paying **millions in ransom** to restore systems. The attack disrupted billing, claims processing, and pharmacy operations nationwide, causing prolonged financial and reputational damage. The breach highlighted critical vulnerabilities in AD security, including **weak credential management, unpatched systems, and excessive privileged access**, which allowed attackers to maintain persistence and evade detection by mimicking legitimate AD operations. Recovery efforts took weeks, with lingering impacts on healthcare providers and patients reliant on Change Healthcare’s infrastructure.
Source: https://thehackernews.com/2025/11/active-directory-under-siege-why.html
Change Healthcare cybersecurity rating report: https://www.rankiteo.com/company/change-healthcare
"id": "CHA1032510111225",
"linkid": "change-healthcare",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{
  'affected_entities': [
    {
      'customers_affected': 'Patients and Healthcare Providers (Exact Number Undisclosed)',
      'industry': 'Healthcare',
      'location': 'United States',
      'name': 'Change Healthcare',
      'size': 'Large (Fortune 1000)',
      'type': 'Healthcare Technology Company'
    }
  ],
  'attack_vector': [
    'Compromised Credentials (Phishing/Malware/Breach Databases)',
    'Server Without MFA',
    'Active Directory Exploitation (Golden Ticket, DCSync, Kerberoasting)',
    'Hybrid Environment Abuse (Azure AD Connect, OAuth Tokens, NTLM Relay)'
  ],
  'data_breach': {
    'data_encryption': 'Likely (Ransomware Encryption)',
    'data_exfiltration': 'Confirmed (Health Records)',
    'personally_identifiable_information': 'Yes (Patient Identities)',
    'sensitivity_of_data': 'High (Protected Health Information - PHI)',
    'type_of_data_compromised': [
      'Health Records',
      'Patient Data',
      'Potentially Administrative Credentials'
    ]
  },
  'date_publicly_disclosed': '2024-02-00',
  'description': "In the 2024 Change Healthcare breach, attackers exploited a server lacking multifactor authentication (MFA), pivoted to Active Directory (AD), escalated privileges, and executed a highly costly ransomware attack. The incident disrupted patient care, exposed health records, and resulted in millions paid in ransom. The attack demonstrated the criticality of AD as the 'holy grail' for adversaries, enabling full network control through techniques like Golden Ticket, DCSync, and Kerberoasting. Hybrid environments (on-premises + cloud) expanded the attack surface, with attackers exploiting synchronization gaps, legacy protocols (e.g., NTLM), and fragmented security postures. Common vulnerabilities included weak passwords, stale service accounts, cached credentials, and poor visibility into privileged access. The breach underscored the need for layered defenses: strong password policies, privileged access management (PAM), zero-trust principles, continuous monitoring, and rapid patching of domain controllers.",
  'impact': {
    'brand_reputation_impact': 'Significant (Loss of Trust in Healthcare Data Security)',
    'customer_complaints': 'High (Patients and Healthcare Providers)',
    'data_compromised': ['Health Records', 'Patient Data'],
    'downtime': 'Extended (Patient Care Disruption)',
    'financial_loss': 'Millions (Ransom Paid + Operational Costs)',
    'identity_theft_risk': 'High (Exposed Health Records)',
    'operational_impact': 'Severe (Halt in Patient Services, Administrative Paralysis)',
    'systems_affected': [
      'Active Directory',
      'Domain Controllers',
      'Hybrid Cloud Infrastructure (Azure AD)',
      'Patient Care Systems'
    ]
  },
  'initial_access_broker': {
    'backdoors_established': 'Likely (Persistent AD Access via Golden Ticket/DCSync)',
    'data_sold_on_dark_web': 'Possible (Exfiltrated Health Records)',
    'entry_point': 'Server Without MFA',
    'high_value_targets': [
      'Active Directory',
      'Domain Controllers',
      'Health Records Databases'
    ]
  },
  'investigation_status': 'Likely Ongoing (2024–2025)',
  'lessons_learned': [
    "Active Directory is the 'holy grail' for attackers; compromising it grants full network control.",
    'Hybrid environments (on-premises + cloud) introduce complex attack surfaces (e.g., Azure AD Connect, OAuth tokens, NTLM).',
    'Legacy protocols (NTLM) and fragmented security tools create visibility gaps exploited by attackers.',
    'Weak passwords, stale service accounts, and cached credentials are top entry points.',
    'Privileged access management (PAM) and zero-trust principles are critical to limiting lateral movement.',
    'Continuous monitoring for AD changes (e.g., group modifications, replication anomalies) can detect attacks early.',
    'Rapid patching of domain controllers is essential to close privilege escalation paths.',
    'Password policies must evolve: block breached credentials, enforce MFA, and use dynamic feedback for users.'
  ],
  'motivation': [
    'Financial Gain (Ransom Payment)',
    'Data Theft (Health Records)',
    'Disruption (Patient Care Halt)'
  ],
  'post_incident_analysis': {
    'corrective_actions': [
      'Mandated MFA for all privileged and sync accounts.',
      'Deployed **Specops Password Policy** to block compromised credentials.',
      'Implemented **just-in-time (JIT) access** for administrative tasks.',
      'Disabled **NTLM** and enforced SMB signing.',
      'Unified **SIEM/XDR monitoring** for AD and cloud identities.',
      'Accelerated **patch management** for domain controllers.',
      'Conducted **AD security assessment** and red team exercises.'
    ],
    'root_causes': [
      'Lack of MFA on critical server (initial access point).',
      'Weak password policies (reused/breached credentials).',
      'Excessive permissions for service accounts (lateral movement).',
      'Unpatched domain controllers (privilege escalation flaw).',
      'Hybrid environment complexity (Azure AD Connect abuse).',
      'Fragmented security tools (on-premises vs. cloud visibility gaps).'
    ]
  },
  'ransomware': {
    'data_encryption': 'Yes (Systems Locked)',
    'data_exfiltration': 'Yes (Double Extortion)',
    'ransom_paid': 'Millions (Exact Amount Undisclosed)'
  },
  'recommendations': [
    {
      'actions': [
        'Implement **Specops Password Policy** or similar to block >4B compromised passwords in real-time.',
        'Enforce **12+ character passwords** with dynamic feedback during creation.',
        'Enable **continuous scanning** for breached credentials (not just at reset).',
        'Require **MFA for all privileged accounts** (admin, service, sync accounts).'
      ],
      'category': 'Credential Security'
    },
    {
      'actions': [
        'Segregate **admin accounts** from standard user accounts.',
        'Adopt **just-in-time (JIT) access** for elevated privileges (auto-revoke after use).',
        'Route admin tasks through **privileged access workstations (PAWs)**.',
        'Audit and remove **stale accounts** (former employees, unused service accounts).'
      ],
      'category': 'Privileged Access Management (PAM)'
    },
    {
      'actions': [
        'Disable **legacy protocols** (NTLM, LM) or enforce **NTLM blocking**.',
        'Deploy **conditional access policies** (evaluate device health, user location, behavior).',
        'Monitor **AD changes** (group modifications, replication anomalies, off-hour admin actions).',
        'Patch **domain controllers within 48 hours** of critical updates.'
      ],
      'category': 'Active Directory Hardening'
    },
    {
      'actions': [
        'Unify **on-premises and cloud security tools** to eliminate visibility gaps.',
        'Secure **Azure AD Connect** with least-privilege sync accounts and MFA.',
        'Monitor **OAuth token usage** for anomalous cloud-to-on-premises access.',
        'Enforce **consistent security policies** across hybrid identities.'
      ],
      'category': 'Hybrid Environment Security'
    },
    {
      'actions': [
        'Deploy **SIEM/XDR solutions** with AD-specific detection rules (e.g., Golden Ticket, DCSync).',
        'Conduct **regular red team exercises** to test AD defenses.',
        'Train staff on **phishing resistance** and **credential hygiene**.',
        'Establish an **incident response plan** with AD-specific playbooks.'
      ],
      'category': 'Detection & Response'
    }
  ],
  'references': [
    {
      'source': 'Verizon Data Breach Investigations Report (DBIR)',
      'url': 'https://www.verizon.com/business/resources/reports/dbir/'
    },
    {
      'source': 'Specops Software - Active Directory Security',
      'url': 'https://specopssoft.com/'
    },
    {
      'source': 'Microsoft Security Guidance for Active Directory',
      'url': 'https://learn.microsoft.com/en-us/security/'
    },
    {
      'source': 'Change Healthcare Ransomware Attack Coverage (Various News Outlets)'
    }
  ],
  'regulatory_compliance': {
    'regulations_violated': ['HIPAA (Health Insurance Portability and Accountability Act)'],
    'regulatory_notifications': 'Likely (HHS Breach Reporting Requirements)'
  },
  'response': {
    'incident_response_plan_activated': 'Likely (Given Scale of Breach)',
    'remediation_measures': [
      'Ransom Payment (Millions)',
      'Patch Deployment for Domain Controllers (Post-Breach)',
      'Potential Review of AD Security Posture'
    ]
  },
  'title': 'Active Directory Compromise and Ransomware Attack on Change Healthcare (2024)',
  'type': [
    'Data Breach',
    'Ransomware',
    'Privilege Escalation',
    'Lateral Movement'
  ],
  'vulnerability_exploited': [
    'Weak/Reused Passwords (88% of breaches per Verizon DBIR)',
    'Service Accounts with Non-Expiring Passwords & Excessive Permissions',
    'Cached Administrative Credentials in Workstation Memory',
    'Lack of Visibility into Privileged Account Usage',
    'Stale Accounts (Former Employees with Retained Access)',
    'Unpatched Domain Controllers (Privilege Escalation Flaw, April 2025)',
    'Legacy Protocols (NTLM Enabled for Backward Compatibility)',
    'Fragmented Security Posture (On-Premises vs. Cloud Visibility Gaps)'
  ]
}