
Cyber Incident Victim: BVA

Date: Feb 2021

Location: France

Summary

The French mutual health insurer MNH experienced a cyberattack involving system disconnections that disrupted websites, member portals, and phone services, with recovery efforts underway. Although the polling firm BVA was separately impacted by ransomware during this timeframe, the specific threat actor or intrusion method for BVA remains unconfirmed; MNH's incident was attributed to the RansomExx group, with speculation suggesting potential exploitation of a Citrix vulnerability (CVE-2019-19781) as an initial attack vector.


Description

On February 5, 2021, a cyberattack was disclosed by the Mutuelle Nationale des Hospitaliers et des Professionnels de la Santé et du Social (MNH), a French insurance company. MNH announced that its computer systems had been disconnected due to a security breach, rendering its websites, member area, extranets, and telephone platform temporarily unavailable. This disruption extended the processing times for various requests, causing inconvenience to customers. The attack on MNH raised concerns about the potential impact on sensitive data and the disruption of essential services.


LeMagIT, a French IT publication, speculated that the attack did not originate from an email vector, since MNH's email system was protected by Proofpoint security solutions. Instead, it suggested that a Citrix / NetScaler Gateway system vulnerable to CVE-2019-19781 might have been exploited. MNH had patched this vulnerability, nicknamed "Shitrix," in January 2020, but attackers who compromised the gateway before the patch could have established a bridgehead that survived patching, lying dormant until they decided to exploit it fully.

The polling firm BVA was also hit by a ransomware attack around the same time, leading to speculation about a potential connection between the two incidents. Subsequent reports confirmed that the MNH attack was carried out by the RansomExx threat actor group, known for their ransomware activities.

The impact of the attack on MNH's operations was significant. With their websites and telephone platform unavailable, customers experienced delays in accessing their accounts, managing policies, and receiving support. The disruption extended to the extranets for correspondents and elected representatives, affecting the ability of these stakeholders to communicate and access relevant information. MNH's swift decision to disconnect its systems likely prevented the attack from causing further damage and contained the breach to a certain extent.

While the full scope of the incident remains undisclosed, the potential compromise of sensitive data, including personal and health information, cannot be overlooked. The attackers' motive, as inferred from the tactics employed and the nature of the attack, appeared to be financial gain. The use of ransomware and the targeting of multiple organizations suggest a profit-driven agenda. Additionally, the suspected exploitation of the Shitrix vulnerability would indicate a level of sophistication and determination to breach well-protected systems.

The incident highlights the evolving nature of cyber threats and the challenges faced by organizations in maintaining robust cybersecurity postures. MNH's use of email protection measures demonstrates their awareness of potential risks. However, the existence of a vulnerable gateway system underscores the difficulty of maintaining comprehensive security across all vectors, especially in large organizations with complex IT infrastructures.

The impact of the attack on MNH's operations and the potential breach of sensitive data underscore the criticality of proactive threat hunting and the swift implementation of patches and security updates. While MNH's response to disconnect systems likely mitigated the damage, the incident serves as a reminder of the cat-and-mouse game played between attackers and defenders in the digital realm.

The disclosure of the cyberattack by MNH's chairman and CEO reflects their commitment to transparency and customer assurance. Their prompt acknowledgment of the incident and promise to communicate updates on the situation demonstrate a proactive approach to crisis management. This transparency is crucial in maintaining trust and confidence among customers, employees, and other stakeholders during such challenging times.

As the dust settles on this particular incident, it provides an opportunity for organizations worldwide to reflect on their cybersecurity posture and resilience. The evolving nature of cyber threats demands constant vigilance, proactive threat hunting, and a comprehensive approach to security that addresses both known and unknown vulnerabilities. The impact of cyberattacks can be far-reaching, affecting not only the targeted organization but also its customers, employees, and the broader community that relies on their services.

The MNH cyberattack serves as a stark reminder that cybersecurity is an ever-present challenge and that the preservation of data confidentiality, integrity, and availability is critical to maintaining trust and stability in the digital era. As attackers become more sophisticated and relentless, organizations must remain vigilant, adaptable, and proactive in their defense strategies to safeguard their systems, data, and stakeholders' interests.
