In early 2024, a hospital discovered unauthorised access to its network via its managed service provider (MSP). The incident highlighted vulnerabilities in how the hospital managed user access and device security. While no patient care or data was affected, the event revealed critical lessons for improving cybersecurity frameworks.
What Happened?
- How Access Was Gained
  - A hospital employee’s personal device was used to access the Microsoft Azure Virtual Desktop (AVD) environment.
  - Multi-factor authentication (MFA) was enabled but configured with cached sessions, allowing users to bypass MFA for 14 days after initial sign-in.
- What the Attacker Did
  - Once inside the network, the malicious actor ran a port scanner that required neither installation nor administrative privileges; with no application control in place, nothing prevented it from executing.
  - Attempts to escalate privileges or brute-force passwords were unsuccessful, with the latter blocked by the proxy server.
- How It Was Detected and Responded To
  - Microsoft Defender triggered an alert, prompting the MSP to investigate.
  - Immediate actions by the MSP included:
    - Forcing a password change for the affected user.
    - Terminating active sessions.
    - Wiping the AVD instance used.
    - Instructing the user to run anti-malware scans on their personal device.
- The Human Element
  - The attacker used the employee’s personal details, exposed in a 2023 retail data breach, to masquerade as a legitimate retailer.
  - The attacker tricked the employee into sharing their username.
  - The employee reported the suspicious activity to the MSP, but the issue was initially deprioritised because it didn’t appear email-based.
What Worked Well?
- Containment: The MSP acted quickly to stop the attack, limiting the threat actor’s ability to escalate privileges or steal data.
- Detection: Microsoft Defender successfully identified unusual activity, enabling a rapid response.
- Reporting Compliance: The hospital reported the incident to the Australian Signals Directorate (ASD) as required under the SOCI Act and shared indicators of compromise (IOCs) to support broader defence efforts.
What Could Have Been Done Better?
- MFA Configuration
  - While MFA was enabled, the use of cached sessions created a significant vulnerability. Prompting MFA at every login would have reduced the risk.
- Application Control
  - The attacker was able to run a port scanner because there were no application controls in place. Blocking unapproved applications would have restricted the attacker’s ability to scan the network.
- Human Awareness and Reporting Processes
  - The employee recognised a suspicious call and reported it, but the response process failed to treat the report with the urgency it warranted.
  - Clear guidelines and improved incident triaging could have escalated the issue sooner.
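To turn the MFA finding above into a repeatable check, here is an added example (not from the original post or from 4walls): a Python audit over Conditional Access policy exports that flags policies whose sign-in frequency lets a session be reused for longer than a day, or that allow persistent browser sessions. The two sample policies are constructed, and the field names assume the session-control shape Microsoft Graph returns for conditionalAccessPolicy.

```python
# Constructed sample: two Conditional Access policies in the shape Microsoft Graph
# returns for conditionalAccessPolicy, trimmed to the session controls this check
# inspects. Not taken from any real tenant.
SAMPLE_POLICIES = [
    {"displayName": "AVD - MFA (cached 14 days)", "state": "enabled",
     "sessionControls": {
         "signInFrequency": {"isEnabled": True, "type": "days", "value": 14,
                             "frequencyInterval": "timeBased"},
         "persistentBrowser": {"isEnabled": True, "mode": "always"}}},
    {"displayName": "AVD - MFA every sign-in", "state": "enabled",
     "sessionControls": {
         "signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime",
                             "authenticationType": "primaryAndSecondaryAuthentication"},
         "persistentBrowser": {"isEnabled": True, "mode": "never"}}},
]


def session_lifetime_hours(sif):
    """Hours a sign-in may be reused before MFA is prompted again.
    0 means every sign-in; None means no sign-in frequency is enforced."""
    if not sif or not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0
    per_unit = 1 if sif.get("type") == "hours" else 24
    return (sif.get("value") or 0) * per_unit


def audit_policies(policies, max_hours=24):
    """Flag enabled policies that let a session outlive max_hours without a
    fresh MFA prompt, or that keep browser sessions persistent."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled":
            continue
        sc = p.get("sessionControls") or {}
        lifetime = session_lifetime_hours(sc.get("signInFrequency"))
        if lifetime is None:
            findings.append((p["displayName"], "no sign-in frequency enforced"))
        elif lifetime > max_hours:
            findings.append((p["displayName"], f"session reusable for {lifetime} h"))
        pb = sc.get("persistentBrowser") or {}
        if pb.get("isEnabled") and pb.get("mode") == "always":
            findings.append((p["displayName"], "persistent browser session allowed"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_policies(SAMPLE_POLICIES):
        print(f"{name}: {reason}")
```

Run against a real export, the 14-day policy from this incident would surface as two findings while the every-sign-in policy produces none.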
4walls Recommendations for Better Cybersecurity
This incident underscores the importance of implementing a robust cybersecurity strategy that addresses both technical and human vulnerabilities. At 4walls, we recommend the following:
- Strengthen MFA Practices
  - Configure MFA to prompt at every login, removing the risk of cached sessions.
  - Regularly review MFA policies to ensure they align with current best practices.
- Implement Application Control
  - Use allowlists to ensure only approved applications can run on devices, minimising the risk of malicious tools being executed.
- Adopt a Comprehensive Cybersecurity Framework
  - Develop a strategy that includes regular risk assessments, vulnerability management, and continuous monitoring to identify and mitigate risks proactively.
  - A well-rounded framework ensures consistent protection against emerging threats.
- Improve Incident Response Processes
  - Train employees to recognise and report suspicious activity across all channels, not just email.
  - Establish clear escalation pathways to prioritise potential threats quickly.
- Invest in Cyber Governance Tools
  - Tools like the 4walls Cyber Security Dashboard provide real-time monitoring, incident tracking, and compliance insights to help organisations stay ahead of risks.
  - Governance training for leadership ensures strategic oversight of cybersecurity measures.
Conclusion
This case is a reminder that cybersecurity is not just about technology—it’s about having the right policies, processes, and training in place. With proactive measures, organisations can reduce the risk of similar incidents, safeguard critical systems, and protect their reputation.
For a deeper dive into how 4walls can help your organisation build a stronger cybersecurity foundation, explore our Cyber Security Dashboard or schedule a Cyber Governance Principles Webinar.