Advanced, the managed services provider (MSP), has confirmed for the first time that the attack on its systems was ransomware, saying the attackers used “legitimate third-party credentials” to access them and confirming that customer data was compromised in the incident, which took seven NHS and other medical applications offline.
The attackers logged in using these credentials (the report does not say how they were obtained) and then established an RDP session to the Citrix server of Staffplan, one of the most heavily affected applications, the company said.
It added that it is happy to share "additional" Indicators of Compromise with customers "on request".
Advanced added in a summary of the incident seen by The Stack: “During the initial logon session, the attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware” – which it confirmed in the same report to be LockBit 3.0.
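The chain Advanced describes (valid third-party credentials, then an RDP session onto a Citrix server, then lateral movement) produces successful logon events rather than failures, so detection has to lean on context: which account, from which source address, onto which host. The following is an added example of such a check and is not code from The Stack or from Advanced's incident report; the account names, hosts, address ranges and log records are constructed for illustration, and the fields mirror Windows Security event 4624, where LogonType 10 denotes a RemoteInteractive (RDP) logon.

```python
"""Flag RDP (LogonType 10) logons by third-party/vendor accounts that fall
outside that account's agreed source networks or target hosts.

Added example, not from The Stack's article or Advanced's incident report.
Account names, hosts, address ranges and event records are constructed.
Fields mirror Windows Security event 4624 (LogonType 10 = RemoteInteractive)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical access agreements per third-party account: where the account may
# connect from and which hosts it may touch. In a real deployment this comes
# from the vendor access register or PAM tool, not a literal in the detector.
VENDOR_ACCESS_POLICY = {
    "svc_vendor_support": {
        "source_nets": ["203.0.113.0/24"],   # vendor's published egress range (TEST-NET-3)
        "allowed_hosts": {"CTX-APP01"},      # the Citrix application server they support
    },
    "svc_backup_partner": {
        "source_nets": ["198.51.100.0/24"],  # TEST-NET-2
        "allowed_hosts": {"BKP01"},
    },
}

RDP_LOGON_TYPE = "10"


@dataclass(frozen=True)
class Finding:
    time: str
    account: str
    host: str
    source_ip: str
    reason: str


def _source_allowed(ip: str, nets) -> bool:
    """True if ip falls inside one of the agreed networks. 4624 records a '-'
    or 'LOCAL' source for some logons; those never match an agreed range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in nets)


def check_vendor_rdp(events) -> list[Finding]:
    """Return one Finding per vendor RDP logon that violates the access policy.
    Events are dicts with 4624-style fields (EventID, LogonType, TargetUserName,
    IpAddress, Computer, TimeCreated). Other event IDs, non-RDP logon types and
    accounts not in the policy are ignored."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        account = ev["TargetUserName"].lower()
        policy = VENDOR_ACCESS_POLICY.get(account)
        if policy is None:
            continue
        # Computer is usually an FQDN; compare on the short host name.
        host = ev["Computer"].split(".")[0].upper()
        ip = ev["IpAddress"]
        reasons = []
        if not _source_allowed(ip, policy["source_nets"]):
            reasons.append(f"source {ip} outside agreed range {policy['source_nets']}")
        if host not in policy["allowed_hosts"]:
            reasons.append(f"host {host} not in agreed set {sorted(policy['allowed_hosts'])}")
        if reasons:
            findings.append(Finding(ev["TimeCreated"], account, host, ip, "; ".join(reasons)))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Routine vendor maintenance: agreed source, agreed host. Not flagged.
    {"TimeCreated": "2022-08-03T09:02:11Z", "EventID": "4624", "LogonType": "10",
     "TargetUserName": "svc_vendor_support", "IpAddress": "203.0.113.25",
     "Computer": "ctx-app01.corp.example"},
    # Same valid credentials, same host, but from an address outside the agreed range.
    {"TimeCreated": "2022-08-04T01:47:30Z", "EventID": "4624", "LogonType": "10",
     "TargetUserName": "svc_vendor_support", "IpAddress": "192.0.2.77",
     "Computer": "ctx-app01.corp.example"},
    # Same credentials now landing on a domain controller the vendor has no business on.
    {"TimeCreated": "2022-08-04T02:10:05Z", "EventID": "4624", "LogonType": "10",
     "TargetUserName": "svc_vendor_support", "IpAddress": "192.0.2.77",
     "Computer": "dc01.corp.example"},
    # Network logon (type 3) by the same account: out of scope for this RDP rule.
    {"TimeCreated": "2022-08-04T02:11:00Z", "EventID": "4624", "LogonType": "3",
     "TargetUserName": "svc_vendor_support", "IpAddress": "10.20.0.5",
     "Computer": "fs01.corp.example"},
    # Internal admin over RDP: not a tracked third-party account.
    {"TimeCreated": "2022-08-04T08:00:00Z", "EventID": "4624", "LogonType": "10",
     "TargetUserName": "jsmith", "IpAddress": "10.10.1.9",
     "Computer": "ctx-app01.corp.example"},
]

if __name__ == "__main__":
    for f in check_vendor_rdp(SAMPLE_EVENTS):
        print(f"{f.time} {f.account}@{f.host} from {f.source_ip}: {f.reason}")
```

The rule deliberately keys on the account's agreed scope rather than on logon failures: stolen-but-valid credentials authenticate cleanly, so the only anomaly visible in the logon record itself is the source address and the host being reached. The second flagged event (a vendor support account on a domain controller) is the kind of record that would correspond to the lateral movement step Advanced describes.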
Advanced has some 25,000 customers including major government clients and revenues of £330 million.
The data of 16 Staffplan and Caresys application customers was stolen in the attack, it said.
Staffplan will not be back online until the end of this year at best, despite backups being available from as recently as the day before the incident, as we reported last month. Documents seen by The Stack reveal the extent of the potential downstream risk to patients, including the risk of basic care not being met in care homes.
Staffplan is used by over 79,000 care home workers, and a hazard log spreadsheet for the software lists the risks of server disruption as including “medication doses missed”, “basic needs not met, such as nutrition and personal care”, “health needs not met, such as wound care and physical support” and “required number of carers not met”. Those risks are live while the MSP's service restoration efforts drag on in the wake of the incident.
Advanced post-incident summary: We were ready to rebuild within days
In the post-incident summary Advanced suggests that external compliance constraints rather than in-house capabilities were responsible for the delay in getting applications back online, saying: "Although we were equipped and able to completely rebuild certain health and care products by the Monday following the incident, we were required to satisfy an assurance process set forth by our partners at the NCSC, NHS, and NHS Digital.
"This assurance process helped to provide confidence that once our rebuilt products were ready to go live, they were fully remediated and safe for our customers to use. As we learned more about this assurance process and adjusted in real time to meet certain requirements, it took longer than expected, which has impacted our overall recovery timeline. We have prioritized safety and security during every step of our recovery process."
(The Stack speculates that a crude rough translation of this may be: "We were told we couldn't get applications back online that rely on critically vulnerable legacy software or they would simply get popped again...")
Sources close to the app build say Staffplan was written in Delphi 5, a Windows development tool released in 1999, and had not been “significantly” updated since it was written in 2009. It is understood to have a range of complex dependencies and libraries that require legacy versions of Windows to function. Advanced only removed a dependency on the now-discontinued Microsoft Silverlight application framework earlier this year.
The attack is the second major data breach from Advanced systems in two years.
In 2020 security researchers at attack surface specialist TurgenSec identified an unsecured database hosting over 10,000 legal documents containing passport numbers, hashed passwords and more that had been scanned and uploaded by law firms using Laserform, a product from Advanced. The breach affected over 190 law firms.
TurgenSec’s blog on the discovery and efforts to collaborate on disclosure suggests that Advanced has a lot of work to do vis-a-vis modernising its response to security disclosures and indeed breaches. (The Stack takes the view that responsible security disclosures by white hats should be met with warm appreciation for the free help.)
MSPs have faced mounting attacks in recent years and regular warnings that they will continue to face heightened levels of attack, including a joint May 2022 advisory from US and UK authorities. A July 2021 attack on software provider Kaseya was among the most impactful. In that incident cybercriminals exploited zero-day vulnerabilities in the company's VSA remote monitoring and management software to compromise 50+ MSPs that used the product, then piggybacked on that access to hit over 1,500 downstream customer organisations with ransomware.