Drug distributor AmerisourceBergen confirms security breach

Pharmaceutical distributor AmerisourceBergen confirmed that hackers compromised the IT system of one of its subsidiaries after threat actors began leaking allegedly stolen data.

AmerisourceBergen is a pharmaceutical product distributor, medical business consultant, and patient services provider. The company is a giant in the healthcare industry, employing 42,000 people and operating multiple distribution centers in the United States, Canada, and the UK, with 150 offices worldwide.

As first reported by security researcher Dominic Alvieri, the Lorenz ransomware gang ended a lengthy period of silence by listing AmerisourceBergen and their allegedly stolen data on its extortion site.

AmerisourceBergen confirmed the attack to BleepingComputer, stating that the intrusion was contained and they are investigating whether the incident has resulted in the compromise of sensitive data.

The complete statement from AmerisourceBergen is shared below:

“AmerisourceBergen’s internal investigation quickly identified that a subsidiary’s IT system was compromised. We immediately engaged the appropriate teams to limit the intrusion, contained the disruption and took precautionary measures to ensure all systems were and are now clear of any intrusions.”

“This was an isolated incident and we are in the process of investigating to determine whether any sensitive data was compromised. We take our responsibility to protect data very seriously and continue to secure and strengthen our networks to prevent any future issues.” - AmerisourceBergen.

The Lorenz ransomware group has posted all files allegedly stolen from AmerisourceBergen and MWI Animal Health, presumably the subsidiary that was breached.

The threat actors set the post date to November 1, 2022, even though the files were published just now, which might indicate that the breach happened a couple of months back.

AmerisourceBergen listed on Lorenz (BleepingComputer)

It is important to note that while the leaked files appear genuine, AmerisourceBergen has not yet confirmed these files were stolen from its networks.

Lorenz ransomware operators were recently observed using critical flaws in Mitel telephony systems to gain access to corporate networks. The threat actors then lay low for several months until they are ready to use the deployed backdoor for data exfiltration and encrypt files.

Although Lorenz isn’t the most prolific threat group in the ransomware space, its attacks have a major impact due to targeting large firms.

A notable example from last year was an attack against the multinational defense contractor Hensoldt that resulted in the exfiltration of internal documents.