HHS warns of social engineering attacks targeting IT help desks across health sector

The Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) issued a sector alert covering observed threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations. In general, threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to achieve their goals. 

Based on its observations, the agency recommends various mitigations outlined in this alert, which involve user awareness training and policies and procedures for increased security for identity verification with help desk requests. 

Social engineering is being used across the healthcare and public health (HPH) sector to gain unauthorized access to systems. Threat actors employ sophisticated social engineering techniques to target an organization’s IT help desk with phone calls from an area code local to the target organization, claiming to be an employee in a financial role (specifically in revenue cycle or administrator roles). 

“The threat actor is able to provide the required sensitive information for identity verification, including the last four digits of the target employee’s social security number (SSN) and corporate ID number, along with other demographic details,” the HC3 sector alert detailed. “These details were likely obtained from professional networking sites and other publicly available information sources, such as previous data breaches. The threat actor claimed that their phone was broken, and therefore could not log in or receive MFA tokens. The threat actor then successfully convinced the IT help desk to enroll a new device in multi-factor authentication (MFA) to gain access to corporate resources.” 

After gaining access, the HC3 added that the threat actor targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts. “Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts. The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).”

In September 2023, a notable incident utilizing social engineering techniques targeted an organization in the hospitality and entertainment industry, as highlighted in the HC3 alert. The threat actor Scattered Spider (also known as UNC3944) claimed responsibility for this attack, resulting in the deployment of ALPHV (also known as BlackCat) ransomware. However, there is currently no public attribution for a similar incident in the health sector.

“While these recent campaigns in the health sector did not involve ransomware, both of these incidents did leverage spearphishing voice techniques and impersonation of employees with specific access related to the threat actors’ end goals,” the HC3 alert disclosed. “Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications.” 

The sector alert added that spearphishing frequently involves social engineering techniques, such as posing as a trusted source (impersonation) and/or creating a sense of urgency or alarm for the recipient. “It is important to note that threat actors may also attempt to leverage AI voice impersonation techniques to social engineer targets, making remote identity verification increasingly difficult with these technological advancements. A recent global study found that out of 7,000 people surveyed, one in four said that they had experienced an AI voice cloning scam or knew someone who had.”

HC3 identified that various mitigations might be implemented by healthcare organizations, including requiring callbacks to the phone number on record for the employee requesting a password reset and enrollment of a new device. “It is important to note that when attempting callbacks for verification, the threat actor may claim to be too busy to take a phone call. Other mitigations may involve monitoring for any suspicious ACH changes and revalidating all users with access to payer websites.” 

Furthermore, some hospitals have implemented procedures that require employees to appear in person at the IT help desk for such requests. “Another suggestion is implementing policies that require the supervisor of the employee to be contacted to verify these requests. Additionally, users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identity of callers,” it added.
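The detection side of these mitigations can be automated: an added example (not code from HC3 or this article) that scans constructed identity and help-desk audit events for the chain the alert describes, a help-desk MFA reset done without callback or in-person verification, followed shortly by a new MFA device enrollment and then a payer-portal ACH change. The log format, field names and event names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, one per line; not taken from the HC3 alert.
SAMPLE_LOG = """\
2024-04-01T09:02:11Z helpdesk_mfa_reset user=jdoe channel=phone callback_verified=no
2024-04-01T09:05:40Z mfa_device_enrolled user=jdoe device=new_phone
2024-04-01T09:40:55Z payer_portal_ach_change user=jdoe portal=payer_example
2024-04-01T10:15:00Z helpdesk_mfa_reset user=asmith channel=in_person callback_verified=yes
2024-04-01T10:18:30Z mfa_device_enrolled user=asmith device=new_phone
"""

def parse_events(text):
    """Turn each log line into a dict with a datetime 'ts', an 'event' name and key=value fields."""
    events = []
    for line in text.strip().splitlines():
        ts, name, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": name}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events

def find_suspicious_resets(events, enroll_window=timedelta(hours=1),
                           ach_window=timedelta(hours=24)):
    """Flag help-desk MFA resets done without callback or in-person verification that are
    followed by a new MFA device enrollment; escalate if a payer ACH change follows."""
    alerts = []
    for reset in events:
        if reset["event"] != "helpdesk_mfa_reset":
            continue
        verified = reset.get("callback_verified") == "yes" or reset.get("channel") == "in_person"
        if verified:
            continue
        user = reset.get("user")
        later = [e for e in events if e.get("user") == user and e["ts"] > reset["ts"]]
        enrolled = [e for e in later if e["event"] == "mfa_device_enrolled"
                    and e["ts"] - reset["ts"] <= enroll_window]
        if not enrolled:
            continue
        ach = [e for e in later if e["event"] == "payer_portal_ach_change"
               and e["ts"] - enrolled[0]["ts"] <= ach_window]
        alerts.append({"user": user, "reset_at": reset["ts"].isoformat(),
                       "severity": "high" if ach else "medium",
                       "reason": "unverified MFA reset followed by new device enrollment"
                                 + (" and payer ACH change" if ach else "")})
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(a)
```

A reset logged as in-person or callback-verified is skipped, so the second user in the sample produces no alert; the first is escalated to high because an ACH change follows the new enrollment.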

In February, the HC3 issued an analyst note on the Akira ransomware, which is a relatively new ransomware gang that has demonstrated aggressive and capable targeting of the U.S. health sector in its short lifespan. It added that there is research suggesting that Akira hackers have connections to the now-defunct Conti ransomware gang, and are known to target the U.K., Canada, Australia, New Zealand, and other countries.
