US Health Dept warns hospitals of hackers targeting IT help desks

The U.S. Department of Health and Human Services (HHS) warns that hackers are now using social engineering tactics to target IT help desks across the Healthcare and Public Health (HPH) sector.

The sector alert issued by the Health Sector Cybersecurity Coordination Center (HC3) this week says these tactics have allowed attackers to gain access to targeted organizations' systems by enrolling their own multi-factor authentication (MFA) devices.

In these attacks, the threat actors use a local area code to call organizations pretending to be employees in the financial department and provide stolen ID verification details, including corporate ID and social security numbers.

Using this sensitive information and claiming their smartphone is broken, they convince the IT help desk to enroll a new device in MFA under the attacker's control.

This gives them access to corporate resources and allows them to redirect bank transactions in business email compromise attacks.

“The threat actor specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts,” HC3 says [PDF].

“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts.”

“The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).”

In such incidents, attackers can also use AI voice cloning tools to deceive targets, making it harder to verify identities remotely. This is now a very popular tactic, with 25% of people having experienced an AI voice impersonation scam or knowing someone who has, according to a recent global study.

Scattered Spider vibes

The tactics described in the Health Department alert are very similar to those used by the Scattered Spider (aka UNC3944 and 0ktapus) threat group, which also uses phishing, MFA bombing (aka MFA fatigue), and SIM swapping to gain initial network access.

This cybercrime gang often impersonates IT staff to trick customer service employees into providing them with credentials or running remote access tools to breach the targets' networks.

Scattered Spider hackers recently encrypted MGM Resorts' systems using BlackCat/ALPHV ransomware. They are also notorious for the 0ktapus campaign, in which they targeted over 130 organizations, including Microsoft, Binance, CoinBase, T-Mobile, Verizon Wireless, AT&T, Slack, Twitter, Epic Games, Riot Games, and Best Buy.

FBI and CISA issued an advisory in November to highlight Scattered Spider's tactics, techniques, and procedures (TTPs) in response to their data theft and ransomware attacks against a long string of high-profile companies.

However, HC3 says that similar health sector incidents reported so far have yet to be attributed to a specific threat group.

To block attacks targeting their IT help desks, organizations in the health sector are advised to:

  • Require callbacks to verify employees requesting password resets and new MFA devices.
  • Monitor for suspicious ACH changes.
  • Revalidate all users with access to payer websites.
  • Consider in-person requests for sensitive matters.
  • Require supervisors to verify requests.
  • Train help desk staff to identify and report social engineering techniques and verify callers' identities.
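As an added example (not code from the article, from HHS or from HC3), the following Python audit applies the callback, supervisor-verification and ACH-monitoring controls from the list above to correlated help desk tickets and identity-provider events. The record layouts, field names, ticket IDs, phone numbers and sample events are all constructed for this example; a real deployment would read them from the ticketing system and the IdP audit log.

```python
"""Audit MFA device enrollments against help desk verification controls.

Constructed example: record types, field names and sample data are
assumptions for illustration, not any vendor's log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed HR directory: the phone number on file for each employee.
# A callback is only meaningful if it goes to this number, not the caller's.
HR_PHONE_ON_FILE = {"jdoe": "+1-555-0100", "asmith": "+1-555-0101"}


@dataclass
class HelpdeskTicket:
    ticket_id: str
    user: str
    caller_number: str        # number the caller presented (may be spoofed/local)
    callback_verified: bool   # help desk called the HR number on file back
    supervisor_verified: bool
    opened: datetime


@dataclass
class IdpEvent:
    user: str
    event: str                # e.g. "mfa_device_enrolled"
    time: datetime
    ticket_id: Optional[str]  # ticket the help desk referenced, if any


@dataclass
class AchChange:
    user: str
    time: datetime
    payer: str


def audit_mfa_enrollments(tickets: List[HelpdeskTicket], events: List[IdpEvent],
                          window: timedelta = timedelta(hours=2)) -> Dict[str, List[str]]:
    """Return {user: [reasons]} for enrollments that fail the verification controls."""
    by_id = {t.ticket_id: t for t in tickets}
    findings: Dict[str, List[str]] = {}
    for ev in events:
        if ev.event != "mfa_device_enrolled":
            continue
        reasons = []
        ticket = by_id.get(ev.ticket_id) if ev.ticket_id else None
        if ticket is None:
            reasons.append("no helpdesk ticket linked to enrollment")
        else:
            if ticket.user != ev.user:
                reasons.append("ticket user differs from enrolled account")
            if not ticket.callback_verified:
                reasons.append("no callback to number on file")
            if ticket.caller_number != HR_PHONE_ON_FILE.get(ticket.user):
                reasons.append("caller number not the HR number on file")
            if not ticket.supervisor_verified:
                reasons.append("no supervisor verification")
            if not (ticket.opened <= ev.time <= ticket.opened + window):
                reasons.append("enrollment outside ticket window")
        if reasons:
            findings[ev.user] = reasons
    return findings


def flag_ach_changes(changes: List[AchChange], events: List[IdpEvent],
                     enrollment_findings: Dict[str, List[str]],
                     lookback: timedelta = timedelta(days=7)) -> List[AchChange]:
    """ACH changes made by accounts that had an unverified MFA enrollment recently."""
    enrolled_at = {ev.user: ev.time for ev in events
                   if ev.event == "mfa_device_enrolled" and ev.user in enrollment_findings}
    return [c for c in changes
            if c.user in enrolled_at
            and timedelta(0) <= c.time - enrolled_at[c.user] <= lookback]


# Constructed sample data: one legitimate enrollment, one matching the alert's pattern
# (local-area-code caller, no callback, no supervisor sign-off, then an ACH change).
T0 = datetime(2024, 4, 3, 9, 0)
TICKETS = [
    HelpdeskTicket("HD-1001", "jdoe", "+1-555-0100", True, True, T0),
    HelpdeskTicket("HD-1002", "asmith", "+1-555-0199", False, False, T0 + timedelta(hours=1)),
]
EVENTS = [
    IdpEvent("jdoe", "mfa_device_enrolled", T0 + timedelta(minutes=15), "HD-1001"),
    IdpEvent("asmith", "mfa_device_enrolled", T0 + timedelta(hours=1, minutes=20), "HD-1002"),
]
ACH_CHANGES = [
    AchChange("asmith", T0 + timedelta(days=1), "payer-portal-example"),
    AchChange("jdoe", T0 + timedelta(days=2), "payer-portal-example"),
]


def run_audit():
    """Run both checks over the sample data and return the findings."""
    enrollments = audit_mfa_enrollments(TICKETS, EVENTS)
    ach = flag_ach_changes(ACH_CHANGES, EVENTS, enrollments)
    return enrollments, ach


if __name__ == "__main__":
    enrollments, ach = run_audit()
    for user, reasons in enrollments.items():
        print(f"UNVERIFIED MFA ENROLLMENT {user}: {', '.join(reasons)}")
    for change in ach:
        print(f"REVIEW ACH CHANGE by {change.user} on {change.payer} at {change.time}")
```

The key design point is that the caller's number is never used as the verification channel: the ticket records it only so the audit can spot the local-area-code pattern the alert describes, while the control itself depends on a callback to the HR number on file and a supervisor sign-off. Tying ACH changes to recent unverified enrollments turns the alert's "monitor for suspicious ACH changes" into a concrete, low-noise review queue.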
