Hackers Are Targeting Healthcare Help Desks with Advanced Social Engineering Tactics, Says HC3

The Health Sector Cybersecurity Coordination Center (HC3) has warned that hackers are targeting IT help desks in the health sector with advanced social engineering tactics.

“Social engineering is being used across the Healthcare and Public Health (HPH) sector to gain unauthorized access to systems,” reads the notice.

Threat actors are using sophisticated techniques to target IT help desk employees with phone calls from an area code local to the target organization. They claim to be an employee in a financial role (specifically in revenue cycle or administrator roles) whose phone is broken, preventing them from logging in or receiving MFA tokens.

The threat actor is able to provide the required information for identity verification, including the last four digits of the impersonated employee’s Social Security Number (SSN) and corporate ID number, along with other demographic details – all harvested from professional networking sites and data dumps from past breaches.

With the help desk employee persuaded to enroll a new device for authentication, the threat actor moves to submit a form to make ACH changes for payer accounts.

“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts,” according to the notice.

The HC3 recommends that healthcare organizations stay vigilant and implement several mitigations, including:

·      Require callbacks to the phone number on record for the employee requesting a password reset and enrollment of a new device

·      Monitor for any suspicious ACH changes and revalidate all users with access to payer websites

·      Implement policies that require supervisors to be contacted to verify requests

·      Train staff to identify and report social engineering techniques

·      Remove SMS as an MFA verification option

·      Enforce Microsoft Authenticator with number matching

·      Ensure MFA and SSPR registration is secure by requiring users to authenticate from a trusted network location and/or ensuring device compliance

·      Block external access to Microsoft Azure and Microsoft 365 administration features…

… and more.

Unlike most campaigns targeting healthcare organizations, these attacks seem to squarely focus on gaining access to accounts able to make money transfers in the name of the institution. Attackers therefore heavily rely on persuading the targeted employee to provide external access to various internal systems, and even use sophisticated voice-cloning technology to achieve their goals.

The US Federal Trade Commission recently asked the general public for good ideas to combat voice-cloning crime, offering $25,000 to the best scam-buster.