Warning: Hospitals on High Alert as Hackers Target IT Help Desks
The US Department of Health and Human Services (HHS) has issued a warning to hospitals and healthcare institutions regarding a new tactic employed by hackers targeting IT help desks. The alert, issued by the Health Sector Cybersecurity Coordination Center (HC3), highlights the use of social engineering techniques by threat actors within the Healthcare and Public Health (HPH) sector.
According to the alert, hackers have been able to infiltrate targeted organizations' systems by exploiting vulnerabilities in their IT help desk procedures. Specifically, attackers have been successful in enrolling their own multi-factor authentication (MFA) devices by posing as employees from the financial department during phone calls to IT help desks. They provide stolen ID verification details, including corporate ID and social security numbers, and claim that their smartphone is broken, persuading help desk personnel to enroll a new device under the attacker's control.
Once access is gained, hackers exploit corporate resources to redirect bank transactions and initiate business email compromise attacks. The HC3 report mentions instances where threat actors targeted login information related to payer websites, allowing them to make unauthorized changes to payer accounts and divert legitimate payments to attacker-controlled bank accounts.
In addition to these tactics, attackers may utilize AI voice cloning tools to enhance deception, making it more challenging to verify identities remotely. This approach has become increasingly prevalent, with a recent global study indicating that 25% of individuals have either experienced or know someone who has fallen victim to an AI voice impersonation scam.
The tactics described in the HC3 alert bear similarities to those employed by the cybercrime group known as Scattered Spider (aka UNC3944 and 0ktapus). This group utilizes phishing, MFA bombing, and SIM swapping techniques to gain initial network access, often impersonating IT personnel to deceive customer service staff and gain access credentials.
Scattered Spider has been associated with high-profile attacks, including the encryption of MGM Resorts' systems using BlackCat/ALPHV ransomware. Despite their notoriety, specific incidents within the healthcare sector have yet to be attributed to this group.
To mitigate the risk of attacks targeting IT help desks, healthcare organizations are advised to implement several measures, including requiring callbacks to verify employee requests, monitoring for suspicious changes in financial transactions, and validating all users accessing payer websites. Additionally, organizations should consider implementing in-person verification for sensitive matters, requiring supervisor approval for certain requests, and providing comprehensive training to help desk staff on identifying and reporting social engineering tactics.
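The monitoring and approval measures above can be checked against audit data. The following is an added example, not part of the HC3 alert: it flags help-desk MFA enrollments that skipped a callback or supervisor approval, and raises severity when the same account changes payment details soon afterward. The event schema, action names, sample events and 72-hour window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events; field and action names are assumptions, not a real product's schema.
EVENTS = [
    {"ts": "2024-04-01T15:30:00", "user": "hr.lead3", "action": "mfa_device_enrolled",
     "initiator": "helpdesk", "callback_verified": True, "supervisor_approved": False},
    {"ts": "2024-04-02T09:14:00", "user": "fin.analyst1", "action": "mfa_device_enrolled",
     "initiator": "helpdesk", "callback_verified": False, "supervisor_approved": False},
    {"ts": "2024-04-02T10:00:00", "user": "nurse7", "action": "mfa_device_enrolled",
     "initiator": "helpdesk", "callback_verified": True, "supervisor_approved": True},
    {"ts": "2024-04-02T11:40:00", "user": "fin.analyst1", "action": "payer_bank_details_changed"},
    {"ts": "2024-04-03T08:00:00", "user": "ap.clerk2", "action": "mfa_device_enrolled",
     "initiator": "self_service"},
    {"ts": "2024-04-03T08:20:00", "user": "ap.clerk2", "action": "ach_instructions_changed"},
]

SENSITIVE = {"payer_bank_details_changed", "ach_instructions_changed"}
WINDOW = timedelta(hours=72)  # assumed correlation window


def review_helpdesk_enrollments(events, window=WINDOW):
    """Flag help-desk MFA enrollments that skipped a control or precede a payment change."""
    parsed = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["t"])
    alerts = []
    for e in parsed:
        # Only the help-desk enrollment path is in scope here.
        if e["action"] != "mfa_device_enrolled" or e.get("initiator") != "helpdesk":
            continue
        gaps = [c for c in ("callback_verified", "supervisor_approved") if not e.get(c)]
        followups = [f["action"] for f in parsed
                     if f["user"] == e["user"] and f["action"] in SENSITIVE
                     and e["t"] < f["t"] <= e["t"] + window]
        if gaps or followups:
            alerts.append({"user": e["user"], "enrolled_at": e["ts"],
                           "missing_controls": gaps, "followups": followups,
                           "severity": "high" if followups else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in review_helpdesk_enrollments(EVENTS):
        print(alert)
```
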