HC3 warns of social engineering attacks targeting IT helpdesks

The U.S. Department of Health and Human Services, in collaboration with the Health Sector Cybersecurity Coordination Center, has published an industry alert advising on measures to defend against spear-phishing voice fraud that ultimately aims to steal electronic funds transfers.

WHY IT MATTERS

User awareness training and stronger security policies and procedures for verifying identity on help desk requests can help defend against tactics that manipulate IT staff into granting system access over a phone call or other voice channel, HC3 said in its April 3 alert.

HC3 said it recently investigated two successful spear-phishing voice fraud incidents in which legitimate payments were diverted to U.S. bank accounts controlled by the attacker.

“The threat actor is able to provide the required sensitive information for identity verification, including the last four digits of the targeted employee’s Social Security number and company identification number, along with other demographic details,” the agency said in its report.

“These details were likely obtained from professional networking sites and other publicly available sources of information, such as previous data breaches.”

In one attack, HC3 said the threat actor claimed their phone was broken, so they couldn’t log in or receive multi-factor authentication tokens. They convinced the organization’s IT helpdesk to enroll a new device with MFA and gained access to the network, targeting credentials related to payer websites.

By posing as a trusted source and creating a sense of urgency, they gained access to payers’ systems and submitted automated change requests to the clearinghouse, HC3 said.

The agency identified several help desk policies that counter this tactic, including requiring a callback to the registered phone number of any employee requesting a password reset or new-device enrollment, contacting the employee’s supervisor to verify the need, monitoring for suspicious ACH changes, and re-validating all users with access to payer websites.
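The two controls above that can be enforced mechanically are the approval gate on a help desk request and the follow-on monitoring for ACH changes. The following is an added example, not code from HC3 or from any hospital in the article: it models a request as approved only on out-of-band evidence (callback to the registered number plus supervisor confirmation, or in-person appearance), never on knowledge-based answers such as the last four SSN digits that the alert says attackers already hold, and it flags a payment-detail change that follows a help-desk MFA re-enrollment within a review window. The event names, field names and sample records are constructed for this example.

```python
"""Help desk identity-verification gate and a follow-on ACH-change monitor.

Added illustration modelled on the controls HC3 lists (callback to the
registered number, supervisor confirmation, in-person appearance, watching
for suspicious ACH changes). All names and sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Request types the alert singles out as high risk at the help desk.
HIGH_RISK_REQUESTS = {"password_reset", "mfa_device_enrollment"}


@dataclass
class HelpdeskRequest:
    employee_id: str
    request_type: str
    # Answers supplied by the caller (SSN last four, employee number, etc.).
    # The alert notes attackers already possess these, so they are recorded
    # but never count toward approval of a high-risk request.
    knowledge_checks_passed: bool = False
    # Out-of-band checks performed by the help desk, not by the caller.
    callback_to_registered_number_confirmed: bool = False
    supervisor_confirmed: bool = False
    in_person: bool = False


def verify_request(req: HelpdeskRequest) -> tuple[bool, str]:
    """Return (approved, reason) for a help desk request under the policy."""
    if req.request_type not in HIGH_RISK_REQUESTS:
        return True, "low-risk request; standard handling"
    if req.in_person:
        return True, "identity confirmed in person at the help desk"
    if not req.callback_to_registered_number_confirmed:
        return False, "callback to the employee's registered phone number not confirmed"
    if not req.supervisor_confirmed:
        return False, "supervisor has not confirmed the need for the change"
    return True, "out-of-band callback and supervisor confirmation both succeeded"


@dataclass
class Event:
    ts: datetime
    employee_id: str
    kind: str  # constructed event kinds: "mfa_device_enrolled", "ach_change_submitted"


def suspicious_ach_changes(events: list[Event],
                           window: timedelta = timedelta(days=7)) -> list[str]:
    """Flag ACH changes submitted within `window` of an MFA device enrollment."""
    enrollments: dict[str, list[datetime]] = {}
    findings: list[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_device_enrolled":
            enrollments.setdefault(ev.employee_id, []).append(ev.ts)
        elif ev.kind == "ach_change_submitted":
            recent = [t for t in enrollments.get(ev.employee_id, []) if ev.ts - t <= window]
            if recent:
                findings.append(
                    f"{ev.employee_id}: ACH change at {ev.ts:%Y-%m-%d %H:%M} within "
                    f"{window.days}d of MFA device enrollment at {recent[-1]:%Y-%m-%d %H:%M}"
                )
    return findings


# Constructed sample log: one employee re-enrolled then changed ACH details a
# day later, one changed ACH with no enrollment, one enrolled a month earlier.
SAMPLE_EVENTS = [
    Event(datetime(2024, 4, 1, 9, 0), "e1001", "mfa_device_enrolled"),
    Event(datetime(2024, 4, 2, 14, 30), "e1001", "ach_change_submitted"),
    Event(datetime(2024, 4, 2, 10, 0), "e2002", "ach_change_submitted"),
    Event(datetime(2024, 3, 1, 9, 0), "e3003", "mfa_device_enrolled"),
    Event(datetime(2024, 4, 3, 9, 0), "e3003", "ach_change_submitted"),
]

if __name__ == "__main__":
    caller_only = HelpdeskRequest("e1001", "mfa_device_enrollment", knowledge_checks_passed=True)
    print(verify_request(caller_only))
    for line in suspicious_ach_changes(SAMPLE_EVENTS):
        print("ALERT", line)
```

The gate deliberately ignores `knowledge_checks_passed` for the two high-risk request types; keeping the field lets the help desk record what the caller offered without letting it substitute for the callback. The monitor is a review aid, not a blocker: a flagged change still needs the re-validation step the alert describes.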

“Some hospitals have implemented procedures that require employees to appear in person at the IT help desk for such requests,” HC3 said.

The agency also outlined several measures against MFA abuse for users of Entra ID, formerly Microsoft Azure Active Directory.

THE BIG TREND

In some cases, social engineering attacks aim to drop ransomware, disrupt hospitals and trick an organization into paying a large ransom. Such was the case when OrthoVirginia, a medical practice, was hit by the Ryuk ransomware in 2021.

Phishing, the most common form of abuse to gain a foothold in an organization’s network, can also be addressed in regular security awareness training, according to HC3.

“It’s important to train your workforce to trust nothing and no one when it comes to the digital communications they receive, which now includes voicemails, text messages and phone calls,” advised Steve Cagle, CEO of Clearwater Security and Compliance, which guided OrthoVirginia through its ransomware recovery.

“They must learn to operate from a place of skepticism and doubt anything they cannot verify as legitimate, including QR codes,” he told Healthcare IT News last year.

Artificial intelligence only gives cybercriminals more weapons to improve the sophistication of these attacks.

ON THE RECORD

“It is important to note that threat actors may also attempt to leverage AI voice impersonation techniques for social engineering purposes, making remote identity verification increasingly difficult with these technological advancements,” HC3 said in the alert.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.