The US Department of Health and Human Services (HHS) has warned that hackers are trying to target hospital help desks to gain access to critical hospital systems.
The hackers have been observed contacting hospital IT help desks using local area code numbers and then posing as a hospital employee, providing the help desk with a stolen ID.
The hackers then ask them to set their device to use the employee’s multi-factor authentication. Once they gain access to the hospital’s internal systems, they are free to steal data and redirect transactions to their own bank accounts.
Hospital data and finance a honeypot for hackers
The Health Sector Cybersecurity Coordination Center (HC3) warned hospitals to be vigilant in light of hackers using extensive social engineering campaigns to gain access to hospital systems. The HC3 stated that the hackers “specifically targeted credentials related to payer websites, where they then submitted a form to make ACH changes to payer accounts” to steal funds.
“Once employee email accounts were accessed, they sent instructions to payment processors to redirect legitimate payments to attacker-controlled U.S. bank accounts,” HC3 continued. “The money was then transferred to offshore accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the Chief Financial Officer (CFO) of the target organization.
While no threat actors responsible for these attacks have been formally identified, HC3 has issued a number of guidelines to IT helpdesks to avoid succumbing to such an attack:PDF)
- Require callbacks for employees requesting MFA enrollment for a new device or password reset using the number on file for the employee
- Monitor ACH changes for suspicious activity and regularly validate users accessing payer websites
- Employees requesting MFA device enrollment, password resets, or ACH changes must report in person to the IT Help Desk
- If this is not possible, please contact the employee’s supervisor for verification
- Train help desk agents to identify social engineering techniques and spear phishing attempts
Through BleepingComputer