HHS, FBI warn healthcare sector of social engineering scheme
Threat actors have been using phishing schemes to steal login credentials and divert automated clearinghouse payments, HHS and the FBI warned in a joint cybersecurity advisory.
HHS and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory (CSA) to disseminate indicators of compromise related to a social engineering campaign targeting healthcare and public health entities.
Specifically, the CSA warned that threat actors have been using phishing schemes to steal login credentials for initial access and to divert automated clearinghouse (ACH) payments to US bank accounts controlled by the threat actors.
In this scheme, threat actors often call an organization’s IT help desk and impersonate employees to trigger a password reset for the targeted employee’s account. The American Hospital Association (AHA) issued alerts in January and April warning healthcare entities of similar help desk social engineering schemes.
The FBI and HHS described healthcare organizations as “attractive targets” due to their technological dependence, access to sensitive information, size, and patient care impacts.
Some threat actors were able to successfully manipulate IT help desk staff and bypass multifactor authentication. What’s more, the threat actors may seem believable to IT staff because they often have personally identifiable information pertaining to the impersonated employee, enabling them to confirm the individual’s identity.
The CSA warned that after gaining access via social engineering, the threat actors often use living off the land (LOTL) techniques to blend in with typical network behavior.
“By using LOTL, threat actors were able to amend forms to make ACH changes to patients’ accounts which enabled the diversion of legitimate payments to US bank accounts controlled by the actors, followed by a second transfer of funds to overseas accounts,” the CSA stated. “In some instances, the threat actor also attempted to upload malware to victim systems without success.”
The CSA contains detailed indicators of compromise and known phone numbers affiliated with phishing schemes that network defenders can use to fend off these attacks. Additionally, HHS and the FBI recommended training IT help desk employees on this vulnerability and implementing MFA for every account.
Organizations should also pay special attention to securing remote access tools by reviewing logs, using security software to detect instances of remote access software being loaded only in memory, and requiring remote access tools to be used only over virtual private networks.
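The log review recommended above can be partly automated by correlating the sequence the advisory describes: a help-desk-initiated password reset, followed shortly by a new MFA device enrollment and the launch of a remote access tool under the same account. The script below is an added illustration, not code from the advisory or from HHS/FBI; the log line format, the field names, the sample log lines and the remote-access-tool watch list are all constructed assumptions, so map them onto whatever your help desk system, identity provider and endpoint telemetry actually emit.

```python
"""Correlate help-desk password resets with follow-on MFA enrollments and
remote-access tool launches.  Added example; log format and field names are
assumptions, not a real product's schema."""
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source> user=<name> event=<type> detail=<x>"
SAMPLE_LOG = """\
2024-04-10T09:01:00 helpdesk user=jdoe event=password_reset detail=phone_request
2024-04-10T09:04:30 idp user=jdoe event=mfa_device_enrolled detail=new_phone
2024-04-10T09:20:10 endpoint user=jdoe event=process_start detail=anydesk.exe
2024-04-10T10:00:00 helpdesk user=asmith event=password_reset detail=phone_request
2024-04-10T14:30:00 endpoint user=asmith event=process_start detail=outlook.exe
2024-04-11T08:00:00 idp user=bkim event=mfa_device_enrolled detail=new_phone
2024-04-11T08:05:00 endpoint user=bkim event=process_start detail=screenconnect.exe
"""

# Assumed watch list of remote access tool binaries; extend for your environment.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "screenconnect.exe", "teamviewer.exe"}


def parse_log(text):
    """Turn the constructed text format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "source": source}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def find_suspicious_resets(events, window=timedelta(hours=2)):
    """Return (user, reset_time, follow_ups) for every help-desk password reset
    that is followed within `window` by an MFA device enrollment and/or a
    remote access tool launch on the same account.  A reset with no such
    follow-up (asmith) and an enrollment with no preceding reset (bkim) are
    not reported by this particular rule."""
    by_user = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, user_events in by_user.items():
        for idx, event in enumerate(user_events):
            if event["event"] != "password_reset" or event["source"] != "helpdesk":
                continue
            follow_ups = []
            for later in user_events[idx + 1:]:
                if later["ts"] - event["ts"] > window:
                    break  # events are time-sorted, nothing further is in the window
                if later["event"] == "mfa_device_enrolled":
                    follow_ups.append("mfa_device_enrolled")
                elif (later["event"] == "process_start"
                      and later.get("detail", "").lower() in REMOTE_ACCESS_TOOLS):
                    follow_ups.append("remote_tool:" + later["detail"])
            if follow_ups:
                alerts.append((user, event["ts"], follow_ups))
    return alerts


if __name__ == "__main__":
    for user, reset_time, follow_ups in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        print(f"{reset_time.isoformat()} {user}: help-desk reset followed by {', '.join(follow_ups)}")
```

On the constructed sample the rule flags only `jdoe`; the window and the watch list are the two knobs to tune against your own reset volume, and the same correlation can be fed from any source that records who initiated a reset and when a new MFA factor was registered.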