Threat actors are targeting IT help desk employees at healthcare and public health (HPH) organizations to gain access to corporate networks and divert payments, the US Department of Health warns.
As part of such an attack, a threat actor was seen calling an IT help desk employee over the phone, from a local area code, posing as an employee in a financial role, and convincing them to enroll a new device in multi-factor authentication (MFA).
The attackers supplied the help desk employee with sensitive details about the person they were impersonating, including that person's Social Security number, likely obtained from public sources or earlier data breaches, and claimed that their phone was broken and could not receive MFA tokens, requesting that a new device be enrolled.
After gaining access to the target network, the threat actor looked for login information related to payer websites, and submitted a form to make ACH changes to payer accounts.
“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts. The funds were then transferred to overseas accounts,” the Health Department’s alert reads (PDF).
In September 2023, the department says, these social engineering tactics were used to target an organization in the hospitality and entertainment industry as part of a ransomware attack. The attack was claimed by Scattered Spider and led to the deployment of Alphv/BlackCat ransomware.
The recent campaign against healthcare entities, however, did not employ ransomware, although it used the same voice-based spear-phishing (vishing) and employee impersonation tactics.
Possible mitigations for such attacks include calling back the phone number on record for any employee who requests enrollment of a new MFA device or a password reset, monitoring for suspicious ACH changes, and requiring that such requests be verified by the employee's supervisor.
“Additionally, users can be trained to identify and report social engineering techniques and spear-phishing attempts, while also being suspicious of and verifying the identity of callers,” the department says.
Organizations using Entra ID (formerly Microsoft Azure Active Directory) are advised to prevent MFA abuse by enforcing the use of Microsoft Authenticator with number matching, removing SMS as the second verification factor, creating conditional access policies, and blocking external access to Microsoft Azure and Microsoft 365 administration features.
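The callback and supervisor-verification controls above only work if the help desk and security team notice the risky event in the first place. The script below is an added example, not code from the Health Department alert or from Microsoft: it scans audit-log style records for an MFA security-info registration that follows a help-desk password reset on the same account within a short window, and raises the priority when the account belongs to a finance role, since that is the persona the attackers impersonated. The activity names, field names and every sample record are assumed and constructed for illustration; they are modelled loosely on Entra ID audit-log entries but should be mapped to whatever your tenant actually emits.

```python
"""Flag MFA re-enrollments that closely follow a help-desk password reset.

Added example, not from the alert. Activity names, record fields and the
sample records below are assumptions constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Each record says who performed
# the action, which account it targeted, and when.
SAMPLE_EVENTS = [
    {"time": "2024-04-03T13:02:00Z", "activity": "Reset user password",
     "initiator": "helpdesk.agent@corp.example", "target": "ap.clerk@corp.example"},
    {"time": "2024-04-03T13:09:00Z", "activity": "User registered security info",
     "initiator": "ap.clerk@corp.example", "target": "ap.clerk@corp.example"},
    # Routine self-service enrollment with no preceding reset: not flagged.
    {"time": "2024-04-03T15:40:00Z", "activity": "User registered security info",
     "initiator": "nurse.one@corp.example", "target": "nurse.one@corp.example"},
    # Reset and enrollment more than a day apart: outside the window, not flagged.
    {"time": "2024-04-02T09:00:00Z", "activity": "Reset user password",
     "initiator": "helpdesk.agent@corp.example", "target": "dr.two@corp.example"},
    {"time": "2024-04-03T09:30:00Z", "activity": "User registered security info",
     "initiator": "dr.two@corp.example", "target": "dr.two@corp.example"},
]

# Assumed activity names; adjust to the exact strings your audit log uses.
RESET_ACTIVITIES = {"Reset user password", "Admin updated security info"}
ENROLL_ACTIVITIES = {"User registered security info", "Admin registered security info"}

# Constructed list of accounts in payment-handling roles (would come from HR
# or a directory group in practice).
FINANCE_USERS = {"ap.clerk@corp.example"}


def parse_time(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, window=timedelta(hours=1)):
    """Return one finding per MFA enrollment within `window` after a reset.

    Each finding names the account, who performed the reset, how many minutes
    later the new security info was registered, and a priority that is raised
    for finance-role accounts so they get a callback first.
    """
    resets_by_user = {}
    for ev in events:
        if ev["activity"] in RESET_ACTIVITIES:
            resets_by_user.setdefault(ev["target"], []).append(ev)

    findings = []
    for ev in events:
        if ev["activity"] not in ENROLL_ACTIVITIES:
            continue
        enrolled_at = parse_time(ev["time"])
        for reset in resets_by_user.get(ev["target"], []):
            gap = enrolled_at - parse_time(reset["time"])
            if timedelta(0) <= gap <= window:
                findings.append({
                    "user": ev["target"],
                    "reset_by": reset["initiator"],
                    "minutes_after_reset": int(gap.total_seconds() // 60),
                    "enrolled_at": ev["time"],
                    "priority": "high" if ev["target"] in FINANCE_USERS else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(f"[{finding['priority']}] {finding['user']}: new MFA device "
              f"{finding['minutes_after_reset']} min after reset by "
              f"{finding['reset_by']} -> call back number on record")
```

Each finding is a trigger for the callback to the number on record and for supervisor confirmation, not a verdict on its own: a legitimate broken-phone ticket produces the same pair of events, and the point is that someone other than the requester confirms it before the new device is trusted. The same pairing logic can be extended to ACH or payee-change events in finance systems, which the alert also recommends monitoring.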