A new security advisory from the U.S. government highlights sophisticated social engineering tactics used by threat actors in recent financially motivated attacks against the healthcare sector. The attackers impersonated healthcare organization employees in phone calls to IT help desks, in order to gain initial access to those employees' email accounts.
As outlined in a new industry alert from the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center, the phone calls to IT help desks would claim to be from an employee in a financial revenue cycle or administrator role. The threat actors did their homework and took careful steps to ensure their impersonations were convincing, making sure that their phone calls were from local area codes and providing sensitive details like employees' social security numbers, corporate IDs and demographic data. These details were likely taken from a mix of public networking sites and previous data breaches.
The threat actors would try to convince help desk attendees to enroll a new device for MFA by claiming that their phones were broken and that they could not log in or receive MFA tokens. If successful, the attackers would gain access to the impersonated employee's email account. In some cases, they would also register a domain spoofing the targeted organizations and create accounts impersonating the victim organization’s chief financial officer.
“After gaining access, the threat actor specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts,” according to the HHS in its alert last week. “Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts. The funds were then transferred to overseas accounts.”
The HHS said the sophistication of these social engineering techniques are reminiscent of ones used by Scattered Spider. This cybercriminal group targets large companies and their IT help desk contractors, and is known for a ransomware attack last September against MGM Resorts. In Scattered Spider’s attacks, they have impersonated company IT or help desk staff via phone calls, as a way to obtain credentials from employees, direct them to run commercial remote access tools and to convince them to share their MFA authentication codes. They have also relied on MFA fatigue and SIM swapping attacks.
“Threat actors may also attempt to leverage AI voice impersonation techniques to social engineer targets, making remote identity verification increasingly difficult with these technological advancements."
However, “while the threat actor Scattered Spider (also known as UNC3944) claimed responsibility for this [previous] attack, which led to the deployment of ALPHV (also known as BlackCat) ransomware, there is currently no public attribution for the incident in the health sector,” said HHS. “While these recent campaigns in the health sector did not involve ransomware, both of these incidents did leverage spearphishing voice techniques and impersonation of employees with specific access related to the threat actors’ end goals.”
In order to avoid these types of attacks, healthcare organizations can implement a number of measures in order to double check that the employees are who they say they are. For instance, organizations can require IT help desk employees to call back the phone numbers on record for the employees that are requesting password resets or enrollment of a new device, or require that the supervisor of the employee be contacted to verify these requests.
“It is important to note that when attempting callbacks for verification, the threat actor may claim to be too busy to take a phone call,” according to the advisory. “Other mitigations may involve monitoring for any suspicious ACH changes and revalidating all users with access to payer websites. Some hospitals have implemented procedures that require employees to appear in person at the IT help desk for such requests.”
There were no further details from HHS on the recent cyber incidents involving these tactics, but the healthcare sector has been recently been hit by various threats, including ransomware, as seen in the wide scale Change Healthcare attack. HHS also said attackers are increasingly using AI to amplify their voice-based social engineering tactics and avoid detection. In a recent global study of 7,000 people, one in four said that they had experienced an AI voice cloning scam or knew someone who had, according to HHS.
“Threat actors may also attempt to leverage AI voice impersonation techniques to social engineer targets, making remote identity verification increasingly difficult with these technological advancements,” said the HHS advisory.