Hospitals across the nation are on high alert as sophisticated cybercriminals use advanced social engineering tactics to target IT help desks.
The Health Sector Cybersecurity Coordination Center (HC3) has issued a Sector Alert detailing the latest threat to the healthcare industry.
The HC3’s latest report reveals a concerning trend of threat actors using social engineering to gain unauthorized access to hospital systems.
These criminals are impersonating hospital employees in financial roles to deceive IT help desks into granting access to sensitive information and systems.
Tactics Employed by Cybercriminals
- Local Phone Calls: Attackers call IT help desks from local area codes, posing as hospital employees.
- Identity Verification: They provide the last four digits of an employee’s Social Security Number and corporate ID, likely sourced from professional networking sites or previous data breaches.
- MFA Exploitation: By claiming their phone is broken, they persuade help desks to enroll a new device for Multi-Factor Authentication (MFA), bypassing security measures.
- Payment Diversion: Once inside the system, attackers target login information for payer websites to divert payments to their bank accounts.
Analysis of the Threat
- Previous Incidents: In September 2023, Scattered Spider used similar tactics in a high-profile attack on the hospitality and entertainment industry, leading to a ransomware deployment.
- Voice Phishing: The technique, known as spearphishing voice (T1566.004), involves voice calls to manipulate users into providing system access.
- AI Voice Impersonation: A global study found that one in four people had experienced or knew someone who had experienced an AI voice cloning scam.
Mitigation Strategies
Healthcare organizations are advised to implement several mitigation strategies:
- Callback Verification: Require callbacks to the employee’s phone number on record for password resets or new device enrollments.
- In-Person Verification: Some hospitals now require employees to appear in person at the IT help desk for sensitive requests.
- Supervisor Confirmation: Policies may require contacting the employee’s supervisor to verify identity and request legitimacy.
- User Training: Educate users to identify and report social engineering and spearphishing attempts.
Technical Recommendations for Microsoft Environments
For organizations using Entra ID (formerly Microsoft Azure Active Directory), Mandiant recommends:
- Microsoft Authenticator: Enforce number matching and remove SMS as an MFA option.
- Custom Authentication Strength: Specify only “Password + Microsoft Authenticator (Push Notification)” for access.
- Conditional Access Policies: Create policies that grant access only for the newly created authentication strength and block external access to administration features.
The HC3 alert underscores the evolving threat landscape and the need for heightened security measures within the healthcare sector.
Hospitals must remain vigilant and proactive in training staff, implementing robust verification processes, and utilizing advanced security technologies to protect against these sophisticated attacks.
