The U.S. Department of Health and Human Services (HHS) warns that hackers are now using social engineering tactics to target IT help desks across the Healthcare and Public Health (HPH) sector.
The sector alert issued by the Health Sector Cybersecurity Coordination Center (HC3) this week says these tactics have allowed attackers to gain access to targeted organizations’ systems by enrolling their own multi-factor authentication (MFA) devices.
In these attacks, the threat actors use a local area code to call organizations pretending to be employees in the financial department and provide stolen ID verification details, including corporate ID and social security numbers.
Using this sensitive information and claiming their smartphone is broken, they convince the IT helpdesk to enroll a new device in MFA under the attacker’s control.
This gives them access to corporate resources and allows them to redirect bank transactions in business email compromise attacks.
“The threat actor specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts,” HC3 says [PDF].
“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts.”
“The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).”
In such incidents, attackers may also use AI voice cloning tools to deceive targets, making it harder to verify identities remotely. This is now a very popular tactic, with 25% of people having experienced an AI voice impersonation scam or knowing someone who has, according to a recent global study.
Scattered Spider vibes
The tactics described in the Health Department alert are very similar to those used by the Scattered Spider (aka UNC3944 and 0ktapus) threat group, which also uses phishing, MFA bombing (aka MFA fatigue), and SIM swapping to gain initial network access.
This cybercrime gang often impersonates IT employees to trick customer service staff into providing them with credentials or running remote access tools to breach the targets’ networks.
Scattered Spider hackers recently encrypted MGM Resorts’ systems using BlackCat/ALPHV ransomware. They are also notorious for the 0ktapus campaign, in which they targeted over 130 organizations, including Microsoft, Binance, Coinbase, T-Mobile, Verizon Wireless, AT&T, Slack, Twitter, Epic Games, Riot Games, and Best Buy.
FBI and CISA issued an advisory in November to highlight Scattered Spider’s tactics, techniques, and procedures (TTPs) in response to their data theft and ransomware attacks against a long string of high-profile companies.
However, HC3 says that similar health sector incidents reported so far have yet to be attributed to a specific threat group.
To block attacks targeting their IT help desks, organizations in the health sector are advised to:
- Require callbacks to verify employees requesting password resets and new MFA devices.
- Monitor for suspicious ACH changes.
- Revalidate all users with access to payer websites.
- Consider in-person requests for sensitive matters.
- Require supervisors to verify requests.
- Train help desk staff to identify and report social engineering techniques and verify callers’ identities.
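The callback, ACH-monitoring and MFA-enrollment controls above can be checked together in logs. The following is an added example, not part of the HC3 alert, that correlates help-desk MFA reset tickets, new MFA device enrollments and payer-portal ACH changes per user over constructed sample events; the event field names and the 72-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the HC3 alert); timestamps are ISO-8601 UTC.
# A real deployment would pull these from the ticketing system, the IdP and the payer portal.
EVENTS = [
    {"ts": "2024-04-02T09:05:00", "user": "jdoe", "type": "helpdesk_mfa_reset", "callback_verified": False},
    {"ts": "2024-04-02T09:12:00", "user": "jdoe", "type": "mfa_device_enrolled", "device": "new-phone-1"},
    {"ts": "2024-04-03T14:30:00", "user": "jdoe", "type": "ach_change", "system": "payer-portal"},
    {"ts": "2024-04-02T10:00:00", "user": "asmith", "type": "helpdesk_mfa_reset", "callback_verified": True},
    {"ts": "2024-04-02T10:20:00", "user": "asmith", "type": "mfa_device_enrolled", "device": "new-phone-2"},
    {"ts": "2024-04-20T11:00:00", "user": "asmith", "type": "ach_change", "system": "payer-portal"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_alerts(events, window=timedelta(hours=72)):
    """Return (user, rule, timestamp) tuples for the two patterns in the alert:
    a new MFA device enrolled after a help-desk reset that was not callback-verified,
    and an ACH change made within `window` of a new MFA device enrollment."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        last_reset = None   # most recent help-desk MFA reset ticket for this user
        last_enroll = None  # time of the most recent new MFA device enrollment
        for e in evs:
            t = parse(e["ts"])
            if e["type"] == "helpdesk_mfa_reset":
                last_reset = e
            elif e["type"] == "mfa_device_enrolled":
                last_enroll = t
                # The help desk enrolled the device on the strength of a phone call only.
                if (last_reset is not None and not last_reset.get("callback_verified")
                        and t - parse(last_reset["ts"]) <= window):
                    alerts.append((user, "mfa_enrollment_without_verified_callback", e["ts"]))
            elif e["type"] == "ach_change":
                # Payment-detail change shortly after a new device gained access is the BEC step.
                if last_enroll is not None and t - last_enroll <= window:
                    alerts.append((user, "ach_change_after_new_mfa_device", e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(*alert)
```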