cyware: US Health Dept warns hospitals of hackers targeting IT help desks

Summary: The U.S. Department of Health and Human Services (HHS) has warned that hackers are using social engineering tactics to target IT help desks in the Healthcare and Public Health sector, allowing them to gain access to organizations’ systems and carry out business email compromise attacks.

Threat Actor: Scattered Spider (suspected from overlapping TTPs; HC3 has not formally attributed the incidents)
Victim: Healthcare and Public Health sector

Key Points:

  • Hackers are using social engineering tactics to target IT help desks in the Healthcare and Public Health sector, gaining access to organizations’ systems.
  • They enroll their own multi-factor authentication (MFA) devices by pretending to be employees in the financial department and providing stolen ID verification details.
  • Once access is gained, they redirect bank transactions in business email compromise attacks.
  • The tactics used by the threat actor are similar to those used by the Scattered Spider group, which has targeted high-profile organizations in the past.
  • To prevent such attacks, organizations are advised to require callbacks for verification, monitor for suspicious changes, revalidate user access, consider in-person requests for sensitive matters, require supervisor verification, and train help desk staff to identify social engineering techniques.


The U.S. Department of Health and Human Services (HHS) warns that hackers are now using social engineering tactics to target IT help desks across the Healthcare and Public Health (HPH) sector.

The sector alert issued by the Health Sector Cybersecurity Coordination Center (HC3) this week says these tactics have allowed attackers to gain access to targeted organizations’ systems by enrolling their own multi-factor authentication (MFA) devices.

In these attacks, the threat actors call the organization from a phone number with a local area code, pretend to be employees in the financial department, and provide stolen identity verification details, including the corporate ID and social security number of the employee they are impersonating.

Using this sensitive information and claiming their smartphone is broken, they convince the IT help desk to enroll a new MFA device, one under the attacker's control, on the impersonated employee's account.

This gives them access to corporate resources and allows them to redirect bank transactions in business email compromise attacks.

“The threat actor specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts,” HC3 says [PDF].

“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts.”

“The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).”

In such incidents, attackers may also use AI voice cloning tools to deceive targets, making it harder to verify identities remotely. The technique is increasingly common: 25% of people have either experienced an AI voice impersonation scam or know someone who has, according to a recent global study.

Scattered Spider vibes

The tactics described in the Health Department alert are very similar to those used by the Scattered Spider (aka UNC3944 and 0ktapus) threat group, which also uses phishing, MFA bombing (aka MFA fatigue), and SIM swapping to gain initial network access.

This cybercrime gang often impersonates IT employees to trick customer service staff into providing them with credentials or running remote access tools to breach the targets’ networks.

Scattered Spider hackers recently encrypted MGM Resorts’ systems using BlackCat/ALPHV ransomware. They are also notorious for the 0ktapus campaign, in which they targeted over 130 organizations, including Microsoft, Binance, Coinbase, T-Mobile, Verizon Wireless, AT&T, Slack, Twitter, Epic Games, Riot Games, and Best Buy.

FBI and CISA issued an advisory in November to highlight Scattered Spider’s tactics, techniques, and procedures (TTPs) in response to their data theft and ransomware attacks against a long string of high-profile companies.

However, HC3 says that similar health sector incidents reported so far have yet to be attributed to a specific threat group.

To block attacks targeting their IT help desks, organizations in the health sector are advised to:

  • Require callbacks (to the phone number already on record for the employee, not to a number the caller supplies) to verify employees requesting password resets and new MFA devices.
  • Monitor for suspicious ACH changes.
  • Revalidate all users with access to payer websites.
  • Consider in-person requests for sensitive matters.
  • Require supervisors to verify requests.
  • Train help desk staff to identify and report social engineering techniques and verify callers’ identities.
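The attack chain above (help desk reset, attacker-controlled MFA enrollment, sign-in from a new address, then a payer ACH change) and the verification and monitoring advice in this list can be turned into concrete controls. The following is an added example, not code from HC3 or BleepingComputer: a detection rule that correlates help-desk-assisted MFA resets with what happens next on the account, plus a help desk verification helper that always calls back the phone of record. The audit log lines, the `ISO-ts|user|action|actor|ip` line format, the action names, the IP baseline, and the HR directory are all constructed for the example and do not correspond to any vendor's log schema.

```python
"""Detect help-desk-assisted MFA enrollment abuse and enforce callback verification.

Added example. Log format, action names, baseline and HR directory are
constructed assumptions, not a real identity provider's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    ts: datetime
    user: str
    action: str   # helpdesk.mfa_reset | mfa.device_enrolled | signin | payer.ach_change
    actor: str    # help desk agent id, or the user for self-service actions
    ip: Optional[str]


def parse_line(line: str) -> Event:
    """Parse one constructed audit line: ISO-ts|user|action|actor|ip (ip may be empty)."""
    ts, user, action, actor, ip = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, action, actor, ip or None)


# Constructed sample log. j.doe follows the pattern HC3 describes; a.smith is a
# benign self-service enrollment from an address already in the user's baseline.
SAMPLE_LOG = """\
2024-04-01T08:00:00|a.smith@hospital.example|mfa.device_enrolled|a.smith@hospital.example|203.0.113.22
2024-04-01T08:01:00|a.smith@hospital.example|signin|a.smith@hospital.example|203.0.113.22
2024-04-01T09:02:00|j.doe@hospital.example|helpdesk.mfa_reset|agent17|
2024-04-01T09:05:00|j.doe@hospital.example|mfa.device_enrolled|j.doe@hospital.example|198.51.100.7
2024-04-01T09:07:00|j.doe@hospital.example|signin|j.doe@hospital.example|198.51.100.7
2024-04-01T11:40:00|j.doe@hospital.example|payer.ach_change|j.doe@hospital.example|198.51.100.7
"""

# Constructed per-user sign-in baseline (in practice derived from 30+ days of history).
KNOWN_IPS: Dict[str, Set[str]] = {
    "a.smith@hospital.example": {"203.0.113.22"},
    "j.doe@hospital.example": {"203.0.113.10"},
}


def find_suspicious_enrollments(log: str, known_ips: Dict[str, Set[str]],
                                window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Flag MFA enrollments that follow a help desk reset within `window` and are
    then used from outside the user's baseline or followed by a payer ACH change.
    A help desk reset alone is not an alert; it needs at least one more signal."""
    events = sorted((parse_line(l) for l in log.splitlines() if l.strip()), key=lambda e: e.ts)
    by_user: Dict[str, List[Event]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        baseline = known_ips.get(user, set())
        for i, e in enumerate(evs):
            if e.action != "mfa.device_enrolled":
                continue
            reset = next((r for r in evs[:i] if r.action == "helpdesk.mfa_reset"
                          and e.ts - r.ts <= window), None)
            if reset is None:
                continue  # self-service enrollment: out of scope for this rule
            minutes = int((e.ts - reset.ts).total_seconds() // 60)
            reasons = [f"help desk reset by {reset.actor} {minutes} min before enrollment"]
            if e.ip and e.ip not in baseline:
                reasons.append(f"enrolled from {e.ip}, outside the user's baseline")
            later = [x for x in evs[i + 1:] if x.ts - e.ts <= window]
            if any(x.action == "signin" and x.ip not in baseline for x in later):
                reasons.append("sign-in with the new factor from an unknown address")
            if any(x.action == "payer.ach_change" for x in later):
                reasons.append("payer ACH change submitted after enrollment")
            if len(reasons) > 1:
                alerts.append({"user": user, "enrolled_at": e.ts.isoformat(), "reasons": reasons})
    return alerts


# Constructed HR directory: phone of record, department, payer-portal entitlement.
HR_DIRECTORY: Dict[str, dict] = {
    "j.doe@hospital.example": {"phone": "+15550100100", "dept": "finance", "payer_portal": True},
    "a.smith@hospital.example": {"phone": "+15550100101", "dept": "nursing", "payer_portal": False},
}


def helpdesk_verification_plan(user: str, caller_supplied_phone: str,
                               directory: Dict[str, dict]) -> dict:
    """Decide how an agent must verify a password-reset or MFA-enrollment request.
    The callback goes to the HR phone of record; a number offered by the caller is
    never dialled, and a mismatch is itself recorded as a signal. Finance staff and
    anyone with payer-portal access also need supervisor sign-off."""
    rec = directory.get(user)
    if rec is None:
        return {"decision": "deny", "reason": "no HR record for the claimed identity"}
    return {
        "decision": "verify",
        "callback_to": rec["phone"],
        "number_mismatch": caller_supplied_phone != rec["phone"],
        "supervisor_required": rec["dept"] == "finance" or rec["payer_portal"],
    }


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
    print(helpdesk_verification_plan("j.doe@hospital.example", "+15559990000", HR_DIRECTORY))
```

Run on the constructed log, the rule produces one alert, for j.doe, carrying all four signals; a.smith's self-service enrollment from a known address is not flagged. The verification helper returns the directory number for the callback regardless of what the caller offered, and marks the finance user as needing supervisor approval, which is the "in-person or supervisor verification for sensitive matters" advice expressed as a decision the agent cannot skip.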

Source: https://www.bleepingcomputer.com/news/security/us-health-dept-warns-hospitals-of-hackers-targeting-it-help-desks/
