The US Department of Health and Human Services (HHS) has issued a warning that hackers are attempting to target the helpdesks of hospitals in order to gain access to critical hospital systems.
The hackers have been observed contacting hospital IT help desks using local area code phone numbers and then pretending to be a hospital employee, providing the helpdesk with stolen identification.
The hackers then request that their device be set up to use the employee’s multi-factor authentication. Once they have access to the hospital’s internal systems, they are free to steal data and re-route transactions into their own bank accounts.
Hospital data and finances a honeypot for hackers
The Health Sector Cybersecurity Coordination Center (HC3) issued a warning for hospitals to be vigilant in the face of hackers using elaborate social engineering campaigns to gain access to hospital systems. The HC3 stated that the hackers “specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts” in order to steal money.
“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts,” HC3 continued. “The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).
While no threat actor has been formally identified as responsible for these attacks, HC3 issued a number of guidance points to IT help desks in order to avoid succumbing to such an attack: (PDF)
- Require callbacks for employees requesting new device MFA enrollment or password resets using the number on file for the employee
- Monitor ACH changes for suspicious activity and frequently revalidate users who have access to payer websites
- Employees requesting MFA device enrollment, password resets, or ACH changes should report in person to the IT helpdesk
- Where this is not possible, contact the employee supervisor for verification
- Train helpdesk employees to identify social engineering techniques and spearphishing attempts
Via BleepingComputer