What Happened?
The Health Sector Cybersecurity Coordination Center (HC3) has issued a security advisory warning organizations in the healthcare and public health sectors about cyber criminals launching advanced social engineering attacks against IT help desks, including AI voice cloning and spearphishing attempts.
Key Takeaways
According to HC3’s advisory, threat actors will steal a real employee’s personally identifiable information (PII), including the last four digits of their Social Security number or their corporate ID, and use these details to call into help desks with local phone numbers. HC3 believes threat actors exfiltrate these details from “professional networking sites,” previous data breach leaks, and other public sources of information.
These malicious actors will pose as employees in an organization’s Finance department with administrator privileges, claim their phone is broken, and that they need to enroll a new MFA device to access corporate resources. Once they have a foothold in an environment, the threat actor will target employee email accounts to redirect bank transactions to “attacker-controlled… bank accounts” in the United States. According to the advisory, at this point, the threat actor will register a domain that looks similar to the targeted organization’s website and impersonate the organization’s Chief Financial Officer.
Security experts have noted these social engineering techniques are incredibly similar to the tactics Scattered Spider (also known as the 0ktapus threat group or UNC3944) used against MGM Resorts in September. However, HC3 has not identified a specific group of cyber criminals responsible for the attacks against healthcare-focused organizations.
Why This Matters to MSPs
The Department of Health and Human Services’ advisory demonstrates to MSPs that simply expecting to recognize your customer’s voice is no longer sufficient against sophisticated spear phishing and impersonation attacks – this is a growing trend within (and beyond) the healthcare sector that cannot be ignored. Moreover, this continued threat may also impact cyber insurance eligibility requirements, and identity verification may become a technology that impacts your MSP’s policy renewal or premiums.
In the event that end user identity verification becomes a requirement, help desks will need a solution that helps them accelerate these processes with strategic automations and PSA integrations.
Action Steps:
CyberQP’s security experts recommend that MSPs supporting organizations in the healthcare sector take the following mitigation actions from HC3’s advisory:
- Require callbacks to the end user’s phone number on record.
- Enforce phone number matching with your identity verification product, and require it for push notifications.
- Remove SMS as an MFA verification option.
- Require users to authenticate from a trusted network location to further secure your MFA and Self-Service Password Reset processes, and block external access to Microsoft Azure and Microsoft 365 administration features with a Conditional Access Policy that requires users to authenticate from a trusted network location OR to be on a compliant device. HC3 notes that this tactic can be used to secure Microsoft Admin Portals, PowerShell, Graph Explorer, and Microsoft Azure Management, among other applications.
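The last mitigation above can be expressed as a single Conditional Access policy. The script below is an added example written for this post, not code from CyberQP or HC3: it uses the Microsoft Graph PowerShell SDK to create a policy that targets the Microsoft Admin Portals application group and the Azure Management API, applies from every location except the tenant's named trusted locations, and grants access only from a compliant device. Because trusted locations are excluded from the policy's scope, the net effect is "trusted network OR compliant device", which is what the advisory describes. The break-glass account ID is a placeholder you must replace; the policy is created in report-only mode so you can review the sign-in log impact before enforcing it.

```powershell
# Added example: Conditional Access policy that restricts Microsoft admin surfaces
# to trusted network locations OR compliant devices (Microsoft Graph PowerShell SDK).
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) account.
# Always exclude it so a misconfigured policy cannot lock admins out entirely.
$breakGlassAccountId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "Admin portals: trusted location or compliant device"
    # Start in report-only mode; switch to "enabled" after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @(
                "MicrosoftAdminPortals",                 # Entra, M365, Exchange, Intune admin centers
                "797f4846-ba00-4fd7-ba43-dac1f8f63013"   # Windows Azure Service Management API (Azure portal, Azure PowerShell/CLI)
            )
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")           # policy does not apply from trusted named locations
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")           # from untrusted networks, require Intune-compliant device
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Before moving the policy from report-only to enabled, confirm that at least one trusted named location is defined (otherwise `AllTrusted` excludes nothing and every admin sign-in will require a compliant device) and that the break-glass account has been tested against the policy. Graph Explorer and PowerShell sessions that reach these APIs are covered by the same application targeting, which is the point HC3 makes.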