Hospital IT Helpdesks Targeted in Social Engineering Campaign

The Health Sector Cybersecurity Coordination Center (HC3) and the American Hospital Association (AHA) have issued warnings concerning a social engineering campaign that targets IT helpdesk at American hospitals. Based on the AHA, the campaign utilizes the stolen credentials of revenue cycle staff or personnel in other sensitive financial positions. The attacker gets in touch with the IT helpdesk and utilizes stolen protected health information (PII) to reply to security questions presented by IT helpdesk personnel. As soon as the attacker has gone through the questions, they ask for a password reset and the enrollment of a new device, usually having a local area code, to check sent multi-factor authentication (MFA) codes.

As soon as the new device is registered, the attacker sign into the user’s account and passes the MFA verification, the MFA code is delivered to the newly enrolled device. The AHA states that these cyberattacks could also get around phishing-resistant MFA. The primary objective of the campaign seems to be to reroute legit payments. When access is acquired to a staff’s email account, payment information is altered particularly the payment processors, which results in bogus transactions to U.S. bank accounts. Access could also be utilized to download malware on the system.

HC3 knows this social engineering campaign and stated IT helpdesks are informed that the user’s phone is broken and is unable to get any MFA codes. The helpdesk is given the last four numbers of the target staff’s corporate ID number, Social Security number (SSN), and demographic information to get security check approval. HC3 hints the data is probably extracted from publicly accessible resources like professional networking websites and/or previous data breaches. The strategies in the campaign reflect those utilized by a threat group called Scattered Spider (UNC3944). Scattered Spider professed responsibility for an identical campaign attacking the hospitality and entertainment business, which resulted in the use of BlackCat ransomware to encrypt system files. It is believed that no ransomware is used in the campaigns attacking the healthcare industry and it is uncertain which threat group is responsible for the campaign.

The AHA first became aware of the attacks in January 2024 and published an alert to hospitals. The alert is reissued because of an increase in cases. The risk presented by this modern and advanced tactic could be avoided by providing stringent IT help desk security practices. At least, a call back to the phone number on file is required for the worker asking for password resets and new device registration, according to AHA’s national expert for cybersecurity and risk, John Riggi. Companies may also want to call on the supervisor of the requesting employee. Additionally, a video call with the requesting staff may be initiated and a screenshot is taken while the staff is showing a genuine government ID. One big health system has updated its guidelines and processes after a successful attack and currently demands the personnel to see the IT helpdesk face-to-face before resetting their password or registering another device.

The HC3 advisory and suggested mitigations are available in this article.