April 8, 2024 at 09:54AM
Healthcare and public health (HPH) organizations are being targeted by threat actors aiming to infiltrate corporate networks and divert payments. The US Department of Health warns of a recent attack in which an IT help desk employee was impersonated over the phone to gain network access and initiate unauthorized payment transfers. Mitigation measures are recommended.
From the provided meeting notes, we can gather the following key takeaways:
– Threat actors are targeting IT help desk employees at healthcare and public health (HPH) organizations to gain access to corporate networks and divert payments.
– The attackers are using social engineering tactics and employee impersonation techniques to deceive IT help desk employees into enrolling new devices in multi-factor authentication (MFA) and gaining access to sensitive information.
– After gaining access to the target network, the threat actor looks for login information related to payer websites and submits a form to make ACH changes to payer accounts.
– Once access has been gained to employee email accounts, the attackers send instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts, with funds then being transferred to overseas accounts.
– The recent campaign against healthcare entities did not employ ransomware, but utilized spear-phishing voice techniques and employee impersonation tactics.
Potential mitigations for such attacks include:
– Implementing callbacks to the phone number on record for the employee requesting the enrollment of a new device and requiring a password reset.
– Monitoring for suspicious ACH changes and requiring verification of these requests by the supervisor of the employee.
– Training users to identify and report social engineering and spear-phishing attempts, as well as being suspicious of and verifying the identity of callers.
– Organizations using Entra ID are advised to prevent MFA abuse by enforcing the use of Microsoft Authenticator with number matching, removing SMS as the second verification factor, creating conditional access policies, and blocking external access to Microsoft Azure and Microsoft 365 administration features.
Additionally, it’s important for organizations to stay informed about related cybersecurity developments and threats, and to consider measures such as those outlined in the related articles and sanctions provided in the meeting notes for further insight and potential action.
Let me know if you need further assistance!