The US Department of Health and Human Services (HHS) has warned IT helpdesk operators in the healthcare sector of a surge in sophisticated social engineering attacks designed to divert funds to attacker bank accounts.
The notice from the HHS Office of Information Security and the Health Sector Cybersecurity Coordination Center claimed that the threat actors typically call claiming to be an employee in a financial role – spoofing their phone number to appear as if it has a local area code.
“The threat actor is able to provide the required sensitive information for identity verification, including the last four digits of the target employee’s social security number (SSN) and corporate ID number, along with other demographic details,” the alert continued.
“These details were likely obtained from professional networking sites and other publicly available information sources, such as previous data breaches. The threat actor claimed that their phone was broken, and therefore could not log in or receive MFA tokens. The threat actor then successfully convinced the IT help desk to enroll a new device in MFA to gain access to corporate resources.”
Once they gain access, the threat actor redirects bank payments to accounts under their control, before transferring the money to overseas accounts.
“After gaining access, the threat actor specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts,” the alert noted.
“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled US bank accounts.”
HHS claimed that similar tactics were used by the notorious Scattered Spider threat group back in September 2023, in an ALPHV ransomware attack on a hospitality and entertainment industry organization.
The alert also warned that AI-powered voice impersonation tools could be deployed in these attacks.
It listed several mitigations for healthcare organizations to take, including:
- Enforcing Microsoft Authenticator with number matching for user authentication, and removing SMS as an MFA option
- Ensuring MFA and SSPR registration is secure by requiring users to authenticate from a trusted network location and/or ensuring device compliance
- Blocking external access to Microsoft Azure and Microsoft 365 administration features by creating a conditional access policy, which only allows access if users authenticate from a trusted network location and/or ensuring device compliance
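As an added illustration of the second and third mitigations (this is example code, not part of the HHS alert), the following Microsoft Graph PowerShell SDK script creates two Entra ID conditional access policies: one scoping MFA/SSPR registration to trusted locations or compliant devices, the other doing the same for the Microsoft admin portals. It assumes that named locations already marked as trusted exist in the tenant, and that the break-glass group ID is a placeholder to be replaced.

```powershell
# Added example, not code from the HHS alert. Assumes trusted named locations
# already exist and that $BreakGlassGroupId is replaced with the object ID of
# an emergency-access group (placeholder value below).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"  # placeholder, replace

# Policy 1: the "register security info" user action (MFA and SSPR enrolment)
# is out of scope on trusted locations (excludeLocations = AllTrusted) and, from
# anywhere else, is granted only on a compliant device. That is the
# "trusted network location and/or device compliance" condition in the alert.
$registrationPolicy = @{
    displayName   = "Secure security info registration"
    state         = "enabledForReportingButNotEnforced"  # report-only first; set to "enabled" after reviewing sign-in logs
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# Policy 2: the Microsoft admin portals (Azure, Microsoft 365, Entra admin
# centers) are reachable only from a trusted location or a compliant device.
$adminPortalPolicy = @{
    displayName   = "Restrict admin portals to trusted locations or compliant devices"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @("MicrosoftAdminPortals") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

foreach ($p in @($registrationPolicy, $adminPortalPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}
```

Both policies are created in report-only mode so the sign-in logs can be checked for legitimate registrations or admin sessions that would have been blocked before enforcement is switched on.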