Social Engineering Campaign Targets Hospital IT Helpdesks
Warnings have been issued by the American Hospital Association (AHA) and the Health Sector Cybersecurity Coordination Center (HC3) about a social engineering campaign that targets IT helpdesk at U.S. hospitals. According to the AHA, the campaign uses the stolen identities of revenue cycle employees or employees in other sensitive financial roles. The threat actor contacts the IT helpdesk and uses stolen personally identifiable information to answer security questions posed by IT helpdesk staff. Once the threat actor has navigated the questions, they request a password reset and ask to enroll a new device, often with a local area code, to receive multi-factor authentication (MFA) codes.
Once the new device has been enrolled, the threat actor logs into the user’s account and successfully passes the MFA check, the MFA code is sent to the newly registered device. The AHA warns that these attacks can also bypass phishing-resistant MFA. The main purpose of the campaign appears to be to divert legitimate payments. Once access has been gained to an employee’s email account, payment instructions are changed with payment processors, resulting in fraudulent payments to U.S. bank accounts. Access may also be used to install malware on the network.
HC3 is aware of this social engineering campaign and said IT helpdesks are told that the user has broken their phone so they cannot receive any MFA codes. The helpdesk is provided with the last four digits of the target employee’s social security number (SSN), corporate ID number, and demographic details to pass security checks. HC3 suggests the information is likely to have been obtained from publicly available sources such as professional networking sites and/or past data breaches. The tactics in the campaign mirror those used by a threat group known as Scattered Spider (UNC3944). Scattered Spider claimed responsibility for a similar campaign targeting the hospitality and entertainment industry, which led to BlackCat ransomware being used to encrypt files on the network. Ransomware is not believed to have been used in the campaign targeting the healthcare sector and it is unclear which threat group is behind the campaign.
The AHA was first made aware of the campaign in January 2024 and issued a warning to hospitals. The warning has now been reissued due to an uptick in incidents. “The risk posed by this innovative and sophisticated scheme can be mitigated by ensuring strict IT help desk security protocols, which at a minimum require a call back to the number on record for the employee requesting password resets and enrollment of new devices,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Organizations may also want to contact the supervisor on record of the employee making such a request. In addition, a video call with the requesting employee might be initiated and a screenshot of the employee presenting a valid government-issued ID be captured and preserved.” One large health system has changed its policies and procedures following a successful attack and now requires employees to visit the IT helpdesk in person in order to change their password or register a new device.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
You can view the HC3 alert and recommended mitigations here.
