The bad news is that cybercriminals are targeting healthcare and public health with sophisticated social engineering tactics. The good news is that you can fight back and weaken their attacks with the right defensive strategies. You have the power to defend your systems.
The Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) released a joint Cybersecurity Advisory (CSA or Advisory) last week to publicize known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used in a social engineering campaign targeting healthcare, public health entities, and providers. The Advisory also includes some essential mitigation strategies to undercut the criminals.
Social Engineering Defined
Social engineering has many definitions, but this one from Wikipedia is one of the best (slightly paraphrased).
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It is a confidence trick for information gathering, fraud, or system access. It differs from a traditional “con” because it is often one of the many steps in a more complex fraud scheme. It has also been defined as “any act that influences a person to take an action that may or may not be in their best interests.”
Social engineering on the internet has been around for a long time. For the past thirty years, as email, texting, and the countless other ways people communicate electronically have skyrocketed, so have the techniques to steal data and credentials. The healthcare sector is a prime target because the protected health information (PHI) it holds is so valuable on the black market.
The Advisory notes that hackers are using phishing schemes to steal login credentials for initial access and divert automated clearinghouse (ACH) payments to US-controlled bank accounts. Healthcare organizations are attractive targets for threat actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.
The Techniques Described
The techniques described in the Advisory include:
- voice communications to obtain login information from healthcare networks, clinics, and healthcare providers
- disabling or modifying multi-factor authentication (MFA) mechanisms to maintain access to compromised accounts
- stealing money through extortion, social engineering, and technical theft
- patching the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts
- impersonating a trusted person or organization to persuade and trick a target into performing some action on their behalf
Mitigation Techniques That Can Stop Crime
The FBI and HHS encourage healthcare organizations to implement their mitigation recommendations to reduce the likelihood and impact of social engineering incidents.
- Implement multi-factor authentication (MFA) for every account. While privileged accounts and remote access systems are critical, ensuring complete coverage across SaaS solutions is also essential. Enabling MFA for corporate communications platforms (as with all other accounts) provides vital defense against these types of attacks and, in many cases, can prevent them.
- Train IT Help Desk employees on this vulnerability. MFA bypasses should not be allowed for anyone calling the Help Desk.
- Reduce the threat of malicious actors using remote access tools by:
  - Auditing remote access tools on your network to identify currently used and/or authorized software.
  - Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable.
  - Using security software to detect instances of remote access software being loaded only in memory.
  - Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
  - Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
  - Applying recommendations in the Guide to Securing Remote Access Software.
- Organizations are urged to check phone call logs to identify whether they have been in contact with any of the phone numbers listed in the Advisory. If contact was made, the organization should assess what access the UA was given and whether the UA was successful in accessing sensitive information.
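The log-review step above (spotting remote access software that runs as a portable executable) can be turned into a simple detection. The following is an added example, not code from the Advisory or from the FBI/HHS; the log format, the tool watchlist, and the install and scratch-folder paths are assumptions to adapt to your own telemetry and authorized tooling.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Assumed watchlist of remote access tool binaries; adapt to what your IT department authorizes.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# Install roots where an IT-deployed copy normally lives (constructed, Windows paths).
INSTALLED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations typical of a portable executable that was never installed.
PORTABLE_ROOTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\", "c:\\users\\public\\")

# Assumed log format: <timestamp> host=<name> user=<name> image="<full path>"
LOG_LINE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image="(?P<image>[^"]+)"$')

def classify(image: str) -> Optional[str]:
    """Label a process image path if it is a remote access tool, else return None."""
    path = image.lower()
    exe = path.rsplit("\\", 1)[-1]
    if exe not in REMOTE_ACCESS_TOOLS:
        return None
    if path.startswith(INSTALLED_ROOTS):
        return "installed"      # expected for an authorized deployment
    if any(root in path for root in PORTABLE_ROOTS):
        return "portable"       # unpacked binary in a user-writable folder
    return "unusual-path"       # neither an install root nor a known scratch folder

def findings(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (host, user, label) for every event that is not an installed copy."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue            # skip lines that do not match the assumed format
        label = classify(m["image"])
        if label and label != "installed":
            out.append((m["host"], m["user"], label))
    return out

# Constructed sample events, not real telemetry.
SAMPLE = [
    '2024-06-10T09:12:01Z host=WS-EHR-17 user=jdoe image="C:\\Program Files\\TeamViewer\\TeamViewer.exe"',
    '2024-06-10T09:30:44Z host=WS-BILLING-03 user=asmith image="C:\\Users\\asmith\\Downloads\\AnyDesk.exe"',
    '2024-06-10T09:31:02Z host=WS-BILLING-03 user=asmith image="C:\\Windows\\System32\\notepad.exe"',
    '2024-06-10T10:05:19Z host=SRV-FILE-01 user=svc_backup image="D:\\tools\\AnyDesk.exe"',
]

if __name__ == "__main__":
    for host, user, label in findings(SAMPLE):
        print(f"{label}: {user}@{host}")
```

Installed copies are deliberately left out of the findings so that the audit list from the first step (authorized software) and the detection output stay distinct.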
The FBI and HHS also recommend that healthcare cybersecurity staff read the complete Mitigation Guide: Healthcare and Public Health (HPH) Sector and reference the HPH Cybersecurity Performance Goals, which provide tailored best practices for combating pervasive cyber threats in healthcare.
Specifically, the FBI and HHS recommend:
- Email Security: Reduce risk from common email-based threats, such as email spoofing, phishing, and fraud.
- Multifactor Authentication: Add a critical, additional layer of security, where safe and technically capable, to protect assets and accounts directly accessible from the Internet.
- Basic Cybersecurity Training: Ensure organizational users learn and perform more secure behaviors.
- Centralized Log Collection: Collect the necessary telemetry from security log data sources across the organization’s network to maximize visibility, improve cost-effectiveness, and speed up incident response.