TLDR:
- Health Sector Cybersecurity Coordination Center warns of social engineering attacks targeting IT help desks
- Threat actors are manipulating IT staff to gain access to organizations’ systems and divert legitimate payments

The Health Sector Cybersecurity Coordination Center (HC3) has issued a sector alert warning about social engineering attacks targeting IT help desks. Threat actors call from local area codes, claiming to be revenue cycle or administrator employees, to manipulate IT staff into providing access to systems and ultimately divert legitimate payments to attacker-controlled U.S. bank accounts. To pass identity verification, the threat actor provides sensitive information, such as Social Security numbers and corporate ID numbers, obtained from professional networking sites and data breaches.
HC3 recommends user awareness training and stronger security policies and procedures to improve identity verification for help desk requests. It also suggests implementing help desk policies such as requiring callbacks for password resets, contacting supervisors for verification, monitoring for suspicious changes, and revalidating all users with access to payer websites. Some hospitals have even implemented procedures that require employees to appear in person at the IT help desk for requests, and various MFA abuse mitigations for users of Entra ID have been outlined.
Social engineering attacks, like the ones targeting IT help desks, are becoming increasingly sophisticated with the use of AI voice impersonation techniques. These attacks can lead to ransomware incidents that disrupt hospitals and result in organizations paying large ransoms. It is crucial for organizations to train their workforce to operate from skepticism and to doubt anything they can’t verify as legitimate, including voicemails, text messages, and phone calls.