By The Star Staff
The FBI and the U.S. Department of Health and Human Services (HHS) have issued a Joint Cybersecurity Advisory about cyber attacks on hospitals.
“In Puerto Rico we are issuing the warning, since more than 40 hospitals have been attacked and thousands of hacking attempts are reported monthly in health institutions,” said Ramón Alejandro Pabón, a former president of the Healthcare Service Administrators Association of Puerto Rico who is currently studying for a digital transformation certification in health care at Harvard Medical School. “Fortunately, the FBI and the Department of Health and Human Services are providing us with significant support, and last night, they issued us this Joint Cybersecurity Advisory (CSA). At the local level, the call is to redouble efforts and, above all, to be alert and up to date with new modalities.”
The FBI and HHS have issued the CSA to disseminate known indicators of compromise, or IOCs, and tactics, techniques and procedures (TTPs) used in a social engineering campaign aimed at public health and health sector entities and providers.
“Threat actors are using phishing schemes to steal login credentials to gain initial access and divert Automated Clearing House (ACH) payments to controlled bank accounts in the U.S.,” Pabón said. “Healthcare organizations are attractive targets for threat actors due to their size, technological dependence, access to personal health information and the unique impacts of disruptions in patient care.”
The FBI and HHS urged organizations to implement the recommendations in the Mitigations section of the CSA, which they said “are being shared with hospitals to reduce the likelihood and impact of social engineering incidents.”
“For example, a list of telephone numbers is being distributed and those numbers must be blocked and identified in the MDM (Mobile Device Manager) if someone from the company has been in contact,” the agencies said.
Pabón noted that based on previous reports of cyber attacks and forensic analysis, the FBI and HHS observed consistency in the TTPs used in cyber attacks against the healthcare sector. Unknown threat actors gained initial access to employees’ email accounts and then specifically targeted login information related to processing reimbursement payments to insurance companies, Medicare, or similar entities.
To gain initial access to victims’ networks, the threat actor acquired credentials through social engineering or phishing. In some observed cases, the threat actor called an organization’s help desk posing as an employee of the organization and triggered a password reset for the targeted employee’s organizational account.
In some cases, by manipulating help desk employees, the threat actor was able to bypass multifactor authentication. In another case, threat actors registered a phishing domain that varied by one character from the target organization’s true domain and targeted the organization’s chief financial officer. Threat actors often have personally identifiable information, or PII, of the impersonated employee obtained from data breaches, allowing the threat actor to confirm the identity of the targeted employees over the phone.
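One defensive check for the lookalike-domain tactic described above, a sender domain that differs from the organization's real domain by a single character, as an added example that is not part of this article or the FBI/HHS advisory. The organization domain and the sample sender addresses are constructed placeholders, and the edit-distance check and function names are this example's own.

```python
from typing import Dict, List

# Constructed placeholder for the organization's own mail domain (not a real target).
ORG_DOMAIN = "example-hospital.org"

# Constructed sample "From:" addresses, as a mail gateway or SIEM might export them.
SAMPLE_SENDERS = [
    "cfo@example-hospital.org",       # legitimate
    "billing@exampIe-hospital.org",   # lowercase 'l' swapped for capital 'I'
    "cfo@example-hospita1.org",       # lowercase 'l' swapped for digit '1'
    "hr@example-hospitals.org",       # one character inserted
    "it@exampe-hospital.org",         # one character deleted
    "vendor@partner-clinic.net",      # unrelated domain, must not be flagged
]

def one_edit_away(a: str, b: str) -> bool:
    """True if a becomes b with exactly one insertion, deletion or substitution."""
    if a == b:
        return False
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1; j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1; j += 1      # substitution
        elif len(a) > len(b):
            i += 1              # extra character in a
        else:
            j += 1              # missing character in a
    # Any unconsumed tail is one more edit; total must be exactly one.
    return edits + (len(a) - i) + (len(b) - j) == 1

def flag_lookalike_senders(senders: List[str], org_domain: str = ORG_DOMAIN) -> Dict[str, str]:
    """Return {address: reason} for senders whose domain is one edit from org_domain.
    Matching is case-insensitive, so an 'I' substituted for 'l' is still caught."""
    flagged: Dict[str, str] = {}
    target = org_domain.lower()
    for addr in senders:
        domain = addr.rsplit("@", 1)[-1].strip().lower()
        if domain != target and one_edit_away(domain, target):
            flagged[addr] = f"domain {domain!r} is one edit away from {target!r}"
    return flagged
```

Run `flag_lookalike_senders(SAMPLE_SENDERS)` to see the four spoofed addresses flagged while the legitimate and unrelated ones pass.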