HC3 warns healthcare help desks of ‘advanced’ social engineers

IT pros: If someone from finance calls and says their phone is busted and they need to start over with authentication, trust but verify. Actually, don’t trust; just verify.

Healthcare help desks need to be especially careful of impersonators pretending to be locked out of accounts, according to an April 3 sector alert from the Health Sector Cybersecurity Coordination Center, or HC3. The advanced social-engineering tactics bypass multi-factor authentication mechanisms.

“The threat actor…successfully convinced the IT help desk to enroll a new device in multi-factor authentication (MFA) to gain access to corporate resources,” the report read, describing one instance.

The HC3 alert laid out the observed steps of the hospital hacker:

• The adversary calls the hospital help desk, with a familiar area code, claiming to be a member of the company’s financial team and that their phone is messed up and unable to carry out MFA.
• The threat actor has the required verification—social security numbers and other demographic info, likely available through breaches and dark-web purchases.
• After convincing the help desk to enroll a new device, the social engineer targets “login information related to payer sites,” and changes the destination for fund transfers.

Cybercriminals have targeted the help desk in high-profile incidents. In October 2023, the hacking group Scattered Spider, believed to be behind the MGM Resorts ransomware attack, tricked help-desk employees into resetting passwords and gaining unauthorized access.

An August 2023 advisory from the authentication provider Okta, warned of a “consistent pattern of social engineering attacks” against customers’ IT service desk personnel, in which callers try to convince service-desk employees to reset privileged users’ MFA factors.

Roger A. Grimes, a data-driven defense evangelist at the security training platform KnowBe4, recalled previous IT experiences and strong identity-verification measures, where resets had to be approved by a phone call to a boss or coworker, or where employees had to confirm their identity by stating a number found on the back of their badge.

The HC3 alert cited healthcare org mitigations, including the requiring of callbacks to the reset-requester’s phone number on record. (“It is important to note that when attempting callbacks for verification, the threat actor may claim to be too busy to take a phone call,” the advisory read.)

As part of its alert, HC3 also recommended many mitigation practices, including:

• Enforce Microsoft Authenticator with number matching—a push notification (and random number) sent to the user’s device. (Grimes reminded readers to make sure not to approve any uninitiated requests.)
• Implement conditional-access policies that block external entry into Microsoft Azure and Microsoft 365 accounts.

Before stepping into a role as defense evangelist, Grimes installed systems and managed a healthcare environment’s help desk. In a fast-paced, high-stakes environment like a hospital, an IT pro may feel pressure to solve authentication issues quickly.

“You want to create policies and procedures that are more difficult for attackers to fake, and you want to educate the help desk and other people about these sorts of attacks and let them know that if you follow the policy, you won’t be fired,” Grimes said.