Increased Social Engineering attacks targeting the IT Helpdesk
The latest sector alert published by the U.S. Department of Health and Human Services (HHS), in coordination with its Health Sector Cybersecurity Coordination Center (HC3), advises organizations to provide user awareness training and to adopt policies and procedures that strengthen identity verification for help desk requests. Threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to achieve their goal: initial access to target organizations.
Tactics, Techniques, and Procedures used by threat actors
Per the HC3 April 3rd alert, social engineering is being used across the Healthcare and Public Health (HPH) sector to gain unauthorized access to systems. Threat actors are employing sophisticated social engineering techniques to target an organization's IT help desk with phone calls from an area code local to the target organization, claiming to be an employee in a financial role (specifically revenue cycle or administrator roles).
The threat actor was able to provide the sensitive information required for identity verification, including the last four digits of the target employee's social security number (SSN) and corporate ID number, along with other demographic details. These details were likely obtained from professional networking sites and other publicly available sources, such as previous data breaches.
The threat actor claimed that their phone was broken, and therefore could not log in or receive MFA tokens. The threat actor then successfully convinced the IT help desk to enroll a new device in multi-factor authentication (MFA) to gain access to corporate resources.
After gaining access, the threat actor specifically targeted login information for payer websites, where they then submitted a form to make ACH changes for payer accounts. Once they had gained access to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts.
The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single-letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).
Rise in Spearphishing Voice
What is Spearphishing?
Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary.
Spearphishing voice is a specific variant of spearphishing. It differs from other forms of spearphishing in that it manipulates a user into providing access to systems through a phone call or other form of voice communication. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (impersonation) and/or creating a sense of urgency or alarm for the recipient.
Scattered Spider is a cybercriminal group that has been active since at least 2022, targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns, Scattered Spider has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.
They have used several MITRE ATT&CK techniques, including:
- Account Discovery: Cloud Account
- Account Discovery: Email Account
- Account Manipulation: Additional Cloud Roles
- Account Manipulation: Device Registration
- Account Manipulation: Additional Cloud Credentials
- Data from Cloud Storage
- Data from Information Repositories: Sharepoint
- Exploit Public-Facing Application
- External Remote Services
- Gather Victim Identity Information: Credentials
- Impersonation
- Ingress Tool Transfer
- Modify Cloud Compute Infrastructure: Create Cloud Instance
- Multi-Factor Authentication Request Generation
- Network Service Discovery
- Obtain Capabilities: Tool
- OS Credential Dumping: DCSync
- Permission Groups Discovery: Cloud Groups
- Phishing: Spearphishing Voice
- Phishing for Information: Spearphishing Voice
- Phishing for Information: Spearphishing Service
- Protocol Tunneling
- Proxy
- Remote Access Software
- Remote Services: Cloud Services
- Valid Accounts: Cloud Accounts
- Web Service
- Windows Management Instrumentation
How can organizations protect against Spearphishing Voice?
Healthcare organizations and service providers need to implement various detection methods, policies, and procedures to validate the users requesting a password reset or mobile device enrollment.
Help desk agents need to exercise the utmost judgment, as the adversary will employ manipulation techniques to bypass the call-back authentication or verification process in place.
Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.
- Enable logging of events, messages, and other artifacts provided by third-party services (e.g. metrics, errors, and alerts).
- Monitor the events and alerts 24x7x365 through a Security Operations Center (SOC).
- Use security systems that can map events from NDR, EDR, and SIEM to the MITRE ATT&CK framework and can quickly predict lateral movement.
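The correlation step above is where the help desk pretext described in the alert becomes detectable: an MFA device enrollment that follows a help desk call from a number other than the one on file, for an employee in a financial role, with a "my phone is broken" pretext. The script below is an added example and not part of the HC3 alert or any vendor product; the call log, directory and identity-provider event records are constructed sample data, and the field names (caller_number, claimed_employee, mfa_device_registered, ...) are assumptions standing in for whatever your ticketing system and IdP actually export.

```python
"""Correlate help desk call records with IdP MFA-enrollment events.

Added example (not from the HC3 alert). All records below are constructed
sample data; the field names are assumptions, not any vendor's schema.
"""
from datetime import datetime, timedelta

# Constructed HR directory: phone number on record and role per employee.
DIRECTORY = {
    "E1001": {"phone": "+12125550101", "role": "revenue cycle"},
    "E1002": {"phone": "+12125550102", "role": "nurse"},
    "E1003": {"phone": "+12125550103", "role": "it admin"},
}

# Constructed help desk call log, one dict per call.
HELPDESK_CALLS = [
    {"ts": "2024-04-03T09:02:00", "caller_number": "+12125550199",
     "claimed_employee": "E1001", "request": "mfa_reset",
     "notes": "says phone broken, cannot receive MFA"},
    {"ts": "2024-04-03T10:15:00", "caller_number": "+12125550102",
     "claimed_employee": "E1002", "request": "password_reset", "notes": ""},
]

# Constructed identity-provider audit events.
IDP_EVENTS = [
    {"ts": "2024-04-03T09:20:00", "employee": "E1001",
     "event": "mfa_device_registered", "device": "iPhone (new)"},
    {"ts": "2024-04-03T10:20:00", "employee": "E1002",
     "event": "password_changed", "device": "-"},
    {"ts": "2024-04-03T13:40:00", "employee": "E1003",
     "event": "mfa_device_registered", "device": "Android (new)"},
]

WINDOW = timedelta(hours=2)                       # call-to-enrollment window (assumed)
FINANCIAL_ROLES = {"revenue cycle", "administrator"}  # roles named in the alert


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(calls=HELPDESK_CALLS, events=IDP_EVENTS, directory=DIRECTORY):
    """Return a list of findings for MFA enrollments that match the help desk pretext."""
    findings = []
    for ev in (e for e in events if e["event"] == "mfa_device_registered"):
        t, emp = parse(ev["ts"]), ev["employee"]
        record = directory.get(emp, {})
        # Help desk calls about this employee in the window before the enrollment.
        related = [c for c in calls
                   if c["claimed_employee"] == emp
                   and 0 <= (t - parse(c["ts"])).total_seconds() <= WINDOW.total_seconds()]
        if not related:
            # Enrollment with no ticket at all is worth a look on its own.
            findings.append({"employee": emp, "severity": "medium",
                             "reason": "MFA device enrolled with no help desk call in window"})
            continue
        for call in related:
            reasons = []
            if call["caller_number"] != record.get("phone"):
                reasons.append("caller number differs from number on record")
            if record.get("role") in FINANCIAL_ROLES:
                reasons.append("employee holds a financial role targeted in the alert")
            if "phone broken" in call["notes"].lower():   # simple pretext heuristic
                reasons.append("pretext: phone broken / cannot receive MFA")
            if reasons:
                findings.append({"employee": emp,
                                 "severity": "high" if len(reasons) >= 2 else "medium",
                                 "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in correlate():
        print(f["severity"].upper(), f["employee"], "-", f["reason"])
```

Run against the constructed data, the E1001 enrollment scores high (call from a number not on file, financial role, "phone broken" pretext) and the E1003 enrollment is flagged at medium because no help desk call preceded it; the E1002 password change is ignored because it is not a device enrollment. In production the same logic should consume the real ticketing export and IdP audit log, and the two-hour window should be tuned to how long your help desk takes to fulfil a reset.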
Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identity of callers.
- Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
- Periodic security awareness training and tabletop exercises can help users understand the impact and mitigation procedures.
- Review processes and maintain escalation procedures for confirming incoming requests through an independent channel, such as a call-back or an in-person check, to reduce risk.
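The verification and escalation steps above can be expressed as a policy table the help desk tooling enforces rather than as guidance the agent has to remember under pressure. The code below is an added example and not part of the HC3 alert; the request types, evidence field names and the policy table are assumptions chosen to illustrate the point that knowledge-based answers (last-4 SSN, employee ID) never satisfy a high-risk request on their own, and that a call-back only counts when it goes to the number on file, not to a number the caller supplied.

```python
"""Help desk identity-verification policy for password reset and MFA enrollment.

Added example (not from the HC3 alert). Request types, evidence field names
and the policy table are assumptions; adapt them to your own process.
"""

# Constructed HR record: phone number on file and manager per employee.
DIRECTORY = {
    "E1001": {"phone": "+12125550101", "manager": "E2001"},
}

# Checks that must ALL be satisfied before a request is fulfilled.
# Knowledge-based answers alone are never enough: the alert shows they can
# be assembled from breach data and professional networking profiles.
POLICY = {
    "password_reset": {"kba", "callback_on_record"},
    "mfa_device_enrollment": {"kba", "callback_on_record", "manager_confirmed"},
}

# Channels accepted for manager confirmation: independent of the caller's line.
INDEPENDENT_CHANNELS = {"in_person", "video", "known_phone"}


def evaluate(request, directory=DIRECTORY, policy=POLICY):
    """Return (approved, satisfied_checks, missing_checks) for a help desk request."""
    record = directory.get(request["employee_id"])
    if record is None:
        return False, set(), {"unknown employee"}
    satisfied = set()
    if {"ssn_last4", "employee_id"} <= set(request.get("kba_answered", [])):
        satisfied.add("kba")
    cb = request.get("callback")
    # A call-back counts only if it went to the number on file and was answered there.
    if cb and cb.get("answered") and cb.get("number") == record["phone"]:
        satisfied.add("callback_on_record")
    mc = request.get("manager_confirmation")
    if mc and mc.get("by") == record["manager"] and mc.get("channel") in INDEPENDENT_CHANNELS:
        satisfied.add("manager_confirmed")
    missing = policy[request["type"]] - satisfied
    return not missing, satisfied, missing


# Constructed request mirroring the alert: correct KBA answers, "phone broken",
# and a call-back to a number the caller supplied rather than the one on file.
PRETEXT_REQUEST = {
    "type": "mfa_device_enrollment", "employee_id": "E1001",
    "kba_answered": ["ssn_last4", "employee_id"],
    "callback": {"number": "+12125550199", "answered": True},
}

# Constructed legitimate request: call-back reached the number on file and the
# manager confirmed over video.
LEGITIMATE_REQUEST = {
    "type": "mfa_device_enrollment", "employee_id": "E1001",
    "kba_answered": ["ssn_last4", "employee_id"],
    "callback": {"number": "+12125550101", "answered": True},
    "manager_confirmation": {"by": "E2001", "channel": "video"},
}

if __name__ == "__main__":
    for name, req in [("pretext", PRETEXT_REQUEST), ("legitimate", LEGITIMATE_REQUEST)]:
        ok, have, need = evaluate(req)
        print(f"{name}: approved={ok} satisfied={sorted(have)} missing={sorted(need)}")
```

For the pretext request the only satisfied check is "kba", so the enrollment is refused with "callback_on_record" and "manager_confirmed" still outstanding, which is exactly the escalation the agent should follow; the legitimate request clears all three. Encoding the table this way also gives the SOC a log line per refused request to correlate with the call-log monitoring described earlier.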