Increased Social Engineering attacks targeting the IT Helpdesk

The latest sector alert published by the U.S. Department of Health and Human Services (HHS), in coordination with its Health Sector Cybersecurity Coordination Center (HC3), advises user awareness training, as well as policies and procedures that strengthen identity verification for help desk requests. Threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to achieve their goal, which is to gain initial access to target organizations.

Tactics, Techniques, and Procedures used by threat actors

As per the HC3 April 3rd alert, social engineering is being used across the Healthcare and Public Health (HPH) sector to gain unauthorized access to systems. Threat actors are employing sophisticated social engineering techniques to target an organization's IT help desk with phone calls from an area code local to the target organization, claiming to be an employee in a financial role (specifically in revenue cycle or administrator roles).

The threat actor can provide the required sensitive information for identity verification, including the last four digits of the target employee’s social security number (SSN) and corporate ID number, along with other demographic details. These details were likely obtained from professional networking sites and other publicly available information sources, such as previous data breaches.

The threat actor claimed that their phone was broken, and therefore could not log in or receive MFA tokens. The threat actor then successfully convinced the IT help desk to enroll a new device in multi-factor authentication (MFA) to gain access to corporate resources.

After gaining access, the threat actor specifically targeted login information for payer websites, where they then submitted a form to make ACH changes for payer accounts. Once access had been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts.

The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single-letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).

Rise in Spearphishing Voice

What is Spearphishing?

Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary.

Spearphishing voice is a specific variant of spearphishing. It differs from other forms of spearphishing in that it manipulates a user into providing access to systems through a phone call or other form of voice communication. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (impersonation) and/or creating a sense of urgency or alarm for the recipient.

Scattered Spider is a cybercriminal group that has been active since at least 2022, targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns, Scattered Spider has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.

They have used several ATT&CK techniques, including:

  • Account Discovery: Cloud Account
  • Account Discovery: Email Account
  • Account Manipulation: Additional Cloud Roles
  • Account Manipulation: Device Registration
  • Account Manipulation: Additional Cloud Credentials
  • Data from Cloud Storage
  • Data from Information Repositories: Sharepoint
  • Exploit Public-Facing Application
  • External Remote Services
  • Gather Victim Identity Information: Credentials
  • Impersonation
  • Ingress Tool Transfer
  • Modify Cloud Compute Infrastructure: Create Cloud Instance
  • Multi-Factor Authentication Request Generation
  • Network Service Discovery
  • Obtain Capabilities: Tool
  • OS Credential Dumping: DCSync
  • Permission Groups Discovery: Cloud Groups
  • Phishing: Spearphishing Voice
  • Phishing for Information: Spearphishing Voice
  • Phishing for Information: Spearphishing Service
  • Protocol Tunneling
  • Proxy
  • Remote Access Software
  • Remote Services: Cloud Services
  • Valid Accounts: Cloud Accounts
  • Web Service
  • Windows Management Instrumentation

How can organizations protect against Spearphishing Voice?

Healthcare organizations and service providers need to implement detection methods, policies, and procedures that validate the users requesting a password reset or mobile device enrollment.

Help desk agents need to exercise the utmost judgment, as the adversary will employ manipulation techniques to bypass the call-back authentication or verification process in place.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

  • Enable logging of events, messages, and other artifacts provided by third-party services (e.g., metrics, errors, and/or alerts)
  • Monitor the events and alerts 24x7x365 through a Security Operations Center (SOC)
  • Use security systems that can map events from NDR, EDR, and SIEM to the MITRE ATT&CK framework and can quickly anticipate the adversary's next (lateral) movement

Users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identity of callers.

  • Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
  • Periodic security awareness training and tabletop exercises can help users understand the impact and mitigation procedures.
  • Review processes and establish escalation procedures that confirm incoming requests through an independent channel, such as a call-back or in-person verification, to reduce risk.
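As an added example (not from the HC3 alert or this page), the correlation described above in code: help desk MFA-enrollment tickets are matched against identity-provider audit events, and an enrollment verified only by knowledge-based checks that is followed by a login from a never-before-seen IP or by a new mail-forwarding rule is raised as an alert. The ticket fields, event names and records are constructed assumptions, not any vendor's schema.

```python
"""Correlate help desk MFA-enrollment tickets with identity-provider audit
events to surface the help-desk social-engineering pattern described above.

All records below are constructed sample data; the field and event names are
assumptions, not a particular ticketing system's or IdP's schema."""
from datetime import datetime, timedelta

# Constructed help desk tickets. `verified_by` lists the checks the agent
# performed. Knowledge-based checks alone are weak: SSN last-4 and employee
# IDs are routinely available from breach dumps and professional profiles.
TICKETS = [
    {"id": "HD-1001", "ts": "2024-04-03T09:12:00", "user": "j.rivera",
     "request": "mfa_device_enroll", "caller_claim": "phone broken",
     "verified_by": ["ssn_last4", "employee_id"]},
    {"id": "HD-1002", "ts": "2024-04-03T10:40:00", "user": "m.chen",
     "request": "mfa_device_enroll", "caller_claim": "new phone",
     "verified_by": ["callback_number_on_file", "manager_confirmation"]},
    {"id": "HD-1003", "ts": "2024-04-03T11:05:00", "user": "a.patel",
     "request": "password_reset", "caller_claim": "forgot password",
     "verified_by": ["ssn_last4"]},
]

# Constructed identity-provider audit events (documentation IP ranges).
EVENTS = [
    {"ts": "2024-03-20T08:00:00", "user": "j.rivera", "event": "user.login",
     "ip": "203.0.113.10"},
    {"ts": "2024-04-03T09:15:00", "user": "j.rivera", "event": "mfa.device.enrolled",
     "ip": "203.0.113.10"},
    {"ts": "2024-04-03T09:31:00", "user": "j.rivera", "event": "user.login",
     "ip": "198.51.100.77"},
    {"ts": "2024-04-03T09:40:00", "user": "j.rivera",
     "event": "mail.forwarding_rule.created", "ip": "198.51.100.77"},
    {"ts": "2024-04-03T10:45:00", "user": "m.chen", "event": "mfa.device.enrolled",
     "ip": "203.0.113.22"},
    {"ts": "2024-04-03T12:00:00", "user": "m.chen", "event": "user.login",
     "ip": "203.0.113.22"},
]

# Checks that involve an independent channel, as the guidance above calls for.
STRONG_CHECKS = {"callback_number_on_file", "manager_confirmation", "in_person"}
# Post-access actions that precede payment diversion in the campaign described.
POST_ACCESS_EVENTS = {"mail.forwarding_rule.created", "mail.inbox_rule.created"}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def weak_enrollments(tickets):
    """Tickets that enrolled a new MFA device on knowledge-based checks only."""
    return [t for t in tickets
            if t["request"] == "mfa_device_enroll"
            and not STRONG_CHECKS.intersection(t["verified_by"])]


def correlate(tickets, events, window_hours=24):
    """One alert per weakly verified enrollment. Severity is 'high' when the
    window after the ticket contains a login from an IP never seen for that
    user before the ticket, or a mail-rule change; otherwise 'medium'."""
    alerts = []
    for t in weak_enrollments(tickets):
        start = _t(t["ts"])
        end = start + timedelta(hours=window_hours)
        user_events = sorted((e for e in events if e["user"] == t["user"]),
                             key=lambda e: e["ts"])
        # IPs seen before the ticket form the user's baseline.
        known_ips = {e["ip"] for e in user_events if _t(e["ts"]) < start}
        reasons = []
        for e in user_events:
            if not start <= _t(e["ts"]) <= end:
                continue
            if e["event"] == "user.login" and e["ip"] not in known_ips:
                reasons.append(f"login from new IP {e['ip']} at {e['ts']}")
            elif e["event"] in POST_ACCESS_EVENTS:
                reasons.append(f"{e['event']} at {e['ts']}")
        alerts.append({"ticket": t["id"], "user": t["user"],
                       "verified_by": t["verified_by"],
                       "severity": "high" if reasons else "medium",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(TICKETS, EVENTS):
        print(alert)
```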

Benefits of an MSSP

Managed Security Services (MSS) are crucial in today's digital landscape to help organizations protect their sensitive information, critical systems, and overall digital assets from an ever-evolving landscape of cyber threats. Cyberattacks are increasing in complexity and sophistication. Here are some reasons why organizations need Managed Security Services:

Expertise and Specialization:

Cybersecurity is a complex and rapidly evolving field. Managed Security Service Providers (MSSPs) are dedicated to staying up to date with the latest threats, vulnerabilities, and defense strategies. They employ a team of skilled cybersecurity professionals with specialized knowledge and experience in handling various security challenges.

24/7 Monitoring and Response:

Cyber threats can occur at any time, day or night. MSSPs offer continuous monitoring of an organization's networks and systems. This 24/7 monitoring ensures that potential threats are identified and addressed in real-time, reducing the risk of data breaches and minimizing downtime.

Advanced Tools and Technologies:

MSSPs utilize advanced security tools, technologies, and threat intelligence platforms that might be cost-prohibitive for individual organizations to implement and manage on their own. This allows organizations to benefit from cutting-edge security solutions without the need for significant upfront investments.

Scalability:

As organizations grow, their security needs also evolve. MSSPs offer scalability, allowing organizations to easily adjust the level of security services based on their changing requirements without having to invest in new infrastructure or hire additional personnel.

Cost Efficiency:

Building an in-house cybersecurity team and infrastructure can be expensive. It requires recruiting, training, and retaining skilled cybersecurity professionals, as well as investing in hardware, software, and ongoing maintenance. MSSPs offer a more cost-effective solution, as organizations pay for the services they need without the overhead of managing an internal security team.

Focus on Core Business Activities:

Managing cybersecurity internally can be resource-intensive and distract organizations from their core business objectives. By outsourcing security to MSSPs, organizations can free up their internal resources to focus on strategic initiatives that drive growth and innovation.

Compliance and Regulations:

Many industries are subject to strict regulatory requirements regarding data protection and cybersecurity. MSSPs have experience in navigating these compliance frameworks and can help organizations ensure that they meet the necessary standards.

Rapid Incident Response:

In the event of a security incident or breach, MSSPs have established incident response protocols and teams ready to mitigate the damage and guide the organization through the recovery process.

Risk Management:

MSSPs provide organizations with a comprehensive understanding of their security posture and vulnerabilities. This enables organizations to make informed decisions about risk mitigation strategies and allocate resources effectively.

Threat Intelligence:

MSSPs gather threat intelligence from a wide range of sources, allowing them to identify emerging threats and trends. This proactive approach helps organizations stay ahead of potential attacks and adapt their security measures accordingly.

In summary, Managed Security Services offer organizations the advantage of specialized expertise, round-the-clock protection, advanced tools, scalability, cost savings, and the ability to focus on core business activities. As cyber threats become more sophisticated and prevalent, many organizations find that partnering with MSSPs is a strategic way to enhance their overall cybersecurity posture.


Monthly Cybersecurity Vulnerability Bulletin May 2023



The vulnerabilities listed for May 2023 include the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for May are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMware, and MOVEit. A vulnerability is classified as a zero-day if it is actively exploited with no fix available or is publicly disclosed. Fortuna Cysec and all security agencies strongly recommend patching all vulnerabilities, with special consideration to the risk management posture of the organization.


MOVEit Transfer Critical Vulnerability


A critical vulnerability was discovered in Progress/Ipswitch's MOVEit Transfer software. MOVEit is a managed file transfer product that encrypts files and uses secure file transfer protocols to move data, with automation, analytics, and failover options. Tracked as CVE-2023-34362, this vulnerability could lead to escalated privileges and potential unauthorized access to the environment. All MOVEit Transfer users should protect their MOVEit Transfer environment by taking immediate action following Progress' remediation guidance (see References below).


Department of Homeland Security/Cybersecurity & Infrastructure Security Agency


The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) added a total of 19 vulnerabilities in May to its Known Exploited Vulnerabilities Catalog.

This effort is driven by Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, which established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the U.S. federal enterprise.

Vulnerabilities that are entered into this catalog are required to be patched by their associated deadline by all U.S. executive agencies. While these requirements do not extend to the private sector, it is recommended that all entities review vulnerabilities in this catalog and consider prioritizing them as part of their risk mitigation plan. The full catalog is available on CISA's website.


Microsoft


Microsoft issued security updates in May to fix 38 vulnerabilities, including two actively exploited zero-day vulnerabilities. Six of these vulnerabilities are classified as 'Critical,' one of the most severe ratings, as they allow remote code execution. The number of bugs in each vulnerability category is as follows:

• 8 Elevation of Privilege Vulnerabilities
• 4 Security Feature Bypass Vulnerabilities
• 12 Remote Code Execution Vulnerabilities
• 8 Information Disclosure Vulnerabilities
• 5 Denial of Service Vulnerabilities
• 1 Spoofing Vulnerability

May's Patch Tuesday had the lowest number of resolved vulnerabilities for Microsoft, with only thirty-eight vulnerabilities fixed; this does not include eleven Microsoft Edge vulnerabilities fixed on May 5th.

May's Patch Tuesday addressed three zero-day vulnerabilities, two exploited in attacks and one publicly disclosed. Additional information on the two actively exploited zero-day vulnerabilities is as follows:

• CVE-2023-29336 – A Win32k Elevation of Privilege vulnerability with a CVSS score of 7.8. Microsoft has fixed this privilege elevation vulnerability in the Win32k kernel driver, which elevates privileges to SYSTEM, Windows' highest user privilege level. A threat actor who successfully exploits this vulnerability could gain SYSTEM privileges.
• CVE-2023-24932 – A Secure Boot Security Feature Bypass vulnerability with a CVSS score of 6.2. Microsoft has fixed this Secure Boot bypass, which is weaponized by the BlackLotus UEFI bootkit to exploit CVE-2022-21894 (aka Baton Drop), a flaw resolved in January 2022.

Microsoft also released an update for one publicly disclosed zero-day that was not actively exploited. Tracked as CVE-2023-29325, it is a Windows OLE Remote Code Execution vulnerability. According to Microsoft, "In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim."

For a complete list of Microsoft vulnerabilities released in May with their ratings, and for all security updates, see the References below. All users should follow Microsoft's guidance, which is to refer to the Microsoft Security Response Center and apply the necessary updates and patches immediately, as these vulnerabilities can adversely impact affected entities.


Google/Android


Google released security updates in May for Android devices with fixes for over 47 vulnerabilities. While no critical flaws were addressed, there were high- and moderate-severity flaws, with the worst vulnerability potentially leading to privilege escalation if a threat actor is able to gain physical access to a target's device. Every month, security updates are released in two parts. The first part of the update arrived as the 2023-05-01 security patch level, resolving 16 vulnerabilities in the Android System and Framework. The second part arrived on devices as the 2023-05-05 security patch level; it included fixes for 29 vendor-specific vulnerabilities, and two Pixel-specific flaws were addressed as well.

One of Android's most notable security updates this month was a patch for a high-severity vulnerability exploited as a zero-day to install commercial spyware on compromised devices. Tracked as CVE-2023-0266, this flaw is a use-after-free weakness in the Linux kernel sound subsystem that may result in privilege escalation without requiring user interaction.

Google also released Chrome version 101.0.4951.64 for Windows, Linux, and Mac. This version addresses vulnerabilities that a threat actor could exploit to take control of a compromised system. All users should follow CISA's guidance to review the Chrome Release Note and apply the necessary update. Users should also refer to the Android and Google service mitigations section for a summary of the mitigations provided by the Android security platform and Google Play Protect, which improve the security of the Android platform. It is imperative that health sector employees keep their devices updated and apply patches immediately, and that those who use older devices follow previous guidance to prevent their devices from being compromised. All Android and Google service mitigations, along with security information on vulnerabilities affecting Android devices, are linked in the References below.


Apple


This month, CISA ordered federal agencies to address three recently patched zero-day flaws affecting Apple's iPhones, Macs, and iPads based on evidence of active exploitation. The vulnerabilities, found in the WebKit browser engine, are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. With successful exploitation, threat actors can escape the browser sandbox, access sensitive information on a compromised device, and achieve arbitrary code execution.

According to CISA: "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." All users and administrators should follow CISA's guidance, which "encourages users and administrators to review the following advisories and apply the necessary updates":

• Apple Multiple Products WebKit Sandbox Escape Vulnerability (CVE-2023-32409)
• Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability (CVE-2023-28204)
• Apple Multiple Products WebKit Use-After-Free Vulnerability (CVE-2023-32373)

For the first time ever, Apple released a Rapid Security Response to owners of devices running iOS 16.4.1 or later, iPadOS 16.4.1 or later, or macOS Ventura 13.3.1 or later. Apple Rapid Security Response was released about a year ago and is a security-focused feature that makes user devices automatically install security patches as they become available. For a complete list of the latest Apple security and software updates, see the References below. All users should install updates and apply patches immediately. It is worth noting that after a software update is installed for iOS, iPadOS, tvOS, and watchOS, it cannot be downgraded to the previous version.

Mozilla


Mozilla released security advisories for vulnerabilities affecting multiple Mozilla products, including Thunderbird, Firefox, and Firefox ESR. If successful, a threat actor could exploit these vulnerabilities and take control of a compromised device or system. As a best practice, all users should follow CISA's guidance, which encourages all users to review the following advisories and apply the necessary updates:

• Firefox 113: Mozilla Foundation Security Advisory 2023-16
• Firefox ESR 102.11: Mozilla Foundation Security Advisory 2023-17
• Thunderbird 102.11: Mozilla Foundation Security Advisory 2023-18

A complete list of Mozilla's updates, including lower-severity vulnerabilities, is available on the Mozilla Foundation Security Advisories page. Apply the necessary updates and patches immediately and follow Mozilla's guidance for additional support.


SAP


SAP released 18 new security notes and six updates to previously issued security notes to address vulnerabilities affecting multiple products. If successful in launching an attack, a threat actor could exploit these vulnerabilities and take control of a compromised device or system. This month, two vulnerabilities carried a severity rating of "Hot News," the most severe rating. There were also nine flaws rated "High," 10 "Medium," and three "Low" in severity. A breakdown of the security notes with a "Hot News" severity rating is as follows:

• Security Note #3328495 (CVE-2021-44151, CVE-2021-44152, CVE-2021-44153, CVE-2021-44154, CVE-2021-44155) has a 9.8 CVSS score and a 'Hot News' severity rating. Multiple vulnerabilities in the Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager. Product(s) impacted: SAP 3D Visual Enterprise License Manager, Version 15.
• Security Note #3307833 (CVE-2023-28762) has a 9.1 CVSS score and a 'Hot News' severity rating. Information disclosure vulnerabilities in SAP BusinessObjects Intelligence Platform. Product(s) impacted: SAP BusinessObjects Intelligence Platform, Versions 420, 430.

For a complete list of SAP's security notes and updates for vulnerabilities released in May, see the References below. Patch immediately and follow SAP's guidance for additional support. To fix vulnerabilities discovered in SAP products, SAP recommends that customers visit the Support Portal and apply patches to protect their SAP landscape.


Cisco

Cisco released security advisories for vulnerabilities affecting multiple Cisco products. Two advisories were rated "Critical," two "High," and 12 "Medium." Additional information on the "Critical" security advisories is as follows:

• Cisco Small Business Series Switches Buffer Overflow Vulnerabilities has a CVSS score of 9.8. A remote threat actor could exploit these vulnerabilities to cause a denial-of-service condition or execute arbitrary code with root privileges on an affected device. The vulnerabilities in this advisory are CVE-2023-20024, CVE-2023-20156, CVE-2023-20157, CVE-2023-20158, CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, CVE-2023-20162, and CVE-2023-20189.
• Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability (CVE-2023-20126) has a CVSS score of 9.8. This is a vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters that could allow an unauthenticated, remote threat actor to execute arbitrary code on an affected device. It is caused by a missing authentication process within the firmware upgrade function. A remote threat actor could exploit this vulnerability by upgrading an affected device to a crafted version of firmware and executing arbitrary code on the affected device with full privileges.

Currently there are no workarounds to address these vulnerabilities. For a complete list of Cisco security advisories released in May, visit the Cisco Security Advisories page (see References below). Cisco also provides free software updates that address critical and high-severity vulnerabilities listed in its security advisories.


Fortinet


Fortinet's May vulnerability advisory addressed two "High," four "Medium," and three "Low" rated vulnerabilities across different Fortinet products, including FortiADC, FortiNAC, FortiOS, and FortiProxy. Additional information on this month's "High" rated vulnerabilities is as follows:

• FG-IR-22-297 (CVE-2023-27999) has a CVSSv3 score of 7.6. This is an improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC that could allow an authenticated threat actor to execute unauthorized commands through specifically crafted arguments to existing commands.
• FG-IR-22-475 (CVE-2023-22640) has a CVSSv3 score of 7.1. This is an out-of-bounds write vulnerability [CWE-787] in sslvpnd of FortiOS and FortiProxy that could allow an authenticated threat actor to achieve arbitrary code execution through specifically crafted requests.

Users should follow CISA's guidance, which encourages users and administrators to review Fortinet's May 2023 Vulnerability Advisories page for additional information and apply all recommended updates and patches immediately. For a complete list of vulnerabilities addressed in May, see the FortiGuard Labs Vulnerability Advisories page in the References below.


VMware

VMware released three security advisories: one rated "Important" (VMSA-2023-0009) and two rated "Moderate" (VMSA-2023-0010, VMSA-2023-0011). If successful, a threat actor could exploit these vulnerabilities and take control of a compromised device or system. Additional information is as follows:

• VMSA-2023-0009 – This security advisory has a maximum CVSSv3 score of 8.8 and impacts VMware Aria Operations (formerly vRealize Operations). The update addresses multiple local privilege escalations and a deserialization issue (CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880).
• VMSA-2023-0010 – This security advisory has a maximum CVSSv3 score of 4.3 and impacts NSX-T. The update addresses a cross-site scripting vulnerability (CVE-2023-20868).
• VMSA-2023-0011 – This security advisory has a maximum CVSSv3 score of 6.1 and impacts VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), and VMware Cloud Foundation (Cloud Foundation). The update addresses an insecure redirect vulnerability (CVE-2023-20884).

For a complete list of VMware's security advisories, see the References below. Users should follow VMware's guidance for each advisory and immediately apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' on each security advisory page.


References


Android Security Bulletins
https://source.android.com/security/bulletin
Android's May security update is rolling out now to Google Pixel phones
https://www.androidpolice.com/android-may-2023-security-google-pixel/
Android Security Bulletin—May 2023
https://source.android.com/docs/security/bulletin/2023-05-01
Apple Security Updates
https://support.apple.com/en-us/HT201222
CISA Adds Three Known Exploited Vulnerabilities to Catalog
https://www.cisa.gov/news-events/alerts/2023/05/22/cisa-adds-three-known-exploited-vulnerabilities-catalog
Cisco phone adapters vulnerable to RCE attacks, no fix available
https://www.bleepingcomputer.com/news/security/cisco-phone-adapters-vulnerable-to-rce-attacks-no-fix-available/
Cisco Security Advisories
https://tools.cisco.com/security/center/publicationListing.x
Cisco Security Advisories
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
FortiGuard Labs PSIRT Advisories
https://www.fortiguard.com/psirt
FortiGuard Labs May 2023 Vulnerability Advisories
https://www.fortiguard.com/psirt-monthly-advisory/may-2023-vulnerability-advisories
Google Chrome Releases: Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_10.html
Microsoft May 2023 Patch Tuesday
https://isc.sans.edu/diary/rss/29826
Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws
https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2023-patch-tuesday-fixes-3-zero-days-38-flaws/
Microsoft's May Patch Tuesday Fixes 38 Flaws, Including 2 Exploited Zero-Day Bugs
https://thehackernews.com/2023/05/microsofts-may-patch-tuesday-fixes-38.html
Microsoft Security Response Center May 2023
https://msrc.microsoft.com/blog/2023/05/
Microsoft Security Update Guide
https://msrc.microsoft.com/update-guide
Microsoft Patch Tuesday by Morphus Labs
https://patchtuesdaydashboard.com/
Microsoft Patch Tuesday, May 2023 Edition
https://krebsonsecurity.com/2023/05/microsoft-patch-tuesday-may-2023-edition/
MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362)
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
Mozilla Foundation Security Advisories
https://www.mozilla.org/en-US/security/advisories/
New Android updates fix kernel bug exploited in spyware attacks
https://www.bleepingcomputer.com/news/security/new-android-updates-fix-kernel-bug-exploited-in-spyware-attacks/
SANS Microsoft May 2023 Patch Tuesday
https://isc.sans.edu/diary/Microsoft+May+2023+Patch+Tuesday/29826/
SAP Security Patch Day – May 2023
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
SAP Security Notes
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
VMware Security Advisories
https://www.vmware.com/security/advisories.html


Monthly Cybersecurity Vulnerability Bulletin June 2023

The vulnerabilities listed for June 2023 require attention. They include the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for June are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMware, and MOVEit.

A vulnerability is classified as a zero-day if it is actively exploited with no fix available or is publicly disclosed. Fortuna Cysec and all security agencies strongly recommend patching all vulnerabilities, with special consideration to the risk management posture of the organization.

Department of Homeland Security/Cybersecurity & Infrastructure Security Agency

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) added a total of 24 vulnerabilities in June to their Known Exploited Vulnerabilities Catalog.

This effort is driven by Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, which established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the U.S. federal enterprise.

Vulnerabilities that are entered into this catalog are required to be patched by their associated deadline by all U.S. executive agencies. While these requirements do not extend to the private sector, it is recommended that all entities review vulnerabilities in this catalog and consider prioritizing them as part of their risk mitigation plan. The full catalog is available on CISA's website.
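Added example (not part of this bulletin or of CISA's tooling) of the prioritization this section and the May bulletin's KEV section recommend: findings from a vulnerability scan are checked against the KEV catalog's JSON feed and ordered by BOD 22-01 due date, overdue items first. The catalog excerpt, its dates and the scan findings are constructed sample data in the feed's schema; a real download of the feed parses the same way.

```python
"""Check vulnerability-scan findings against CISA's Known Exploited
Vulnerabilities (KEV) catalog and order them by BOD 22-01 due date.

KEV_SAMPLE is a constructed excerpt in the schema of the published feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
its dates and the scan findings are sample values, not real data."""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-29336", "vendorProject": "Microsoft", "product": "Win32k",
         "vulnerabilityName": "Win32k Elevation of Privilege Vulnerability",
         "dateAdded": "2023-05-09", "dueDate": "2023-05-30",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-32409", "vendorProject": "Apple", "product": "Multiple Products",
         "vulnerabilityName": "WebKit Sandbox Escape Vulnerability",
         "dateAdded": "2023-05-22", "dueDate": "2023-06-12",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "vulnerabilityName": "MOVEit Transfer Critical Vulnerability",
         "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scan output: one row per (asset, CVE). CVE-2023-29325 is the
# publicly disclosed but not exploited OLE bug from the May bulletin, so it
# is not expected in the catalog.
FINDINGS = [
    {"asset": "moveit-01.corp.example", "cve": "CVE-2023-34362"},
    {"asset": "ws-0421.corp.example", "cve": "CVE-2023-29336"},
    {"asset": "ws-0421.corp.example", "cve": "CVE-2023-29325"},
    {"asset": "mac-0107.corp.example", "cve": "CVE-2023-32409"},
]

# Reference date for the sample run (constructed).
AS_OF = date(2023, 6, 5)


def load_kev(kev_json):
    """Index the feed by CVE id; the real feed has the same top-level shape."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(kev_json, findings, today):
    """Annotate each finding with KEV status and days until the BOD 22-01
    due date (negative = overdue); return KEV items first, most urgent first,
    then non-KEV findings for the normal patch cycle."""
    kev = load_kev(kev_json)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            rows.append({**f, "in_kev": False, "days_left": None,
                         "action": "patch in normal cycle"})
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({**f, "in_kev": True,
                     "product": f"{entry['vendorProject']} {entry['product']}",
                     "due": entry["dueDate"], "days_left": days_left,
                     "action": entry["requiredAction"]})
    rows.sort(key=lambda r: (not r["in_kev"],
                             r["days_left"] if r["in_kev"] else 0))
    return rows


def overdue(rows):
    """KEV findings whose due date has already passed."""
    return [r for r in rows if r["in_kev"] and r["days_left"] < 0]


if __name__ == "__main__":
    for row in prioritize(KEV_SAMPLE, FINDINGS, AS_OF):
        print(row)
```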

Microsoft

Microsoft issued security updates to fix 78 vulnerabilities, including 38 remote code execution flaws in June. While all 38 remote code execution vulnerabilities were fixed, Microsoft only listed six vulnerabilities as 'Critical,' including denial of service attacks, remote code execution, and privilege elevation. The number of bugs in each vulnerability category is listed as follows:

• 17 Elevation of Privilege Vulnerabilities
• 3 Security Feature Bypass Vulnerabilities
• 32 Remote Code Execution Vulnerabilities
• 5 Information Disclosure Vulnerabilities
• 10 Denial of Service Vulnerabilities
• 10 Spoofing Vulnerabilities
• 1 Edge – Chromium Vulnerability

The list above does not include 16 Microsoft Edge vulnerabilities fixed on June 2nd. There were no zero-day vulnerabilities or actively exploited flaws this month. Some notable vulnerabilities are as follows:

• CVE-2023-29357 – This is a Microsoft SharePoint Server Elevation of Privilege Vulnerability with a CVSS score of 8.5. Microsoft has addressed this privilege elevation vulnerability in Microsoft SharePoint that could give threat actors the ability to assume the privileges of other users, including administrators. According to Microsoft's advisory, "An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user."

• CVE-2023-32031 – This is a Microsoft Exchange Server Remote Code Execution Vulnerability with a CVSS score of 8.8. The flaw could allow an authenticated attacker to achieve remote code execution. According to Microsoft’s advisory, “The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.”

For a complete list of Microsoft vulnerabilities released in June and their ratings, click here, and for all security updates, click here. It is recommended all users follow Microsoft’s guidance, which is to refer to Microsoft's Security Response Center and apply the necessary updates and patches immediately, as these vulnerabilities can adversely impact the health sector.

Google/Android

Google released security updates in June for Android devices with fixes for over 50 vulnerabilities, including an Arm Mali GPU Kernel Driver flaw exploited by spyware vendors, which Google reported in March 2023. Tracked as CVE-2022-22706, the exploited vulnerability is a kernel driver issue that allows a non-privileged user to achieve write access to read-only memory pages. This flaw has been used in targeted attacks and was fixed by Arm in January 2022.

Every month, security updates are released in two parts. The first part of the update arrived as the 2023-06-01 security patch level, which resolved 10 vulnerabilities in the Framework component and 13 flaws in the System component. Three of the addressed vulnerabilities are rated “Critical Severity” remote code execution (RCE) flaws, tracked as CVE-2023-21127, CVE-2023-21108, and CVE-2023-21130.


According to Android’s Security Bulletin, “The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation.” The remaining 20 vulnerabilities are rated “High Severity” and can lead to denial-of-service (DoS), escalation of privilege, or information disclosure. The second part of Android’s security update arrived on devices as the 2023-06-05 security patch level. This security update fixes 33 flaws in Arm (3 vulnerabilities), Imagination Technologies (2), Unisoc (4), Widevine DRM (2), and Qualcomm components (22).

It is recommended users refer to the Android and Google service mitigations section for a summary of the mitigations provided by the Android security platform and Google Play Protect, which improve the security of the Android platform. It is imperative that health sector employees keep their devices updated and apply patches immediately, and those who use older devices follow previous guidance to prevent their devices from being compromised. All Android and Google service mitigations along with security information on vulnerabilities affecting Android devices can be viewed by clicking here.

Apple

Apple released security updates to address vulnerabilities in multiple products. If successful, a threat actor can exploit some of these vulnerabilities and take control of a compromised device or system. It is recommended all users and administrators follow CISA’s guidance, which encourages users and administrators to review the following advisories and apply the necessary updates:

• watchOS 8.8.1

• macOS Big Sur 11.7.8

• macOS Monterey 12.6.7

• iOS 15.7.7 and iPadOS 15.7.7

• watchOS 9.5.2

• macOS Ventura 13.4.1

• iOS 16.5.1 and iPadOS 16.5.1

For a complete list of the latest Apple security and software updates, click here. It is recommended all users install updates and apply patches immediately. It is worth noting that after a software update is installed for iOS, iPadOS, tvOS, and watchOS, it cannot be downgraded to the previous version.

Mozilla

Mozilla released security advisories for vulnerabilities affecting multiple Mozilla products, including Firefox 114 and Firefox ESR 102.12. If successful, a threat actor could exploit these vulnerabilities to take control of a compromised system or device. All users are encouraged to follow CISA’s guidance, review the following advisories, and apply the necessary updates:

• Firefox 114

• Firefox ESR 102.12

A complete list of Mozilla’s updates, including lower-severity vulnerabilities, is available on the Mozilla Foundation Security Advisories page. It is recommended to apply the necessary updates and patches immediately and follow Mozilla’s guidance for additional support.

SAP

SAP released 13 new security notes to address vulnerabilities affecting multiple products. If successful, a threat actor could exploit these vulnerabilities and take control of a compromised device or system. This month, there were four vulnerabilities rated as “High,” eight rated as “Medium,” and one rated as “Low” in severity. A breakdown of security notes for vulnerabilities with a “High” severity rating is as follows:

• Security Note #3102769 (CVE-2021-42063) has a CVSS score of 8.8 and a “High” severity rating. This is an update to a security note for the Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse released during the December 2021 Patch Tuesday. Product(s) impacted: SAP Knowledge Warehouse, Versions 7.30, 7.31, 7.40, 7.50.

• Security Note #3324285 (CVE-2023-33991) has a CVSS score of 8.2 and a “High” severity rating. This is a Stored Cross-Site Scripting (Stored XSS) vulnerability in UI5 Variant Management. Product(s) impacted: SAP UI5 Variant Management, Versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200.

• Security Note #3301942 (CVE-2023-2827) has a CVSS score of 7.9 and a “High” severity rating. This vulnerability is a Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing. Product(s) impacted: SAP Plant Connectivity, Version 1.

• Security Note #3326210 (CVE-2023-30743) has a CVSS score of 7.1, a “High” severity rating, and is an update to a Security Note released on the May 2023 Patch Day. This vulnerability is an Improper Neutralization of Input in SAPUI5. Product(s) impacted: SAPUI5, Versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200.

For a complete list of SAP’s security notes and updates for vulnerabilities released in June, click here. It is recommended to patch immediately and follow SAP’s guidance for additional support. To fix vulnerabilities discovered in SAP products, SAP recommends customers visit the Support Portal and apply patches to protect their SAP landscape.

Cisco

Cisco released security advisories for vulnerabilities affecting multiple Cisco products. One advisory was rated “Critical,” three were rated as “High,” and seven were rated as “Medium.” If successful, a remote threat actor could possibly exploit these vulnerabilities and take control of an affected device or system. It is recommended users follow CISA’s guidance, which encourages users and administrators to review the following advisories and apply the necessary updates:

• Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability has a CVSS score of 7.8. This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. A threat actor could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the threat actor to execute code with SYSTEM privileges. At this time there are no workarounds that address this vulnerability; however, Cisco has released software updates that address this vulnerability, which can be accessed by clicking here. CVE-2023-20178 is the vulnerability for this advisory.

• Cisco Expressway Series and Cisco TelePresence Video Communication Server Privilege Escalation Vulnerabilities have a CVSS score of 9.6. These vulnerabilities could allow an authenticated threat actor with Administrator-level read-only credentials to elevate their privileges to Administrator with read-write credentials on a compromised device or system. Vulnerabilities for this advisory are: CVE-2023-20105 and CVE-2023-20192.

• Cisco Unified Communications Manager IM & Presence Service Denial of Service Vulnerability has a CVSS score of 7.5. This vulnerability is due to improper validation of user-supplied input. A threat actor could exploit this vulnerability by sending a crafted login message to a compromised device. A successful exploit could allow the threat actor to cause an unexpected restart of the authentication service, preventing new users from successfully authenticating. It is important to note that exploitation of this flaw does not impact Cisco Unified CM IM&P users who were authenticated prior to an attack. At this time there are no workarounds that address this vulnerability; however, Cisco has released software updates that address this vulnerability, which can be accessed by clicking here. CVE-2023-20108 is the vulnerability for this advisory.

• Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software for Firepower 2100 Series Appliances SSL/TLS Denial of Service Vulnerability has a CVSS score of 8.6. This vulnerability is due to an implementation error within the cryptographic functions for SSL/TLS traffic processing when they are offloaded to the hardware. A threat actor could exploit this vulnerability by sending a crafted stream of SSL/TLS traffic to an affected device. A successful exploit could lead to a threat actor causing an unexpected error in the hardware-based cryptography engine, which could cause the device to reload. At this time there are no workarounds that address this vulnerability; however, Cisco has released software updates that address this vulnerability, which can be accessed by clicking here. CVE-2023-20006 is the vulnerability for this advisory.

• Cisco Small Business 200, 300, and 500 Series Switches Web-Based Management Stored Cross-Site Scripting Vulnerability has a CVSS score of 4.8. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow a threat actor to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the threat actor would need to have valid credentials to access the web-based management interface of the affected device. At this time there are no workarounds that address this vulnerability; however, Cisco has released software updates that address this vulnerability, which can be accessed by clicking here. CVE-2023-20188 is the vulnerability for this advisory.

• Cisco Unified Communications Manager Denial of Service Vulnerability has a CVSS score of 6.8. This flaw is due to insufficient validation of user-supplied input to the web UI of the Self Care Portal. A threat actor could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the threat actor to cause a DoS condition on the affected device. CVE-2023-20116 is the vulnerability for this advisory.

• Cisco Secure Workload Authenticated OpenAPI Privilege Escalation Vulnerability has a CVSS score of 4.3. This vulnerability is due to improper role-based access control (RBAC) of certain OpenAPI operations. A threat actor could exploit this flaw by issuing a crafted OpenAPI function call with valid credentials. A successful exploit could allow a threat actor to execute OpenAPI operations that are reserved for the administrator user, including the creation and deletion of user labels. CVE-2023-20136 is the vulnerability for this advisory.

Currently, there are no workarounds to address these vulnerabilities. For a complete list of Cisco security advisories released in June, visit the Cisco Security Advisories page by clicking here. Cisco also provides free software updates that address critical and high-severity vulnerabilities listed in their security advisory.

Fortinet

Fortinet’s June vulnerability advisory addressed several vulnerabilities across different Fortinet products, including a heap-based buffer overflow vulnerability, tracked as FG-IR-23-097 (CVE-2023-27997), in FortiOS and FortiProxy. If successful, a threat actor could exploit this vulnerability to take control of a compromised system. According to Fortinet, the vendor is “not linking FG-IR-23-097 to the Volt Typhoon campaign, however Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software.” It is recommended all users review Fortinet’s security advisory FG-IR-23-097, Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign, and Fortinet’s June 2023 Vulnerability Advisories page for additional information, and apply all necessary updates and patches immediately. For a complete list of vulnerabilities addressed in June, click here to view FortiGuard Labs’ Vulnerability Advisories page.

VMware

VMware released security updates addressing vulnerabilities in Aria Operations for Networks (formerly vRealize Network Insight). The vulnerabilities fall within the critical severity range, as a malicious threat actor with network access could perform a command injection attack leading to remote code execution. VMware also released a security update to address multiple memory corruption vulnerabilities in vCenter Server and Cloud Foundation. If successful, a threat actor could exploit these vulnerabilities to take control of a compromised device or system. It is recommended users follow CISA’s guidance, which encourages users and administrators to review the following VMware Security Advisories and apply the necessary updates:

• VMSA-2023-0012 - VMware Aria Operations for Networks updates address multiple vulnerabilities (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)

• VMSA-2023-0014 - VMware vCenter Server updates address multiple memory corruption vulnerabilities (CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895, CVE-2023-20896)

For a complete list of VMware’s security advisories, click here, where patches are available to remediate these vulnerabilities found in VMware products. It is recommended users follow VMware’s guidance for each advisory and immediately apply the patches listed in the 'Fixed Version' column of the 'Response Matrix', which can be accessed by clicking directly on the security advisory.

MOVEit Transfer Critical Vulnerability

A critical vulnerability was discovered in Progress/Ipswitch’s MOVEit Transfer software. MOVEit is a managed file transfer product that encrypts files and uses secure file transfer protocols to move data, with automation, analytics, and failover options. Tracked as CVE-2023-35708, this critical vulnerability could lead to escalated privileges and potential unauthorized access to the environment. This SQL injection vulnerability has been identified in the MOVEit Transfer web application and could allow an unauthenticated threat actor to gain unauthorized access to the MOVEit Transfer database. It impacts Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). If successful, a threat actor could exploit this flaw by submitting a crafted payload to a MOVEit Transfer application endpoint, which could result in modification and disclosure of MOVEit database content. It is recommended that all MOVEit Transfer software users protect their MOVEit Transfer environment by taking immediate action and following Progress’ remediation guidance, which can be viewed by clicking here.
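Because the fixed build depends on which release branch a server runs, a plain "newer than X" check is not enough. The following branch-aware version triage is an added example (not Progress’ own tooling) that uses the fixed versions quoted above; the mapping from the parenthesised build numbers (13.x, 14.x, 15.x) to the 2021/2022/2023 branches is taken from that list, and the hostnames and versions in the sample inventory are constructed.

```python
"""Triage installed MOVEit Transfer versions against the fixed releases
named for CVE-2023-35708 in the bulletin text above (added example)."""
from __future__ import annotations

import re

# Minimum fixed build per release branch, exactly as listed in the advisory
# summary: (year, minor) -> (year, minor, patch).
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (2021, 0): (2021, 0, 8),
    (2021, 1): (2021, 1, 6),
    (2022, 0): (2022, 0, 6),
    (2022, 1): (2022, 1, 7),
    (2023, 0): (2023, 0, 3),
}

# The advisory gives each fixed build in both numbering schemes, e.g.
# 2021.0.8 (13.0.8); this mapping is derived from those pairs.
_INTERNAL_TO_YEAR = {13: 2021, 14: 2022, 15: 2023}


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise '2022.0.6', 'v14.0.6' or '15.0.3' into (year, minor, patch)."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    # Accept the internal build numbering and fold it onto the branch year.
    major = _INTERNAL_TO_YEAR.get(major, major)
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted' for one installed version."""
    year, minor, patch = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((year, minor))
    if fixed is None:
        # Branches the advisory does not name (older ones such as 2020.x, or
        # anything newer) get no verdict from this list; check the vendor's
        # guidance rather than assuming they are safe.
        return "unlisted"
    return "patched" if (year, minor, patch) >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the vulnerable ones can be handled first."""
    groups: dict[str, list[str]] = {"vulnerable": [], "unlisted": [], "patched": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "mft-01.example.test": "2023.0.2",
        "mft-02.example.test": "15.0.3",
        "mft-03.example.test": "2022.1.7",
        "mft-04.example.test": "2020.1.6",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
```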

Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability

https://www.securityweek.com/androids-june-2023-security-update-patches-exploited-arm-gpu-vulnerability/

Android Security Bulletins

https://source.android.com/security/bulletin

Apple Releases Security Updates for Multiple Products

https://www.cisa.gov/news-events/alerts/2023/06/22/apple-releases-security-updates-multiple-products

Apple Security Updates

https://support.apple.com/en-us/HT201222

CISA Adds Five Known Exploited Vulnerabilities to Catalog

https://www.cisa.gov/news-events/alerts/2023/06/23/cisa-adds-five-known-exploited-vulnerabilities-catalog

Cisco Releases Security Advisories for Multiple Products

https://www.cisa.gov/news-events/alerts/2023/06/13/cisco-releases-security-advisories-multiple-products

Cisco Security Advisories

https://tools.cisco.com/security/center/publicationListing.x

FortiGuard Labs PSIRT Advisories

https://www.fortiguard.com/psirt

Fortinet Releases June 2023 Vulnerability Advisories

https://www.cisa.gov/news-events/alerts/2023/06/13/fortinet-releases-june-2023-vulnerability-advisories

Fortinet Releases Security Updates for FortiOS and FortiProxy

https://www.cisa.gov/news-events/alerts/2023/06/12/fortinet-releases-security-updates-fortios-and-fortiproxy

Google Chrome Releases

https://chromereleases.googleblog.com/

June 2023 Microsoft Patch Tuesday

https://isc.sans.edu/diary/June+2023+Microsoft+Patch+Tuesday/29942

June 2023 Vulnerability Advisories

https://www.fortiguard.com/psirt-monthly-advisory/june-2023-vulnerability-advisories

Microsoft and Adobe Patch Tuesday, June 2023 Security Update Review

https://blog.qualys.com/vulnerabilities-threat-research/2023/06/13/microsoft-patch-tuesday-june-2023-security-update-review

Microsoft’s June 2023 Patch Tuesday Addresses 70 CVEs (CVE-2023-29357)

https://www.tenable.com/blog/microsofts-june-2023-patch-tuesday-addresses-70-cves-cve-2023-29357

Microsoft June 2023 Patch Tuesday fixes 78 flaws, 38 RCE bugs

https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2023-patch-tuesday-fixes-78-flaws-38-rce-bugs/

Microsoft Patch Tuesday by Morphus Labs

https://patchtuesdaydashboard.com/

Microsoft Patch Tuesday, June 2023 Edition

https://krebsonsecurity.com/2023/06/microsoft-patch-tuesday-june-2023-edition/

Microsoft Releases Updates to Patch Critical Flaws in Windows and Other Software

https://thehackernews.com/2023/06/microsoft-releases-updates-to-patch.html

Microsoft Security Response Center June 2023

https://msrc.microsoft.com/blog/2023/06/

Microsoft Security Update Guide

https://msrc.microsoft.com/update-guide

MOVEit Transfer Critical Vulnerability – CVE-2023-35708 (June 15, 2023)

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023

Mozilla Foundation Security Advisories

https://www.mozilla.org/en-US/security/advisories/

Mozilla Releases Security Updates for Multiple Products

https://www.cisa.gov/news-events/alerts/2023/06/07/mozilla-releases-security-updates-multiple-products

Patch Tuesday – June 2023

https://www.rapid7.com/blog/post/2023/06/13/patch-tuesday-june-2023/

SAP Patches High-Severity Vulnerabilities with June 2023 Security Updates

https://www.securityweek.com/sap-patches-high-severity-vulnerabilities-with-june-2023-security-updates/

SAP Security Notes

https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html

SAP Security Patch Day June 2023

https://securityboulevard.com/2023/06/sap-security-patch-day-june-2023/

VMware Releases Security Update for Aria Operations for Networks

https://www.cisa.gov/news-events/alerts/2023/06/08/vmware-releases-security-update-aria-operations-networks

VMware Releases Security Update for vCenter Server and Cloud Foundation

https://www.cisa.gov/news-events/alerts/2023/06/23/vmware-releases-security-update-vcenter-server-and-cloud-foundation

VMware Security Advisories

https://www.vmware.com/security/advisories.html

Navin Balakrishnaraja
January 8, 2024
5 min read