As reported by Bleeping Computer, the U.S. Department of Health and Human Services (HHS) has issued an alert concerning a sophisticated wave of social engineering attacks targeting the IT infrastructure of the Healthcare and Public Health (HPH) sector. These attacks, as detailed by the Health Sector Cybersecurity Coordination Center (HC3), represent a marked escalation in cybercriminal tactics, aiming to compromise organizational systems by manipulating internal IT help desks into enrolling attacker-controlled devices into multi-factor authentication (MFA) protocols.
These attacks are executed by posing as organization employees, specifically from financial departments, and leveraging stolen identification details such as corporate IDs and social security numbers. Those details are used to lend credibility to the false identity and convince IT help desk personnel to register a new device under the guise of replacing a supposedly broken smartphone. This manipulation not only breaches the organization's security perimeter but also facilitates unauthorized access to sensitive financial channels and data.
This method of attack enables cybercriminals to redirect financial transactions, specifically through business email compromise (BEC) tactics, and alter Automated Clearing House (ACH) payment instructions. These alterations reroute legitimate payments to U.S. bank accounts under the control of the attackers, who subsequently transfer the funds to offshore accounts. Further complicating detection efforts, these individuals employ sophisticated techniques such as domain cloning and the impersonation of high-ranking financial officers within the targeted organizations.
An increasingly prevalent tool in these cybercriminal activities is AI voice cloning technology. This technology adds a layer of authenticity to fraudulent communications, significantly complicating the remote verification process. A global study indicates that approximately 25% of individuals have either directly experienced or know someone who has been targeted by an AI voice impersonation scam, highlighting the growing prevalence of this tactic.
In response to these sophisticated threats, we recommend ten main protocols. To learn more about what the HHS recommends, read Bleeping Computer's article.
- Layered Verification Process: Instead of relying on single pieces of information like SSNs, implement a layered verification process. This could involve multiple questions only the real user could answer, such as recent transaction details, specific interactions with IT or HR departments, or unique personal details not commonly shared or found in public records.
- Biometric Verification: For phone-based verification, consider integrating voice recognition technology that can identify AI voice replications as part of the identity verification process. For web or app-based support systems, implement fingerprint or facial recognition technologies, ensuring that such biometric data is securely stored and encrypted.
- Behavioral Biometrics: Utilize behavioral biometrics in the IT Help Desk’s authentication processes. This can include analyzing the way a user types, their mouse movements, or how they interact with systems. Such patterns are unique and difficult for attackers to mimic, even with stolen personal information.
- Dynamic Knowledge-Based Authentication (KBA): Move beyond static KBA questions (e.g., mother's maiden name, SSN) and implement dynamic KBA, where questions are generated based on the user's past interactions with the system or obscure facts not easily obtained by others.
- Time-based One-Time Password (TOTP) Verification: Require a TOTP from the user as part of the verification process. This requires the user to have a pre-registered device that generates a temporary code, adding an additional layer of security beyond knowledge of personal details.
- Encryption of Sensitive Information: Ensure that all sensitive information, including SSNs, is encrypted both at rest and in transit. Access to such information should be highly restricted and logged for audit purposes.
- Out-of-Band Authentication (OOBA): For requests involving significant changes or sensitive information access, use OOBA. This method involves contacting the user through a separate communication channel (e.g., sending a verification code to a pre-registered phone number or email) to confirm the request.
- AI and Machine Learning for Anomaly Detection: Implement AI-driven security systems that continuously learn from user behavior patterns and can detect anomalies that may indicate fraud, such as an unusual request pattern or access from a suspicious location.
- Secure User Behavior Analytics (UBA): Employ UBA tools to monitor and analyze user behavior for signs of potential compromise or impersonation. This can help in identifying unusual requests or access patterns indicative of social engineering attempts.
- Regular Audits and User Access Reviews: Conduct regular audits of user access rights and verification procedures to identify and remediate any weaknesses. Additionally, perform periodic reviews of users’ access levels to ensure they are appropriate and that no unauthorized changes have been made.
- Education and Awareness Campaigns: Continuously educate employees about the sophistication of social engineering attacks, emphasizing the importance of not relying solely on personal information for identity verification. Include real-world examples of attacks and training on how to handle suspicious requests.
- Mandating In-Person Verification for Critical Requests: Although not ideal, instituting a policy where critical requests—especially those involving significant account changes, access to sensitive systems, or modifications to financial details—require in-person verification can serve as a cornerstone in the defense against sophisticated social engineering attacks.
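As an added illustration of the TOTP and in-person verification recommendations above (this is example code written for this page, not from the HHS alert or the Bleeping Computer article): a help-desk gate for "register a new MFA device" requests that treats employee ID and SSN as identification only, requires an RFC 6238 TOTP from the device that is already enrolled, routes "my phone is broken" requests to in-person verification instead of approving them over the phone, and records every decision for audit. The request schema, the employee ID and the use of the RFC 6238 test seed as the enrolled device's secret are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 6238 test key "12345678901234567890" in base32.
DEVICE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code the user's pre-registered device displays."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def verify_totp(secret_b32: str, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate device clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + d * 30), code)
               for d in range(-drift_steps, drift_steps + 1))

def decide_enrollment(request: dict, enrolled_secret_b32: str, unix_time: int, audit: list) -> str:
    """Gate a help-desk request to register a new MFA device (constructed request schema).
    Employee ID and SSN identify the caller but never prove identity: the caller must
    prove possession of the currently enrolled device via TOTP, and a "broken phone"
    goes to in-person verification. Returns "approve", "route_in_person" or "deny"."""
    if request.get("type") != "mfa_device_enrollment":
        decision, reason = "deny", "unsupported request type"
    elif request.get("enrolled_device_unavailable"):
        decision, reason = "route_in_person", "cannot prove possession of enrolled device"
    elif not request.get("totp"):
        decision, reason = "deny", "no TOTP supplied; static identifiers are not sufficient"
    elif not verify_totp(enrolled_secret_b32, request["totp"], unix_time):
        decision, reason = "deny", "TOTP did not verify against enrolled device"
    else:
        decision, reason = "approve", "possession of enrolled device proven"
    # Append-only audit record of every decision; the SSN itself is never written to it.
    audit.append({"employee_id": request.get("employee_id"), "time": unix_time,
                  "decision": decision, "reason": reason})
    return decision

if __name__ == "__main__":
    log, now = [], 59   # constructed timestamp matching the RFC 6238 test vector
    print(decide_enrollment({"type": "mfa_device_enrollment", "employee_id": "E-1001",
                             "totp": totp(DEVICE_SEED, now)}, DEVICE_SEED, now, log))
    print(decide_enrollment({"type": "mfa_device_enrollment", "employee_id": "E-1001",
                             "enrolled_device_unavailable": True}, DEVICE_SEED, now, log))
```

The first request is approved because the caller produces the code from the enrolled device; the second, where the caller claims that device is unavailable, is routed to in-person verification rather than approved on the strength of an employee ID and SSN.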
The escalation of social engineering attacks targeting IT Help Desks within the Healthcare and Public Health sector highlights what has always been the most critical vulnerability in our digital defenses—human error. The sophistication of these attacks, leveraging stolen personal information to breach multi-factor authentication systems, represents a significant threat to organizational security, and the recommendations outlined, from advanced verification protocols to the stringent requirement of in-person verification for critical requests, aim to secure this sector against these threats. By adopting a multifaceted approach that combines technological advancements with rigorous human oversight, healthcare organizations can enhance their resilience against the cunning of cyber criminals.
Identity and Access Management
10 months ago: This risk can be mitigated using your existing MFA to validate a caller is who they say they are: CallerVerify dot com
Helping Health Tech Leaders achieve HIPAA and Cybersecurity Compliance.
10 months ago: This has been happening for some time now. Security Operations should be doing the following:
- notifying their end users
- ensuring they have incident reporting procedures in place
- updating their email gateways\IPSs with IOCs.