Most health care organizations perform cybersecurity awareness training, and their staff are on the lookout for phishing emails. However, cyber attackers are getting more savvy and are coming up with new phishing techniques that are harder to spot. Below are some examples of these new tactics and how to spot them, presented by Washington Hospital Services Industry Partner Sensato.
Callback phishing attacks
Callback phishing emails are email campaigns that reference high-priced subscriptions (that the recipient never subscribed to), leading them to panic, thinking that they’ve been the victim of identity theft or fraud. There’s a phone number in the email to call for help.
Once the person calls the phone number, the attackers pretend to help, but they are actually carrying out the attack: the "steps to cancel the subscription" they walk the victim through are the steps that launch the ransomware.
The “specialist” on the phone appears to be helpful – even telling the victim that the email was likely “spam” – and offers additional technical support to make sure they weren’t compromised. The actions the hackers recommend are steps that carry out the attack.
See this article in bleepingcomputer.com for more details and an example of this type of phishing email. This is a useful training tool for your teams.
Sending ransomware via calendar meeting invites
Based on Sensato’s intelligence, there is a large increase in phishing attacks where attackers send meeting invitations to their victims. The meeting invite may include an attachment. The title of the meeting and the invite may appear familiar. You should use extreme caution before you accept any Microsoft Teams or other meeting invitations from any external email, including client or partner email addresses.
You should delete any invite you feel is suspicious for any reason. If the invite comes from a client, partner, colleague or a name you recognize – yet you feel it is suspicious or out of character – you should delete the invite and contact that person to see if they really sent you an invitation. Under no circumstances should you accept, decline, set a tentative response, reply or open the attachment, as this is the action that will initiate ransomware.
The takeaway is to be diligent about scrutinizing every email – even meeting notices – and don’t click if you think it’s suspicious.
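As an added example (not part of the original article or Sensato's material), the triage rule below turns the two patterns described above into a mail-filter check: a calendar invite from an external domain, especially one carrying an attachment, and a billing or subscription lure that gives a phone number but no link. The internal domain, sender addresses and message bodies are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr

# Constructed: domains treated as "internal"; everything else is external.
INTERNAL_DOMAINS = {"example-hospital.org"}
BILLING_WORDS = ("subscription", "renewal", "invoice", "charged", "payment")
# North American phone number, the callback channel used by these lures.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def sender_domain(msg: Message) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def plain_text(msg: Message) -> str:
    # Collect all text/plain parts (decodes quoted-printable/base64 as needed).
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def triage(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message should be held for review."""
    msg = message_from_string(raw)
    parts = list(msg.walk())
    reasons = []
    external = sender_domain(msg) not in INTERNAL_DOMAINS
    if external and any(p.get_content_type() == "text/calendar" for p in parts):
        reasons.append("external meeting invite")
        if any(p.get_content_disposition() == "attachment" for p in parts):
            reasons.append("invite carries an attachment")
    text = (msg.get("Subject", "") + "\n" + plain_text(msg)).lower()
    if any(w in text for w in BILLING_WORDS) and PHONE_RE.search(text) and "http" not in text:
        reasons.append("billing lure with phone number and no link (callback phishing pattern)")
    return reasons

def sample_external_invite() -> str:  # constructed: looks like a partner's Teams invite
    m = EmailMessage()
    m["From"], m["Subject"] = "Accounts <billing@partner-example.com>", "Q3 budget review"
    m.set_content("Please join the Teams meeting.")
    m.add_alternative("BEGIN:VCALENDAR\nEND:VCALENDAR\n", subtype="calendar")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="agenda.zip")
    return m.as_string()

def sample_callback_lure() -> str:  # constructed: subscription scare with a number to call
    m = EmailMessage()
    m["From"], m["Subject"] = "Support <noreply@billing-example.net>", "Subscription renewed"
    m.set_content("You were charged $499.99. To cancel, call 1-800-555-0199.")
    return m.as_string()
```

Run the same function over a genuine internal invite (internal sender, no phone number) and it returns an empty list, so the rule flags only the two patterns the article warns about.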
Bring your own vulnerable device exploits: Finding legitimate ways to enter a system, then executing the exploit
Cyber attackers use legitimate systems and system tools to exploit known vulnerabilities and gain access. This is a prime example of attackers getting very savvy: they find existing, publicly known vulnerabilities (all they have to do is read industry reports) and use them as their access point.
For example, one group used a known vulnerability in a legitimate driver to enter the system and shut down the system's other security protections, giving them the ability to move around freely and impacting thousands of systems.
This "bring your own vulnerable driver" technique is very effective because the driver carries a valid signing certificate and runs with high-privilege access to the system. Read more in this article in bleepingcomputer.com that shares exactly how attackers are exploiting these vulnerabilities and what you can do about it.
The takeaway is to pay attention to reports of known vulnerabilities in software and systems you use. Always patch or keep systems updated and keep an eye out for any anomalies in your environment.
Phishing-as-a-Service (PhaaS) – yes, it’s a thing
Phishing-as-a-Service allows new threat actors to get in the business of launching their own phishing attacks. For a monthly fee, they get templates, instructions, tools and even a tracking dashboard!
A new, specific PhaaS program, called Caffeine, targets phishing campaigns for Microsoft 365. It comes with some more advanced features for the hackers to use to carry out their phishing attempts. Read more in this article from bleepingcomputer.com.
The takeaway is that phishing is big business for hackers, so staying on top of their tactics is more important now than ever before.
The Department of Health and Human Services (HHS) recently published a paper discussing how tools used to operate, maintain and secure health care systems and networks can be turned against their own infrastructure. You can access the paper here.
These are just a few examples of how cyber attackers are advancing their tactics to fool us. For a deeper dive into other ways attackers can access your network, and to understand what they do once they are there (hint: they are typically in your network for up to 197 days before they make themselves known), you can access this six-part training series that covers threats from the attacker’s perspective and gives tips for what you can do about it. Request Access to the 6-Part Training Series here.
Sensato is a Washington Hospital Services Industry Partner. The Industry Partner program connects hospitals with product and service organizations to create efficiencies, lower costs and deliver exceptional health care. For more information about Sensato or the WHS Industry Partner Program, contact Ed Phippen, edp@wsha.org, (206) 216-2556. (Cynthia Hay)