Health Care Social Engineering Campaign

ReliaQuest investigated a targeted April 2024 campaign against health care organizations in which attackers socially engineered help desk staff to bypass MFA and gain access to Revenue Cycle Management (RCM) accounts, most likely in order to alter banking routing information. The intrusions reused shared attacker infrastructure (RDP-enabled hosts at several hosting providers), used the compromised accounts to read Outlook and SharePoint for credentials and one-time passwords, and led ReliaQuest to add the observed IOCs to its GreyMatter feed. #ReliaQuest #H-ISAC

Keypoints

  • Multiple April 2024 intrusions targeted health care Revenue Cycle Management (RCM) user accounts using similar infrastructure and techniques.
  • Attackers attempted VPN authentication with expired/stolen credentials, indicating prior reconnaissance and credential sourcing.
  • When MFA blocked access, adversaries socially engineered help desk staff (vishing) to reset MFA and register new MFA devices.
  • Adversaries pivoted between RDP-enabled hosting providers so that the sign-in source matched the target's expected location, defeating location-based conditional access (a geo check alone does not distinguish a hosting-provider IP in the right country from a legitimate user).
  • Compromised accounts were used to access Outlook and SharePoint, delete password-reset emails, and generate one-time passwords for banking portals.
  • ReliaQuest hunted across customer environments, added campaign IOCs to the GreyMatter feed, and recommended stricter help desk verification and device-based authentication.

MITRE Techniques

  • [T1078] Valid Accounts – Attackers attempted VPN authentication with existing/stolen credentials. (‘…using expired credentials, suggesting these login details had been obtained from prior breaches.’)
  • [T1566.004] Phishing: Vishing – Social engineering via help desk contact to request MFA resets and provide personal information for validation. (‘…contacted the organization’s help desk to request a reset of the account’s MFA…provided the last four digits of the user’s social security number, their date of birth, and their address…’)
  • [T1098] Account Manipulation – Registered a new MFA device or changed the MFA method to gain persistent account access; registering a new authenticator is specifically covered by the sub-technique T1098.005 (Device Registration). (‘…registered a new MFA device or changed the MFA method to authenticate successfully and then reset the account’s password to maintain persistence.’)
  • [T1021.001] Remote Services: RDP – The attacker's own infrastructure consisted of RDP-enabled hosts at several hosting providers, which they used to pivot and change source locations during authentication events. Note that RDP here appears on attacker-side infrastructure, not as lateral movement inside the victim network. (‘…attacker’s infrastructure involved several different hosting providers with remote desktop protocol (RDP) enabled…’)
  • [T1090] Proxy – Pivoted through multiple hosting providers to change source IP/location and bypass location-based conditional access. (‘…changing their infrastructure to match the target organization’s location, effectively bypassing the targets’ location conditional access policies.’)
  • [T1114] Email Collection – Accessed the victim's Outlook mailbox and searched mail and SharePoint for sensitive information used to access banking portals; the deletion of password-reset notifications is defensive evasion (compare T1070.008, Indicator Removal: Clear Mailbox Data) rather than collection. (‘…accessed the victim’s Outlook inbox and deleted emails containing password reset notifications…then searched through the account’s emails and SharePoint for sensitive information.’)

Indicators of Compromise

  • [IP Address] Hosting/source IPs observed in campaign – 50.79[.]78, 126.208[.]87, and 4 more IPs
  • [URL] Reported source/reference – https://www.reliaquest.com/blog/health-care-social-engineering-campaign

Technical summary of the procedure: The adversary conducted targeted reconnaissance to identify RCM users and obtained credential material (expired or stolen credentials, consistent with prior breach data). They attempted VPN logins but were blocked by location-based conditional access and MFA. To evade these controls, the attacker pivoted across multiple RDP-enabled hosting providers to align the authentication source location with the target, then called help desk staff (vishing) and supplied PII (last four digits of the SSN, date of birth, address) to pass verification. These knowledge-based checks are weak precisely because the same data is available from earlier breaches, which is why the source recommends stronger help desk verification.

Upon successful social engineering, the threat actor manipulated account authentication by registering a new MFA device or changing the MFA method, then reset account passwords to maintain persistence. With account control, they accessed Outlook and SharePoint, deleted password-reset or notification emails to hide activity, searched for banking-related data, generated one-time passwords, and attempted to alter banking routing information via the victim’s banking portal.
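The chain described in the two paragraphs above (failed VPN attempts from hosting infrastructure, a help-desk MFA reset, a new MFA device registered from the same hosting IP, a password reset, and deletion of the reset notification from the mailbox) is exactly the sequence a defender can correlate in identity and mailbox audit logs. The following is an added hunting example, not ReliaQuest's code; it runs over a constructed, vendor-neutral event list whose field names (ts, user, action, ip, asn_type, country, subject, actor) and action values are assumptions, not any product's schema. It scores each help-desk MFA reset by how many of the campaign's follow-on steps appear around it.

```python
"""Score help-desk MFA resets by how closely they match the RCM attack chain.

Added example (not ReliaQuest's code). Event shape and field names are
assumptions; map them onto your own identity/mailbox audit telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The second VPN failure comes
# from a hosting-provider IP whose country matches the tenant, so a purely
# location-based conditional access policy would not have blocked it.
EVENTS = [
    {"ts": "2024-04-10T13:02:00", "user": "rcm.clerk", "action": "vpn_login_failed",
     "ip": "203.0.113.10", "asn_type": "hosting", "country": "DE"},
    {"ts": "2024-04-10T13:04:00", "user": "rcm.clerk", "action": "vpn_login_failed",
     "ip": "198.51.100.7", "asn_type": "hosting", "country": "US"},
    {"ts": "2024-04-10T13:40:00", "user": "rcm.clerk", "action": "mfa_reset_by_helpdesk",
     "ip": "10.0.5.21", "asn_type": "corporate", "country": "US", "actor": "helpdesk.agent"},
    {"ts": "2024-04-10T13:46:00", "user": "rcm.clerk", "action": "mfa_device_registered",
     "ip": "198.51.100.7", "asn_type": "hosting", "country": "US"},
    {"ts": "2024-04-10T13:50:00", "user": "rcm.clerk", "action": "password_reset",
     "ip": "198.51.100.7", "asn_type": "hosting", "country": "US"},
    {"ts": "2024-04-10T14:05:00", "user": "rcm.clerk", "action": "mailbox_item_deleted",
     "ip": "198.51.100.7", "asn_type": "hosting", "country": "US",
     "subject": "Your password was reset"},
    # A benign reset: the user re-registers from a corporate address and nothing follows.
    {"ts": "2024-04-11T09:00:00", "user": "jane.doe", "action": "mfa_reset_by_helpdesk",
     "ip": "10.0.5.21", "asn_type": "corporate", "country": "US", "actor": "helpdesk.agent"},
    {"ts": "2024-04-11T09:05:00", "user": "jane.doe", "action": "mfa_device_registered",
     "ip": "10.0.5.77", "asn_type": "corporate", "country": "US"},
]


def _t(ts):
    return datetime.fromisoformat(ts)


def find_reset_chains(events, window=timedelta(hours=2), lookback=timedelta(hours=6)):
    """Return one finding per help-desk MFA reset that was followed by a new
    MFA device registration within `window`.

    Each finding carries a score (0-4), one point per campaign step observed:
      - the new device was registered from a hosting-provider ASN
      - a password reset followed the new device registration
      - a mailbox item that looks like a reset notification was deleted
      - failed VPN logins from a hosting ASN occurred within `lookback` before the call
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _t(e["ts"]))
        for i, reset in enumerate(evs):
            if reset["action"] != "mfa_reset_by_helpdesk":
                continue
            t0 = _t(reset["ts"])
            after = [e for e in evs[i + 1:] if _t(e["ts"]) - t0 <= window]
            before = [e for e in evs[:i] if t0 - _t(e["ts"]) <= lookback]

            reg = next((e for e in after if e["action"] == "mfa_device_registered"), None)
            if reg is None:
                continue  # reset without re-registration: nothing to chain on
            t_reg = _t(reg["ts"])

            reasons = []
            if reg["asn_type"] == "hosting":
                reasons.append("new MFA device registered from hosting-provider IP " + reg["ip"])
            if any(e["action"] == "password_reset" and _t(e["ts"]) > t_reg for e in after):
                reasons.append("password reset after new MFA device")
            if any(e["action"] == "mailbox_item_deleted"
                   and "password" in e.get("subject", "").lower() for e in after):
                reasons.append("password-reset notification deleted from mailbox")
            if any(e["action"] == "vpn_login_failed" and e["asn_type"] == "hosting"
                   for e in before):
                reasons.append("failed VPN logins from hosting ASN before the help-desk call")

            findings.append({"user": user, "reset_at": reset["ts"],
                             "helpdesk_actor": reset.get("actor"),
                             "score": len(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in sorted(find_reset_chains(EVENTS), key=lambda f: -f["score"]):
        print(f["user"], f["score"], f["reasons"])
```

The score is deliberately additive rather than a single boolean: a help-desk reset followed by a device registration from a hosting ASN is worth a look on its own, while a reset followed by all four steps should page someone. Using the ASN type instead of the sign-in country is what catches the location-matching pivot the campaign relied on.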

Containment and mitigation steps included threat hunting across customer environments to identify and remove attacker access, adding the observed IOCs to threat feeds, and recommending hardening controls: stricter help desk verification (video confirmation or manager escalation rather than knowledge-based questions), additional identity verification for identity administrators and finance roles, device certificate-based VPN authentication, device- and location-based conditional access combined (location alone was bypassed in this campaign), and removing direct help desk links and phone numbers from login portals.

Read more: https://www.reliaquest.com/blog/health-care-social-engineering-campaign