Alert essentials:

Over the last two weeks, Fortified has seen an increase in vishing tactics against healthcare organizations.

Vishing, also called “voice phishing,” typically involves a threat actor calling the help desk, posing as a user or employee, and requesting a password reset.


Detailed Threat Description:

Recently, there has been a significant increase in vishing attempts, particularly in the past few weeks. This spike indicates that healthcare organizations are being targeted deliberately rather than opportunistically.

In a typical scenario, the caller impersonates an authoritative figure, such as a doctor or an executive, and immediately begins to complain about being unable to access specific applications or resources.

The ultimate goal is to pressure the help desk into resetting a password, giving the caller unauthorized access to the account.

These callers can be alarmingly persuasive. They often come armed with personal details such as your birthday, address, or even the last four digits of your Social Security number. Additionally, they may attempt to manipulate the mobile device used for multi-factor authentication (MFA).

The difficulty is that the callers pose as authoritative figures and convey urgency, which creates significant pressure on help desk staff. That sense of urgency can make you feel compelled to resolve the issue immediately, and inadvertently grant the caller the access they are after.

Impacts on Healthcare Organizations:

This tactic is the initial-access stage of an attack chain. Even in the best case, a successful reset yields unauthorized access to email or remote applications, which may itself be a disclosable event.

In a worst-case scenario, the attacker can escalate privileges, steal or exfiltrate data from the environment, and deploy a malicious payload, often leading to a ransomware outbreak. Such incidents severely threaten patient safety and operational stability.


Recommendations

Engineering recommendations:

  • Strengthen infrastructure by ensuring multi-factor authentication is in place on all external resources
  • Review firewall rules to block unnecessary inbound connections
  • Minimize access to resources like email and remote work tools unless connected to a VPN
  • Ensure endpoint detection and response tools are deployed, tuned, and monitored

Leadership / program recommendations:

  • Review procedures for password reset requests that are requested by phone
  • Review and reinforce password reset requirements such as identity verification practices
  • Consider requiring verification information that cannot be obtained from data commonly found in breach dumps, identity-theft kits, or public records
  • Establish a notification, request, or review process for phone calls to the help desk that request a password reset
  • Consider not permitting verbal password resets, especially given the rise of AI-modified voices
  • Some organizations have implemented a video-teleconference requirement so that the requestor’s identity can be visually confirmed before a reset is performed
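To make the review process above concrete, the following is an added example (not Fortified's code, and not tied to any ticketing product or identity provider) that runs a review pass over constructed help-desk tickets and identity-provider audit events. It surfaces every phone-channel password reset and raises the severity when the reset used only leak-discoverable verification data, when the caller claimed an authoritative role, or when an MFA device was added to the account shortly afterwards, which is the pattern this advisory describes. The event fields, the 24-hour window, and the scoring thresholds are assumptions for illustration.

```python
"""
Added example: review phone-initiated password resets against identity-provider
events. Field names, window and scoring are assumptions, not any vendor schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample help-desk tickets:
# (ticket_id, timestamp, account, channel, verification_method, requester_claim)
HELPDESK_TICKETS = [
    ("HD-1001", "2024-05-01T09:02:00", "jdoe", "phone", "dob_last4ssn", "physician"),
    ("HD-1002", "2024-05-01T09:40:00", "asmith", "portal", "mfa_push", "staff"),
    ("HD-1003", "2024-05-01T13:15:00", "cfo.lee", "phone", "dob_address", "executive"),
    ("HD-1004", "2024-05-02T08:10:00", "rnurse", "phone", "video_id_check", "nurse"),
]

# Constructed sample identity-provider audit events: (timestamp, account, event_type)
IDP_EVENTS = [
    ("2024-05-01T09:05:00", "jdoe", "password_reset"),
    ("2024-05-01T09:31:00", "jdoe", "mfa_device_added"),
    ("2024-05-01T09:45:00", "asmith", "password_reset"),
    ("2024-05-01T13:20:00", "cfo.lee", "password_reset"),
    ("2024-05-02T08:12:00", "rnurse", "password_reset"),
]

# Verification methods that rely only on data commonly exposed in leaks or public records.
WEAK_VERIFICATION = {"dob_last4ssn", "dob_address", "none"}
# Roles the advisory says callers impersonate to apply pressure.
PRESSURE_ROLES = {"physician", "executive"}
# Assumed review window: an MFA device added this soon after a reset is the strongest signal.
MFA_CHANGE_WINDOW = timedelta(hours=24)


@dataclass
class Finding:
    ticket_id: str
    account: str
    severity: str
    reasons: list


def _ts(value):
    return datetime.fromisoformat(value)


def review_phone_resets(tickets, idp_events, window=MFA_CHANGE_WINDOW):
    """Return one Finding per phone-channel reset ticket, scored by risk signals."""
    findings = []
    for ticket_id, when, account, channel, verification, claim in tickets:
        if channel != "phone":
            continue  # portal/MFA-backed requests are out of scope for this review
        t0 = _ts(when)
        reasons = ["password reset requested by phone"]
        score = 1
        if verification in WEAK_VERIFICATION:
            reasons.append(f"verified only with leak-discoverable data ({verification})")
            score += 1
        if claim in PRESSURE_ROLES:
            reasons.append(f"caller claimed authoritative role ({claim})")
            score += 1
        mfa_changes = [
            e for e in idp_events
            if e[1] == account and e[2] == "mfa_device_added"
            and t0 <= _ts(e[0]) <= t0 + window
        ]
        if mfa_changes:
            reasons.append(f"{len(mfa_changes)} MFA device(s) added within {window} of reset")
            score += 2
        severity = "high" if score >= 4 else "medium" if score >= 3 else "low"
        findings.append(Finding(ticket_id, account, severity, reasons))
    return findings


def severity_by_ticket(tickets=HELPDESK_TICKETS, idp_events=IDP_EVENTS):
    """Convenience view: ticket_id -> severity, for dashboards or tests."""
    return {f.ticket_id: f.severity for f in review_phone_resets(tickets, idp_events)}


if __name__ == "__main__":
    for f in review_phone_resets(HELPDESK_TICKETS, IDP_EVENTS):
        print(f"{f.ticket_id} {f.account} [{f.severity}]")
        for r in f.reasons:
            print(f"  - {r}")
```

On the sample data, the physician-impersonation ticket followed by an MFA device registration scores high, the executive ticket verified with address and date of birth scores medium, and the video-verified ticket scores low. In a real deployment the MFA-change correlation is the item worth paging on, since it is the step that lets a caller keep access after the legitimate user changes the password back.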


Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.


References: