No one should take too seriously the high-minded things criminals sometimes say about how they’re restraining themselves during the pandemic, and that they’re going to avoid hitting hospitals and biomedical research organizations. If anything, attacks on such targets have increased in recent months, and phishing is the usual approach.
The goal of the phishing attacks is financial: the attackers are extortionists. Healthcare organizations are attractive targets for many reasons, among them being the importance of data availability to their work, their relatively deep pockets, and their complicated networks that present a large and varied attack surface. Health IT Security describes four recent and ongoing campaigns that afford good examples of the techniques in use against the healthcare sector.
The first of these involves message quarantine phishing. In this attack, an employee receives a message that spoofs an organization’s email service. The bogus notification says that several emails have failed to “process properly,” and that the recipient should review the quarantined messages to confirm their validity. The prospect of deletion suggests urgency.
“This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails,” researchers at Cofence explained. “Potential loss of important documents or emails could make the employee more inclined to interact with this email.” Should the user click, they’re spirited to a login page designed to harvest their credentials.
The second is a zero font attack, which conceals malicious code in ways that serve to evade security controls that would otherwise intercept them before they reached the target’s in-box. Researchers at INKY explained: “Attackers can embed text into their emails that is both invisible to end users and visible — and confusing — to the machines that automatically scan the mail looking for signs of malicious intent or branding. If the software is looking for brand-indicative text like ‘Office 365’, it won’t find a match. This tactic therefore prevents legacy mail protection systems from classifying this mail as appearing to be from Microsoft. Since it doesn’t know it appears to be from Microsoft, it doesn’t require the mail to be from a Microsoft-controlled mail server. So it sails right through, ending up in the victim’s inbox.”
The third campaign involves the venerable Agent Tesla remote access Trojan (RAT). Gangs are actively distributing the RAT in COVID-19-themed phishing emails. It’s commodity malware traded in criminal markets. “Various tiers are available for purchase that provide additional licenses and different functionality,” Area 1 researchers explained. “However, in typical internet fashion, there is a torrent available on Russian websites. For the initial file, the attacker uses a 32-bit Windows executable to ensure that the malware can be executed on common Windows devices. This file is a trojan, appearing as a benign application but containing hidden, malicious functionality. This initial phase determines if it is in a malware analysis environment so the program can decide whether to proceed with the attack or go to sleep.”
And, fourth, there are nation-state actors engaged in similar financially motivated phishing expeditions. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has warned that North Korean operators continue to use their KONNI RAT against targets in the healthcare sector. Their technique has evolved into more closely tailored spear phishing, with phishbait designed to attract specific individuals. Spearphishing tends to be more persuasive than classic indiscriminate phishing through mass-mailed spam.
While the healthcare sector is currently receiving more than its fair share of attacks, other industries also need to be on their guard. The four techniques Health IT Security described all depend upon social engineering for their success. New school security awareness training can help organizations install a proper, healthy skepticism in their personnel.
Health IT Security has the story.