Healthcare Sector Warned About Cyberattacks by Iranian State-Sponsored Threat Actors

By | November 9, 2022

The federal government has issued a warning to the healthcare sector about the threat of cyberattacks by Iranian threat actors. Iranian state-sponsored actors lack the sophisticated technical capabilities of Russian and Chinese threat actors, but still pose a significant threat to the sector. The threat actors mostly use social engineering in their attacks to gain access to healthcare networks and are known to conduct sophisticated spear-phishing campaigns.

Spear phishing campaigns often involve healthcare-related lures. The threat actors use fake personas on social media platforms to interact with their targets, often impersonating doctors, researchers, and think tanks to trick targets into disclosing their credentials or downloading and installing malware. In the Tortoiseshell Facebook campaign, the threat actors claimed to be recruiters in hospitality, medicine, journalism, NGOs, and aviation, and used fake accounts to trick targets into opening malware-infected files or to lure them onto phishing URLs that harvested credentials. The threat actors often use LinkedIn to contact targets and send fake job offers to individuals of interest. Popular online platforms such as Google, Microsoft, and Yahoo are also impersonated to steal credentials.

One notable campaign involved the impersonation of the Director of Research at the Foreign Policy Research Institute (FPRI), with the email appearing to CC the Director of Global Attitudes Research at the Pew Research Center. The emails sought input for an article about Iraq’s position in the world. Spear phishing emails can be realistic and convincing and may involve multiple messages that engage targets in conversation to build trust before tricking them into installing malware or disclosing their credentials. Considerable time and effort are put into creating convincing social media profiles and Internet footprints so that the scams seem credible and survive attempts to verify the authenticity of the profile and the request.
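The persona-based impersonation described above (a claimed affiliation in the display name, a CC'd "colleague" from the same circle, replies routed elsewhere) can be checked mechanically at the mail gateway. The following is an added example, not code from HIPAA Journal or the HHS threat brief; the organisation-to-domain map, the free-mail list and the sample headers are constructed for illustration, and the lookalike test is a simple label match rather than a full homoglyph check.

```python
from email.utils import getaddresses, parseaddr

# Constructed mapping of organisations that impersonators claim to belong to
# and the domains that legitimately send for them (assumption for the example;
# a real deployment would maintain this list from verified sources).
KNOWN_ORG_DOMAINS = {
    "foreign policy research institute": {"fpri.org"},
    "pew research center": {"pewresearch.org"},
}

# Free webmail providers: an institutional persona sending from one is a red flag.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_persona(name: str, addr: str) -> list:
    """Compare a display name's claimed organisation with the sending domain."""
    findings = []
    lowered, domain = name.lower(), _domain(addr)
    for org, domains in KNOWN_ORG_DOMAINS.items():
        if org not in lowered or domain in domains:
            continue
        if domain in FREE_MAIL_DOMAINS:
            findings.append(f"'{org}' persona sent from free-mail provider {domain}")
        elif any(d.split(".")[0] in domain for d in domains):
            findings.append(f"'{org}' persona uses lookalike domain {domain}")
        else:
            findings.append(f"'{org}' persona but sender domain is {domain}")
    return findings


def score_spear_phish(headers: dict) -> list:
    """Return human-readable findings for a message's From/Reply-To/Cc headers.
    An empty list means none of the persona heuristics fired."""
    findings = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    findings += check_persona(from_name, from_addr)

    # Reply-To pointing at a different domain than From diverts the conversation.
    reply_to = headers.get("Reply-To", "")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain(reply_addr) != _domain(from_addr):
            findings.append(
                f"Reply-To domain {_domain(reply_addr)} differs from From domain {_domain(from_addr)}"
            )

    # getaddresses() handles quoted display names that contain commas.
    for cc_name, cc_addr in getaddresses([headers.get("Cc", "")]):
        if cc_addr:
            findings += check_persona(cc_name, cc_addr)
    return findings


# Constructed sample headers (no real people or real messages).
SUSPICIOUS_SAMPLE = {
    "From": '"J. Doe, Foreign Policy Research Institute" <j.doe.fpri@gmail.com>',
    "Reply-To": "j.doe@fpri-research.com",
    "Cc": '"Global Attitudes Research, Pew Research Center" <attitudes@pewresearch-center.org>',
}
LEGITIMATE_SAMPLE = {
    "From": '"A. Analyst, Pew Research Center" <a.analyst@pewresearch.org>',
}

if __name__ == "__main__":
    for finding in score_spear_phish(SUSPICIOUS_SAMPLE):
        print("FLAG:", finding)
    print("legitimate sample findings:", score_spear_phish(LEGITIMATE_SAMPLE))
```

The three checks are intentionally independent, so a message that trips only one (for example, a Reply-To to a personal address) still surfaces for review rather than being hidden behind a single composite score.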

While spear phishing is the most common initial access vector, the Iranian state-sponsored hacking group known as Pioneer Kitten (aka UNC757, Parisite, and Fox Kitten) is known to exploit vulnerabilities in VPNs and other network appliances, such as CVE-2020-5902 (BIG-IP), CVE-2019-19781 (Citrix), and CVE-2019-11510 (Pulse Connect Secure). Other vulnerabilities exploited for initial access include the Log4j vulnerabilities, the Microsoft Exchange ProxyShell and other Exchange vulnerabilities, and Fortinet FortiOS vulnerabilities. One attack that was thwarted involved exploiting a vulnerability in a FortiGate appliance to gain access to the environmental control networks of a U.S. children’s hospital.

Iranian threat actors are known to conduct attacks to gain access to sensitive personally identifiable information; however, their attacks tend to be more destructive than those of other state-sponsored hacking groups. Iran often uses cyberattacks against its adversaries to retaliate for sanctions while minimizing the risk of retaliation in return. Attacks have included website defacements, DDoS attacks employed to damage reputations, and the country is infamous for using wiper malware. Once access is gained to networks, the threat actors move laterally and are known to install a PowerShell backdoor called POWERSTATS for persistence.
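Because the advisory names a PowerShell backdoor used for persistence, a defender's first question is whether PowerShell persistence would be visible in their own telemetry. The following is an added example (not code from HIPAA Journal, HHS or any POWERSTATS analysis): it runs generic persistence heuristics (encoded or hidden PowerShell, scheduled tasks or Run keys that launch PowerShell, remote content download) over constructed process-creation log lines. The rules are assumptions drawn from common persistence techniques, not indicators for POWERSTATS, and the log format is invented for the example.

```python
import re

# Generic persistence heuristics (assumptions for the example, not POWERSTATS IoCs).
RULES = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden PowerShell window"),
    (re.compile(r"schtasks(\.exe)?\s+/create.*powershell", re.I), "scheduled task launching PowerShell"),
    (re.compile(r"Register-ScheduledTask", re.I), "scheduled task created via cmdlet"),
    (re.compile(r"CurrentVersion\\Run\b", re.I), "Run-key autostart entry"),
    (re.compile(r"DownloadString|Invoke-WebRequest|Net\.WebClient", re.I), "remote content download"),
]

# Constructed log format: "<timestamp> host=<h> user=<u> CommandLine=<command line>".
LINE_RE = re.compile(r"(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+CommandLine=(?P<cmd>.*)$")

# Constructed sample process-creation events; the base64 blob is a placeholder.
SAMPLE_LOG = r"""
2022-11-09T10:02:11Z host=WS01 user=jsmith CommandLine=powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64 blob>
2022-11-09T10:02:40Z host=WS01 user=jsmith CommandLine=schtasks.exe /create /sc minute /mo 15 /tn "Updater" /tr "powershell.exe -w hidden -File C:\Users\Public\upd.ps1"
2022-11-09T02:00:03Z host=SRV02 user=svc_backup CommandLine=powershell.exe -File C:\Scripts\nightly-backup.ps1
2022-11-09T11:15:52Z host=WS07 user=admin CommandLine=reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Helper /t REG_SZ /d "powershell.exe -nop -c <payload>"
""".strip().splitlines()


def find_persistence_events(lines) -> list:
    """Return one finding per log line that matches at least one rule.
    Each finding carries the host, user, timestamp, matched reasons and a
    simple score (number of rules hit) so analysts can triage by severity."""
    findings = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip rather than crash the pipeline
        cmd = match.group("cmd")
        reasons = [label for pattern, label in RULES if pattern.search(cmd)]
        if reasons:
            findings.append({
                "ts": match.group("ts"),
                "host": match.group("host"),
                "user": match.group("user"),
                "reasons": reasons,
                "score": len(reasons),
            })
    return findings


if __name__ == "__main__":
    for hit in find_persistence_events(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['user']} score={hit['score']}: {', '.join(hit['reasons'])}")
```

The benign nightly backup line is deliberately included: a plain `-File` invocation matches no rule, which is the point of scoring on combinations of indicators rather than on the mere presence of PowerShell.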

Improving resilience to attacks requires a focus on anti-phishing strategies such as implementing a robust email security solution, multi-factor authentication, and end-user training. Employees should receive regular training and be taught how to recognize and report phishing and social engineering attacks. Reviews should be conducted of all internet-accessible systems, vulnerabilities should be patched promptly, networks should be segmented to limit the threat actors’ ability to move laterally, user accounts should be regularly audited (especially those with administrative privileges), and strong passwords should be set to improve resilience to brute force attacks. Further mitigations have been suggested by the Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center in its threat brief.
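Two of the mitigations above, regular auditing of user accounts with attention to administrative privileges and enforcing multi-factor authentication, can be turned into a repeatable check over a directory export. The following is an added example, not code from HIPAA Journal or the HHS threat brief; the CSV column layout, the privileged-group names, the 90-day staleness threshold and the sample accounts are all constructed assumptions for illustration.

```python
import csv
import io
from datetime import date

# Assumed privileged groups and staleness threshold for this example.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
STALE_DAYS = 90

# Constructed directory export (columns are an assumption for the example).
SAMPLE_EXPORT = """username,groups,mfa_enabled,last_logon,enabled
jsmith,Domain Users,true,2022-11-01,true
rjones,Domain Users;Domain Admins,false,2022-10-28,true
svc_legacy,Administrators,false,2022-05-14,true
tbrown,Domain Users,true,2022-06-02,true
oldadmin,Domain Admins,true,2021-12-20,false
"""


def audit_accounts(export_text: str, today: date) -> list:
    """Return (username, finding) pairs for accounts that violate the checks:
    privileged accounts without MFA, enabled accounts with no recent logon,
    and disabled accounts that still hold privileged group membership."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        groups = {g.strip().lower() for g in row["groups"].split(";")}
        privileged = bool(groups & PRIVILEGED_GROUPS)
        enabled = row["enabled"].strip().lower() == "true"
        mfa = row["mfa_enabled"].strip().lower() == "true"
        days_idle = (today - date.fromisoformat(row["last_logon"])).days

        if privileged and enabled and not mfa:
            findings.append((row["username"], "privileged account without MFA"))
        if enabled and days_idle > STALE_DAYS:
            findings.append((row["username"], f"no logon for {days_idle} days"))
        if privileged and not enabled:
            findings.append((row["username"], "disabled account still holds privileged group membership"))
    return findings


def privileged_without_mfa(findings: list) -> list:
    """Usernames from the audit that most urgently need MFA enforced."""
    return sorted(u for u, reason in findings if reason == "privileged account without MFA")


if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_EXPORT, date(2022, 11, 9)):
        print(f"{user}: {reason}")
```

Stale privileged accounts are the ones to act on first: an unused administrative account with no MFA is exactly the foothold that credential phishing or a brute-force attempt is looking for, and removing the group membership is usually cheaper than hardening the account.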

The post Healthcare Sector Warned About Cyberattacks by Iranian State-Sponsored Threat Actors appeared first on HIPAA Journal.