Health Sector Warned About Ongoing Credential Harvesting Campaigns
The Health Sector Cybersecurity Coordination Center (HC3) has issued an updated Analyst Note about credential harvesting, which includes a warning about an active credential harvesting campaign targeting grantees in the health sector. The cybersecurity Cofense has also issued an alert about a credential harvesting campaign spoofing the email security companies Proofpoint, Mimecast, and Virtru.
Credential harvesting is a term covering the collection of login credentials – usernames and passwords – by malicious actors, either for use in future cyberattacks or to sell on or trade with other threat actors. The theft of the credentials of a single user can have far-reaching consequences. One only needs to look at the February 2024 ransomware attack on Change Healthcare to see the huge harm that can be caused.
The ransomware attack on Change Healthcare saw an affiliate of the BlackCat ransomware group steal an estimated 100 million healthcare records. The credentials of a low-level customer support employee were obtained by a ransomware affiliate. The credentials had been posted on a Telegram group chat that advertised stolen credentials. The credentials were used by the ransomware affiliate to access a Citrix portal, through which the employee – or in this case the threat actor – could access limited Change Healthcare applications. They were not administrative credentials, but they provided the necessary access. The affiliate escalated privileges, moved laterally within the network, stole data, and deployed ransomware that caused massive disruption to healthcare organizations throughout the United States.
Credential harvesting can involve a variety of techniques, one of the most common of which is phishing. According to a recent report from SlashNext, credential phishing attacks increased by 703% in the second half of 2024. Phishing involves messages that appear legitimate but trick an individual into disclosing their credentials, often by impersonating a trusted entity and tricking the user into visiting a malicious web page where they are asked to log in. The campaign identified by Cofense involved the use of highly convincing emails spoofing Proofpoint that included embedded hyperlinks or HTML attachments that redirected the user to spoofed login pages. The emails spoofing Mimecast also used email attachments spoofing the email security company, and the emails spoofing Virtru used embedded links to Google Docs, closely matching Virtru’s branding and legitimate content.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Malware, such as keyloggers, is used to harvest credentials and is commonly distributed in phishing emails, spoofed websites, and fake and pirated software. Keyloggers can record keystrokes as they are typed on a keyboard, and many other types of malware have credential harvesting capabilities. Social engineering is often used, such as impersonating members of the IT helpdesk or an authority figure to trick employees into disclosing their credentials. Campaigns have been conducted on IT helpdesk staff, tricking them into performing password resets and registering new devices to receive multi-factor authentication codes.
Healthcare organizations are prime targets for hackers as they store large volumes of sensitive data and require constant access to systems and data. Stolen credentials provide easy access to their networks, leading to data theft and ransomware attacks. The updated HC3 Analyst Note on credential harvesting details the most effective defense measures and mitigations to combat credential harvesting. These include educating the workforce about threats, implementing multi-factor authentication on accounts to prevent stolen credentials from granting access to accounts, email filtering software to block email-based attacks, and effective monitoring through real-time, comprehensive analysis to identify unauthorized access using stolen credentials.
