Posted
In recent years, healthcare providers are increasingly being targeted with coordinated, sophisticated Phishing and Business Email Compromise (BEC) campaigns. As these attacks continue to grow, security teams need tools to help save time and address the threats more effectively.
In one recent example, the Health and Human Services Health Sector Cybersecurity Coordination Center (HHS HC3) issued an alert warning about a malicious phishing campaign aggressively targeting healthcare institutions. The alert described emails that delivered an Evernote-themed lure to entice targeted recipients into downloading a trojan. Evernote is a popular app in the healthcare community for data sharing (files, notes, schedules, etc.) across phones and other devices. Users were drawn to a login prompt that was designed to harvest user credentials with pages that looked like Adobe, Microsoft, etc.
This campaign was partially effective because of the highly personalized email strategy. HHS HC3 pointed out that some emails included a subject line “(Victim Organization) (Date) Business Review” and gave the user the impression they were opening a secure email from their organization. The login, as mentioned above, was also designed to look legitimate. This convinced the user it was safe to download files once logged in. Then, users were prompted to download a malicious trojan. The trojan acted like a legitimate application or file in order to trick users into running it. Once installed, the trojan could disrupt operations within systems and networks or exfiltrate confidential data.
A main goal of this attack was to obtain access to email accounts. Not only can email accounts contain access to sensitive data, they can provide an even more convincing persona that is used to execute BEC campaigns impersonating other users to further collect credentials and potentially gain access to other systems. This stolen credential access can also be used to launch a ransomware attack. HHS HC3 warned that the stolen credentials may have been used to compromise a number of healthcare organizations and enterprises in other industries.
Healthcare has seen increasing email attacks from threat actors for a number of reasons. The size of the industry has been expanding in the US and globally, with significant revenue increases making it an appealing target for ransoms. There is high turn-over of staff, especially in entry-level positions, which makes it difficult to ensure all staff have cybersecurity training. New technologies are constantly introduced within the industry, and healthcare has experienced a rapid transition to use of connected devices, which puts stress on security teams to keep up.
ThreatConnect Can Help Protect Your Organization from Phishing and BEC Attacks
Security teams need to move fast to capitalize on information in alert communications like those issued regularly from agencies like HHS HC3. For many organizations, managing an endless number of suspicious emails to identify a legitimate threat is extremely time-consuming. The ThreatConnect Platform centralizes threat intelligence, automates key activities and enables information sharing across the internal security organization and with external partners. With ThreatConnect, teams get a single Platform to simplify the processing, categorization, and response to suspicious emails, reducing the time to remediate active threats from days to minutes.
The ThreatConnect Platform also offers workflows and low-code automation to automate the analysis and response process of reported emails. The Platform can look for indicators across file attachments, embedded links, and more and provides in-platform scoring. Indicators can be enriched with data from third-party sources and CAL™ to identify and prioritize known malicious indicators. Indicators can be automatically sent to your security tools, like secure email gateway and firewalls, to respond and block threats in real-time.
Learn How ThreatConnect Can Help Protect Email From Phishing and BEC Attacks
Request a demo meeting with us or reach out to us at sales@threatconnect.com to see how we can help automate phishing analysis and response for your organization.