Beware of Lapsus$, Email Marketing Threats

Business Continuity Management / Disaster Recovery, Critical Infrastructure Security, Cybercrime
Authorities warn health care and public health sectors of latest concerns
Marianne Kolbasuk McGee (HealthInfoSec) •
April 11, 2022
Federal authorities are warning the health and public health sector of potential threats involving Lapsus$, including those related to the extortion group’s recent hack of identity management provider Okta, and also of possible phishing attacks stemming from a recent breach suffered by the email marketing service provider Mailchimp.
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center, or HC3, in two separate notices issued on April 7, warns of threats to the sector from Lapsus$ and from potential phishing campaigns that exploit “legitimate” email marketing platforms, such as Mailchimp.
Lapsus$ Threats
HC3, in its threat brief, warns the health and public health sector that hacking group Lapsus$ relies on “non-ransomware bribery and extortion” in its attacks, which involve exfiltration and destruction of data in on-premises and cloud systems.
The group claims to be behind recent attacks against several companies, including identity management service provider Okta, as well as Microsoft, Nvidia and Ubisoft (see: Lapsus$ Teens released on bail, due back in court April 29).
The group’s attack on Okta is of particular concern to healthcare and public sector entities, HC3 said. “HC3 is aware of healthcare organizations that have been compromised in this attack. This is a managed service provider attack, which is often used in cyberattacks against the healthcare industry,” the advisory warns.
On March 25, London police announced that they had arrested and charged seven suspected Lapsus$ members, including two teenagers. The teens were released on bail for an undisclosed sum and are due back in court on April 29.
“When you compare Lapsus$ motivations and tactics to health sector operations, the health sector is in their target range,” writes HC3. The group steals data for extortion and targets managed service providers, and their operations are global, warns HC3. “They are looking for targets of opportunity.”
Although law enforcement is pressuring the Lapsus$ group and arresting some suspected members, operations are expected to continue, with other members likely continuing under the Lapsus$ banner or as part of another group, said HC3.
“The geographic diversity of this group will make them particularly difficult to eliminate permanently. Their diversity of tactics and lack of reliance on specific malware variants make them very difficult to detect or stop,” writes HC3.
“They have already compromised health organizations and have no reason to stop.”
Health sector entities attacked by Lapsus$ include the Brazilian Ministry of Health. Lapsus$ defaced its website in December, according to HC3 (see: Portugal’s main news sites remain offline after attacks).
Unpredictable threat
Partly because Lapsus$ is reportedly operated by teenagers, the threats posed by the group are volatile and particularly difficult to predict compared to other cybercriminal gangs, according to some experts.
“Ransomware gangs or other financially motivated cybercriminals typically follow a fairly standard process to extract money from the target,” says Brett Callow, threat analyst at security vendor Emsisoft.
“In other words, they are predictable, which means that organizations can plan for incidents. This is obviously not the case with Lapsus$, and suppliers may find themselves faced with situations that are not covered by their playbooks.”
Defenses and mitigations
To help protect against Lapsus$ attacks, HC3 advises healthcare and public sector entities to take several steps, including:
- Require multi-factor authentication for all users;
- Leverage authentication options such as OAuth or SAML for virtual private networks;
- Implement zero trust, where appropriate, across the enterprise;
- Deploy network segmentation, including protecting sensitive data from Internet exposure;
- Ensure that critical data is backed up;
- Educate and test employees on social engineering.
Mailchimp Breach Alert
HHS HC3, in its Mailchimp alert, says that on April 4, the email marketing platform provider confirmed a breach affecting one of the company’s internal tools used by its customer support and account administration teams.
“Although Mailchimp disabled compromised employee accounts after learning of the breach, threat actors were able to view approximately 300 Mailchimp user accounts and obtain audience data from 102 of them, according to the company’s CISO,” says HC3.
Threat actors were also able to access application programming interface keys for an undisclosed number of customers, which would allow them to create custom email campaigns, such as phishing campaigns, and send them to mailing lists without ever accessing the Mailchimp customer portal, according to HC3.
“While HC3 is currently only aware of one phishing campaign abusing this unauthorized access to send fake data breach notification emails to users in the cryptocurrency and finance industries – which was allegedly executed with exceptional sophistication and planning – the healthcare and public health industry should remain wary of suspicious emails from legitimate email marketing platforms such as Mailchimp,” the advisory says.
The Mailchimp data breach came to light when cryptocurrency hardware wallet provider Trezor launched a recent investigation after customers reported receiving sophisticated phishing emails containing their registered Trezor email addresses. The investigation uncovered a data breach at its third-party email marketing company Mailchimp, which it says likely leaked the email addresses of Trezor customers (see: Mailchimp Targeted Breach Affects Trezor Crypto Customers).
In its advisory, HC3 reminds the healthcare and public sectors that advanced persistent threat groups have previously leveraged legitimate direct mail services in malicious email campaigns to target a wide variety of organizations and industry verticals.
Mitigation Measures
To help mitigate threats from the Mailchimp incident, educating users about phishing scams and social engineering is critical, especially in campaigns where emails come from a legitimate sender, HC3 says.
Additional mitigations include implementing anti-malware and network intrusion prevention systems and restricting web content that may not be necessary for business operations.
“Anti-spoofing and email authentication mechanisms can also be implemented to filter messages based on sender domain validity checks – using Sender Policy Framework, or SPF – and message integrity – using DomainKeys Identified Mail, or DKIM,” explains HC3.
“Enabling these mechanisms within an organization – through policies such as Domain-based Message Authentication, Reporting and Conformance, or DMARC – can allow recipients – intra-organization and cross-domain – to perform similar filtering and validation of messages.”
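The interplay between SPF, DKIM and DMARC that HC3 describes is easiest to see in code. The following is an added example, not code from the HC3 advisory or from Mailchimp; it assumes the mail gateway has already produced the raw SPF and DKIM verdicts, uses a constructed in-memory table of DNS TXT records in place of a live lookup, and simplifies the organizational-domain rule to the last two labels (a real implementation consults the public suffix list). It shows why a message that legitimately passes SPF for a third-party bulk-mailer domain still fails DMARC when the visible From domain publishes p=reject, and why a domain with "+all" or p=none gives recipients nothing to filter on.

```python
"""Evaluate inbound mail against SPF/DKIM/DMARC alignment (added example)."""
import re
from dataclasses import dataclass

# Constructed DNS TXT records standing in for a live resolver.
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 +all"],          # any sender passes SPF
    "_dmarc.weak.example": ["v=DMARC1; p=none"],  # monitor only, no enforcement
}


@dataclass
class AuthResults:
    """Raw authentication verdicts as a gateway would hand them over."""
    header_from: str   # domain in the visible RFC 5322 From header
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # domain SPF was evaluated against (envelope MAIL FROM)
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature, if any


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(domain, dns=FAKE_DNS_TXT):
    """Return the parsed DMARC policy for a domain, or None if it has none."""
    for txt in dns.get(f"_dmarc.{domain}", []):
        if txt.lower().startswith("v=dmarc1"):
            return parse_dmarc(txt)
    return None


def org_domain(domain):
    # Simplified organizational domain (assumption): last two labels only.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(candidate, header_from, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return candidate.lower() == header_from.lower()
    return org_domain(candidate) == org_domain(header_from)


def dmarc_disposition(res, dns=FAKE_DNS_TXT):
    """Return 'pass', the publisher's policy ('none'/'quarantine'/'reject'), or 'no-policy'."""
    policy = lookup_dmarc(res.header_from, dns)
    if policy is None:
        return "no-policy"
    aspf = policy.get("aspf", "r")
    adkim = policy.get("adkim", "r")
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.header_from, aspf)
    dkim_ok = res.dkim_result == "pass" and aligned(res.dkim_domain, res.header_from, adkim)
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")


def spf_posture(domain, dns=FAKE_DNS_TXT):
    """Short finding on how much a domain's SPF record actually constrains senders."""
    records = [t for t in dns.get(domain, []) if t.lower().startswith("v=spf1")]
    if not records:
        return "no SPF record"
    rec = records[0]
    if re.search(r"\s\+?all$", rec):
        return "+all: any sender passes"
    if rec.endswith("~all"):
        return "softfail"
    if rec.endswith("-all"):
        return "hardfail"
    return "no all mechanism"


if __name__ == "__main__":
    # A phishing message spoofing example.com in From, relayed by a third-party
    # bulk mailer whose own envelope domain passes SPF but is not aligned.
    spoof = AuthResults("example.com", "pass", "bulk.mailer.example", "none", "")
    print("spoofed via bulk mailer:", dmarc_disposition(spoof))   # reject
    legit = AuthResults("example.com", "fail", "", "pass", "example.com")
    print("legitimate, DKIM-aligned:", dmarc_disposition(legit))  # pass
    print("weak.example SPF:", spf_posture("weak.example"))
```

The `weak.example` records illustrate the gap HC3 is pointing at: with `+all` any sending host passes SPF, and with `p=none` the receiver is told to deliver anyway, so neither filtering nor validation can happen on the recipient side.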