We are now three-quarters of the way through 2020, and I think most of us can agree it’s been a doozy of a year so far. While the COVID-19 pandemic has received the lion’s share of attention over the last six months or so, there is another widespread threat that many have neglected to notice—a surge in cyberattacks. Many of these attacks have been aimed at various organizations in the healthcare industry, making an already rough situation even worse for many practices and hospitals.
For example, back in May of this year, Blackbaud (a software company that provides cloud solutions to healthcare organizations) was hit by a ransomware attack that compromised the data of 657,392 donors, potential donors and patients (Blackbaud has said that its public cloud solutions were not affected). Just last week, a ransomware group posted data it had stolen from three separate healthcare organizations to the dark web. Then you have Samaritan Medical Center in Watertown, NY, which just got its EHR system back online after three weeks of downtime (during which staff were forced to fall back on paper records) as a result of a ransomware attack.
And things are only getting worse as we approach the final quarter of 2020, as healthcare is now facing a number of widespread phishing and spear-phishing campaigns. Here’s what you need to know to keep your practice safe and your data secure.
The Water Nue Campaign
An alert was recently issued by Trend Micro concerning a series of Business Email Compromise (BEC) campaigns they have dubbed “Water Nue.” The phishing emails in these campaigns are sent from legitimate Office 365 accounts that the attackers have already hijacked; according to the alert, the attackers were able to get around multi-factor authentication (MFA) on those accounts. The emails mostly target financial executives and senior leaders in a company or organization and are dressed up as a notification that a file has been shared with them. Clicking the link in the email leads to a spoofed Office 365 login page, and any credentials typed into it go straight to the attackers.
Because these emails really do come from the Office 365 accounts of real people, they pass the sender checks that usually flag phishing and are very difficult to tell apart from the real thing. As a result, these campaigns have been extremely successful. In their research, Trend Micro found that more than 1,000 companies all over the world had already been targeted.
The KONNI RAT Malware
The Cybersecurity and Infrastructure Security Agency (CISA) recently released its own alert on another phishing campaign, this one deploying a remote access trojan (RAT) called KONNI. These campaigns, believed to be the work of a North Korean hacking group called APT37, start with targeted spear-phishing emails carrying a Microsoft Word attachment. The document contains a malicious Visual Basic for Applications (VBA) macro; if the recipient opens the attachment and enables macros, the macro installs KONNI, which lets the attackers steal data, capture keystrokes, launch further malicious code and wreak all sorts of assorted havoc (there are multiple versions of this malware that carry out different destructive functions).
This group is using researched and targeted spear-phishing in this campaign, often sending well-constructed emails with appropriate letterhead that appear to come from legitimate members of the organization. As a result, similarly to the Water Nue campaign, these emails are harder to tell apart from the real thing than the spear-phishing emails of the past (which often had telltale signs such as being riddled with typos and grainy logo images).
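The KONNI lure depends on a macro inside the Word attachment, and a macro-enabled file can be told apart from a plain one before anyone opens it. The following is an added example for this post (not code from the original post or from CISA): Office Open XML files are ZIP containers, a macro-enabled document (.docm) holds a word/vbaProject.bin part and declares a macroEnabled content type, while a plain .docx has neither, and legacy binary .doc files are OLE2 containers that need a different parser. The sample containers built in the block are constructed in memory for illustration and are not valid Word documents.

```python
"""Tell a macro-enabled Office attachment from a plain one without opening it.

Added example for this post (not code from the original post or from CISA).
The sample containers built here are constructed for illustration only.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of legacy binary Office files
OOXML_MAGIC = b"PK\x03\x04"                         # ZIP local file header (OOXML container)


def classify_attachment(data: bytes) -> str:
    """Return 'macro-enabled', 'no-macro', 'legacy-ole2' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # Old .doc/.xls: macros live in OLE streams; inspect with a tool such as olevba.
        return "legacy-ole2"
    if not data.startswith(OOXML_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as container:
            names = container.namelist()
            # 1) the VBA project part itself (word/, xl/ or ppt/ prefix depending on the application)
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro-enabled"
            # 2) the content-types manifest, which names a macro-enabled main part
            for n in names:
                if n.lower() == "[content_types].xml":
                    manifest = container.read(n).decode("utf-8", "replace").lower()
                    if "macroenabled" in manifest:
                        return "macro-enabled"
    except zipfile.BadZipFile:
        return "not-office"
    return "no-macro"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal container: just enough structure for the check above."""
    if with_macro:
        main_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()


SAMPLE_DOCM = build_sample_ooxml(with_macro=True)     # constructed
SAMPLE_DOCX = build_sample_ooxml(with_macro=False)    # constructed
SAMPLE_LEGACY_DOC = OLE2_MAGIC + b"\x00" * 64         # constructed OLE2 header only

if __name__ == "__main__":
    for label, blob in (("docm", SAMPLE_DOCM), ("docx", SAMPLE_DOCX), ("doc", SAMPLE_LEGACY_DOC)):
        print(label, classify_attachment(blob))
```

The check looks inside the container rather than at the file extension, so an attachment renamed from .docm to .docx is still reported as macro-enabled. It does not say whether a macro is malicious, only that one is present, which is enough to route the attachment to a sandbox or a human before it reaches the recipient.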
The Fake COVID-19 Relief Website
CISA has also released an alert that warns of yet another phishing email campaign with messages that appear as if they come from the Small Business Administration (SBA) and falsely claim to need application info for the recipient’s COVID-19 Relief Loan. These emails try to capitalize on the reader’s panic by claiming they will not receive their loans unless the application is completed. When the person clicks the link in the email, they are redirected to a spoofed webpage that appears to be the SBA login. Once they log in, their credentials are stolen (likely to be used to infiltrate the system later or to be sold on the dark web).
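Both the Water Nue emails and the fake SBA emails work the same way: a link that looks like it leads to a Microsoft or SBA sign-in page but actually points somewhere else. The following is an added example for this post (not code from the original post, from Trend Micro or from CISA) that pulls every link out of an email body and flags links carrying Microsoft/Office 365 or SBA branding that are not hosted on a genuine domain for that brand, along with any punycode hostname. The brand table, the genuine-domain list and the sample email body are assumptions constructed for illustration; tune them to your own tenant and the brands your users actually receive mail from.

```python
"""Triage the links in a suspected credential-phishing email.

Added example for this post (not code from the original post, Trend Micro or CISA).
The brand table and the sample email body are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# brand -> (tokens that imply the brand, domain suffixes where the brand genuinely lives).
# Assumed for illustration; not an exhaustive or authoritative list.
BRANDS = {
    "Microsoft/Office 365": (
        ("microsoft", "office", "o365", "sharepoint", "onedrive"),
        ("microsoftonline.com", "microsoft.com", "office.com",
         "sharepoint.com", "live.com", "1drv.ms"),
    ),
    "SBA": (
        ("sba", "eidl", "relief-loan"),
        ("sba.gov",),
    ),
}


class _HrefCollector(HTMLParser):
    """Collect href attributes from <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html_body):
    parser = _HrefCollector()
    parser.feed(html_body)
    return parser.hrefs


def _on_genuine_domain(host, suffixes):
    # Exact match or a subdomain of a listed suffix; "sba.gov.evil.example" does not match.
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_link(url):
    """Return (verdict, reason) for one URL: 'ok', 'suspicious' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("unknown", "link has no host (e.g. mailto:)")
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return ("suspicious", f"internationalized hostname {host} (possible homograph)")
    # Brand words anywhere in the URL are what make the link look trustworthy to a reader.
    haystack = host + parts.path.lower() + "?" + parts.query.lower()
    for brand, (tokens, suffixes) in BRANDS.items():
        if _on_genuine_domain(host, suffixes):
            return ("ok", f"genuine {brand} domain {host}")
        if any(token in haystack for token in tokens):
            return ("suspicious", f"{brand} branding on non-{brand} host {host}")
    return ("unknown", f"unbranded external host {host}")


def triage(html_body):
    """Classify every link in the body; returns [(url, verdict, reason), ...]."""
    return [(url,) + classify_link(url) for url in extract_links(html_body)]


# Constructed sample body in the style of the campaigns described above (not a real email).
SAMPLE_EMAIL_HTML = """
<p>Jane Doe has shared a file with you.</p>
<a href="https://login.microsoftonline.com.file-share-portal.example/o365/login.php?user=cfo">Open document</a>
<p>Also on <a href="https://contoso.sharepoint.com/:w:/g/personal/jane_contoso_com/abc">SharePoint</a></p>
<a href="https://sba.gov.relief-portal.example/eidl/apply">Complete your SBA relief loan application</a>
<a href="https://xn--micrsoft-pdb.example/login">Sign in</a>
<a href="https://www.example.org/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for url, verdict, reason in triage(SAMPLE_EMAIL_HTML):
        print(f"{verdict:10s} {reason}\n           {url}")
```

The first sample link is the classic trick: a genuine-looking hostname used as a subdomain of an attacker-controlled domain. Matching on domain suffix, not on whether the familiar name appears anywhere in the host, is what catches it. Two caveats: token matching will produce false positives on unrelated hosts, and a phishing kit hosted on a legitimate cloud service with a genuine-looking suffix will not be caught by hostname alone, so treat the verdicts as a first filter rather than a decision.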
The Emotet Botnet
Alongside these targeted campaigns, the infamous Emotet botnet, first detected back in 2014, is once again sending phishing email at scale. A botnet is an internet-connected network made up of infected computers that can be used to deliver various forms of attacks.
Earlier this year, Emotet appeared to stop functioning, but it is now evident that the group in control of the system was simply taking a break. On July 17, 2020, researchers at Malwarebytes Labs and others reported that Emotet was back in operation, and an estimated 250,000 phishing emails had been sent by the botnet that day alone. The emails carry malicious attachments or links that install the Emotet loader, which in turn drops other malware onto the infected machine.
Be Aware. Be Calm. Be Suspicious.
To avoid becoming a victim of phishing or spear-phishing campaigns, the solution has more to do with individual behavior than technology. Having an up-to-date antivirus (AV) solution is important, of course, but even the best AV can’t catch everything. The strongest weapons you have for protecting yourself are awareness, remaining calm and being suspicious.
Awareness. Try to stay informed on new phishing campaigns, such as those we’ve discussed in this blog, so you can be on the lookout when they are identified.
Remain Calm. Never rush to open an email attachment or click on a link, even if at first glance it seems to come from someone you work with or know well.
Be Suspicious. Any email that contains links or attachments should be immediately viewed as suspicious (especially if the email is unexpected or has an urgent tone). Verify the source before clicking links or opening attachments. When in doubt, pick up the phone and call the sender to confirm, using a number you already have rather than one given in the email.
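"Verify the source" has a technical side as well as a phone call. The following is an added example for this post (not code from the original post) that reads the Authentication-Results header your own receiving mail server stamps on inbound mail, checks that SPF/DKIM/DMARC passed for the visible From: domain, and flags a Reply-To that points somewhere else. The three messages are constructed samples. Note the limit, which is the reason the behavioural advice above still matters: a message sent from a colleague's hijacked Office 365 account, as in the Water Nue campaign, passes every one of these checks.

```python
"""Check who really sent a message before acting on its link or attachment.

Added example for this post (not code from the original post). The three
sample messages are constructed; the header layout follows what a receiving
mail server writes in Authentication-Results.
"""
import email
import re
from email.utils import parseaddr

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def parse_auth_results(header_value: str) -> dict:
    """'mx.example; spf=pass ...; dkim=pass ...; dmarc=fail ...' -> {'spf': 'pass', ...}."""
    # The first clause is the authserv-id (which server did the checking); skip it.
    results = {}
    for clause in header_value.split(";")[1:]:
        m = AUTH_RE.search(clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def _domain(addr_header) -> str:
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def assess(raw_message: str) -> list:
    """Return reasons to distrust the message; an empty list means the header checks passed."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To")) or from_domain
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        auth.update(parse_auth_results(value))
    findings = []
    if auth.get("dmarc") != "pass":
        findings.append(f"DMARC result for {from_domain} is {auth.get('dmarc', 'absent')}, not pass")
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append("neither SPF nor DKIM passed")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed sample: spoofed SBA loan notice, replies routed to a third-party mailbox.
SAMPLE_SBA_SPOOF = """From: SBA Loan Desk <loans@sba.gov>
Reply-To: sba.loan.desk@mail.example
To: admin@clinic.example
Subject: URGENT: complete your COVID-19 relief loan application today
Authentication-Results: mx.clinic.example;
 spf=fail smtp.mailfrom=bulk-sender.example;
 dkim=none;
 dmarc=fail header.from=sba.gov

Your application will be cancelled unless you log in now.
"""

# Constructed sample: ordinary internal mail that authenticates cleanly.
SAMPLE_GENUINE = """From: Payroll <payroll@clinic.example>
To: admin@clinic.example
Subject: September payroll report
Authentication-Results: mx.clinic.example;
 spf=pass smtp.mailfrom=clinic.example;
 dkim=pass header.d=clinic.example;
 dmarc=pass header.from=clinic.example

Attached as usual.
"""

# Constructed sample: Water Nue style lure from a partner's hijacked account. It authenticates
# perfectly, so these checks return nothing; only the recipient's suspicion can catch it.
SAMPLE_HIJACKED = """From: Jane Doe <jane.doe@partner.example>
To: cfo@clinic.example
Subject: Jane Doe shared "Q3 invoices" with you
Authentication-Results: mx.clinic.example;
 spf=pass smtp.mailfrom=partner.example;
 dkim=pass header.d=partner.example;
 dmarc=pass header.from=partner.example

Open the shared document: https://o365-share-portal.example/login
"""

if __name__ == "__main__":
    for label, raw in (("sba-spoof", SAMPLE_SBA_SPOOF), ("genuine", SAMPLE_GENUINE), ("hijacked", SAMPLE_HIJACKED)):
        print(label, assess(raw) or "no header findings")
```

Only the Authentication-Results header written by your own mail server is trustworthy; a sender can include one of their own, which is why production deployments strip any copy arriving from outside before the server adds its own. The hijacked-account sample is the important one: it comes back clean, so a clean result means "the sender is who the header says", not "the message is safe".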