4 Sophisticated Phishing Campaigns Impacting the Healthcare Sector

October 02, 2020 - Hackers have leveraged the COVID-19 public health crisis to improve the sophistication and increase the frequency of attacks. Specifically, email phishing that targets enterprise organizations dominate the threat landscape, with the healthcare sector among the most targeted amid the public health crisis. 

In the last year, Microsoft blocked 13 billion malicious and suspicious emails, of which 1 billion were URLs set up with the explicit purpose of phishing credential attacks. And as threat actors continue to hone their methods, these attacks have become increasingly harder to detect. 

Indeed, previous data from IRONSCALES found healthcare recipients are the biggest target for credential theft attempts through social engineering attempts and spoofed login pages. During the first half of 2020, researchers identified over 50,000 fake login pages for 200 prominent brands. 

“The operation, commonly known as credential theft, is simple: target unsuspecting recipients with an email spoofing a trusted brand and persuade them via social engineering to insert their legitimate credentials, such as a username and password, into a fake login page either embedded within the body of an email or built into a phishing website,” researchers explained at the time. 

To make matters worse, Proofpoint found that ransomware attacks delivered via phishing campaigns are on the rise, showing similarities to 2018 attack methods. In total, hackers sent as many as 350,000 emails using this method each day, per campaign. 

READ MORE: CISA Alerts to Phishing Campaign Spoofing COVID-19 Loan Relief Site

As a concerning number of healthcare providers have fallen victim to these types of attacks in recent months, it’s crucial for organizations to understand current threat methods to educate staff and employ technology to defend against these attacks. And most importantly, implementing multi-factor authentication is shown to block 99.9 percent of automated attacks. 

Overlay Tactic Aimed at Employee Credential Theft

One of the newest phishing campaigns was spotted in the wild by Cofense leverages message quarantine phishing, or emails that imitate messages sent from an organization’s technical support team. The hackers disguise these emails as sent from the company’s email service. 

Entities should look out for messages that claim several emails have failed to process properly and has blocked them from being delivered to the inbox. The employee is asked to review the messages to confirm the validity, with some messages stating some are being held for deletion to evoke urgency. 

“This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails,” researchers explained at the time. “Potential loss of important documents or emails could make the employee more inclined to interact with this email.” 

If the user clicks the malicious link in the email, they’re sent to a login page that appears to belong to the targeted company. In reality, the site is a fake login panel that covers the legitimate site and designed to put the employee at ease – thus, heightening the risk the employee will input their credentials. 

Hidden Text or Zero Font

READ MORE: BEC Phishing Campaigns Bypass MFA, Target Office 365 Executive Accounts

Hackers are also sending phishing campaigns that employ hidden text, or what’s known as zero font, which allows these malicious emails to bypass email security controls to deliver the messages to the victim’s inbox, according to Inky Technology. 

Zero font is the method of hiding malicious embedded text within an email. The majority of email platforms use HTML, which makes sites more secure but challenge email software when determining what the user will see when opening a delivered email. 

Hackers are taking advantage of HTML complexity by applying the zero font technique in the new campaign, which Inky Technology researchers observed being sent to users in the pharmaceutical, electrical utility, and cloud managed service sectors.  

The threat actors insert invisible font into the embedded code, which appears as gibberish text when examined. But by using yellow text set to zero, hackers can hide these malicious emails from mail protection software. To the user, the emails appear legitimate because the malicious code is hidden in the backend and designed to confuse the email software. 

“Attackers can embed text into their emails that is both invisible to end users and visible — and confusing — to the machines that automatically scan the mail looking for signs of malicious intent or branding,” researchers wrote at the time. “If the software is looking for brand-indicative text like ‘Office 365’, it won’t find a match.”   

READ MORE: Microsoft Sues, Now Controls COVID-19 Phishing Campaign Domains

“This tactic therefore prevents legacy mail protection systems from classifying this mail as appearing to be from Microsoft,” they added. Since it doesn’t know it appears to be from Microsoft, it doesn’t require the mail to be from a Microsoft-controlled mail server. So it sails right through, ending up in the victim’s inbox.” 

Given the highly sophisticated nature of these attacks, traditional email security tools will most likely not be able to detect this scheme. 

Agent Tesla RAT Malware Delivered Via COVID-19 Phishing Campaign

Months after the public health emergency was announced, hackers were found still preying on COVID-19 fears and delivering the notorious Agent Tesla remote access trojan (RAT) malware in targeted phishing attacks offering personal protective equipment (PPE), according to Area 1 Security. 

The campaign began in May 2020, with its hackers developing a range of iterations but maintaining the email body text. Agent Tesla is adaptable, able to avoid detection, and is known as a stealthy platform for hackers. 

The latest phishing campaign employs malicious email attachments containing the RAT and disguised as messages that offer face masks and forehead thermometers from a mask production business. The hackers use convincing lures to entice users and are able to bypass legacy vendors to increase the probability of the emails making it to the inbox. 

Further, the threat actors are phishing in 10-day cycles to avoid detection and are continuous modifying their tactics, techniques, and procedures before launching a new round of attacks. 

“Various tiers are available for purchase that provide additional licenses and different functionality,” researchers explained, at the time. “However, in typical internet fashion, there is a torrent available on Russian websites.”  

“For the initial file, the attacker uses a 32-bit Windows executable to ensure that the malware can be executed on common Windows devices,” they added. “This file is a trojan, appearing as a benign application but containing hidden, malicious functionality. This initial phase determines if it is in a malware analysis environment so the program can decide whether to proceed with the attack or go to sleep.” 

There are some recommended mitigation techniques for entities: educating employees on this technique, employing policies that treat unsolicited emails as potential threats until a security review, and ensuring executable files can’t be opened by the user. 

Area 1 also stressed that organizations should not rely on email gateways, cloud email suites, and traditional anti-virus tools, which cannot protect against the Agent Tesla campaign. 

North Korean Hackers Deploying KONNI RAT Malware

North Korean hackers are also leveraging phishing campaigns to deploy their RAT malware known as KONNI. In these campaigns, the malware is delivered in Microsoft Word documents that contain a malicious Visual Basic Application (VBA) macro code, the Department of Homeland Security warned. 

The malware is commonly delivered via spear-phishing campaigns, both highly targeted and personal compared to more traditional phishing methods focused more on volume. Given the tailored nature of the attack method, these phishing emails are more difficult to detect even for the most tech-savvy user. 

The malware’s code is able to change the color of the font from light grey to black to trick the user into enabling the contents of the malicious email. The code can also determine the version of the Windows operating system, along with executing the command line to download additional files. 

If successful, KONNI allows a hacker to steal data, capture keystrokes, take screenshots, and launch malicious code. It’s also been observed using the File Transfer Protocol to exfiltrate reconnaissance data from the victim’s system. DHS also found the hackers may repeat the targeting of victims. 

“Once the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator,” DHS officials explained, at the time. “It also incorporates a built-in function to decode base64-encoded files.”  

“The Command Prompt silently copies certutil.exe into a temp directory and renames it to evade detection,” they added. “The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.” 

Patch management is critical to mitigating KONNI phishing attacks, while user permissions should be restricted from installing and running unwanted software. Administrators should also not add users to the local administrators’ group unless it’s required for their role.