Homeland Security warns healthcare organizations of hackers using 'password spraying' tactic
Hackers are shifting tactics against healthcare organizations, using "brute force" and "password spraying" attacks to compromise user accounts and breach systems, according to a new report.
In an advisory released Oct. 16, the Cybersecurity and Infrastructure Security Agency (CISA) said Iranian cyber actors have intensified attacks against healthcare entities, abusing multifactor authentication (MFA), for example by flooding users with push prompts until one is accepted, to break in and quietly retain access. In some cases they also altered security settings, including MFA registrations, at medical practices, insurers and health systems to prolong that access.
The Iranian groups also are targeting government agencies, social services, energy, engineering and more, CISA said. They may be motivated by financial gain, selling off stolen credentials to other nefarious entities.
“The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals,” CISA added.
In some of the analyzed cases, the attackers escalated their privileges on compromised systems and deployed tooling to monitor and control activity. CISA said they use remote desktop software to operate computers alongside legitimate users, citing one instance in which Microsoft Word was used to launch PowerShell, which in turn started Microsoft's built-in Remote Desktop client, mstsc.exe.
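The Word-to-PowerShell-to-mstsc.exe chain described above is the kind of parent/child process relationship an endpoint detection rule can catch. The following is an added example written for this article, not code from CISA or the advisory: it walks a set of constructed process-creation records (the field layout mimics Sysmon Event ID 1 but the events themselves are hypothetical) and flags a command shell whose ancestry includes an Office application, and a Remote Desktop client started from such a shell. The process list, thresholds and category names are all assumptions for illustration.

```python
# Added example: detect Office -> shell -> mstsc.exe process chains in
# constructed process-creation telemetry. Not from the CISA advisory.

# Constructed events (hypothetical). Each record resembles a Sysmon
# Event ID 1 entry: process id, parent process id, image path.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\mstsc.exe"},
    # A benign admin chain for contrast: explorer -> cmd -> powershell.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Assumed classification lists; tune to the environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
REMOTE_ACCESS = {"mstsc.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of an image path (handles Windows separators)."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the given pid up to the root, child first.

    A `seen` set guards against cycles in malformed telemetry (pid reuse).
    """
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious_chains(events):
    """Return (pid, rule, chain) for every event matching a rule.

    Rule 1: a shell interpreter with an Office application anywhere in its
            ancestry (the document-opens-PowerShell pattern).
    Rule 2: a remote-access client with a shell anywhere in its ancestry
            (the PowerShell-launches-mstsc.exe pattern).
    """
    findings = []
    for e in events:
        name = basename(e["image"])
        chain = ancestry(events, e["pid"])
        parents = chain[1:]
        rendered = " <- ".join(chain)
        if name in SHELLS and any(p in OFFICE_APPS for p in parents):
            findings.append((e["pid"], "office-spawned-shell", rendered))
        if name in REMOTE_ACCESS and any(p in SHELLS for p in parents):
            findings.append((e["pid"], "shell-launched-rdp-client", rendered))
    return findings


if __name__ == "__main__":
    for pid, rule, chain in find_suspicious_chains(EVENTS):
        print(f"pid {pid}: {rule}: {chain}")
```

Checking the full ancestry rather than only the immediate parent matters because attackers routinely insert an intermediate process (cmd.exe, a script host) between the document and the payload; the benign explorer -> cmd -> powershell chain in the sample is not flagged because no Office application appears above it.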
Attackers also "spray" passwords. Unlike a classic brute force attack, which hammers one account with many guesses and quickly trips lockout thresholds, password spraying tries a short list of common passwords against many accounts at once, so each account sees only one or two failures while the attacker still gains a foothold in any part of the system protected by a login.
CISA posted the alert to advise all industries of these tactics so they can improve their defenses. It recommends closely monitoring for suspicious logins from unknown IP addresses, for changes to usernames and passwords, and for MFA prompts or registrations that the user did not request. These are signs not only of these attacks but also of automated bot activity, and the agency said it is seeing an increasing number of bot attacks that attempt to bog down and break systems across various industries.
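The distinction between spraying and brute force in the paragraph above maps directly onto a sign-in log: a spray shows up as one source failing against many accounts, a brute force as one source failing many times against one account. The following is an added example written for this article, not code from CISA or the advisory. It classifies constructed sign-in records (hypothetical timestamps, usernames and RFC 5737 documentation IP addresses) with a sliding time window, and for each flagged source also reports any account that later signed in successfully from it, which is the "suspicious login from an unknown IP address" the advisory tells defenders to watch for. The window size and thresholds are assumptions to be tuned per environment.

```python
# Added example: classify failed sign-ins as password spraying or brute force
# over constructed log records. Not from the CISA advisory.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (hypothetical): (timestamp, source IP, user, result).
SIGNINS = [
    # One source, five accounts, one failure each, then a success: a spray.
    ("2024-10-16T08:00:01Z", "198.51.100.7", "alice", "FAIL"),
    ("2024-10-16T08:00:03Z", "198.51.100.7", "bob",   "FAIL"),
    ("2024-10-16T08:00:05Z", "198.51.100.7", "carol", "FAIL"),
    ("2024-10-16T08:00:07Z", "198.51.100.7", "dave",  "FAIL"),
    ("2024-10-16T08:00:09Z", "198.51.100.7", "erin",  "FAIL"),
    ("2024-10-16T08:00:11Z", "198.51.100.7", "frank", "SUCCESS"),
] + [
    # One source, one account, six failures in a minute: brute force.
    (f"2024-10-16T08:05:{10 * i:02d}Z", "203.0.113.9", "grace", "FAIL") for i in range(6)
] + [
    # A user mistyping once and then signing in: benign, not flagged.
    ("2024-10-16T09:00:00Z", "192.0.2.44", "alice", "FAIL"),
    ("2024-10-16T09:00:30Z", "192.0.2.44", "alice", "SUCCESS"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_credential_attacks(signins, window=timedelta(minutes=10),
                              spray_min_users=5, brute_min_attempts=5):
    """Return {source_ip: finding} for sources whose failures look like an attack.

    Within any `window`-long span of one source's failures:
      - distinct accounts >= spray_min_users      -> "password_spray"
      - failures on one account >= brute_min_attempts -> "brute_force"
    Spray is checked first because a spray also produces many failures.
    """
    rows = sorted((parse_ts(t), ip, user, result) for t, ip, user, result in signins)
    fails = defaultdict(list)      # ip -> [(ts, user)] in time order
    successes = defaultdict(list)  # ip -> [(ts, user)]
    for ts, ip, user, result in rows:
        (fails if result == "FAIL" else successes)[ip].append((ts, user))

    findings = {}
    for ip, events in fails.items():
        max_users = 0         # most distinct accounts failing inside one window
        max_per_account = 0   # most failures on a single account inside one window
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in events[start:end + 1]:
                counts[user] += 1
            max_users = max(max_users, len(counts))
            max_per_account = max(max_per_account, max(counts.values()))

        if max_users >= spray_min_users:
            pattern = "password_spray"
        elif max_per_account >= brute_min_attempts:
            pattern = "brute_force"
        else:
            continue  # ordinary failed logins

        # Accounts that signed in successfully from this source after the
        # attack began: the "unknown IP" logins the advisory says to review.
        first_fail = events[0][0]
        success_after = sorted({u for ts, u in successes.get(ip, []) if ts >= first_fail})
        findings[ip] = {
            "pattern": pattern,
            "distinct_users": max_users,
            "max_per_account": max_per_account,
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_attacks(SIGNINS).items():
        print(ip, f)
```

A per-account lockout policy alone would miss the first source entirely, since no account there failed more than once; the spray is only visible when failures are grouped by source and counted across accounts. In practice the window should also be applied across several source IPs, because spraying campaigns commonly rotate addresses to stay under exactly this kind of threshold.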
The full advisory from CISA can be found here.