The Health Sector Cybersecurity Coordination Center (HC3) published a new Analyst Note regarding credential harvesting, including an alert concerning an active credential harvesting campaign that targets grantees in the healthcare industry. The cybersecurity firm Cofense also published a notification regarding a credential harvesting campaign imitating the email security firms Mimecast, Proofpoint, and Virtru.
Credential harvesting is the collection of usernames, passwords, or other login information by malicious actors, who use them in later cyberattacks or sell or trade them with other threat actors. The theft of a single user's credentials can have far-reaching consequences; the Change Healthcare ransomware attack in February 2024 shows how severe the resulting problems can be.
In the Change Healthcare ransomware attack, a BlackCat ransomware group affiliate stole approximately 100 million healthcare files. The affiliate had obtained the credentials of a low-level customer service employee; those credentials had been posted in a Telegram group that advertised stolen credentials. The affiliate used them to log in to a Citrix portal through which staff (or, in this case, the threat actor) could reach a limited set of Change Healthcare applications. The credentials did not grant administrative access, but they granted enough. The affiliate escalated its privileges, moved laterally within the network, exfiltrated data, and deployed ransomware, causing substantial disruption to healthcare companies across the United States.
Credential harvesting can involve a variety of techniques, but phishing is the most common. According to the latest SlashNext report, credential phishing attacks increased by 703% in the second half of 2024. Phishing relies on email messages that appear genuine and trick the recipient into disclosing their login information, typically by impersonating a trusted entity and directing the user to a malicious webpage that asks them to log in. The campaign identified by Cofense used highly convincing emails spoofing Proofpoint, with embedded URL links or HTML attachments that redirected the user to spoofed account login pages. The emails spoofing Mimecast likewise used attachments that imitated the email security firm, and the emails spoofing Virtru used embedded hyperlinks to Google Docs styled to match Virtru's branding and genuine content.
Malware such as keyloggers is also used to collect credentials and is typically delivered through phishing emails, fake or pirated software, and spoofed websites. Keyloggers record keystrokes as they are typed, and other malware families include credential harvesting functionality. Social engineering is frequently employed as well, for example by impersonating IT helpdesk staff or a specialist to trick employees into disclosing their login information. Other campaigns target the IT helpdesk employees themselves, tricking them into performing password resets and enrolling new devices so that the attacker receives the multi-factor authentication codes.
Healthcare companies are prime targets for cybercriminals because they store large amounts of sensitive information and require continuous access to networks and data. Stolen credentials give attackers quick access to these systems, leading to ransomware attacks and data theft. The new HC3 Analyst Note on credential harvesting discusses the most effective security practices and mitigations against it. These include HIPAA training that educates employees about the risks, multi-factor authentication to prevent accounts from being accessed with stolen credentials, email filtering software to block email-based attacks, and effective monitoring using real-time, detailed analysis to identify unauthorized access with stolen login credentials.