Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime

HHS HC3: Beware of Lapsus$, Email Marketing-Related Threats

Authorities Warn Healthcare, Public Health Sectors of Latest Concerns
HHS HC3: Beware of Lapsus$, Email Marketing-Related Threats

Federal authorities are warning the healthcare and public health sector of potential threats involving Lapsus$ - including those related to the extortion group's recent hack of identity management vendor Okta - and also of possible phishing attacks arising out of a recent breach experienced by email marketing services provider Mailchimp.

See Also: Ponemon Report: The Impact of Ransomware on Patient Safety and the Value of Cybersecurity Benchmarking

The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, or HC3, in two separate advisories issued on April 7 warns of attack threats to the sector by Lapsus$ and also by potential phishing campaigns leveraged by "legitimate" email marketing platforms, such as Mailchimp.

Lapsus$ Threats

HC3 in its threat brief warns the healthcare and public health sector that hacking group Lapsus$ relies on "bribery and non-ransomware extortion" in its attacks, which involve exfiltration and destruction of data in on-premises and cloud systems.

The group claims to behind recent attacks on several companies, including identity management services provider Okta, as well as Microsoft, Nvidia and Ubisoft (see: Lapsus$ Teens Out on Bail, Due Back in Court April 29).

The group's attack on Okta is of particular concern for healthcare and public sector entities, HC3 says. "HC3 is aware of healthcare organizations that were compromised in this attack. It is a managed service provider attack, which are often used as part of cyberattacks on the health sector," the advisory warns.

On March 25, London police announced that they had arrested and charged seven alleged members of Lapsus$, including two teenagers. The teens were released on bail for an undisclosed sum and are due back in court on April 29.

"When comparing Lapsus$ motivations and tactics to health sector operations, the health sector is within their scope of targeting," HC3 writes. The group steals data for extortion purposes and targets managed service providers, and their operations are global, HC3 warns. "They look for targets of opportunity."

Despite law enforcement authorities pressuring the Lapsus$ group and arresting some alleged members, operations are expected to continue, with other members likely continuing under the Lapsus$ banner or as part of another group, HC3 says.

"The geographic diversity of this group will make them especially difficult to permanently quash. The diversity of their tactics, and their lack of reliance on specific malware variants, make them very difficult to detect or stop," HC3 writes.

"They have already compromised healthcare organizations and have no reason to stop."

Healthcare sector entities attacked by Lapsus$ includes the Brazilian Ministry of Health. Lapsus$ defaced its website in December, HC3 says (see: Portugal's Major News Websites Remain Offline After Attacks).

Unpredictable Threat

In part because Lapsus$ may be exploited by teens, the threats posed by the group are volatile and especially difficult to predict compared with other cybercriminal gangs, some experts say.

"Ransomware gangs or other financially motivated cybercriminals typically follow a fairly standard process aimed at extracting money from the target," says Brett Callow, a threat analyst at security vendor Emsisoft.

"In other words, they’re predictable, which means organizations can plan for incidents. That’s obviously not the case with Lapsus$, and providers may find themselves dealing with situations that aren’t covered by their playbooks. "

Defenses and Mitigations

To help protect against Lapsus$ attacks, HC3 advises healthcare and public sector entities to take several measures, including:

  • Requiring multifactor authentication for all users;
  • Leveraging authentication options such as OAuth or SAML for virtual private networks;
  • Implementing zero trust as applicable across the enterprise;
  • Deploying network segmentation, including keeping sensitive data protected from internet exposure;
  • Ensuring that critical data is backed up;
  • Providing social engineering awareness and testing for employees.

Mailchimp Breach Advisory

HHS HC3 in its alert about Mailchimp says that on April 4, the email marketing platform vendor confirmed a breach affecting one of the company’s internal tools used by its customer support and account administration teams.

"Although Mailchimp deactivated the compromised employee accounts after learning of the breach, the threat actors were able to view around 300 Mailchimp user accounts and obtain audience data from 102 of them, according to the company's CISO," HC3 says.

The threat actors were also able to access application programming interface keys for an undisclosed number of customers, which would allow them to create custom email campaigns such as phishing campaigns and send them to mailing lists without accessing the Mailchimp customer portal, according to HC3.

"While HC3 is currently only aware of a phishing campaign abusing this unauthorized access to send fake data breach notification emails to users in the cryptocurrency and finance sectors - which was reportedly executed with exceptional sophistication and planning - the healthcare and public health sector should remain cautious of suspicious emails originating from legitimate email marketing platforms such as Mailchimp," the advisory says.

The Mailchimp data breach came to light when cryptocurrency hardware wallet provider Trezor launched a recent investigation after customers said they had received sophisticated phishing emails that contained their registered Trezor email addresses. The investigation revealed a data breach at its third-party email marketing firm Mailchimp, which it says likely leaked email addresses of Trezor customers (see: Targeted Mailchimp Breach Affects Trezor Crypto Customers).

In its advisory, HC3 reminds the healthcare and public sector that advanced persistent threat groups have previously leveraged legitimate mass-mailing services in malicious email campaigns to target a wide variety of organizations and industry verticals.

Mitigation Measures

To help mitigate threats involving the Mailchimp incident, user awareness around phishing and social engineering scams is critical, especially in campaigns in which emails originate from a legitimate sender, HC3 says.

Additional mitigations include implementing anti-malware and network intrusion prevention systems and restricting web-based content that may not be necessary for business operations.

"Anti-spoofing and email authentication mechanisms can also be implemented to filter messages based on validity checks of the sender domain - using Sender Policy Framework or SPF - and integrity of messages - using domain keys identified mail, or DKIM," HC3 says.

"Enabling these mechanisms within an organization - through policies such as domain-based message authentication, reporting and conformance, or DMARC - may enable recipients - intra-org and cross-domain - to perform similar message filtering and validation."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.