Credential Harvesting Prevention and Alert Against Volt Typhoon Threat

HHS Offers Guidance on Credential Harvesting Mitigations

The Health Sector Cybersecurity Coordination Center (HC3) has issued a sector advisory for the healthcare and public health (HPH) sector on credential harvesting, a tactic frequently used by threat actors in cyberattacks on the HPH sector.

Although more secure methods of verifying identity and controlling access to accounts and information exist, credentials such as usernames, passwords, and personal data remain widely used. Credentials grant access to online accounts, email systems, patient data, and system resources. Once an attacker obtains credentials, they hold the user's privileges and can act on the network with them.

Credential harvesting, the theft of account details, can itself cause a data breach, but it is often the first step in a larger attack. With a person's credentials, an attacker can compromise further accounts, escalate privileges, exploit vulnerabilities in internal systems, deploy malware, move laterally within the network, disrupt administrative functions, and cause application outages. Such disruption to healthcare services can affect patient care.

Credential harvesting is most commonly associated with phishing, but credentials can also be obtained through several other techniques:

  • Phishing: Using deceptive messages to trick users into disclosing their login details, typically on attacker-controlled websites.
  • Brute Force Attacks: Automated attempts that cycle through combinations of usernames and commonly used passwords until a valid pair is found.
  • Credential Stuffing: Use of credentials obtained in one data breach to access accounts on other websites or systems where the same username and password were reused.
  • Keylogging: Malware that records keystrokes as users type them, including passwords.
  • Person-in-the-Middle (PITM) Attacks: Interception of communications between two parties to capture sign-in credentials exposed during the authentication process.

Because credentials can be harvested in so many ways, no single mitigation protects against the technique. Healthcare organizations should be proactive and apply several mitigations to reduce risk. Multi-factor authentication (MFA) is one essential measure because it adds a further layer of authentication: if credentials are compromised, account access is still denied without the additional factor. Phishing-resistant MFA provides the strongest protection.

Credential harvesting attacks commonly use email for the initial contact with end users. Email filtering tools such as spam filters will block many of these messages before they reach users; however, even the most advanced email security solution will not stop every malicious message. Security awareness training for the workforce is therefore essential. All staff, including the CEO, need to be trained on phishing and other credential harvesting techniques and on cybersecurity best practices.

Monitoring and detection tools should be used to identify suspicious sign-in attempts and anomalous user behavior. Endpoint security software can protect against malware, including keyloggers. Systems must be kept patched to prevent exploitation of vulnerabilities. Organizations should also ensure they have incident response plans in place to limit the damage should an attack succeed.
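As an added illustration of the sign-in monitoring the advisory calls for (example code, not HC3's or any vendor's), the script below runs simple detection rules over constructed authentication log lines: repeated failures from one source against one account (brute force), failures from one source across many distinct accounts (credential stuffing), and a success that follows a burst of failures. The log format, field names, and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not from the advisory); fields: time user ip result.
SAMPLE_LOG = """\
2024-03-20T08:01:10Z user=jdoe ip=203.0.113.5 result=FAIL
2024-03-20T08:01:12Z user=jdoe ip=203.0.113.5 result=FAIL
2024-03-20T08:01:15Z user=jdoe ip=203.0.113.5 result=FAIL
2024-03-20T08:01:18Z user=jdoe ip=203.0.113.5 result=FAIL
2024-03-20T08:01:25Z user=jdoe ip=203.0.113.5 result=OK
2024-03-20T08:02:01Z user=asmith ip=198.51.100.9 result=FAIL
2024-03-20T08:02:02Z user=bjones ip=198.51.100.9 result=FAIL
2024-03-20T08:02:03Z user=clee ip=198.51.100.9 result=FAIL
2024-03-20T08:02:04Z user=dkim ip=198.51.100.9 result=FAIL
2024-03-20T08:03:05Z user=fwong ip=192.0.2.44 result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect(events, fail_threshold=4, user_threshold=4):
    """Return (rule, ip, detail) findings: brute_force (one IP hammering one account),
    credential_stuffing (one IP failing across many accounts), success_after_failures."""
    fails_by_ip_user = defaultdict(int)   # (ip, user) -> failed attempts
    users_failed_by_ip = defaultdict(set)  # ip -> distinct accounts it failed against
    findings = []
    for ev in events:
        key = (ev["ip"], ev["user"])
        if ev["result"] == "FAIL":
            fails_by_ip_user[key] += 1
            users_failed_by_ip[ev["ip"]].add(ev["user"])
        elif ev["result"] == "OK" and fails_by_ip_user.get(key, 0) >= fail_threshold:
            # A success right after a burst of failures is the highest-priority signal.
            findings.append(("success_after_failures", ev["ip"], ev["user"]))
    for (ip, user), n in fails_by_ip_user.items():
        if n >= fail_threshold:
            findings.append(("brute_force", ip, f"{user}: {n} failures"))
    for ip, users in users_failed_by_ip.items():
        if len(users) >= user_threshold:
            findings.append(("credential_stuffing", ip, f"{len(users)} distinct accounts"))
    return findings
```

Calling detect(parse(SAMPLE_LOG)) on the constructed log produces one finding for each of the three rules; the lone successful login from 192.0.2.44 is left alone.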

This is the second sector advisory HC3 has issued this March on techniques used by malicious actors in attacks on the HPH sector. The previous alert covered email bombing, which is used for denial-of-service attacks.

Critical Infrastructure Alerted Against Volt Typhoon Threat

The Federal Bureau of Investigation (FBI), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners have released a joint advisory warning critical infrastructure organizations about the threat of attacks by Chinese state-sponsored actors. The warning follows a February 2024 cybersecurity advisory on an advanced persistent threat group known as Volt Typhoon, which was found to have established itself in the systems of numerous critical infrastructure entities, including energy, communications, transportation, and water and wastewater systems. The intrusions are believed to be strategic, with the threat actors maintaining persistent access so that they could disrupt or destroy critical services in the event of heightened geopolitical tension or military conflict.

Volt Typhoon relies on living-off-the-land techniques rather than malware to maintain access to compromised networks and carry out its activities, which helps it evade detection. The full scope of the compromises has yet to be determined, but it may be substantial. Several critical infrastructure entities have had systems compromised, and efforts are ongoing to ensure the threat actors are evicted from those systems.

The fact sheet offers guidance to leaders of critical infrastructure entities to help them prioritize the protection of critical infrastructure and functions. The issuing agencies urge leaders to recognize cyber risk as a core business risk, which is essential to both good governance and national security. Leaders should empower their cybersecurity teams to make the decisions needed to better detect and defend against Volt Typhoon and other malicious cyber activity, for example by adopting cybersecurity performance goals. Cybersecurity teams should also be directed to apply detection and hardening guidance, staff should receive ongoing cybersecurity and HIPAA training and skills development, and organizations should develop and test comprehensive information security plans and foster a culture of cybersecurity.

Leaders are also advised to secure their supply chains by establishing strong vendor risk management processes, performing due diligence, selecting vendors that follow secure-by-design principles, ensuring vendors have patching plans, and limiting the use of any product that violates the principle of least privilege.


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.