HHS HC3: Beware of Lapsus$, Email Marketing-Related Threats

Authorities Warn Healthcare, Public Health Sectors of Latest Concerns

Federal authorities are warning the healthcare sector of potential threats involving Lapsus$, including those related to the extortion group’s recent hack of identity management vendor Okta.

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center, or HC3, in an advisory issued on April 7, warns of attack threats to the sector by Lapsus$.

Lapsus$ Threats
HC3 warns that hacking group Lapsus$ relies on “bribery and non-ransomware extortion” in its attacks, involving the exfiltration and destruction of data in on-premises and cloud systems.

The group claims to be behind recent attacks on several companies, including identity management services provider Okta, as well as Microsoft, Nvidia, and Ubisoft.

The group’s attack on Okta is of particular concern for healthcare and public sector entities, HC3 says. “HC3 is aware of healthcare organizations that were compromised in this attack. It is a managed service provider attack, which are often used as part of cyberattacks on the health sector,”. The group steals data for extortion purposes, and targets managed service providers; their operations are global. HC3 warns, “They look for targets of opportunity.”

“The geographic diversity of this group will make them especially difficult to permanently quash. The diversity of their tactics, and their lack of reliance on specific malware variants, make them very difficult to detect or stop,” HC3 writes. “They have already compromised healthcare organizations and have no reason to stop.”

Unpredictable Threat
In part, because Lapsus$ may be exploited by teens, the threats posed by the group are volatile and may be difficult to predict compared with other cybercriminal gangs. Ransomware gangs or other financially motivated cybercriminals typically follow a fairly standard process aimed at extracting money from the target. That can make them predictable, allowing organizations to plan for incidents. That appears to not be the case with Lapsus$, and providers may find themselves dealing with situations that aren’t covered by their playbooks.

Defenses and Mitigations
To help protect against Lapsus$ attacks, HC3 advises healthcare and public sector entities to take several measures, including:

  • Requiring multi-factor authentication for all users
  • Leveraging authentication options such as OAuth or SAML for virtual private networks
  • Implementing zero trust as applicable across the enterprise
  • Deploying network segmentation, including keeping sensitive data protected from internet exposure
  • Ensuring that critical data is backed up
  • Providing social engineering awareness and testing for employees.

If you have questions about IT security and the evolving threat landscape, call ITPAC today.