H-ISAC warns actors abusing RTLO in phishing campaign against health care

Nurses work outside of the room of a coronavirus patient on April 8, 2020, at MedStar St. Mary’s Hospital in Leonardtown, Md. Threat actors are targeting the health care sector with a phishing attack leveraging RTLO Unicode, warns a H-ISAC alert. (Win McNamee/Getty Images)

A recent Health Information Sharing and Analysis Center (H-ISAC) alert warns that threat actors are targeting the health care sector with phishing attacks that leverage legitimate right-to-left override (RTLO) Unicode to appear benign and evade detection.

RTLO is a special control character in the Unicode encoding system. Unicode enables the exchange of data in every type of language and covers all characters in all of the world's writing systems, including technical symbols, punctuation, and other characters.

Although the RLO character was designed to support languages written from right to left, attackers have long since abused the mechanism to hide malicious files that masquerade as harmless documents. RTLO abuse has been used by threat actors for more than a decade. 

H-ISAC has observed an uptick in these attacks against the health care sector, in which the phishing emails carry attachments containing the Cobalt Strike tool.

Providers are being urged to review the provided indicators of compromise to better defend the enterprise network, particularly as “this type of attack cannot be easily mitigated with preventative controls since it is based on the abuse of system features.”

In the attacks against the sector, the actors are sending malicious files that are either targeted to a specific user or sent through larger campaigns. The obfuscation and masquerade tactics cause .htm and .htm/.eml files to appear as .wav, .mp3, or .PDF attachments.

H-ISAC researchers have also observed phishing emails that contain .htm files masquerading as .pdf files, which actually contain obfuscated JavaScript with a base64-encoded string tied to an internet address that may not be blocked by commercial security products or the email platform itself.

The observed subject lines include references to passwords expiring today, employee benefits, recorded calls, payment instructions, the receipt of audio recordings, missed call notifications, and other standard messages employers may send to the workforce.

The H-ISAC alert contains a complete list of email addresses the actors have used in these RTLO campaigns, as well as a list of indicators of compromise to support administrators in finding and blocking these emails from the network.

Fortunately, no successful compromises have been reported.

To detect these attacks, system administrators will need to look for common formats of RTLO characters that may be included within filenames. Analysis tools will also need to be reviewed as some may not interpret the RTLO character and may instead print the true name of the file contained in emails.
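As an added illustration of that detection step (example code written for this article, not from the H-ISAC alert), the script below parses a constructed .eml message, flags any attachment name containing a Unicode bidi override or isolate control, and reports the true extension the operating system will use next to an approximation of how the name is displayed. The message headers, sender and file names are all constructed samples.

```python
"""Flag attachment filenames that contain Unicode bidi control characters."""
import email
from email import policy
import unicodedata

# Bidi controls that reorder how a name is displayed; U+202E is the RTLO override.
BIDI_CONTROLS = {"\u202A", "\u202B", "\u202C", "\u202D", "\u202E",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Constructed sample message: the .htm attachment is named so that a renderer
# shows it as a .pdf (RFC 2231 encoding carries the U+202E byte sequence).
SAMPLE_EML = """\
From: payroll@example.invalid
To: staff@example.invalid
Subject: Your password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached document.
--b1
Content-Type: text/html; charset="us-ascii"
Content-Disposition: attachment; filename*=utf-8''invoice_%E2%80%AEfdp.htm

<html><body>placeholder</body></html>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="benefits.pdf"

placeholder
--b1--
"""

def bidi_controls_in(name):
    """Return (index, 'U+XXXX', Unicode name) for every bidi control in name."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c))
            for i, c in enumerate(name) if c in BIDI_CONTROLS]

def true_extension(name):
    """Extension the OS actually uses: last dot-suffix of the raw string, controls removed."""
    raw = "".join(c for c in name if c not in BIDI_CONTROLS)
    return raw.rsplit(".", 1)[-1].lower() if "." in raw else ""

def displayed_name(name):
    """Approximate rendering: text after U+202E is reversed until U+202C or end of string.
    Good enough for the single-override trick; full bidi layout (UAX #9) is more involved."""
    if "\u202E" not in name:
        return "".join(c for c in name if c not in BIDI_CONTROLS)
    head, _, tail = name.partition("\u202E")
    return head + tail.split("\u202C", 1)[0][::-1]

def flagged_attachments(raw_eml):
    """Parse a message and report each attachment whose filename carries bidi controls."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""   # decoded from RFC 2231 by the stdlib
        controls = bidi_controls_in(name)
        if controls:
            findings.append({"raw": name, "displayed": displayed_name(name),
                             "true_ext": true_extension(name), "controls": controls})
    return findings

if __name__ == "__main__":
    for hit in flagged_attachments(SAMPLE_EML):
        print(f"shown as {hit['displayed']!r}, really .{hit['true_ext']}: {hit['controls']}")
```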

Health care administrators should view the alert as critical, given that insiders are consistently named as the largest threat to providers. Data has also confirmed that of the security incidents reported to the Department of Health and Human Services, 40% are tied to email.

Particularly as these messages can evade detection from security tools and appear as standard workforce messages, security leaders should consider the alert an opportunity to inform staff members of the ongoing threat to prevent falling victim.

Previous guidance from Microsoft, the National Institute of Standards and Technology (NIST), the Healthcare and Public Health Sector Coordinating Council (HSCC), and the Health Information Sharing and Analysis Center (H-ISAC) can also support health care entities in bolstering email defenses, implementing tactical crisis response measures, and running training exercises for staff.

The insights include education and outreach considerations, prevention techniques, detection and response measures, workforce support, necessary vulnerability and patch management policies, email filtering solutions, and recommendations for implementation of multi-factor or two-factor authentication, among other key security mitigations.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
