Security Staff Acquisition & Development, Email security, Threat Management

Threat group weaponizes employee trust with impersonation of healthcare software solutions

Workers gather at a computer in a testing lab  in Indianapolis, Indiana. The healthcare sector is being targeted by a threat group posing as software vendors. (Photo by Jon Cherry/Getty Images)

The Zeon threat group is impersonating software solutions and targeting the healthcare sector, weaponizing the trust that is often inherent to the healthcare workforce and capitalizing on security failures.

A recent alert to Health-ISAC members shows the targeted attacks began on Oct. 19 and were sent to 35,000 addresses, with another 480,000 addresses reached on Oct. 20 and 21. On Sept. 26, another member-alert warned the Roy/Zeon threat group was impersonating a Health-ISAC member by using fake invoices to lure victims to a malicious call center. 

“The bad guys are continuously becoming innovative and creative,” said Errol Weiss, Health-ISAC’s chief security officer, in an exclusive interview with SC Media. This new Zeon campaign is “where it's really gotten bad, where there are no evil links, no evil attachments; it's just all text, and they're able to craft something that scares people and it makes them do things they wouldn't ordinarily do.”

In short, the tactic is "social engineering at its finest; psychological warfare,” he added, declining to name the specific vendors used in the campaigns. “They're getting people into a mindset where they're very vulnerable, and then they're doing dumb things.”

Weiss is referring to the latest Zeon Group campaign, which is successfully targeting the healthcare sector in force. The group is one of three to rise from the ashes after the dissolution of Conti. All three created their own versions of the BazarCall spear-phishing attacks, a targeted callback phishing tactic where nefarious actors dupe victims with fake subscription service offers.

These calls were actually “used by the operators to silently install malware and exfiltrate data once access is obtained,” according to an August New Jersey Cybersecurity & Communications alert.

Once employees call the phone number, they’re being walked-through an installation of “legitimate remote access tools, and then the bad guys have access to your computer,” Weiss explained.

By June, Zeon was impersonating a range of brands that targeted a range of sectors, including insurance and tech, and others with high annual revenue, but not healthcare specifically. The group soon pivoted again, impersonating “legitimate healthcare organizations delivering software solutions focused on patient data,” according to the Health-ISAC member alert.

“The first wave identified impersonating legitimate healthcare software occurred in late September,” Health-ISAC warned. These campaigns proved effective and informed the continued targeting of the healthcare sector.

Specifically, the group began contacting employees of targeted organizations and achieved unauthorized access via the Zoho remote access tool. The following day, advanced intelligence confirmed the Zeon campaigns on Oct. 21, when the group began leveraging two Microsoft Exchange remote code execution (RCE) vulnerabilities (CVE-2022-41040 and CVE-2022-41082).

The Zeon group is relying on big brands and healthcare insurance companies mentioned by third-party providers. Weiss stressed that the templates used by Zeon are highly creative, with a range of keywords to “mix things up and avoid spam detection filters.” So the tens of thousands of messages sent out are all different, but also the same nefarious attempt.

“Roy/Zeon’s attack manifests in the weaponization of ZoHo, Anydesk, Cobalt Strike, or RMM Software. This presumes constant communication with C2 from the infected network. Tracking abnormal signaling can assist in identifying the beacon,” according to the alert.

Proactive recommendations

The risk to healthcare is high given the sheer volume of workforce members. Temporary and contract workers may come in, but not receive the same proper training and awareness before they start, Weiss noted. Organizations that rely on a specific timeframe for training may overlook this demographic.

“Lots of bad things can happen in those first 90 days,” said Weiss. Entities should be taking a stricter approach like the banking and finance sectors, where email service is seen as an entitlement and “not automatically turned on for everybody.”

"They're completely evading all of the defenses that we've put in place," he added. "The only thing that we have to rely on now is awareness."

The Health-ISAC bulletin encourages entities to revisit phishing campaigns, particularly centered on the phishing attempts masquerading as legitimate healthcare software suites to help users recognize the possible phishing lures, which are hard to detect without previous knowledge.

“Special emphasis” should be placed on network investigation tools typical of exfiltration-centric groups, including “Cobalt Strike sessions opened, Metasploit, and, most importantly, customized PowerShell commands,” the alert warns.

The group relies on “extensive lateral movement” to find the most important data, which requires “action and monitoring for network segmentation, network hierarchy, and abnormal in-network behavior.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.