Hackers breach healthcare orgs via ScreenConnect remote access

Security researchers are warning that hackers have been are targeting multiple healthcare organizations in the U.S. by abusing the ScreenConnect remote access tool.

Threat actors are leveraging local ScreenConnect instances used by Transaction Data Systems (TDS), a pharmacy supply chain and management systems solution provider present in all 50 states.

Researchers at managed security platform Huntress spotted the attacks and report seeing them on endpoints from two distinct healthcare organizations and activity indicating network reconnaissance in preparation of attack escalation.

“The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments” - Huntress

The observed intrusions were observed between October 28 and November 8, 2023, and they are likely still happening.

Attack details

Huntress reports that the attacks feature similar tactics, techniques, and procedures (TTPs). These include downloading of a payload named text.xml, indicating that the same actor is behind all observed incidents.

The .XML contains C# code that loads the Metasploit attack payload Meterpreter into the system memory, using non-PowerShell to evade detection.

According to Huntress, additional processes were observed being launched using the Printer Spooler service.

The compromised endpoints operate on a Windows Server 2019 system, belonging to two distinct organizations - one in the pharmaceutical sector and the other in healthcare, the common link between them being a ScreenConnect instance.

The remote access tool was used to install additional payloads, to execute commands, transfer files, and to install AnyDesk. The hackers also tried to create new user account for persistent access. 

Researchers determined that the ScreenConnect instance was be tied to the ‘rs.tdsclinical[.]com’ domain associated with TDS.

At this time, it is unclear if TDS suffered a breach, if the credentials to one of their accounts were compromised, or if the attackers exploit a different mechanism.

Huntress made multiple attempts to notify TDS, now known as ‘Outcomes’, following a merger last summer, but the company did not reply back.