Remote access tool hacked by criminals to access healthcare providers

News
By Sead Fadilpašić
published

Attack hijacking ScreenConnect is still ongoing, the researchers warn

Cyberattack
(Image credit: Future)

Hackers are set to escalate attacks against multiple healthcare organizations in the United States by utilizing hacked access to an instance of ScreenConnect, a popular remote desktop tool, belonging to Transaction Data Systems (TDS).

TDS is a pharmacy supply chain and management systems solution provider with offices in all 50 states in the US. At this point, the researchers, from managed security platform Huntress, don’t know exactly how the attackers accessed the instance. They do know that they used this access to drop malware to endpoints belonging to two distinct organizations: one in the pharmaceutical sector and the other in healthcare. 

The only thing they have in common, the researchers stressed, is the ScreenConnect instance, as both endpoints are a Windows Server 2019 system.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

In anticipation of malware

“The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments,” the researchers said in their report.

Between October 28 and November 8 2023, the attackers were observed dropping a payload titled text.xml to both endpoints. The file carried a C# code that loads the Meterpreter malware via the Metasploit dropper. The researchers also spotted additional processes launched via the Printer Spooler service, as well as an attempt to create new user accounts. 

At press time, the researchers couldn’t yet determine if the hackers exploited a hole (or a zero-day) to access TDS’s systems, or if they somehow obtained valid login credentials. The attacks are likely still ongoing, the researchers concluded, adding that they tried to reach out to the company on multiple occasions, to no avail. Last summer, following a merger, TDS became Outcomes One.

There was nothing on the company’s blog, newsroom, LinkedIn, and X accounts, but we will update the article if the company shares new information on time.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.