Huntress, the cybersecurity company, has recently reported a troubling series of cyberattacks targeting healthcare organizations.
In these incidents, nefarious actors exploit vulnerabilities to gain unauthorized access to computer systems, prompting heightened concerns about the security of sensitive data.
This is particularly alarming in the healthcare industry, where the integrity of patient information is of paramount importance.
The tool of choice for these attackers is ScreenConnect, a remote access program widely used by businesses for legitimate system management.
However, in this instance, cybercriminals have exploited its functionalities to compromise the security of healthcare organizations.
The primary vulnerability stemmed from a flaw in Transaction Data Systems, a provider of pharmacy software.
Huntress’ investigation uncovered four instances of the ScreenConnect program being illicitly employed across two different businesses.
This parallels discovering the same fingerprint at multiple crime scenes, strongly suggesting that a cohesive group of assailants is orchestrating these events.
The linchpin in these incidents is a ScreenConnect instance referred to as “Instance B,” accessed through an account named “[redacted 1].”
Breaking down the Incidents
| Incident | Location | Date | Actions Taken and Noteworthy Details |
|---|---|---|---|
| Endpoint 1 | Pharmaceutical Field | Aug 9 – Oct 31, 2023 | Installed tools, deployed “test.xml” payload. ScreenConnect instance B (rs.tdsclinical[.]com) |
| Endpoint 2 | Healthcare Field | Nov 8, 2022 – Ongoing | Installed ScreenConnect, launched malicious programs. ScreenConnect instance B (common with Endpoint 1) |
| Common Link | Transaction Data Systems (Outcomes) | N/A | Linked to both Endpoint 1 and 2. Uncertainty about Transaction Data Systems’ involvement |
Healthcare institutions, tasked with the responsibility of securing medical records, face the challenge of fortifying their defenses against cyber threats. Hacks of this nature have the potential not only to expose vital data but also to disrupt essential healthcare services.
