Hackers breach healthcare orgs via ScreenConnect remote access

November 10, 2023 at 02:59PM

Hackers have been targeting healthcare organizations in the U.S. by abusing the ScreenConnect remote access tool. The attacks involve installing additional remote access tools to ensure persistent access to the environments. The attacks were observed between October 28 and November 8, 2023, and the same actor is behind all incidents. It is unclear if TDS, the pharmacy supply chain and management systems provider, suffered a breach or if the attackers exploited a different mechanism. TDS, now known as ‘Outcomes’, did not respond to notifications from security researchers.

Summary:

Security researchers have discovered that multiple healthcare organizations in the U.S. are being targeted by hackers who are exploiting the ScreenConnect remote access tool. The threat actors leverage local ScreenConnect instances used by Transaction Data Systems (TDS), a pharmacy supply chain and management systems provider present in all 50 states. The attacks were observed between October 28 and November 8, 2023, and are likely ongoing. They share similar tactics, techniques, and procedures (TTPs) and are attributed to the same actor. The compromised endpoints run Windows Server 2019 and are linked by their use of the same ScreenConnect instance. The hackers have used the remote access tool to install additional payloads, execute commands, transfer files, install AnyDesk, and attempt to create new user accounts for persistent access. The ScreenConnect instance is associated with the ‘rs.tdsclinical[.]com’ domain, which is connected to TDS. It is unclear whether TDS experienced a breach, whether its credentials were compromised, or whether another method was exploited. Researchers have tried to notify TDS, now known as ‘Outcomes’, but have not received a response.
