New remote access exploit targets Windows Servers in Healthcare

A recent incident has pushed the widely used remote access tool, ScreenConnect, into the spotlight. The healthcare sector, a commonly targeted field, found itself facing a significant threat. Threat actors have successfully compromised ScreenConnect to exploit multiple Windows Server instances. Huntress, a prominent cybersecurity company, sounded the alarm after detecting unauthorized access within the healthcare sector. They unearthed evidence pointing to internal reconnaissance and preparation for additional malicious activities against healthcare organizations.

ScreenConnect, a tool for remote computer access and control, is popular in various sectors, including healthcare. It’s used for technical support and remotely managing systems. However, the recent breach highlights the potential dangers if ScreenConnect falls into the wrong hands. Any cyberattack targeting healthcare systems puts massive amounts of customer data at risk. 

The investigation of this cybersecurity incident reveals targeted exploitation of a local ScreenConnect session hosted within an organization’s network to gain initial access to the victim’s network. The ScreenConnect session was hosted locally by Transaction Data Systems, now known as Outcomes. The attackers, possibly with an insider’s understanding, went further: beyond breaching the local ScreenConnect session, they strategically installed supplementary tools, such as other instances of ScreenConnect and AnyDesk. This ensured sustained access and control over the compromised systems for an extended period.

Huntress’s investigations of the situation unveiled a total of four instances of ScreenConnect across two distinct compromised endpoints. What adds a layer of intrigue is that these endpoints belonged to entirely different organizations within the healthcare sector. They identified one ScreenConnect instance, labeled as Instance B, present on both endpoints. Additionally, the exploit involved two Windows server systems.

Two endpoints, one in pharmaceuticals and the other in healthcare, shared the same malicious ScreenConnect instance

By analyzing server logs, Huntress determined that ScreenConnect Instance B actively downloaded a payload. Huntress states, “The payload, test.xml, consists of C# code forking the publicly available nps project for detection evasion and process execution. As designed, the payload attempts to load a Metasploit Meterpreter instance in memory, but antimalware protections on the system identified and attempted to terminate execution. However, this does not appear to have succeeded, as additional processes were observed being launched via the Printer Spooler service, spoolsv.exe.”

This instance served as the channel for the attackers to carry out multiple actions like installing more tools, running commands, and moving files. Notably, the threat actors linked the malicious ScreenConnect instance to a domain associated with Transaction Data Systems. This suggests a potential compromise or misuse of the remote management tools associated with Transaction Data Systems.
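Two of the observable traits described above, a single ScreenConnect instance appearing on endpoints of unrelated organizations and child processes being launched via the Print Spooler service, can both be hunted for in process-creation telemetry. The following is an added example written for this article, not code from Huntress or from ScreenConnect; it runs over a constructed sample of Sysmon-style process-creation events (host names, instance identifiers and the benign-child allowlist are assumptions, not values from the incident) and flags hosts with more than one ScreenConnect client instance, instance identifiers shared across hosts, and unexpected children of spoolsv.exe.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events (Sysmon Event ID 1 style).
# Hosts, paths and instance ids are made up for illustration.
SAMPLE_EVENTS = [
    {"host": "HC-SRV-01",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1a1a1a1)\ScreenConnect.ClientService.exe"},
    {"host": "HC-SRV-01",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (b2b2b2b2)\ScreenConnect.ClientService.exe"},
    {"host": "PH-SRV-02",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (b2b2b2b2)\ScreenConnect.ClientService.exe"},
    # Print Spooler spawning a command shell: not expected in normal operation.
    {"host": "HC-SRV-01",
     "parent": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    # Print Spooler spawning a known print-subsystem helper: benign.
    {"host": "PH-SRV-02",
     "parent": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\splwow64.exe"},
]

SPOOLER = "spoolsv.exe"
# Assumed allowlist of spooler children; a real deployment should baseline
# its own print-driver helpers before relying on this set.
SPOOLER_ALLOWED_CHILDREN = {"splwow64.exe", "printfilterpipelinesvc.exe"}

# ScreenConnect clients install under a directory carrying the instance id;
# the id pattern here is an assumption for the constructed sample.
SC_CLIENT_DIR = re.compile(r"ScreenConnect Client \(([0-9a-f]+)\)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def spooler_child_alerts(events):
    """Return (host, child) pairs where spoolsv.exe spawned a non-allowlisted process."""
    alerts = []
    for e in events:
        if basename(e["parent"]) == SPOOLER and basename(e["image"]) not in SPOOLER_ALLOWED_CHILDREN:
            alerts.append((e["host"], basename(e["image"])))
    return alerts


def screenconnect_instances(events):
    """Map each ScreenConnect instance id to the set of hosts it ran on."""
    instances = defaultdict(set)
    for e in events:
        m = SC_CLIENT_DIR.search(e["image"])
        if m:
            instances[m.group(1).lower()].add(e["host"])
    return instances


def shared_instances(events):
    """Instance ids seen on more than one host (the 'Instance B' pattern)."""
    return {i: sorted(h) for i, h in screenconnect_instances(events).items() if len(h) > 1}


def hosts_with_multiple_instances(events):
    """Hosts running more than one ScreenConnect client instance."""
    per_host = defaultdict(set)
    for inst, hosts in screenconnect_instances(events).items():
        for h in hosts:
            per_host[h].add(inst)
    return {h: sorted(i) for h, i in per_host.items() if len(i) > 1}


if __name__ == "__main__":
    print("spooler children:", spooler_child_alerts(SAMPLE_EVENTS))
    print("shared instances:", shared_instances(SAMPLE_EVENTS))
    print("multi-instance hosts:", hosts_with_multiple_instances(SAMPLE_EVENTS))
```

A second ScreenConnect instance on a host that already has a sanctioned one, or an instance id that turns up on hosts of different customers, is worth reconciling against the list of instances the organization or its vendor actually deployed; the spooler rule is noisy until the allowlist has been baselined against the environment's own print drivers.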

This linkage raises critical questions. Does it indicate a complete compromise of Transaction Data Systems? Did the attackers obtain employee credentials, or is another mechanism at play? As organizations rely on remote access tools for efficiency, securing these tools against potential compromise becomes more critical than ever.