Attackers are targeting healthcare organizations in the United States through compromised access to an instance of ScreenConnect, a widely used remote desktop tool from ConnectWise. The instance was operated by Transaction Data Systems (TDS), a pharmacy supply chain and management systems solution provider with offices in all 50 US states.
Researchers at the managed security platform Huntress found that the attackers used the compromised ScreenConnect instance to drop malware onto endpoints at two different organizations in the pharmaceutical and healthcare sectors. The compromised endpoints at both organizations were Windows Server 2019 systems.
The researchers found that the threat actor took several steps to maintain persistent access to the environments, including installing additional remote access tools. Between October 28 and November 8, 2023, the attackers were observed dropping a payload named text.xml onto both endpoints. The file contained C# code that loaded a Metasploit Meterpreter payload. The researchers also observed additional processes being spawned from the Windows Print Spooler service (spoolsv.exe) and an attempt to create new user accounts.
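The behaviours Huntress describes in this paragraph (processes launched from the ScreenConnect session and from the Print Spooler, and attempted account creation) map onto a simple process-telemetry hunt. The following Python is an added example, not code from Huntress, TDS or this article. The sample events are constructed to resemble Sysmon Event ID 1 / Windows 4688 fields, and the ScreenConnect binary names, shell list and spooler allowlist are assumptions to tune for your environment.

```python
import re

# Assumption: binaries the ScreenConnect client runs as on a Windows endpoint.
SCREENCONNECT_PARENTS = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
# Interpreters and LOLBins a remote-support agent rarely needs to launch.
SHELLS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Children of spoolsv.exe treated as normal (assumption; tune per environment).
SPOOLER_ALLOWED_CHILDREN = {"printisolationhost.exe", "splwow64.exe"}
# "net user <name> ... /add", "net1 user ... /add", or the PowerShell cmdlet.
ACCOUNT_CREATE = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/add\b|\bNew-LocalUser\b", re.IGNORECASE
)


def basename(path):
    """Lower-cased file name of a Windows path (bare names pass through)."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the findings (possibly none) for one process-creation event."""
    findings = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in SCREENCONNECT_PARENTS and child in SHELLS:
        findings.append("shell spawned by ScreenConnect client")
    if parent == "spoolsv.exe" and child not in SPOOLER_ALLOWED_CHILDREN:
        findings.append("unexpected child of Print Spooler")
    if ACCOUNT_CREATE.search(event.get("CommandLine", "")):
        findings.append("local account creation")
    return findings


def hunt(events):
    """Flatten findings across events as (UtcTime, child image, finding)."""
    return [(e["UtcTime"], basename(e["Image"]), f)
            for e in events for f in triage(e)]


# Constructed sample telemetry: hosts, times, paths and command lines are made up.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-11-01 02:14:07",
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2023-11-01 02:14:09",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\PrintIsolationHost.exe",
     "CommandLine": "PrintIsolationHost.exe -Embedding"},
    {"UtcTime": "2023-11-01 02:15:31",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\Temp\a.dll,Start"},
    {"UtcTime": "2023-11-01 02:16:02",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"C:\Windows\System32\net1 user svc_backup P@ssw0rd! /add"},
    {"UtcTime": "2023-11-01 09:00:00",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for when, image, finding in hunt(SAMPLE_EVENTS):
        print(f"{when}  {image:<22} {finding}")
```

Run against the constructed events, the hunt flags the shell under the ScreenConnect client, the rundll32.exe child of the spooler and the net1 account creation, while the legitimate PrintIsolationHost.exe and the interactive PowerShell session pass. In a real environment the same three checks run over Sysmon or 4688 events, and the spooler allowlist is the piece most likely to need local tuning.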
So far the researchers have not determined whether the attackers exploited a vulnerability or used valid login credentials to access TDS's ScreenConnect instance. They also noted that the attacks are likely still ongoing, despite their attempts to reach the company. Last summer, TDS became Outcomes One following a merger.
The company has not shared any new information on its blog, newsroom, LinkedIn, or X accounts; this article will be updated if it does.