Hackers are set to escalate attacks against multiple healthcare organizations in the United States by utilizing hacked access to an instance of ScreenConnect, a popular remote desktop tool, belonging to Transaction Data Systems (TDS).
TDS is a pharmacy supply chain and management systems solution provider with offices in all 50 states in the US. At this point, the researchers, from managed security platform Huntress, don’t know exactly how the attackers accessed the instance. They do know that they used this access to drop malware to endpoints belonging to two distinct organizations: one in the pharmaceutical sector and the other in healthcare.
The only thing they have in common, the researchers stressed, is the ScreenConnect instance, as both endpoints are a Windows Server 2019 system.
In anticipation of malware
“The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments,” the researchers said in their report.
Between October 28 and November 8 2023, the attackers were observed dropping a payload titled text.xml to both endpoints. The file carried a C# code that loads the Meterpreter malware via the Metasploit dropper. The researchers also spotted additional processes launched via the Printer Spooler service, as well as an attempt to create new user accounts.
At press time, the researchers couldn’t yet determine if the hackers exploited a hole (or a zero-day) to access TDS’s systems, or if they somehow obtained valid login credentials. The attacks are likely still ongoing, the researchers concluded, adding that they tried to reach out to the company on multiple occasions, to no avail. Last summer, following a merger, TDS became Outcomes One.
There was nothing on the company’s blog, newsroom, LinkedIn, and X accounts, but we will update the article if the company shares new information on time.