Hackers plan to escalate attacks on multiple healthcare organizations in the United States by leveraging compromised access to an instance of ScreenConnect, a popular remote desktop tool belonging to Transaction Data Systems (TDS).
TDS is a provider of pharmacy supply chain and management systems solutions, with offices in all 50 US states. At this point, the researchers of the managed security platform Huntress, doesn’t know exactly how the attackers gained access to the instance. They do know that they have used this access to drop malware on endpoints of two different organizations: one in the pharmaceutical sector and the other in healthcare.
The only thing they have in common, the researchers point out, is the ScreenConnect instance, as both endpoints are a Windows Server 2019 system.
Pending malware
“The threat actor then took several steps, including installing additional remote access tools, such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments,” the researchers said in their report.
Between October 28 and November 8, 2023, the attackers were observed dropping a payload called text.xml to both endpoints. The file contained C# code that loaded the Meterpreter malware via the Metasploit dropper. The researchers also discovered additional processes launched through the Printer Spooler service, as well as an attempt to create new user accounts.
At the time of writing, researchers could not determine whether the hackers exploited a hole (or a zero-day) to gain access to TDS’s systems, or whether they had somehow obtained valid login credentials. The attacks are likely still ongoing, the researchers concluded, adding that they attempted to contact the company several times without success. Last summer, TDS became Outcomes One after a merger.
There was nothing on the company’s blog, newsroom, LinkedIn and X accounts, but we will update the article if the company shares new information in a timely manner.