ScreenConnect Breach in Healthcare: Unveiling Cyber Risks & Huntress-Enhanced Defense Strategy
November 15, 2023 at 5:00 AM

Breaking Down the Incident

Recent events have exposed a breach in the U.S. healthcare sector carried out through the abuse of ScreenConnect, ConnectWise's remote access and support tool. The activity traced back to a ScreenConnect instance associated with Transaction Data Systems (TDS), a vendor of pharmacy management systems.

Unraveling the Attack Strategy

Between October 28 and November 8, 2023, the attackers ran a coordinated campaign. Our colleagues at Huntress Systems identified the payload as a file named text.xml containing C# code that loaded Meterpreter, the Metasploit post-exploitation payload. Because the loader did not go through PowerShell, it sidestepped detections keyed on PowerShell activity. The attackers also manipulated the Print Spooler service to launch further malicious activity.

Scope of the Breach

The affected hosts were Windows Server 2019 systems in healthcare and pharmaceutical organizations. Through ScreenConnect the attackers installed payloads, executed commands, transferred files, and set up AnyDesk as a second remote-access channel so they would keep access even if the ScreenConnect session was cut off.
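As an added example that is not code from Huntress, ConnectWise or this post, the Python below turns the two sections above (the text.xml loader and Print Spooler manipulation, and the ScreenConnect-driven command execution, file drops and AnyDesk install) into rule logic and runs it over constructed Sysmon-style process-creation events. Field names follow Sysmon Event ID 1. The run.cmd staging path reflects how ScreenConnect launches operator commands from a .cmd file under its temp directory; every host name, GUID, version string and path in the sample data is made up, the AnyDesk install switches are an assumption about AnyDesk's command line, and the Spooler rule is a broad heuristic because the post does not describe how the service was manipulated.

```python
"""Rule logic for the ScreenConnect abuse chain described in this post.

Added example, not Huntress's, ConnectWise's or the post author's code.  It scores
constructed Sysmon-style process-creation events (Event ID 1 field names) against
the steps named above: ScreenConnect-driven command execution, the text.xml
payload, Print Spooler tampering and an unattended AnyDesk install.
"""
import re
from collections import defaultdict
from typing import Dict, List

# ScreenConnect executes operator commands by writing a .cmd file under its own
# temp directory and launching it from the client service.  MSP technicians do
# this legitimately, so on its own it is flagged for review, not as an alert.
SC_SERVICE = re.compile(r"\\ScreenConnect\.ClientService\.exe$", re.I)
SC_RUN_CMD = re.compile(r"\\TEMP\\ScreenConnect\\[^\\]+\\\w+run\.cmd", re.I)
SHELL_IMAGE = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.I)
# File name of the C#/Meterpreter loader reported in the incident.
TEXT_XML = re.compile(r"\btext\.xml\b", re.I)
# Unattended AnyDesk install.  Switch names are an assumption about AnyDesk's CLI.
ANYDESK_SWITCH = re.compile(r"--(install|silent)\b", re.I)
# Print Spooler tampering via sc.exe or net.exe.  The post does not say how the
# service was manipulated, so this is a broad heuristic that will need tuning.
SPOOLER_TAMPER = re.compile(r"\b(sc|net)(\.exe)?\b.*\bspooler\b", re.I)

# Steps that are normal MSP activity when they occur alone.
REVIEW_ONLY = {"screenconnect-remote-command", "screenconnect-run-cmd-staging"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the chain steps a single process-creation event resembles."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    hits = []
    if SC_SERVICE.search(parent) and SHELL_IMAGE.search(image):
        hits.append("screenconnect-remote-command")
    if SC_RUN_CMD.search(cmd):
        hits.append("screenconnect-run-cmd-staging")
    if TEXT_XML.search(cmd):
        hits.append("text.xml-payload-reference")
    if image.lower().endswith("anydesk.exe") and ANYDESK_SWITCH.search(cmd):
        hits.append("anydesk-unattended-install")
    if SPOOLER_TAMPER.search(cmd):
        hits.append("print-spooler-tampering")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score every event; 'alert' if any step beyond plain ScreenConnect use matched."""
    findings = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if not hits:
            continue
        severity = "review" if set(hits) <= REVIEW_ONLY else "alert"
        findings.append({"index": i, "host": ev.get("Computer", "?"),
                         "severity": severity, "hits": hits})
    return findings


def hosts_with_chain(events: List[Dict[str, str]], min_steps: int = 2) -> Dict[str, List[str]]:
    """Hosts on which at least min_steps distinct chain steps were seen.
    Several steps on one host is a far stronger signal than any single event."""
    seen = defaultdict(set)
    for f in hunt(events):
        seen[f["host"]].update(f["hits"])
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_steps}


# Constructed sample telemetry.  Host names, GUID, version string and paths are
# invented; the real loader that consumed text.xml is not described in the post.
SAMPLE_EVENTS = [
    {"Computer": "RX-SRV01",
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\21.3.4211.7738\0f9a7c1erun.cmd"'},
    {"Computer": "RX-SRV01",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\stage.bat C:\Windows\Temp\text.xml"},
    {"Computer": "RX-SRV01",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe stop Spooler"},
    {"Computer": "RX-SRV01",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Temp\AnyDesk.exe",
     "CommandLine": r'C:\Windows\Temp\AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'},
    # Benign noise from the same fleet: a technician checking a service through
    # ScreenConnect, and an ordinary user launching Notepad.
    {"Computer": "RX-SRV02",
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Get-Service -Name Spooler"},
    {"Computer": "RX-SRV02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\tech\notes.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['host']} event {f['index']}: {', '.join(f['hits'])}")
    print("hosts showing the chain:", hosts_with_chain(SAMPLE_EVENTS))
```

Fed real Sysmon or EDR process events, the per-event rules produce plenty of "review" findings on any fleet that uses ScreenConnect, which is the point: technicians run commands through it all day. What separates this incident's pattern from normal MSP work is the combination on one host, which is why hosts_with_chain escalates only when several distinct steps land on the same machine. The Spooler rule in particular will need tuning against your own baseline of legitimate service management.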

The TDS Connection

The ScreenConnect instance involved was reached through the ‘rs.tdsclinical[.]com’ domain associated with TDS. How TDS was involved remains unconfirmed: a direct compromise of the instance, stolen credentials, or some other route. Huntress Systems made repeated attempts to notify TDS, now rebranded as ‘Outcomes’, and had received no response.

Expert Opinion and Preparedness

As a cybersecurity expert, I must emphasize that this incident highlights the escalating threat landscape in the healthcare sector. When a widely deployed tool like ScreenConnect is abused, a trusted management channel becomes the attack path, and the attacker's activity blends in with routine support work. MSPs and MSSPs must not only enforce robust security controls and vigilant network and endpoint monitoring, but also keep backup remote-access tooling ready for immediate deployment so that a compromised tool can be isolated without losing the ability to manage clients. Our partnership with Huntress Systems reinforces our commitment to staying at the forefront of cybersecurity resilience.

Stay Informed, Stay Secure

In this ever-evolving digital age, staying one step ahead in cybersecurity is not just a recommendation, but a necessity.

ConnectWise's Update

ConnectWise stated that the activity came through an outdated, unmanaged ScreenConnect instance. That underscores the need to keep remote-access servers patched, under active ownership and monitoring, and to decommission instances that nobody is maintaining.