Breaking Down the Incident
Recent events have unveiled a critical breach in the U.S. healthcare sector, primarily through the misuse of ScreenConnect, a remote access tool. Central to these attacks is Transaction Data Systems (TDS), a notable player in pharmacy management systems.
Unraveling the Attack Strategy
The period from October 28 to November 8, 2023, marked a strategic onslaught by cybercriminals. Our colleagues at Huntress Systems, a front-runner in cybersecurity, discovered the use of a deceptive payload, text.xml. This payload, containing C# code, cleverly loaded the Metasploit attack payload Meterpreter, bypassing traditional detection methods by avoiding PowerShell. The attackers also manipulated the Printer Spooler service to initiate further malicious activities.
Scope of the Breach
The attack targeted entities operating on Windows Server 2019 within the healthcare and pharmaceutical sectors. The cybercriminals employed ScreenConnect to orchestrate a series of operations including payload installation, command execution, file transfer, and setting up AnyDesk for ongoing access.
The TDS Connection
A significant aspect of this attack was its link to the ‘rs.tdsclinical[.]com’ domain associated with TDS. However, the exact nature of TDS's involvement remains uncertain - whether it was a direct breach, a case of compromised credentials, or another exploitation method. Despite Huntress Systems’ proactive efforts to alert TDS, now rebranded as ‘Outcomes’, there has been no response.
Expert Opinion and Preparedness
As a cybersecurity experts, I must emphasize that this incident highlights the escalating threat landscape in the healthcare sector. The exploitation of widely-used tools like ScreenConnect can lead to significant vulnerabilities. It's imperative for MSPs and MSSPs to not only enforce robust cybersecurity measures and vigilant network monitoring but also to have backup tools ready for immediate deployment in similar scenarios. Our partnership with Huntress Systems reinforces our commitment to staying at the forefront of cybersecurity resilience.
Stay Informed, Stay Secure
In this ever-evolving digital age, staying one step ahead in cybersecurity is not just a recommendation, but a necessity.
ConnectWise revealed that the breach was through an outdated, unmanaged instance of ScreenConnect, highlighting the critical need for regular software updates and active management for optimal security.