Hackers are ramping up attacks on healthcare organizations in the United States by exploiting access to ScreenConnect, a popular remote desktop tool owned by Transaction Data Systems (TDS). TDS is a pharmacy supply chain and management systems solution provider with offices in all 50 US states. Researchers from the managed security platform Huntress are unsure how the attackers gained access to the instance, but they do know that the attackers used it to distribute malware to two different organizations in the pharmaceutical and healthcare sectors.
Both targeted organizations had a Windows Server 2019 system in common. The attackers installed additional remote access tools, including ScreenConnect and AnyDesk instances, to maintain persistent access to the environments. Between October 28 and November 8, the attackers dropped a payload containing C# code that loaded the Meterpreter malware via the Metasploit dropper. They also launched additional processes via the Print Spooler service and attempted to create new user accounts.
At this time, it is unclear whether the hackers exploited a vulnerability or obtained valid login credentials to access TDS’s systems. The attacks are believed to be ongoing, and despite multiple attempts to contact the company, no response has been received. Last summer, TDS became Outcomes One after a merger, but the company has not provided any updates on the situation. We will continue to monitor and update the article as new information becomes available.
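For defenders, the post-compromise activity reported above (extra ScreenConnect and AnyDesk installs, processes started by the Print Spooler, new user accounts) maps to standard Windows events: service installation (7045), process creation (4688) and account creation (4720). The following hunting sketch is an added example, not code from Huntress or from the article's author. The sample events, host names, instance IDs and the assumed ScreenConnect service-name format are constructed for illustration.

```python
import re

# Instance IDs of ScreenConnect deployments your organisation approved (placeholder).
APPROVED_SC_INSTANCES = {"a1b2c3d4e5f60718"}
# Assumed service-name format: "ScreenConnect Client (<16 hex chars>)".
SC_SERVICE = re.compile(r"ScreenConnect Client \(([0-9a-f]{16})\)", re.I)

def hunt(events):
    """Return (rule, host, detail) for each event matching a reported behaviour."""
    findings = []
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == 7045:  # System log: a new service was installed
            name = e["ServiceName"]
            m = SC_SERVICE.search(name)
            if m and m.group(1).lower() not in APPROVED_SC_INSTANCES:
                findings.append(("unapproved_screenconnect", host, name))
            elif "anydesk" in (name + " " + e["ImagePath"]).lower():
                findings.append(("anydesk_service", host, name))
        elif eid == 4688:  # Security log: process creation
            # The Print Spooler (spoolsv.exe) rarely starts child processes.
            if e["ParentProcessName"].lower().endswith("\\spoolsv.exe"):
                findings.append(("spooler_child", host, e["NewProcessName"]))
        elif eid == 4720:  # Security log: a user account was created
            detail = f'{e["TargetUserName"]} created by {e["SubjectUserName"]}'
            findings.append(("account_created", host, detail))
    return findings

# Constructed sample events for illustration; not data from the incident.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "SRV01", "ImagePath": r"C:\sc\client.exe",
     "ServiceName": "ScreenConnect Client (a1b2c3d4e5f60718)"},
    {"EventID": 7045, "Computer": "SRV01", "ImagePath": r"C:\tmp\client.exe",
     "ServiceName": "ScreenConnect Client (0f9e8d7c6b5a4321)"},
    {"EventID": 7045, "Computer": "SRV01", "ImagePath": r"C:\tmp\AnyDesk.exe",
     "ServiceName": "AnyDesk"},
    {"EventID": 4688, "Computer": "SRV01", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 4688, "Computer": "SRV01", "NewProcessName": r"C:\Windows\System32\spoolsv.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    {"EventID": 4720, "Computer": "SRV01", "TargetUserName": "helpdesk2",
     "SubjectUserName": "SYSTEM"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Event 4688 only carries `ParentProcessName` when process-creation auditing is enabled on Windows 10 / Server 2016 or later, and each hit needs triage against known change activity before it is treated as malicious.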
