Remote access tool leveraged to compromise US healthcare organizations

BleepingComputer reports that numerous healthcare organizations across the U.S. have been targeted in a potentially ongoing attack campaign that abuses ScreenConnect remote access tool implementations belonging to Transaction Data Systems, a pharmacy supply chain and management systems provider. Exploitation of the ScreenConnect instances was observed on the Windows Server 2019 systems of two health organizations, a pharmaceutical firm and a healthcare provider, from Oct. 28 to Nov. 8, according to a report from Huntress. Initial access obtained through ScreenConnect abuse was then used for further payload deployment, file transfers, command execution, and AnyDesk installation, as well as to establish persistence on the devices through a new user account. Aside from distributing the "text.xml" payload, which enabled concealed loading of the Meterpreter payload, attackers also leveraged the Printer Spooler service to execute other processes. No further details have been provided as to whether Transaction Data Systems had been breached or had one of its accounts' credentials compromised.