Attackers are stepping up intrusions against healthcare organizations in the United States by abusing compromised access to a ScreenConnect instance (a popular remote desktop tool) belonging to Transaction Data Systems (TDS), a pharmacy supply chain and management systems provider with offices in all 50 US states. According to researchers at managed security platform Huntress, the intruders used that access to drop malware on endpoints belonging to two separate organizations in the pharmaceutical and healthcare sectors. Both endpoints were Windows Server 2019 hosts, and the one thing they had in common was that same ScreenConnect instance.
The attackers took several steps to retain access to the environments, including installing additional remote access tools, among them further ScreenConnect and AnyDesk instances. Between October 28 and November 8, 2023, they dropped a payload named text.xml onto both endpoints; the file carries C# code that loads Meterpreter, the Metasploit post-exploitation payload. The researchers also observed processes being launched through the Print Spooler service, as well as an attempt to create new user accounts.
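The post-access activity described above (child processes spawned by the Print Spooler, a dropped file named text.xml, new local accounts, and extra ScreenConnect or AnyDesk installs) is all visible in standard Windows event logs. The hunt below is an added example, not code from Huntress, TDS, or this article; it runs rules over event records that are constructed here as Python dicts mirroring the fields of Security 4688/4720 and System 7045 events. The field names, the Print Spooler child allow-list, and the sample events are assumptions for illustration, not telemetry from the incident.

```python
"""Hunt Windows event records for the intrusion behaviours described above.

Added example, not Huntress's or Transaction Data Systems' code. Event
records are constructed dicts mirroring Security 4688/4720 and System 7045
fields; field names, allow-lists and sample data are assumptions.
"""
import re
from collections import defaultdict

# Children the Print Spooler legitimately launches (assumed allow-list; extend per fleet).
SPOOLER_EXPECTED_CHILDREN = {"splwow64.exe", "printfilterpipelinesvc.exe", "conhost.exe"}
# Remote access tools the report says the intruders added for persistence.
RAT_SERVICE_PATTERN = re.compile(r"screenconnect|anydesk", re.IGNORECASE)
# File name of the dropped loader named in the report.
PAYLOAD_NAME = "text.xml"


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a list of (host, rule, detail) findings over Security/System events."""
    findings = []
    rat_services = defaultdict(set)  # host -> service names that look like ScreenConnect/AnyDesk
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 4688:  # process creation
            parent = basename(ev.get("parent_process", ""))
            child = basename(ev.get("new_process", ""))
            cmd = ev.get("command_line", "")
            if parent == "spoolsv.exe" and child not in SPOOLER_EXPECTED_CHILDREN:
                findings.append((host, "spooler_child", f"{child} spawned by spoolsv.exe"))
            if PAYLOAD_NAME in cmd.lower():
                findings.append((host, "payload_ioc", f"{child} referenced {PAYLOAD_NAME}"))
        elif eid == 4720:  # user account created
            findings.append((host, "account_created",
                             f"{ev['target_user']} created by {ev['subject_user']}"))
        elif eid == 7045:  # new service installed
            name = ev.get("service_name", "")
            if RAT_SERVICE_PATTERN.search(name) or RAT_SERVICE_PATTERN.search(ev.get("image_path", "")):
                rat_services[host].add(name)
                findings.append((host, "rat_service_installed", name))
    # A host that already runs one sanctioned remote access client should not gain a second instance.
    for host, names in rat_services.items():
        if len(names) > 1:
            findings.append((host, "multiple_rat_instances", ", ".join(sorted(names))))
    return findings


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {"host": "RX-SRV01", "event_id": 4688, "parent_process": r"C:\Windows\System32\spoolsv.exe",
     "new_process": r"C:\Windows\System32\splwow64.exe", "command_line": "splwow64.exe"},
    {"host": "RX-SRV01", "event_id": 4688, "parent_process": r"C:\Windows\System32\spoolsv.exe",
     "new_process": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "RX-SRV01", "event_id": 4688, "parent_process": r"C:\Windows\System32\cmd.exe",
     "new_process": r"C:\Users\Public\stage.exe",  # hypothetical loader name
     "command_line": r"stage.exe C:\Users\Public\text.xml"},
    {"host": "RX-SRV01", "event_id": 4720, "target_user": "svc_backup2", "subject_user": "RX-SRV01$"},
    {"host": "RX-SRV01", "event_id": 7045, "service_name": "ScreenConnect Client (a1b2c3d4e5f6)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe"},
    {"host": "RX-SRV01", "event_id": 7045, "service_name": "ScreenConnect Client (f6e5d4c3b2a1)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (f6e5d4c3b2a1)\ScreenConnect.ClientService.exe"},
    {"host": "RX-SRV02", "event_id": 7045, "service_name": "AnyDesk Service",
     "image_path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "RX-SRV02", "event_id": 7045, "service_name": "wuauserv",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

The "multiple_rat_instances" rule is the one most specific to this case: a pharmacy endpoint that legitimately runs a vendor's ScreenConnect client will not trip a plain "ScreenConnect installed" alert, but a second ScreenConnect service with a different instance ID on the same host is exactly the extra foothold the report describes. In production, feed the rules from Sysmon or Security/System log exports instead of the constructed list, and tune the spooler allow-list against a baseline of your own fleet before alerting on it.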
It is not yet known how the attackers gained access to TDS's systems, whether by exploiting a vulnerability or by using valid login credentials. The company has not responded to requests for comment, and the attacks are believed to be ongoing. Following a merger last summer, TDS became Outcomes One. The company has published no new information on its blog, newsroom, LinkedIn, or other channels. This article will be updated if the company provides any new information.
I have over 10 years of experience in the cryptocurrency industry and I have been on the list of the top authors on LinkedIn for the past 5 years.