HC3 Warns of Threat of Unauthorized Remote Access via ScreenConnect Tool
The ScreenConnect remote access tool has been abused by a threat actor to gain access to the networks of organizations in the healthcare and public health (HPH) sector. According to a sector alert from the Health Sector Cybersecurity Coordination Center (HC3), between October 28 and November 8, 2023, an unknown threat actor abused a locally hosted ScreenConnect instance to gain remote access to victims’ networks.
Once access was gained, the threat actor installed further remote access tools including SecureConnect and AnyDesk instances to allow persistent access to victims’ networks. Researchers at the cybersecurity company Huntress identified two attacks on distinct healthcare organizations and the threat actor’s activity suggests network reconnaissance was being conducted in preparation for attack escalation.
On November 14, the vendor of ScreenConnect said the threat actor gained access to an unmanaged on-premises instance of ScreenConnect that had not been updated since 2019. The ScreenConnect vendor said the organizations affected had gone against recommended best practices. In the attack, the threat actor leveraged local ScreenConnect instances used by the pharmacy supply chain and management systems solution provider Transaction Data Systems (now Outcomes). The company makes Rx30 and ComputerRx software that is used by pharmacies in all 50 states. The Huntress researchers have not been able to determine the impact of the attack, but say it could be substantial.
HC3 has provided Indicators of Compromise (IoCs) associated with the attack and advises all clients of the pharmacy supply chain and management systems solution provider to take immediate action and examine their systems and networks for the IoCs. If any of the IoCs are identified they should be taken seriously and warrant a prompt and thorough investigation and comprehensive breach response.
According to HC3, the compromised endpoints used an unmanaged instance of a Windows Server 2019 system, and organizations should take concerted steps to safeguard their infrastructure. HC3 recommends implementing enhanced endpoint monitoring solutions and robust cybersecurity frameworks, and engaging in proactive threat hunting to mitigate potential threat actor intrusions.
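The alert describes two conditions a defender can check for directly: a locally hosted ScreenConnect instance that is unmanaged or has not been updated for years, and additional remote access tools (such as AnyDesk) appearing on hosts where they were never sanctioned. The following is an added example of that triage logic, not code from HC3, Huntress or the ScreenConnect vendor. The inventory format, the `APPROVED_REMOTE_ACCESS` allowlist, the `STALE_CUTOFF` date and the sample host records are all assumptions constructed for the illustration; the page provides no IoCs, so none are used here.

```python
"""Triage a host inventory for the remote-access conditions described in the HC3 alert.

Added example; not code from HC3, Huntress, or the ScreenConnect vendor.
The inventory format, the allowlist, and the staleness cut-off are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumption: the remote access tools this organization has sanctioned.
APPROVED_REMOTE_ACCESS = {"ScreenConnect"}

# Assumption: a ScreenConnect server last updated before this date is treated as stale.
# The alert only says the abused instance had not been updated since 2019.
STALE_CUTOFF = date(2020, 1, 1)


@dataclass
class RemoteAccessInstall:
    tool: str
    last_updated: Optional[date]  # None when no update record is available
    managed: bool                 # True if tracked by patch/configuration management


@dataclass
class Host:
    name: str
    installs: List[RemoteAccessInstall]


def triage_host(host: Host) -> List[str]:
    """Return finding strings for one host; an empty list means nothing notable."""
    findings = []
    for inst in host.installs:
        if inst.tool not in APPROVED_REMOTE_ACCESS:
            # Extra remote access tools are how the actor kept persistent access.
            findings.append(f"{host.name}: unapproved remote access tool {inst.tool}")
            continue
        if not inst.managed:
            findings.append(f"{host.name}: unmanaged {inst.tool} instance")
        if inst.last_updated is None or inst.last_updated < STALE_CUTOFF:
            when = inst.last_updated or "unknown"
            findings.append(f"{host.name}: {inst.tool} not updated since {when}")
    return findings


def triage(hosts: List[Host]) -> List[str]:
    """Run triage_host over the whole inventory and collect all findings."""
    findings = []
    for host in hosts:
        findings.extend(triage_host(host))
    return findings


# Constructed sample inventory: hypothetical host names, not real systems or IoCs.
SAMPLE_HOSTS = [
    Host("rx-app-01", [RemoteAccessInstall("ScreenConnect", date(2023, 9, 12), True)]),
    Host("rx-app-02", [RemoteAccessInstall("ScreenConnect", date(2019, 6, 3), False),
                       RemoteAccessInstall("AnyDesk", None, False)]),
    Host("ws-pharm-07", [RemoteAccessInstall("AnyDesk", date(2023, 11, 2), False)]),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_HOSTS):
        print(line)
```

Run against the constructed inventory, the maintained server produces no findings, the stale unmanaged ScreenConnect server produces two, and each AnyDesk install produces one. In practice the inventory would be populated from the endpoint monitoring HC3 recommends (installed software, running services, scheduled tasks), and any hit is a starting point for the investigation the alert calls for rather than a verdict on its own.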