The federal government is alerting about potential attacks on healthcare businesses that are utilizing ConnectWise’s remote access tool, ScreenConnect. In 2023, cybercriminals breached a locally hosted version of this tool, utilized by a significant nationwide pharmacy supply chain and managed service provider.
The Health Sector Cybersecurity Coordination Center of the Health and Human Services Department issued an alert on Monday. It urged pharmacies and other healthcare entities to promptly inspect their systems and networks for signs of potential breaches possibly linked to ScreenConnect.
While HHS HC3 didn’t disclose the identity of the pharmacy supply chain and managed service provider affected by the ScreenConnect breach, it did allude to a report published last November by the security company Huntress.
Huntress informed the Information Security Media Group about an incident that impacted a self-hosted version of ScreenConnect. This version was in use by Transaction Data Systems, a pharmacy supply chain and managed services company, which recently merged with Florida-based Outcomes. The combined company offers products and services, including the Rx30 and ComputerRx pharmacy management software, which are popular among healthcare organizations throughout the U.S., as stated by HHS.
The Outcomes website indicates that the firm offers assistance to over 48,000 local, group and supermarket pharmacies.
The Department of Health and Human Services (HHS) disclosed that malicious entities managed to infiltrate the company’s IT infrastructure using an outdated, locally hosted version of ScreenConnect, which hadn’t seen any updates since 2019.
HHS cautioned that the effects, though still uncertain, might be significant.
The breach at Outcomes paved the way for hackers to exploit the company’s ScreenConnect system, using it as a base for launching unrelated attacks against the hosting company’s clients and users. This was stated by Chris Henderson, the Senior Director of Threat Operations at Huntress, the cybersecurity firm that discovered the attacks, in a conversation with ISMG.
Outcomes utilized a self-hosted variant of ScreenConnect, as opposed to a cloud-based one overseen by ConnectWise, the creators of the software, as stated by Henderson.
“Going the self-hosting route isn’t without its dangers: Make certain that you’ve implemented the necessary safeguards to avoid any breaches,” he advised.
Henderson conveyed that Huntress has identified two malevolent uses of ScreenConnect. One way involves an exploitation of the trial version. In this scenario, the cyber intruder gets a trial version of ScreenConnect and manipulates it as their remote access instrument. The second method is known as instance compromise, where the invaders breach an already established version of ScreenConnect and subsequently use it as their method for remote access.
“The misuse of remote access trials in the attack sequence is not exclusive to the healthcare industry. We’ve observed this kind of action in all the sectors we safeguard,” he commented.
Henderson mentioned that software used for remote observation and control is a frequent target for cyber attacks. This is primarily because it’s commonly used for legitimate purposes, which often leads security systems to overlook these breaches.
Presently, Huntress is unsure about the full scope of possible breaches linked to Outcomes’ ScreenConnect. “We don’t have any information about the direct effects this might have had on Outcomes’ clients and users, since we didn’t participate in their internal incident response. Our insights are based on our own clients’ systems,” Henderson commented.
Details of the Cyber Attack
During the period from October 28 to November 8, 2023, Huntress detected an unidentified cybercriminal abusing a locally hosted instance of ScreenConnect used by Outcomes. That instance served as the attacker’s initial access vector into the systems of the targeted organizations.
“Once the intruder gained entry, they carried out a series of actions, which encompassed the incorporation of extra remote access instruments like ScreenConnect or AnyDesk instances, aiming to maintain ongoing access to the system,” was the warning issued by HHS HC3.
In its analysis, Huntress reported that it had detected aggressive cyber activities targeting two separate health-related entities – a drug manufacturing company and a healthcare service provider, both utilizing Outcomes. The report also highlighted evidence of network probing, pointing towards a potential for increased threat levels.
HHS alerted that the assaults showcased analogous strategies, methods, and practices, such as the downloading of a payload dubbed test.xml. This suggests that a single individual was responsible for all the recorded occurrences.
HHS stated that the hackers employed the remote access tool for multiple purposes, such as the installation of extra payloads, executing commands, transferring files, and setting up AnyDesk. They also attempted to establish a new user account for continuous access.
The HHS alert remains ambiguous about whether Outcomes underwent a security violation, whether the access details for one of its accounts were jeopardized, or whether the invaders leveraged a separate method.
On November 14, ConnectWise, the company behind ScreenConnect, verified that a cyber attacker had gained access through an on-site ScreenConnect installation that hadn’t been updated since 2019, as reported by HHS.
Both ConnectWise and Outcomes did not promptly reply to the inquiries made by ISMG.
Until now, Huntress has been unsuccessful in pinpointing the culprits behind the cyberattacks.
Henderson informed ISMG that while Huntress couldn’t pinpoint the specific threat group responsible for this incident, it did notice that the CUBA ransomware group was displaying comparable tactics, techniques, and procedures during that period.
“Although we can’t pinpoint who executed this assault, it certainly illustrates that there are groups out there who understand the necessary techniques to carry out such attacks and they are implementing these techniques on a large scale,” he commented.
“Discussing these cyber assaults in the healthcare sector, the overarching theme is that these cybercriminals are predominantly motivated by monetary benefits. Their usual modus operandi involves making profits through coercion or ransom demands,” noted Henderson. “Even though they may end up accessing private health data, it’s usually just a component of their larger plan to intensify the pressure.”
Guarding Against This Vulnerability
The compromised endpoints in the ScreenConnect incident were running on an unmanaged Windows Server 2019 system. Hence, HHS has issued a cautionary statement urging organizations utilizing this software to take deliberate measures to protect their infrastructure.
HHS emphasized that, at the very least, measures such as advanced endpoint surveillance, solid cybersecurity structures, and active threat detection should be employed to lessen the risk of possible intrusions by threat actors.
Henderson highlighted that the ScreenConnect vulnerabilities Huntress has discovered in various industries often share similar traits. “A lot of the ScreenConnect breaches we’ve observed originate from social engineering,” he stated. “Workers should regularly be reminded of the signs of a social engineering assault: a sudden rush, alarm, a lure of financial gain, or forcefulness,” he added.
He further emphasized the significance of fortifying your security measures with detection features. These features should be capable of not only identifying the implementation of such technologies but also tracking the subsequent steps undertaken following the initial breach.
“If you’re not making use of ScreenConnect in your setup, prevent its installation. However, the effectiveness of these detection features heavily relies on a robust base of precise system and software inventories. If you’re unsure about what’s on your network and its operational software, that’s your starting point. Understanding what you need to protect is essential before you can begin to build layers of defense.”
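The detection approach Henderson describes (spot the installation of remote access tools, follow the steps that come after, and ground both in an accurate software inventory) can be illustrated with a small, added example; it is not code from Huntress, HHS, or ConnectWise. It takes a constructed set of simplified Windows events (service installs, account creation, logons; hostnames, service names, and user names are made up), checks each remote access service install against a per-host inventory allowlist, and then ranks hosts so that an unapproved install followed by a new local account on the same host, the persistence chain the HHS alert describes, rises to the top. The `identify_tool`, `detect_findings`, and `prioritize_hosts` functions and the event field names are assumptions for this example, not a real product API.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Patterns for the remote access tools named in the alert. Keys are the
# normalised tool names used in the inventory allowlist below.
RAT_PATTERNS = {
    "screenconnect": re.compile(r"screenconnect|connectwise", re.IGNORECASE),
    "anydesk": re.compile(r"anydesk", re.IGNORECASE),
}

# Constructed software inventory: which remote access tools each host is
# approved to run. A host absent from the map is approved for none, which
# implements "if you're not using ScreenConnect, it should not be there".
SAMPLE_INVENTORY: Dict[str, Set[str]] = {
    "PHARM-WS02": {"screenconnect"},
}

# Constructed sample events in a simplified shape: System log Event ID 7045
# (service installed), Security log 4720 (account created) and 4624 (logon).
SAMPLE_EVENTS = [
    {"host": "PHARM-WS01", "event_id": 7045,
     "service_name": "ScreenConnect Client (constructed)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (constructed)\ScreenConnect.ClientService.exe"},
    {"host": "PHARM-WS01", "event_id": 7045,
     "service_name": "AnyDesk Service",
     "image_path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service"},
    {"host": "PHARM-WS01", "event_id": 4720,
     "target_user": "svc_remote2", "subject_user": "helpdesk"},
    {"host": "PHARM-WS02", "event_id": 7045,
     "service_name": "ScreenConnect Client (constructed)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (constructed)\ScreenConnect.ClientService.exe"},
    {"host": "PHARM-WS02", "event_id": 4624, "target_user": "jdoe"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def identify_tool(service_name: str, image_path: str) -> Optional[str]:
    """Return the normalised tool name if the service looks like a known remote access tool."""
    haystack = f"{service_name} {image_path}"
    for tool, pattern in RAT_PATTERNS.items():
        if pattern.search(haystack):
            return tool
    return None


def detect_findings(events, inventory: Dict[str, Set[str]]) -> List[Finding]:
    """Flag remote access tool installs not covered by the inventory, plus new local accounts."""
    findings: List[Finding] = []
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 7045:
            tool = identify_tool(ev.get("service_name", ""), ev.get("image_path", ""))
            if tool is None or tool in inventory.get(host, set()):
                continue  # not a remote access tool, or approved for this host
            findings.append(Finding(host, "unapproved_remote_access_install",
                                    f"{tool} service '{ev['service_name']}' installed but not in inventory"))
        elif ev["event_id"] == 4720:
            findings.append(Finding(host, "new_local_account",
                                    f"account '{ev['target_user']}' created by '{ev['subject_user']}'"))
    return findings


def prioritize_hosts(findings: List[Finding]) -> Dict[str, str]:
    """Rank hosts: an unapproved install plus a new account on the same host is the
    persistence chain from the alert and gets 'high'; either alone ranks lower."""
    rules_by_host: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    severity: Dict[str, str] = {}
    for host, rules in rules_by_host.items():
        if {"unapproved_remote_access_install", "new_local_account"} <= rules:
            severity[host] = "high"
        elif "unapproved_remote_access_install" in rules:
            severity[host] = "medium"
        else:
            severity[host] = "low"
    return severity


if __name__ == "__main__":
    found = detect_findings(SAMPLE_EVENTS, SAMPLE_INVENTORY)
    for f in found:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print(prioritize_hosts(found))
```

Run as-is, the script reports three findings, all on PHARM-WS01 (the ScreenConnect and AnyDesk service installs and the new account), ranks that host "high", and stays silent on PHARM-WS02 because its ScreenConnect client is recorded in the inventory. That silence is the point Henderson makes about inventories: the same service install event is benign on one host and a finding on another only because the allowlist is accurate.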
The chief executive officer of cybersecurity company Syxsense, Ashley Leonard, also shared a similar evaluation about the ScreenConnect breach. According to Leonard, the primary point of breach was a server on-site, hosting a local version of ScreenConnect, which was not properly managed or updated.
Regrettably, despite the constant emphasis by IT and security experts on the importance of proactive asset management – including workstations, servers, applications, and so forth – organizations still find this a challenging task.
Leonard pointed out that in today’s increasingly dispersed IT landscapes and remote working teams, it’s easy for assets to be overlooked. He suggested that entities in the healthcare sector, along with other industries, should pay more attention to their inventory and asset management.