Incident Report

Sneaky ScreenConnect Scheme Targets Healthcare

By Access Point Consulting

Overview

A targeted cyber-attack abusing the ScreenConnect remote access tool has been identified, impacting multiple healthcare organizations in the U.S. Notably, the threat actors exploited local ScreenConnect instances affiliated with Transaction Data Systems (TDS), a pharmacy supply chain and management systems provider. The attacks were detected between October 28 and November 8, 2023, and activity was still ongoing at the time of reporting. The activity, detected and reported by the managed security company Huntress, showed deliberate tradecraft: the attackers installed additional tools such as AnyDesk to maintain persistent access independent of the ScreenConnect session that gave them their initial foothold.

The attackers' first step on every affected endpoint was the same: downloading a payload named text.xml, which points to a single actor working from one playbook. The file carried C# code that loaded the Metasploit Meterpreter payload directly into memory without touching PowerShell, sidestepping the script-block logging and AMSI coverage that most endpoint controls rely on for PowerShell-based loaders. Subsequent processes were launched through the Windows Print Spooler service, and the compromised endpoints were running Windows Server 2019.

The common thread among the affected organizations was a ScreenConnect instance tied to the 'rs.tdsclinical[.]com' domain associated with TDS. Through that instance the attackers installed additional payloads, executed commands, transferred files, and attempted to create new user accounts for sustained access.
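The indicators above translate directly into hunt logic. The following Python script is an added example, not code from Huntress, TDS, or Access Point Consulting: it runs four detections over process-creation telemetry (a ScreenConnect client pointing at the suspect relay, the Print Spooler or a ScreenConnect client spawning a shell or script host, local account creation, and a secondary remote-access tool installed from a ScreenConnect session) and correlates hits per host. The six events are constructed for this example in a simplified Sysmon Event ID 1 / Security 4688 shape; hostnames, paths, account names, and client hashes are invented. Relay extraction assumes the ScreenConnect client is started with its relay in the `h=` query parameter of its command line, which is how the client installer writes the service ImagePath; verify that layout against your own hosts before relying on it.

```python
import re
from urllib.parse import parse_qs

# Relay host named in the report (written un-defanged here because we match on it).
# Extend with any vendor relay that should not be reachable from your fleet.
SUSPECT_RELAYS = {"rs.tdsclinical.com"}

# Children that neither spoolsv.exe nor a ScreenConnect client should normally spawn.
UNEXPECTED_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe"}

# Secondary remote-access tools; installation from a ScreenConnect session signals persistence.
SECONDARY_RATS = {"anydesk.exe", "teamviewer.exe", "atera.exe", "splashtop.exe"}

# "net user <name> [password] /add" (net.exe hands off to net1.exe, so match both).
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/add\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def relay_host(cmdline):
    """Return the relay host (h=) from a ScreenConnect client command line, else None.
    Assumed layout: "<path>\\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=<relay>&p=<port>&..."."""
    m = re.search(r'"\?([^"]*)"', cmdline)
    if m is None or "screenconnect" not in cmdline.lower():
        return None
    return parse_qs(m.group(1)).get("h", [None])[0]


def hunt(events):
    """Apply the four detections to a list of process-creation events; return findings in event order."""
    findings = []
    for ev in events:
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        from_screenconnect = parent.startswith("screenconnect")
        relay = relay_host(ev["cmdline"])
        if relay and relay.lower() in SUSPECT_RELAYS:
            findings.append({"host": ev["host"], "rule": "suspect_relay", "detail": relay})
        if (parent == "spoolsv.exe" or from_screenconnect) and child in UNEXPECTED_CHILDREN:
            findings.append({"host": ev["host"], "rule": "unexpected_child", "detail": f"{parent} -> {child}"})
        if NET_USER_ADD.search(ev["cmdline"]):
            findings.append({"host": ev["host"], "rule": "local_account_created", "detail": ev["cmdline"]})
        if from_screenconnect and child in SECONDARY_RATS:
            findings.append({"host": ev["host"], "rule": "secondary_rat", "detail": child})
    return findings


def hosts_to_triage(findings, min_rules=2):
    """Hosts where at least min_rules distinct detections fired; one hit is noise, several is a chain."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


# Constructed sample telemetry: four stages of the described chain on one server, two benign events elsewhere.
SC_DIR = r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f)"
SAMPLE_EVENTS = [
    {"host": "PHARM-SRV01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": SC_DIR + r"\ScreenConnect.ClientService.exe",
     "cmdline": '"' + SC_DIR + r'\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=rs.tdsclinical.com&p=443&s=00000000-0000-0000-0000-000000000000&k=BgIAAACkAABSU0ExAAgAAAEAAQ"'},
    {"host": "PHARM-SRV01", "parent_image": SC_DIR + r"\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c net user svc_backup Summer2023! /add"},
    {"host": "PHARM-SRV01", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\Temp\update.dll,Start"},
    {"host": "PHARM-SRV01", "parent_image": SC_DIR + r"\ScreenConnect.WindowsClient.exe",
     "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": r'"C:\Users\Public\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'},
    {"host": "WS-FRONTDESK", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c5b4a)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c5b4a)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=helpdesk.example.com&p=443&s=11111111-1111-1111-1111-111111111111&k=BgIAAACkAABSU0ExAAgAAAEAAQ"'},
    {"host": "WS-FRONTDESK", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:14} {f['rule']:22} {f['detail']}")
    print("triage:", hosts_to_triage(results))
```

The relay check is the cheapest and most specific of the four: a ScreenConnect client whose `h=` parameter names a vendor relay you do not recognize is worth a ticket on its own, whereas the other three rules earn their keep mainly in combination, which is why the example only escalates hosts where two or more distinct rules fire. The front-desk workstation's legitimate ScreenConnect client produces no finding because its relay is not on the suspect list.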

Response and Recovery

Huntress observed the installation of additional tools and attempts to create user accounts. TDS, now operating as 'Outcomes' after a recent merger, has been notified but has not responded. Whether TDS's incident response plan is functioning remains unclear, as the company has made no effort to contact the Huntress research team about the incident. It is also unknown whether affected stakeholders have been informed, a gap that may cause reputational damage and erode customer trust.

Recommendations

The healthcare industry has an ever-present need to be proactive about cybersecurity measures, collaborative threat intelligence sharing, and swift incident response. Healthcare and pharmaceutical executives must prioritize a comprehensive review of their organization's security posture to prevent future incidents of a similar nature.

Specifically, organizations must act immediately to secure their ScreenConnect instances, including instances installed and operated on their behalf by vendors such as TDS. That means inventorying and hardening every remote access tool in the environment, reviewing security controls and incident response plans, training employees to recognize and report potential security threats, and engaging a team of experts who proactively hunt for threats within the organization's systems rather than waiting for an alert.
