Threat Actors Abuse ScreenConnect Access to Target Healthcare

January 23, 2024 - The Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert to warn healthcare organizations of recent threat actor activity involving the abuse of ScreenConnect, a widely used remote access tool.

According to security researchers, between October 28 and November 8, 2023, a threat actor exploited a locally hosted instance of ScreenConnect to gain access to victim organizations. After gaining initial access, the threat actor continued their attack by installing additional remote access tools, such as AnyDesk, in order to maintain persistent system access.

“The impact of potential unauthorized access on both federal and private industry victims, many of which rely on this tool, would be a concerning development for the healthcare sector,” HC3 stated.

Following this incident, a cybersecurity firm found evidence of network reconnaissance in preparation for attack escalation and identified endpoints from one pharmaceutical firm and one healthcare provider.

“On November 14, the vendor of ScreenConnect confirmed that the threat actor gained access via an unmanaged on-prem instance that had not been updated since 2019, going against recommended best practices,” the alert continued.

“The impact, while still unknown, could be substantial, as the threat actor leveraged local ScreenConnect instances used by a pharmacy supply chain and management systems solution provider that is present in all 50 states.”

At this time, it is unclear if either organization suffered a breach or if the threat actor was able to compromise account credentials.

HC3 provided detailed indicators of compromise (IOCs) and payload information to help defenders recognize signs of compromise. Since the compromised endpoints operated on an unmanaged instance of a Windows Server 2019 system, researchers recommended that organizations safeguard their infrastructure. Endpoint monitoring and proactive threat hunting are other crucial mitigation efforts that healthcare organizations should take.

“Pharmacies and other healthcare organizations that may be clients of the pharmacy supply chain and management systems solution provider should immediately examine their systems and networks for the above IOCs. Any discovery of these should be taken seriously and investigated promptly,” the alert concluded.

“Given the potential implications of such a breach in the HPH sector, particularly regarding patient data, privacy, and availability of critical services, a comprehensive response is essential. The full extent of this incident is still unknown and is being investigated to determine its potential wider impact. While no attribution is presently known, organizations can still take proactive steps to protect themselves and mitigate against potential future incidents.”