Feds Warn Healthcare Sector of ScreenConnect Threats
HHS: Compromise at Large Pharma Software and Services Firm Puts Entities at Risk
Federal authorities are warning of attacks on healthcare sector firms that use ConnectWise's remote access tool ScreenConnect. Hackers compromised a locally hosted version of the tool used by a large national pharmacy supply chain and managed services provider in 2023.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an alert Monday warned pharmacies and other healthcare organizations to "immediately examine their systems and networks" for indicators of compromise potentially involving ScreenConnect.
Although HHS HC3 did not name the pharmacy supply chain and management services provider hit by the ScreenConnect hack, the agency's alert referred to a report issued last November by security firm Huntress.
Huntress told Information Security Media Group that the incident had involved a self-hosted version of ScreenConnect used by pharmacy supply chain and managed services firm Transaction Data Systems, which recently merged with Florida-based Outcomes. That company provides products and services such as Rx30 and ComputerRx pharmacy management software, commonly used by healthcare sector entities across the U.S., HHS said.
The Outcomes website says the company provides services that support more than 48,000 community, chain and grocery pharmacies.
HHS said threat actors gained access to the company's IT environment through a self-hosted, on-premises version of ScreenConnect that had not been updated since 2019.
"The impact, while still unknown, could be substantial," HHS warned.
The compromise at Outcomes "would allow attackers to use that company's ScreenConnect system as their own command-and-control infrastructure for attacks unrelated to the hosting company’s clients and users," Chris Henderson, senior director of threat operations at Huntress, the security firm that identified the attacks, told ISMG.
The ScreenConnect instance used by Outcomes was self-hosted, not a cloud-based version managed by ConnectWise, the software's maker, according to Henderson.
"Self-hosting comes with risks: Ensure you have the proper security measures in place to prevent its compromise," he said.
Henderson said Huntress has seen ScreenConnect being used maliciously in two ways. The first involves trial abuse, in which the attacker obtains a trial instance of ScreenConnect and uses that as a remote access tool, he said. The other way is an instance compromise, in which attackers compromise an existing implementation of ScreenConnect and then use it as their remote access tool.
"The abuse of remote access trials as part of the attack chain is not unique to the healthcare sector. We have seen this type of activity across every sector we protect," he said.
Remote monitoring and management software is a popular attack vector because it is used legitimately most of the time, meaning that hacks are often missed by security tools, Henderson said.
At this point, Huntress does not know the extent of other potential compromises involving Outcomes' ScreenConnect. "We are unaware of the impacts this may have directly made on Outcomes' clients and users, as we were not involved in their internal incident response. Our observations are from the systems of our clients," Henderson said.
Attack Details
Huntress found that between Oct. 28 and Nov. 8, 2023, an unknown threat actor had "abused" the locally hosted instance of ScreenConnect used by Outcomes for initial access to victim organizations.
"After initial access, the attacker proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environment," HHS HC3 said in its alert.
Huntress said in its report that it had identified attacks on endpoints from two distinct healthcare organizations - a pharmaceutical firm and a medical care provider that both used Outcomes - and activity indicating network reconnaissance to prepare for attack escalation.
"The attacks featured similar tactics, techniques and procedures, including the downloading of a payload named test.xml, indicating that the same actor was behind all observed incidents," HHS said in the alert.
"The remote access tool was then used to install additional payloads, to execute commands, to transfer files and to install AnyDesk. The hackers also tried to create a new user account for persistent access," HHS said.
It is still unclear if Outcomes suffered a breach, if credentials to one of its accounts were compromised, or if the attackers exploited a different mechanism, the HHS alert says.
On Nov. 14, ConnectWise, the vendor of ScreenConnect, confirmed that the threat actor had gained access via an unmanaged on-premises installation that had not been updated since 2019, HHS said.
Neither ConnectWise nor Outcomes immediately responded to ISMG's requests for comment.
So far, Huntress has not been able to identify the hackers responsible for the attacks.
"We weren't able to confirm which threat group was behind this case; however, we at least observed the CUBA Ransomware group demonstrating similar TTPs around that time," Henderson told ISMG.
"While this doesn't tell us who performed this attack, it at least shows groups are aware of the tradecraft needed to perform these types of attacks and are deploying that tradecraft at scale," he said.
"When we're talking about these attacks in healthcare, the big picture is that it's mostly about the money for these hackers. They're typically in it for financial gain, typically through extortion or ransom," Henderson said. "While they might get their hands on personal health information, it's often just a part of their strategy to crank up the pressure."
Defending Against This Exploit
Because the endpoints compromised in the ScreenConnect incident operated on an unmanaged instance of a Windows Server 2019 system, organizations using the software should take concerted steps to safeguard their infrastructure, HHS warned.
"At a minimum, that includes using enhanced endpoint monitoring, robust cybersecurity frameworks, and proactive threat hunting to mitigate potential threat actor intrusions," HHS said.
Henderson said the ScreenConnect compromises Huntress has identified across many sectors often have common characteristics. "Many of the ScreenConnect compromises we have seen start from social engineering," he said. "Employees need to have frequent reminders for the tells of a social engineering attack: an unexpected sense of urgency, fear, a promise of monetary reward, or intimidation."
"Layering your defenses with detection capabilities that can detect both the installation of these technologies as well as the follow-on actions taken after the initial compromise is important," he added.
"If you are not utilizing ScreenConnect within your environment, block its installation. These detection capabilities are largely dependent on a solid foundation of accurate systems and software inventories though. If you cannot answer what is on your network and what it is running, start there. You can't layer defenses unless you know what you have to defend."
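A minimal hunt of the kind Henderson describes, as an added example (this is not code from the HHS alert, Huntress or ISMG): it checks endpoint telemetry for ScreenConnect and AnyDesk process starts against a software inventory of which hosts are approved to run them, flags hosts that are missing from the inventory altogether, and flags follow-on actions (a dropped file, a new local account) on hosts where an unapproved remote access tool has already appeared. The log format, host names, inventory contents and event names are constructed assumptions, not real telemetry.

```python
"""Hunt endpoint telemetry for unapproved remote access tools and follow-on actions.

Added example; the inventory, log format and sample events are constructed.
"""
import re
from collections import defaultdict

# Constructed software inventory: which RMM tools each known host is approved to run.
# An empty set means the host is known but should run no RMM tool at all.
APPROVED_RMM = {
    "helpdesk-01": {"screenconnect"},
    "pharm-ws-07": set(),
    "pharm-srv-02": set(),
}

# Tools named in the article as abused for initial and persistent access.
RMM_PATTERNS = {
    "screenconnect": re.compile(r"screenconnect", re.I),
    "anydesk": re.compile(r"anydesk", re.I),
}

# Follow-on actions worth flagging once an unapproved RMM tool has run on a host.
FOLLOW_ON = {
    "file_write": "file_dropped_after_rmm",
    "user_created": "account_created_after_rmm",
}

# Constructed telemetry in a simple "host | event | detail" format.
SAMPLE_LOG = """\
helpdesk-01 | process_start | C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
pharm-ws-07 | process_start | C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe
pharm-ws-07 | file_write | C:\\Users\\jdoe\\Downloads\\test.xml
pharm-ws-07 | process_start | C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
pharm-ws-07 | user_created | svc_backup
pharm-srv-02 | process_start | C:\\Windows\\System32\\svchost.exe
lab-pc-99 | process_start | C:\\Users\\guest\\Downloads\\AnyDesk.exe
"""


def parse_log(text):
    """Parse 'host | event | detail' lines into event dicts, skipping blanks."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        host, event, detail = (part.strip() for part in raw.split("|", 2))
        events.append({"host": host, "event": event, "detail": detail})
    return events


def identify_rmm(detail):
    """Return the RMM tool name referenced in a process path, or None."""
    for name, pattern in RMM_PATTERNS.items():
        if pattern.search(detail):
            return name
    return None


def hunt(events, inventory):
    """Return (host, finding, detail) tuples in the order the evidence appears."""
    findings = []
    unapproved_seen = defaultdict(set)  # host -> unapproved RMM tools observed
    reported_unknown = set()
    for ev in events:
        host = ev["host"]
        approved = inventory.get(host)
        if approved is None:
            # Inventory gap: you cannot defend a host you do not know you have.
            if host not in reported_unknown:
                findings.append((host, "unknown_host", ev["detail"]))
                reported_unknown.add(host)
            approved = set()
        if ev["event"] == "process_start":
            tool = identify_rmm(ev["detail"])
            if tool and tool not in approved:
                findings.append((host, "unapproved_rmm", tool))
                unapproved_seen[host].add(tool)
        elif ev["event"] in FOLLOW_ON and unapproved_seen[host]:
            findings.append((host, FOLLOW_ON[ev["event"]], ev["detail"]))
    return findings


if __name__ == "__main__":
    for host, finding, detail in hunt(parse_log(SAMPLE_LOG), APPROVED_RMM):
        print(f"{host:12} {finding:26} {detail}")
```

The approved host running ScreenConnect produces no finding, which is the point of joining detection to inventory: the same process on a workstation with no approved RMM tool, or on a host the inventory has never heard of, is what surfaces.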
Ashley Leonard, CEO at security firm Syxsense, offered a similar assessment of the ScreenConnect compromise. "The initial access vector was an unmanaged, unpatched, on-premises server that was hosting a local version of ScreenConnect," he said.
"Unfortunately, as much as the IT and security communities reiterate the need for active management of assets - workstations, servers, applications, etc. - this continues to be difficult for organizations.
"With more distributed IT environments and remote workforces, assets can be easily forgotten," Leonard said. He added that organizations across the healthcare ecosystem - as well as other sectors - need to look more closely at their inventory and asset management.