Hackers are targeting multiple healthcare organizations in the United States by abusing compromised access to an instance of ScreenConnect, a popular remote desktop tool owned by Transaction Data Systems (TDS), a pharmacy supply chain and management systems solution provider with offices in all 50 US states. Experts from managed security platform Huntress revealed that the hackers used this access to drop malware on endpoints belonging to two distinct organizations: one in the pharmaceutical sector and the other in healthcare. Both organizations used Windows Server 2019 systems.
“The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments,” said the researchers.
Between October 28 and November 8, 2023, the attackers were observed dropping a payload named text.xml on both endpoints, carrying C# code that loads the Meterpreter malware via the Metasploit dropper. The researchers also detected additional processes launched via the Printer Spooler service and an attempt to create new user accounts.
The researchers are still working to determine whether the hackers exploited a vulnerability or somehow obtained valid login credentials. However, their attempts to reach out to TDS, now Outcomes One following a merger, have been unsuccessful. The company has shared no information on its blog, newsroom, LinkedIn, or X accounts, but the article will be updated if new information is provided.
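The behaviours reported above (extra remote access tools, the text.xml payload name, processes spawned by the spooler service, new accounts) can be turned into simple hunting rules; the following is an added example, not code from Huntress or from the original article. It assumes a simplified event schema built from Windows Security events 4688 (process creation) and 4720 (user account created); the host names, paths, allowlists and sample records are constructed.

```python
import re

# Added example. The event schema, host names and sample records are constructed.
REMOTE_TOOLS = re.compile(r"anydesk|screenconnect", re.I)  # tools named in the report
PAYLOAD = re.compile(r"(?<![\w.-])text\.xml\b", re.I)      # payload file name from the report

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def hunt(events, approved_tools=frozenset(), spooler_allow=frozenset()):
    """Return sorted (host, rule, detail) findings.

    approved_tools: {(host, image basename)} remote tools the organization deployed itself.
    spooler_allow:  child images of spoolsv.exe known to be normal in this environment.
    """
    findings = set()
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 4720:    # 4720: a user account was created
            findings.add((host, "account_created", ev["target_user"]))
        elif ev["event_id"] == 4688:  # 4688: a new process was created
            image, parent = basename(ev["image"]), basename(ev["parent"])
            if parent == "spoolsv.exe" and image not in spooler_allow:
                findings.add((host, "spooler_child", image))
            if REMOTE_TOOLS.search(image) and (host, image) not in approved_tools:
                findings.add((host, "unapproved_remote_tool", image))
            if PAYLOAD.search(ev["cmdline"]):
                findings.add((host, "payload_name", image))
    return sorted(findings)

def proc(host, image, parent, cmdline=""):
    return {"host": host, "event_id": 4688, "image": image,
            "parent": parent, "cmdline": cmdline}

SVC = r"C:\Windows\System32\services.exe"
SC = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [  # constructed records, not taken from the incident
    proc("SRV-A", SC, SVC),  # the instance the organization deployed itself
    proc("SRV-A", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\spoolsv.exe"),
    proc("SRV-A", r"C:\ProgramData\AnyDesk.exe", SVC),
    {"host": "SRV-A", "event_id": 4720, "target_user": "support2"},
    proc("SRV-B", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
         r"cmd.exe /c type C:\Windows\Temp\text.xml"),
    proc("SRV-B", r"C:\Windows\notepad.exe", r"C:\Windows\explorer.exe",
         r"notepad.exe C:\app\context.xml"),  # benign: must not match text.xml
    proc("SRV-B", SC, SVC),  # a ScreenConnect client nobody approved on this host
]
APPROVED = {("SRV-A", "screenconnect.clientservice.exe")}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, APPROVED):
        print(finding)
```

The approved-tool inventory is what separates a legitimate ScreenConnect client from the additional instance an intruder installs, so the rule is only as good as that list.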