A new cyberattack campaign is targeting the pharmacy supply chain in the United States, using a remote access tool called ScreenConnect to compromise endpoints and deliver malicious payloads. The attackers are exploiting a vulnerability in the ScreenConnect software that is used by Transaction Data Systems (TDS), a company that provides pharmacy management systems and services to thousands of pharmacies across the country.
The attack was discovered by researchers from Huntress, a managed security platform that monitors and protects endpoints from cyber threats. Huntress observed the attack on two different healthcare organizations, one in the pharmaceutical sector and the other in the healthcare sector. Both organizations had a ScreenConnect instance running on a Windows Server 2019 system, which was accessed by the attackers.
The attackers used ScreenConnect to download a file named text.xml, which contained C# code that executed the Meterpreter payload, a component of the Metasploit framework that allows remote control of the compromised system. The attackers used a non-PowerShell execution technique to evade detection by antivirus and other security tools.
The attackers also used the Print Spooler service, the Windows service that manages printing tasks, to launch additional processes on the system. The Print Spooler service has been the subject of several exploits in the past, such as the PrintNightmare and SpoolSample vulnerabilities.
The attackers used the Meterpreter payload to perform various actions on the compromised system, such as executing commands, transferring files, and installing AnyDesk, another remote access tool that can provide persistent access to the system. The attackers also attempted to create a new user account on the system, presumably to maintain their access in case ScreenConnect or AnyDesk were removed or disabled.
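The behaviours described above (a remote access tool launching a script host, the Print Spooler spawning unexpected processes, a second remote access tool being installed, and a local account being created) are all visible in process-creation telemetry. The following Python sketch is an added example, not code from the Huntress report or from any vendor: it runs those four heuristics over constructed Sysmon-style JSON events. The host name, paths, timestamps, rule names and the Print Spooler child allow-list are assumptions for illustration and would need tuning for a real environment.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (JSON lines, loosely modelled on Sysmon
# Event ID 1 fields). Host, paths and times are invented for this example.
SAMPLE_EVENTS = r"""
{"ts": "2023-02-07T10:00:00Z", "host": "PHARM-SRV01", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe"}
{"ts": "2023-02-07T10:01:02Z", "host": "PHARM-SRV01", "parent_image": "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2023-02-07T10:01:30Z", "host": "PHARM-SRV01", "parent_image": "C:\\Windows\\System32\\spoolsv.exe", "image": "C:\\Windows\\System32\\PrintFilterPipelineSvc.exe", "cmdline": "PrintFilterPipelineSvc.exe"}
{"ts": "2023-02-07T10:02:15Z", "host": "PHARM-SRV01", "parent_image": "C:\\Windows\\System32\\spoolsv.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c start notepad.exe"}
{"ts": "2023-02-07T10:05:40Z", "host": "PHARM-SRV01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\Public\\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"}
{"ts": "2023-02-07T10:06:05Z", "host": "PHARM-SRV01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user helpdesk2 <placeholder> /add"}
"""

# Script/build hosts that a remote-support agent has little reason to spawn.
# The report's point is that execution did not go through PowerShell, so the
# rule keys on the parent relationship rather than on one child name.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "msbuild.exe", "rundll32.exe"}

# Illustrative allow-list of children spoolsv.exe is expected to start;
# anything else is worth a look. Assumed values, tune per environment.
SPOOLER_EXPECTED_CHILDREN = {"printfilterpipelinesvc.exe", "splwow64.exe"}

# "net user <name> ... /add" or "net1 user ... /add" in any casing.
NET_USER_ADD = re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def rule_remote_tool_spawns_script_host(ev: dict) -> bool:
    parent = basename(ev["parent_image"])
    return parent.startswith("screenconnect") and basename(ev["image"]) in SCRIPT_HOSTS


def rule_spooler_unexpected_child(ev: dict) -> bool:
    if basename(ev["parent_image"]) != "spoolsv.exe":
        return False
    return basename(ev["image"]) not in SPOOLER_EXPECTED_CHILDREN


def rule_anydesk_installed(ev: dict) -> bool:
    # A second remote access tool appearing mid-incident is a persistence signal.
    return basename(ev["image"]) == "anydesk.exe"


def rule_local_account_created(ev: dict) -> bool:
    return NET_USER_ADD.search(ev.get("cmdline", "")) is not None


RULES = [
    ("remote_tool_spawns_script_host", rule_remote_tool_spawns_script_host),
    ("spooler_unexpected_child", rule_spooler_unexpected_child),
    ("anydesk_installed", rule_anydesk_installed),
    ("local_account_created", rule_local_account_created),
]


def detect(jsonl: str) -> list[dict]:
    """Apply every rule to every event; return one finding per (event, rule) hit."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rule in RULES:
            if rule(ev):
                findings.append({"rule": name, "host": ev["host"],
                                 "ts": ev["ts"], "cmdline": ev.get("cmdline", "")})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['cmdline']}")
```

None of these rules is conclusive on its own (administrators do create accounts and install remote tools), but the same host tripping several of them within minutes, starting from a remote-support agent's process tree, is the pattern worth escalating.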
The researchers from Huntress traced the ScreenConnect instance to a domain name associated with TDS, rs[.]tdsclinical[.]com. TDS is a leading provider of pharmacy supply chain and management systems in the US, serving over 8,000 pharmacies in all 50 states. TDS offers various solutions, such as Rx30, Computer-Rx, Enhanced Medication Services, and Pharm Assess, to help pharmacies optimize their operations, improve patient care, and increase profitability.
The researchers from Huntress notified TDS and the affected organizations about the attack and provided them with mitigation steps and recommendations. They also advised other organizations that use ScreenConnect or similar remote access tools to check their systems for signs of compromise and to apply the latest security patches and updates. Finally, they warned that the attack could be part of a larger campaign targeting other sectors or regions, and urged the security community to share any relevant information or indicators of compromise.