Why did hackers want to get into the US health care systems?
Huntress has found evidence of hacker attacks on several US healthcare organizations. The cyberattack was aimed at ScreenConnect remote access systems, which are used a lot in healthcare.
As part of these attacks, the infrastructure of Transaction Data Systems (TDS), which is present in all 50 US states and gives pharmacies management and supply systems, was used. Huntress says that cybercriminals took advantage of TDS systems by setting up local copies of ScreenConnect.
Analysts from Huntress found malicious activity on the endpoints of two different healthcare organizations. Hackers added more remote access tools, such as ScreenConnect or AnyDesk, to make sure they could always get into networks in case they planned a bigger attack.
A lot of research is done on the ways that attacks are staged. In each case, the researchers found similar tactics, techniques, and procedures (TTPs). PowerShell can't find the Meterpreter payload if we use a text.xml file with C# code to load it into memory. Some extra tasks have also been started with the printing service, which has been recorded.
Criminals went after computers running Windows Server 2019 in both the pharmaceutical and healthcare fields. ScreenConnect was the technology that let them talk to each other.
At this point, we don't know if TDS is the result of a hacked account or a leak of credentials. When these things happen, uncertainty makes things more dangerous for both the medical staff and the people who are being treated.