HC3 warns healthcare sector of unauthorized access threats from ScreenConnect tool

The Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) on Monday issued a sector alert addressing the possible threat of unauthorized access to HPH (healthcare and public health) organizations through remote access tools. The alert warned that the ScreenConnect tool could be adversely affected or targeted by threat actors. Potential unauthorized access to both federal and private industry victims, many of whom rely on this tool, would be a concerning development for the healthcare sector.

The latest HC3 sector alert provides a technical overview of the issues concerning the remote access tool, IOCs (indicators of compromise), and recommended mitigations to detect and protect against future cyberattacks. The agency noted that the probability of hackers targeting the healthcare industry remains high. “Prioritizing security by maintaining awareness of the threat landscape, assessing your situation, and providing staff with tools and resources necessary to prevent a cyberattack remain the best ways forward for healthcare organizations,” it added.

“Between October 28 and November 8, 2023, an unknown threat actor abused a locally hosted instance of a widely-used remote access tool, ScreenConnect, for initial access to victim organizations,” the HC3 alert disclosed. “After initial access, the attacker proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environment. A cybersecurity firm identified the attacks on endpoints from two distinct healthcare organizations and activity indicating network reconnaissance in preparation of attack escalation.”

Additionally, “on November 14, the vendor of ScreenConnect confirmed that the threat actor gained access via an unmanaged on-prem instance that had not been updated since 2019, going against recommended best practices,” the alert added. 

HC3 noted that the impact, while still unknown, could be substantial, as the threat actor leveraged local ScreenConnect instances used by a pharmacy supply chain and management systems solution provider that is present in all 50 states. The attacks featured similar tactics, techniques, and procedures (TTPs), including the downloading of a payload named test[dot]xml, indicating that the same actor was behind all observed incidents.

“The compromised endpoints operated on a Windows Server 2019 system, belonging to two distinct organizations, a pharmaceutical firm, and a healthcare provider, the common link between them being a ScreenConnect instance,” according to the alert. “The remote access tool was then used to install additional payloads, to execute commands, to transfer files, and to install AnyDesk.”

Additionally, the alert identified that the hackers also tried to create a new user account for persistent access. “It is still unclear if the pharmacy supply chain and management systems solution provider suffered a breach, if the credentials to one of their accounts were compromised, or if the attackers exploited a different mechanism.”

Because the compromised endpoints ran on an unmanaged Windows Server 2019 system, the HC3 alert on the ScreenConnect tool said that “it is recommended that organizations take concerted steps to safeguard their infrastructure. At a minimum, cybersecurity researchers encourage enhanced endpoint monitoring, robust cybersecurity frameworks, and proactive threat hunting to mitigate potential threat actor intrusions.”

The alert cautioned that pharmacies and other healthcare organizations that may be clients of the pharmacy supply chain and management systems solution provider should immediately examine their systems and networks for the above IOCs. “Any discovery of these should be taken seriously and investigated promptly. Given the potential implications of such a breach in the HPH sector, particularly regarding patient data, privacy, and availability of critical services, a comprehensive response is essential.”
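The alert's TTPs (a ScreenConnect client followed by a second remote access tool such as AnyDesk, a dropped test.xml payload, and a newly created local account) lend themselves to a simple host-level hunt. The following is an added example, not code from HC3 or the ScreenConnect vendor; the event records are constructed and the field names (`host`, `type`, `detail`) are assumptions standing in for whatever a SIEM export provides.

```python
"""Hunt for the ScreenConnect abuse chain described in the HC3 alert.

Added example, not from HC3 or ConnectWise.  Runs over constructed,
Sysmon/Security-log-style event records; the field names are assumptions.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry).  Each record carries the
# minimum a SIEM export would: host, event type, and a detail string.
SAMPLE_EVENTS = [
    {"host": "PHARM-SRV01", "type": "process",
     "detail": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe"},
    {"host": "PHARM-SRV01", "type": "file", "detail": r"C:\Windows\Temp\test.xml"},
    {"host": "PHARM-SRV01", "type": "process", "detail": r"C:\Users\Public\AnyDesk.exe --install"},
    {"host": "PHARM-SRV01", "type": "account_created", "detail": "user=svc_backup2"},
    # A host that only runs the ScreenConnect client: legitimate IT tooling.
    {"host": "CLINIC-WS07", "type": "process",
     "detail": r"C:\Program Files (x86)\ScreenConnect Client (def)\ScreenConnect.WindowsClient.exe"},
    {"host": "CLINIC-WS07", "type": "process", "detail": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# TTPs reported in the alert, each mapped to a simple matcher.  The alert
# writes the payload name defanged as test[dot]xml; on disk it is test.xml.
INDICATORS = {
    "screenconnect_client": lambda e: e["type"] == "process" and "screenconnect" in e["detail"].lower(),
    "second_rat_anydesk":   lambda e: e["type"] == "process" and "anydesk" in e["detail"].lower(),
    "payload_test_xml":     lambda e: e["type"] == "file" and e["detail"].lower().endswith("\\test.xml"),
    "new_local_account":    lambda e: e["type"] == "account_created",
}


def hunt(events, min_hits=2):
    """Return {host: sorted indicator names} for hosts showing at least
    min_hits distinct TTPs.  A lone ScreenConnect client is normal in many
    environments; only the combination (client plus a second RAT, the
    payload, or a new account) is worth an analyst's time."""
    hits = defaultdict(set)
    for e in events:
        for name, match in INDICATORS.items():
            if match(e):
                hits[e["host"]].add(name)
    return {h: sorted(n) for h, n in hits.items() if len(n) >= min_hits}


if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

Lowering `min_hits` to 1 turns the hunt into an inventory of every host running a ScreenConnect client, which is the first step in finding unmanaged on-prem instances like the one the alert describes.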

It added that the full extent of this incident is still unknown and is being investigated to determine its potential wider impact. “While no attribution is presently known, organizations can still take proactive steps to protect themselves and mitigate against potential future incidents.”

The agency called upon cybersecurity teams to educate and train staff to reduce the risk of social engineering attacks via email and network access; assess enterprise risk against all potential vulnerabilities and prioritize implementing the security plan with the necessary budget, staff, and tools; and develop a cybersecurity roadmap that everyone in the healthcare organization understands.   

It added that CISA (the Cybersecurity and Infrastructure Security Agency) also offers, at no cost, Cyber Hygiene Vulnerability Scanning services to federal, state, local, tribal, and territorial (SLTT) governments, as well as public and private sector critical infrastructure organizations. The service helps organizations monitor and evaluate their external network posture.

Last month, the CISA reported on the findings of a risk and vulnerability assessment conducted for an HPH sector organization. The report outlines the activities and key findings of the assessment team, providing valuable recommendations for network defenders and software manufacturers to enhance their organizations’ and customers’ cybersecurity. The assessment was conducted in response to a request from the HPH sector organization in January, to identify vulnerabilities and areas for improvement.
