Incident Details
Huntress has observed a number of unauthorized access incidents in the healthcare industry, with activity indicating internal reconnaissance and preparation for further malicious actions by threat actors targeting multiple healthcare entities. The perpetrators gained entry into the victims' systems by exploiting a locally hosted instance of ScreenConnect, a commonly used remote access tool. That instance was used by Transaction Data Systems, the creators of the Rx30 and ComputerRx software, now known as Outcomes following a recent merger. The attackers then took various measures to ensure continuous access to the affected networks, including setting up additional remote access tools such as ScreenConnect or AnyDesk.
Incident
How Did the Breach Happen?
A security breach occurred when individuals gained unauthorized access to a version of ScreenConnect that was being hosted locally. This popular remote access tool was used by the attackers as a point of entry into the organizations they targeted.
What Data has been Compromised?
The specific details of the data impacted by this breach have not been mentioned in the information provided.
Why Did the Company's Security Measures Fail?
The security measures of the company were ineffective when attackers exploited a weakness in the ScreenConnect remote access tool, enabling them to unlawfully access the victim organizations.
What Immediate Impact Did the Breach Have on the Company?
The precise consequences of the security breach on the company have not been explicitly outlined in the information provided.
How could this have been prevented?
Regularly updating and patching software systems, such as remote access tools like ScreenConnect, is crucial in preventing breaches. Utilizing multi-factor authentication and routinely monitoring network activity can also aid in the identification and prevention of unauthorized access.
What have we learned from this data breach?
This incident has highlighted the significance of conducting frequent vulnerability assessments and maintaining up-to-date patch management to thwart the exploitation of identified vulnerabilities in software systems.
Summary of Coverage
Unauthorized persons were able to gain access in this incident through a self-hosted version of the ScreenConnect remote access tool. This access was exploited by the attackers to infiltrate various healthcare establishments. To avoid similar breaches in the future, it is crucial to consistently update and maintain software systems.