The Health Sector Cybersecurity Coordination Center (HC3) has released a sector alert warning of unauthorized access to systems within the Healthcare and Public Health (HPH) sector. The alert concerns threat actors abusing the legitimate remote access tool ScreenConnect, a technique that threatens both federal and private industry victims and that, in the observed activity, was aimed squarely at healthcare organizations. The alert provides an overview of the activity, including its technical details, indicators of compromise (IOCs), and the mitigations recommended for detecting and defending against it.
Between October 28 and November 8, 2023, an unidentified threat actor abused a locally hosted ScreenConnect instance as the initial access vector into victim organizations in the healthcare sector. Once inside, the attacker installed additional remote access tools, namely further ScreenConnect or AnyDesk instances, to guarantee persistent access to the environment. The intrusions traced back to a pharmacy supply chain and management systems solution provider with customers in all 50 states, so the potential blast radius was a central concern. The incidents shared uniform tactics, techniques, and procedures (TTPs), indicating that a single actor was behind all of them. The compromised endpoints, belonging to a pharmaceutical firm and a healthcare provider, were running Windows Server 2019. ScreenConnect was central to the compromise: it was used to install additional payloads, execute commands, transfer files, and install AnyDesk. The threat actor also attempted to create a new user account to retain access to the compromised systems.
The sector alert lists indicators of compromise (IOCs), including specific IP addresses linked to the malicious ScreenConnect instances and AnyDesk installations. To counter intrusions of this kind, the alert recommends proactive defense and mitigation measures, including improved endpoint monitoring, adherence to established cybersecurity frameworks, and proactive threat hunting. Pharmacies and healthcare organizations affiliated with the impacted pharmacy supply chain and management systems solution provider are strongly urged to scrutinize their systems for the IOCs without delay. The urgency stems from the potential impact on patient data, privacy, and the critical services the healthcare industry provides, which calls for a comprehensive and immediate response.
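The TTP chain described above (ScreenConnect client spawning a shell, a second remote access tool installed through it, a new local account created, and traffic to listed IP addresses) can be hunted over process-creation telemetry. The following is an added example written for this page, not code from the HC3 alert or from ConnectWise, and it makes several assumptions: the event records use Sysmon Event ID 1 style fields (`host`, `ts`, `image`, `parent`, `cmdline`, plus a `dest_ip` joined from the process's network-connection event), the sample events are constructed, the binary names and the AnyDesk `--install` flags are typical defaults rather than values from the alert, and `IOC_IPS` holds a TEST-NET-3 documentation address as a placeholder for the addresses the alert actually lists.

```python
"""Hunt for the ScreenConnect -> AnyDesk -> new-local-account chain over
process-creation telemetry (Sysmon Event ID 1 / Security 4688 style fields).
All sample events below are constructed for illustration."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Remote-access binaries named in the alert (typical default file names, assumed).
SCREENCONNECT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
ANYDESK_IMAGES = {"anydesk.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# PLACEHOLDER: a TEST-NET-3 documentation address, NOT an IOC from the alert.
# Replace with the IP addresses published in the HC3 sector alert.
IOC_IPS = {"203.0.113.45"}

# "net user <name> [password] /add" (net.exe or net1.exe) or PowerShell New-LocalUser.
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+(?:\S+\s+)?/add\b", re.IGNORECASE)
NEW_LOCALUSER = re.compile(r"\bNew-LocalUser\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> set:
    """Return the set of indicator names a single event matches."""
    hits = set()
    image = basename(event["image"])
    parent = basename(event.get("parent", ""))
    cmd = event.get("cmdline", "")
    if parent in SCREENCONNECT_IMAGES and image in SHELLS:
        hits.add("screenconnect_spawned_shell")       # hands-on-keyboard via ScreenConnect
    if image in ANYDESK_IMAGES and "--install" in cmd.lower():
        hits.add("anydesk_install")                   # second RAT installed for persistence
    if parent in SCREENCONNECT_IMAGES and image in ANYDESK_IMAGES:
        hits.add("anydesk_dropped_by_screenconnect")  # one RAT delivering another
    if NET_USER_ADD.search(cmd) or NEW_LOCALUSER.search(cmd):
        hits.add("local_account_created")             # persistence via a new user
    if event.get("dest_ip") in IOC_IPS:
        hits.add("known_bad_destination")             # direct IOC match
    return hits


def hunt(events, min_indicators=2):
    """Correlate indicators per host. A host is flagged only when it shows at
    least min_indicators distinct indicators, so a technician running a single
    command through ScreenConnect does not by itself trip the hunt."""
    indicators = defaultdict(set)
    evidence = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = classify(ev)
        if hits:
            indicators[ev["host"]].update(hits)
            evidence[ev["host"]].append((ev["ts"], sorted(hits), ev.get("cmdline", "")))
    flagged = {h: sorted(s) for h, s in indicators.items() if len(s) >= min_indicators}
    return flagged, dict(evidence)


# Constructed sample telemetry: RX-APP01 shows the full chain, RX-APP02 only a
# benign-looking command run through ScreenConnect.
SC_CLIENT = r"C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    {"host": "RX-APP01", "ts": "2023-11-02T14:01:10Z", "parent": r"C:\Windows\System32\services.exe",
     "image": SC_CLIENT, "cmdline": SC_CLIENT},
    {"host": "RX-APP01", "ts": "2023-11-02T14:03:42Z", "parent": SC_CLIENT,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net user svc_backup P@ssw0rd! /add"},
    {"host": "RX-APP01", "ts": "2023-11-02T14:05:07Z", "parent": SC_CLIENT,
     "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": r'C:\Users\Public\AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent',
     "dest_ip": "203.0.113.45"},
    {"host": "RX-APP02", "ts": "2023-11-02T09:12:00Z", "parent": SC_CLIENT,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"host": "RX-APP02", "ts": "2023-11-02T09:15:00Z", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    flagged, evidence = hunt(SAMPLE_EVENTS)
    for host, inds in flagged.items():
        print(f"{host}: {', '.join(inds)}")
        for ts, hits, cmd in evidence[host]:
            print(f"  {ts} {hits} {cmd}")
```

Run as-is it flags RX-APP01 and leaves RX-APP02 alone. The correlation threshold is the important design choice: ScreenConnect is a legitimate tool in many healthcare environments, so a single shell spawned from the client is an alert-fatigue generator, while ScreenConnect plus a second remote access tool or a new local account is the pattern the alert describes and is worth an immediate look.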
While the full extent of the incident remains under investigation, the alert advocates proactive measures to strengthen defenses against future incidents. Cybersecurity professionals recommend a comprehensive approach, including staff education and training, a thorough assessment of enterprise risk, and the development of a cybersecurity roadmap. The alert emphasizes prioritizing security and making use of available resources, such as the Cyber Hygiene Vulnerability Scanning service offered by the Cybersecurity and Infrastructure Security Agency (CISA). As stated in the alert, "Pharmacies and other healthcare organizations that may be clients of the pharmacy supply chain and management systems solution provider should immediately examine their systems and networks for the above IOCs. Any discovery of these should be taken seriously and investigated promptly." Given what a breach in the HPH sector puts at stake, particularly patient data, privacy, and the availability of critical services, a comprehensive response is needed. Maintaining awareness, assessing vulnerabilities, and equipping staff with the necessary tools and resources remain priorities for preventing cyberattacks within the healthcare industry in the face of ongoing threats.