In the News: Feds Warn Healthcare Sector of ScreenConnect Threats
Published originally on January 25, 2024 by Marianne Kolbasuk McGee on Bank Info Security.

Federal authorities are warning of attacks on healthcare sector firms that use ConnectWise’s remote access tool ScreenConnect. Hackers compromised a locally hosted version of the tool used by a large national pharmacy supply chain and managed services provider in 2023.

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center, in an alert Monday, warned pharmacies and other healthcare organizations to “immediately examine their systems and networks” for indicators of compromise potentially involving ScreenConnect.

Defending Against This Exploit

Because the endpoints compromised in the ScreenConnect incident operated on an unmanaged instance of a Windows Server 2019 system, organizations using the software should take concerted steps to safeguard their infrastructure, HHS warned.

“…You can’t layer defenses unless you know what you have to defend.”

Ashley Leonard, CEO at security firm Syxsense, offered a similar assessment of the ScreenConnect compromise. “The initial access vector was an unmanaged, unpatched, on-premises server that was hosting a local version of ScreenConnect,” he said.

“Unfortunately, as much as the IT and security communities reiterate the need for active management of assets – workstations, servers, applications, etc. – this continues to be difficult for organizations.

“With more distributed IT environments and remote workforces, assets can be easily forgotten,” Leonard said. He added that organizations across the healthcare ecosystem – as well as other sectors – need to look more closely at their inventory and asset management.

Read the full story on Bank Info Security.