The attackers abused a locally hosted instance of a widely-used remote access tool, ScreenConnect—utilized by the company Transaction Data Systems (which recently merged with and was renamed Outcomes), the makers of Rx30 and ComputerRx software — for initial access to victim organizations. The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments.

Click for details.