Government Issues Warning to Healthcare Organizations About Daixin Team Extortion and Ransomware Attacks

October 24, 2022

A relatively new data extortion and ransomware gang known as Daixin team is actively targeting U.S. healthcare organizations, prompting a warning from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

Daixin Team first appeared on the radar in June 2022, and the group has predominantly conducted data extortion and ransomware attacks on organizations in the health and public health (HPH) sector. The attacks have encrypted data, prevented access to electronic health records, and caused major disruption to healthcare services, including diagnostics and imaging, and forced appointments to be postponed. The #StopRansomware: Daixin Team alert shares the observed tactics, techniques, and procedures used by Daixin Team, along with Indicators of Compromise (IoCs) and several suggested mitigations to make it harder for attacks to succeed.

Daixin Team gains access to healthcare networks, conducts reconnaissance, and identifies and exfiltrates data of interest, which is then used as leverage to extort money from victims. The group seeks to establish communications with victims directly and advises them not to work with ransomware remediation firms. If contact is not made within 5 days of the attack, the group threatens to publicly release the stolen data.

Daixin Team is known to gain access to victims' networks by exploiting vulnerabilities in VPN servers, often using compromised VPN credentials for accounts that do not have multi-factor authentication enabled. In some attacks, the group has obtained VPN credentials through phishing emails with malicious attachments. Once access is gained, the attackers move laterally within networks using Secure Shell (SSH) and Remote Desktop Protocol (RDP), escalate privileges through credential dumping and pass-the-hash, exfiltrate data (including with tools such as Rclone and Ngrok), and then deploy their ransomware payload, which is believed to be based on the publicly released Babuk Locker ransomware code.

In some attacks, privileged accounts have been used to gain access to VMware vCenter Server, and account passwords have been reset for ESXi servers. SSH was then used to connect to the ESXi servers, where ransomware was deployed.
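As an added example (not code from the advisory or from HIPAA Journal), the following Python script turns the tradecraft described above into simple detection rules and runs them over constructed log lines: VPN logons on accounts without MFA, execution of the Rclone and Ngrok tools the alert names as exfiltration utilities, password resets targeting ESXi hosts, and SSH logons to ESXi hosts. The log line format, host names, user names, and event names are assumptions made for this example and do not correspond to any real product's telemetry.

```python
import re

# Constructed sample events for this example (not real telemetry); one event per line:
#   <timestamp> <host> <user> <event_type> <key=value ...>
SAMPLE_EVENTS = [
    "2022-10-20T01:12:03Z vpn-gw01 jdoe vpn_login mfa=false src=203.0.113.45",
    "2022-10-20T01:12:40Z vpn-gw01 asmith vpn_login mfa=true src=198.51.100.7",
    r'2022-10-20T02:05:11Z ws-0142 jdoe process_create image=C:\Users\jdoe\AppData\Local\Temp\rclone.exe cmdline="rclone copy D:\Exports remote:bucket"',
    r'2022-10-20T02:07:30Z ws-0142 jdoe process_create image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"',
    r'2022-10-20T02:09:02Z ws-0142 jdoe process_create image=C:\Temp\ngrok.exe cmdline="ngrok tcp 3389"',
    "2022-10-20T02:20:44Z vcenter01 svc-backup password_reset target=esxi-03 account=root",
    "2022-10-20T02:30:15Z esxi-03 root ssh_login src=10.10.5.21",
]

# key=value attributes; a value may be a double-quoted string containing spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process names of the exfiltration tools named in the advisory
EXFIL_TOOLS = {"rclone", "rclone.exe", "ngrok", "ngrok.exe"}


def parse_event(line: str) -> dict:
    """Split one log line into its four fixed fields plus any key=value attributes."""
    ts, host, user, event, rest = line.split(" ", 4)
    attrs = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"ts": ts, "host": host, "user": user, "event": event, **attrs}


def image_basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def hunt(lines) -> list:
    """Return one finding per event that matches a Daixin-style TTP from the alert."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rule = None
        detail = ev["user"]
        # Initial access: VPN credential use on an account without MFA
        if ev["event"] == "vpn_login" and ev.get("mfa") == "false":
            rule = "vpn_login_without_mfa"
        # Exfiltration: Rclone / Ngrok process creation on an endpoint
        elif ev["event"] == "process_create":
            name = image_basename(ev.get("image", ""))
            if name in EXFIL_TOOLS:
                rule, detail = "exfil_tool_execution", name
        # Impact staging: ESXi account password reset issued from vCenter
        elif ev["event"] == "password_reset" and ev.get("target", "").lower().startswith("esxi"):
            rule, detail = "esxi_credential_reset", ev["target"]
        # Impact staging: interactive SSH logon to an ESXi host
        elif ev["event"] == "ssh_login" and ev["host"].lower().startswith("esxi"):
            rule = "ssh_logon_to_esxi"
        if rule:
            findings.append({"ts": ev["ts"], "host": ev["host"], "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:<10} {f['rule']:<24} {f['detail']}")
```

In practice each rule maps onto a different log source (VPN appliance authentication logs, EDR process creation events, vCenter audit events, and ESXi authentication logs), and the value comes from seeing them in sequence on one network: a no-MFA VPN logon followed within hours by Rclone or Ngrok execution and an ESXi credential reset is the chain the alert describes, and any one of those hits in a healthcare environment that does not legitimately use those tools warrants immediate triage.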

The FBI, CISA, and HHS have shared several mitigations that can help healthcare organizations protect against Daixin Team attacks. These measures include:

  • Patching promptly and keeping software up to date
  • Implementing phishing-resistant multi-factor authentication
  • Securing or disabling Remote Desktop Protocol
  • Turning off SSH and network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs)
  • Securing passwords with strong encryption
  • Implementing and enforcing multi-layer network segmentation
  • Limiting access to data through public key infrastructure and digital certificates to authenticate connections to devices
  • Securing ePHI at collection points using encryption
  • Ensuring compliance with the HIPAA Security Rule with respect to ePHI

The post Government Issues Warning to Healthcare Organizations About Daixin Team Extortion and Ransomware Attacks appeared first on HIPAA Journal.