Jump to content
  • US govt warns of Daixin Team targeting health orgs with ransomware

    alf9872000

    • 319 views
    • 3 minutes
     Share


    • 319 views
    • 3 minutes

    CISA, the FBI, and the Department of Health and Human Services (HHS) warned that a cybercrime group known as Daixin Team is actively targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.

     

    The federal agencies also shared indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) in a joint advisory issued today to help security professionals detect and block attacks using this ransomware strain.

     

    "The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022," the advisory revealed.

     

    Since June, Daixin Team attackers have been linked to multiple health sector ransomware incidents where they've encrypted systems used for many healthcare services, including electronic health records storage, diagnostics, imaging services, and intranet services.

     

    They're also known for stealing patient health information (PHI) and personal identifiable information (PII) and using it for double extortion to pressure victims into paying ransoms under the threat of releasing the stolen information online.

     

    The ransomware gang gains access to targets' networks by exploiting known vulnerabilities in the organizations' VPN servers or with the help of compromised VPN credentials belonging to accounts with multi-factor authentication (MFA) toggled off.

     

    Once in, they use Remote Desktop Protocol (RDP) and Secure Shell (SSH) to move laterally through the victim's networks.

     

    Daixin_ransom_note.png

    Daixin Team ransom note (CISA/FBI/HHS)

     

    To deploy the ransomware payloads, they escalate privileges using various methods, such as credential dumping.

     

    This privileged access is also used to "gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment" with the same goal of encrypting the systems using ransomware.

     

    "According to third-party reporting, the Daixin Team's ransomware is based on leaked Babuk Locker source code," the federal agencies added

     

    "This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/." 

     

    Before encrypting their victims' devices, they use Rclone or Ngrok to exfiltrate stolen data to dedicated virtual private servers (VPS).

     

    U.S. health organizations are advised to take the following measures to defend against Daixin Team's attacks:

    • Install updates for operating systems, software, and firmware as soon as they are released.
    • Enable phishing-resistant MFA for as many services as possible.
    • Train employees to recognize and report phishing attempts.

     

    In August, CISA and the FBI also warned that attackers known for mainly targeting the healthcare and medical industries with Zeppelin ransomware might encrypt files multiple times, making file recovery more tedious.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...