A joint security alert has been issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) about Daixin Team, a ransomware and data extortion group that predominantly attacks the Healthcare and Public Health (HPH) sector.
Daixin Team first started conducting ransomware and data extortion attacks in June 2022. The group targets businesses in general, but many of its victims have been in the HPH sector. It typically gains initial access by exploiting unpatched vulnerabilities in virtual private network (VPN) servers. It has also logged in with previously compromised VPN credentials for accounts that did not have multi-factor authentication enabled; those credentials are believed to have been harvested through phishing emails carrying malicious attachments.
Once inside a victim's network, the group uses Secure Shell (SSH) and Remote Desktop Protocol (RDP) for lateral movement and escalates privileges through credential dumping and pass-the-hash. It has used the privileged accounts it obtains to access VMware vCenter Server and reset the passwords of ESXi servers in the environment, then connected to those ESXi servers over SSH to deploy its ransomware.
Like many ransomware operators, Daixin Team exfiltrates data before it encrypts files, and the stolen data is used as leverage to pressure victims into paying. The ransomware itself is a variant based on leaked Babuk Locker source code. After encryption, victims are given 5 days to make contact and pay the ransom; otherwise the group publishes the stolen data.
Healthcare victims include OakBend Medical Center in Texas, Physicians' Spine and Rehabilitation Specialists of Georgia, and Fitzgibbon Hospital in Missouri. The attacks have caused major disruption to healthcare services, delayed diagnostics and medical imaging, and cut off access to electronic medical records. Daixin Team claimed to have stolen the protected health information of 1.2 million patients in the attack on OakBend Medical Center.
The alert includes several mitigations for hardening defenses, including deploying phishing-resistant multi-factor authentication, keeping all software, operating systems, and firmware up to date, providing regular security awareness training to the workforce, and securing and monitoring RDP. Given the ESXi tradecraft described above, the same monitoring should extend to SSH logins on ESXi hosts, where SSH is disabled by default and any successful login is worth a look.
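The lateral-movement chain described above (SSH to ESXi hosts, RDP, and pass-the-hash) and the alert's advice to monitor RDP both come down to the same detection question: which hosts is a given source authenticating to, how, and is that source an approved admin host? The following is an added example, not code from the alert or from any vendor, showing three simple rules run over constructed log data: an ESXi `/var/log/auth.log` excerpt in OpenSSH "Accepted ..." format, and a handful of Windows Security 4624 logon events reduced to the few fields the rules need (field names shortened from the real event schema). The jump-host allowlist, the fan-out threshold and window, and all sample lines are assumptions for illustration.

```python
"""Detection rules for a Daixin-style intrusion chain: SSH logins to ESXi
hosts, RDP logons from unapproved sources, and NTLM network-logon fan-out,
which is how pass-the-hash lateral movement looks to the target hosts.
All log lines and events below are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical allowlist: the only hosts admins should use for SSH/RDP.
ADMIN_JUMP_HOSTS = {"10.0.0.5"}
# Fan-out heuristic: one source with NTLM network logons to this many distinct
# hosts inside FANOUT_WINDOW is treated as lateral movement (tune per environment).
FANOUT_HOSTS = 3
FANOUT_WINDOW = timedelta(minutes=10)

# Constructed ESXi auth.log lines (sshd "Accepted" format, timestamps simplified).
ESXI_AUTH_LOG = """\
2022-10-10T03:12:44Z esxi01 sshd[2001]: Accepted password for root from 10.0.0.5 port 50112 ssh2
2022-10-10T03:40:02Z esxi01 sshd[2087]: Accepted keyboard-interactive/pam for root from 10.20.30.40 port 51234 ssh2
2022-10-10T03:41:15Z esxi02 sshd[1955]: Accepted keyboard-interactive/pam for root from 10.20.30.40 port 51240 ssh2
"""

SSH_ACCEPT = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed Windows 4624 events. LogonType 10 = RemoteInteractive (RDP);
# LogonType 3 with the NTLM package = network logon, the footprint of pass-the-hash.
WINDOWS_4624 = [
    {"ts": "2022-10-10T03:45:00Z", "Computer": "FILESRV01", "LogonType": 10, "AuthPackage": "Negotiate", "User": "jdoe", "IpAddress": "10.0.0.5"},
    {"ts": "2022-10-10T03:50:10Z", "Computer": "FILESRV01", "LogonType": 3, "AuthPackage": "NTLM", "User": "svc_backup", "IpAddress": "10.20.30.40"},
    {"ts": "2022-10-10T03:50:12Z", "Computer": "SQL01", "LogonType": 3, "AuthPackage": "NTLM", "User": "svc_backup", "IpAddress": "10.20.30.40"},
    {"ts": "2022-10-10T03:50:15Z", "Computer": "DC01", "LogonType": 3, "AuthPackage": "NTLM", "User": "svc_backup", "IpAddress": "10.20.30.40"},
    {"ts": "2022-10-10T03:52:00Z", "Computer": "IMG01", "LogonType": 10, "AuthPackage": "Negotiate", "User": "svc_backup", "IpAddress": "10.20.30.40"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def check_esxi_ssh(log_text, allow=ADMIN_JUMP_HOSTS):
    """Any successful SSH login to an ESXi host from outside the jump-host set."""
    alerts = []
    for line in log_text.splitlines():
        m = SSH_ACCEPT.match(line)
        if m and m["src"] not in allow:
            alerts.append(Alert("esxi_ssh_login", m["src"], f"{m['user']}@{m['host']} via {m['method']}"))
    return alerts


def check_rdp(events, allow=ADMIN_JUMP_HOSTS):
    """RDP logon (LogonType 10) from a source that is not an approved admin host."""
    return [Alert("rdp_from_unapproved_source", e["IpAddress"], f"{e['User']}@{e['Computer']}")
            for e in events if e["LogonType"] == 10 and e["IpAddress"] not in allow]


def check_ntlm_fanout(events, n=FANOUT_HOSTS, window=FANOUT_WINDOW):
    """One source with NTLM network logons to >= n distinct hosts within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["LogonType"] == 3 and e["AuthPackage"] == "NTLM":
            by_src[e["IpAddress"]].append((parse_ts(e["ts"]), e["Computer"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide a window starting at each logon
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= n:
                alerts.append(Alert("ntlm_fanout", src, f"{len(hosts)} hosts: {sorted(hosts)}"))
                break
    return alerts


def run_all():
    return check_esxi_ssh(ESXI_AUTH_LOG) + check_rdp(WINDOWS_4624) + check_ntlm_fanout(WINDOWS_4624)


if __name__ == "__main__":
    for a in run_all():
        print(f"[{a.rule}] src={a.src} {a.detail}")
```

On the constructed data the source 10.20.30.40 trips all three rules: two SSH logins to ESXi hosts, an RDP logon to IMG01, and NTLM network logons to three servers inside fifteen seconds. The allowlist approach is deliberately blunt; in production the SSH rule alone is usually enough on ESXi, since the service should be off and a successful login from anywhere other than a known admin host is the event that precedes the password resets and encryption described in the alert.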
The full list of recommended mitigations and the indicators of compromise (IoCs) are detailed in the joint advisory, which can be viewed here.