Government Warns Healthcare Providers Concerning Daixin Team Extortion and Ransomware Attacks

Daixin Team is a fairly new data extortion and ransomware group that is actively attacking U.S. healthcare providers. The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation (FBI) have issued a joint warning about the group.

Daixin Team first appeared in June 2022. The group mainly conducts data extortion and ransomware attacks against organizations in the Healthcare and Public Health (HPH) sector. Its attacks have encrypted data, blocked access to electronic health records, and disrupted the delivery of healthcare services, resulting in postponed appointments, diagnostics, and imaging. The #StopRansomware: Daixin Team alert describes the tactics, techniques, and procedures (TTPs) the group uses, lists indicators of compromise (IoCs), and recommends mitigations to prevent these attacks.

Daixin Team gains access to healthcare systems, performs reconnaissance, and identifies and exfiltrates data of interest, which it then uses to extort money from victims. The group warns victims not to contact ransomware remediation firms. If there is no response within 5 days of the attack, the attackers threaten to publish the stolen data.

Daixin Team is known to gain access to victims' systems by exploiting vulnerabilities in VPN servers, typically using compromised VPN credentials for accounts that do not have multi-factor authentication enabled. In some attacks, the group obtained VPN credentials through phishing emails carrying malicious attachments. Once access is acquired, the attackers move laterally within the network using Secure Shell (SSH) and Remote Desktop Protocol (RDP), escalate privileges through credential dumping and pass-the-hash, exfiltrate data using tools such as Rclone and Ngrok, and then deploy their ransomware payload, which is believed to be based on the publicly leaked Babuk Locker ransomware source code.

In some cases, the attackers used privileged accounts to access the VMware vCenter Server and reset passwords for ESXi server accounts. They then used SSH to connect to the ESXi servers and deployed the ransomware there.
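The intrusion chain described in the two paragraphs above (VPN login without MFA, Rclone/Ngrok execution, and an ESXi account password reset via vCenter followed by an SSH login to that host) can be expressed as correlation rules over ordinary authentication, process and hypervisor logs. The script below is an added example written for this article; it is not code from the advisory or from CISA. The log line layout, field names and all sample records are constructed, and the one-hour reset-to-SSH window is an assumed threshold.

```python
"""Correlate constructed log records for the intrusion chain the advisory describes.

Added example, not from the CISA/FBI/HHS advisory. Three stages are flagged:
  1. VPN logins that succeeded without MFA
  2. execution of exfiltration tooling (Rclone, Ngrok)
  3. an ESXi account password reset through vCenter followed by an SSH login
     to that ESXi host with the same account inside a short window
The syslog-like layout "<ts> <host> <kind> key=value ..." is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real telemetry). Raw string keeps the Windows paths intact.
SAMPLE_LOGS = r"""2022-10-20T02:11:05Z vpn-gw auth user=jsmith src=198.51.100.23 result=success mfa=no
2022-10-20T02:12:40Z vpn-gw auth user=mlee src=203.0.113.9 result=success mfa=yes
2022-10-20T03:05:12Z ws-42 process user=jsmith image=C:\Temp\rclone.exe cmdline="rclone copy D:\EHR remote:bucket"
2022-10-20T03:07:58Z ws-42 process user=jsmith image=C:\Temp\ngrok.exe cmdline="ngrok tcp 3389"
2022-10-20T03:30:00Z vcenter-01 account event=PasswordReset actor=svc-backup target_host=esxi-01 account=root
2022-10-20T03:41:15Z esxi-01 sshd user=root src=10.0.5.17 result=success
2022-10-20T09:00:00Z esxi-02 sshd user=root src=10.0.5.17 result=success
"""

# Binaries named in the advisory as exfiltration tooling (image basename, lower-cased).
EXFIL_TOOLS = {"rclone.exe", "ngrok.exe", "rclone", "ngrok"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "kind": m["kind"],
    }
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    return rec


def detect(log_text, reset_to_ssh_window=timedelta(hours=1)):
    """Return a list of (rule, asset, detail) findings for the given log text."""
    records = sorted(
        (r for r in map(parse_line, log_text.splitlines()) if r),
        key=lambda r: r["ts"],
    )
    findings = []
    resets = defaultdict(list)  # (esxi host, account) -> timestamps of password resets
    for r in records:
        kind = r["kind"]
        if kind == "auth" and r.get("result") == "success" and r.get("mfa") == "no":
            findings.append(("vpn_login_without_mfa", r.get("user"), r.get("src")))
        elif kind == "process":
            # Normalise the image path and compare only the basename.
            image = r.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in EXFIL_TOOLS:
                findings.append(("exfil_tool_execution", r["host"], image))
        elif kind == "account" and r.get("event") == "PasswordReset":
            resets[(r.get("target_host"), r.get("account"))].append(r["ts"])
        elif kind == "sshd" and r.get("result") == "success":
            key = (r["host"], r.get("user"))
            if any(timedelta(0) <= (r["ts"] - t) <= reset_to_ssh_window for t in resets.get(key, [])):
                findings.append(("esxi_ssh_after_password_reset", r["host"], r.get("user")))
    return findings


if __name__ == "__main__":
    for rule, asset, detail in detect(SAMPLE_LOGS):
        print(f"{rule:32} {asset:16} {detail}")
```

The SSH login to esxi-02 produces no finding because no password reset for that host precedes it; the rule deliberately pairs the reset and the login on the same host and account so that routine administrator SSH sessions are not flagged.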

The FBI, HHS, and CISA have provided the following mitigations to help healthcare providers defend against Daixin Team attacks:

  • Patching immediately and updating software regularly
  • Using phishing-resistant multi-factor authentication
  • Securing or disabling Remote Desktop Protocol
  • Disabling SSH and network device management interfaces such as Winbox, Telnet, and HTTP for wide area networks (WANs)
  • Encrypting passwords
  • Implementing multi-layer network segmentation
  • Restricting access to data by using public key infrastructure and digital certificates to authenticate connections to devices
  • Using encryption to protect ePHI at collection points
  • Strictly complying with the HIPAA Security Rule with regard to ePHI
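Several of the mitigations above (phishing-resistant MFA, no RDP or management interfaces on the WAN, prompt patching) can be checked mechanically against an asset inventory. The script below is an added example for this article, not code from the advisory or from CISA. The inventory schema, the set of factor types treated as phishing-resistant, and the 30-day patch-age threshold are assumptions; the inventory contents are constructed.

```python
"""Audit a small asset and account inventory against the advisory's mitigation list.

Added example, not from the CISA/FBI/HHS advisory. The inventory schema
(account and device dictionaries), the rule thresholds and the inventory
contents below are assumptions / constructed data.
"""

# Constructed inventory. "mfa" is the strongest factor type enrolled on the account.
INVENTORY = {
    "accounts": [
        {"name": "jsmith", "vpn": True, "mfa": None},
        {"name": "mlee", "vpn": True, "mfa": "totp"},
        {"name": "admin-it", "vpn": True, "mfa": "fido2"},
        {"name": "kiosk", "vpn": False, "mfa": None},
    ],
    "devices": [
        {"name": "edge-router", "wan_services": ["ssh", "winbox", "https"], "patch_age_days": 3},
        {"name": "ws-42", "wan_services": ["rdp"], "patch_age_days": 10},
        {"name": "esxi-01", "wan_services": [], "patch_age_days": 120},
    ],
}

# Factor types treated as phishing-resistant (assumption: FIDO2/WebAuthn and PIV/smart card).
PHISHING_RESISTANT_MFA = {"fido2", "webauthn", "piv", "smartcard"}
# Management interfaces the advisory says should not be reachable from the WAN.
WAN_MGMT_INTERFACES = {"ssh", "telnet", "winbox", "http"}
MAX_PATCH_AGE_DAYS = 30  # assumed threshold for "patch immediately"


def audit_account(acct):
    """Findings for one account: VPN access must use phishing-resistant MFA."""
    findings = []
    if not acct.get("vpn"):
        return findings
    mfa = acct.get("mfa")
    if mfa is None:
        findings.append(("high", acct["name"], "VPN account has no MFA"))
    elif mfa.lower() not in PHISHING_RESISTANT_MFA:
        findings.append(("medium", acct["name"], f"VPN account uses non-phishing-resistant MFA ({mfa})"))
    return findings


def audit_device(dev):
    """Findings for one device: no RDP or management interfaces on the WAN, patches current."""
    findings = []
    exposed = {s.lower() for s in dev.get("wan_services", [])}
    if "rdp" in exposed:
        findings.append(("high", dev["name"], "RDP reachable from WAN"))
    mgmt = sorted(exposed & WAN_MGMT_INTERFACES)
    if mgmt:
        findings.append(("high", dev["name"], "management interfaces on WAN: " + ", ".join(mgmt)))
    if dev.get("patch_age_days", 0) > MAX_PATCH_AGE_DAYS:
        findings.append(("medium", dev["name"], f"patches {dev['patch_age_days']} days old"))
    return findings


def audit(inventory):
    """Run every rule and return findings ordered by severity, then asset name."""
    findings = []
    for acct in inventory.get("accounts", []):
        findings.extend(audit_account(acct))
    for dev in inventory.get("devices", []):
        findings.extend(audit_device(dev))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for sev, asset, msg in audit(INVENTORY):
        print(f"[{sev.upper():6}] {asset}: {msg}")
```

HTTPS on the router is intentionally not flagged: the advisory's list names SSH, Winbox, Telnet and HTTP, and a TLS-protected management interface is a separate decision for the operator; the rule sets are plain Python sets so they can be widened to match local policy.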