- The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and Department of Health and Human Services released a joint CSA to provide information on the Daixin Team.
- The advisory states that the group is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health Sector.
- Daixin Team has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022.
The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and Department of Health and Human Services are releasing a cybersecurity advisory for network defenders to inform them about Daixin Team, a cybercrime group that is actively targeting U.S. businesses. The hacker group is mainly targeting organizations in the Healthcare and Public Health Sector, with ransomware and data extortion operations.
The joint cybersecurity advisory is a part of the #StopRansomware effort, which focuses on publishing advisories that detail various ransomware variants and ransomware threat actors. According to the advisory, the gang routinely targets HPH Sector organizations with ransomware:
- As of October 2022, per FBI Internet Crime Complaint Center (IC3) data, specifically victim reports across all 16 critical infrastructure sectors, the HPH Sector accounts for 25 percent of ransomware complaints.
- According to an IC3 annual report in 2021, 649 ransomware reports were made across 14 critical infrastructure sectors; the HPH Sector accounted for the most reports at 148.
Daixin Team’s ransomware and data extortion operations have been running since at least June 2022. Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have:
- Deployed ransomware to encrypt servers responsible for healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services, and/or
- Exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.
Daixin actors gain initial access to victims through virtual private network (VPN) servers. The gang mainly exploits unpatched vulnerabilities in the organizations’ VPN servers. In some cases, the gang has also used compromised credentials to access a legacy VPN server that did not have multifactor authentication enabled. Daixin is believed to have acquired those VPN credentials through a phishing attack.
After gaining initial access, the gang moves laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). The actors obtain privileged account access through credential dumping and pass-the-hash. Using those privileged accounts, the team gains access to VMware vCenter Server and resets account passwords for the ESXi servers in the environment. Finally, they use SSH to connect to the accessible ESXi servers and deploy the ransomware.
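The chain above gives a defender three concrete things to look for: VPN logins on an appliance that does not enforce MFA, password resets on ESXi hosts issued through vCenter, and SSH sessions to ESXi hosts that do not come from the expected administrative source. The following script, an added example that is not part of the advisory or of any vendor tooling, runs those three checks over a small set of constructed, pre-normalised events. The event schema, host names, IP addresses and the bastion allow-list are all assumptions; real VPN, vCenter and ESXi logs would need their own parsers feeding into the same rules.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One normalised authentication event. The schema is an assumption
    for this example; real VPN, vCenter and ESXi logs need their own
    parsers that produce records of this shape."""
    ts: int           # seconds since epoch (constructed values)
    kind: str         # "vpn_login" | "ssh_login" | "pw_reset"
    src: str          # source IP address
    user: str         # account used
    host: str         # VPN appliance or ESXi host name
    mfa: bool = True  # only meaningful for vpn_login


# Assumed environment facts: which hosts are ESXi, and which source
# addresses are the only ones allowed to open SSH sessions to them.
ESXI_HOSTS = {"esx01", "esx02"}
SSH_ALLOWED_SOURCES = {"10.0.5.10"}  # constructed bastion / jump host

# Constructed sample events: a routine admin session on esx01 and a
# chain on esx02 resembling the one the advisory describes.
SAMPLE_EVENTS = [
    Event(1000, "vpn_login", "203.0.113.5", "jdoe", "vpn-legacy", mfa=False),
    Event(1100, "vpn_login", "198.51.100.7", "asmith", "vpn-main", mfa=True),
    Event(1300, "ssh_login", "10.0.5.10", "admin", "esx01"),
    Event(2000, "pw_reset", "10.0.20.33", "svc_vcenter", "esx02"),
    Event(2400, "ssh_login", "10.0.20.33", "root", "esx02"),
    Event(9000, "pw_reset", "10.0.5.10", "admin", "esx01"),
    Event(20000, "ssh_login", "10.0.5.10", "admin", "esx01"),
]


def vpn_logins_without_mfa(events: list[Event]) -> list[Event]:
    """Successful VPN logins where the appliance did not enforce MFA."""
    return [e for e in events if e.kind == "vpn_login" and not e.mfa]


def ssh_to_esxi_from_unexpected_source(events: list[Event],
                                       allowed=SSH_ALLOWED_SOURCES) -> list[Event]:
    """SSH logins to ESXi hosts from any address outside the allow-list."""
    return [e for e in events
            if e.kind == "ssh_login" and e.host in ESXI_HOSTS and e.src not in allowed]


def reset_followed_by_ssh(events: list[Event], window: int = 3600):
    """Pairs (reset, ssh) where an ESXi account password reset is followed
    by an SSH login to the same host within `window` seconds. Sorting by
    time lets the inner loop stop at the first event outside the window."""
    ordered = sorted(events, key=lambda e: e.ts)
    pairs = []
    for i, reset in enumerate(ordered):
        if reset.kind != "pw_reset" or reset.host not in ESXI_HOSTS:
            continue
        for later in ordered[i + 1:]:
            if later.ts - reset.ts > window:
                break
            if later.kind == "ssh_login" and later.host == reset.host:
                pairs.append((reset, later))
    return pairs


def triage(events: list[Event]) -> dict[str, int]:
    """Summarise findings as hit counts keyed by rule name."""
    return {
        "vpn_no_mfa": len(vpn_logins_without_mfa(events)),
        "ssh_esxi_unexpected_src": len(ssh_to_esxi_from_unexpected_source(events)),
        "reset_then_ssh": len(reset_followed_by_ssh(events)),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

On the constructed sample each rule fires exactly once, all on the esx02 chain and the legacy VPN login; the admin's own reset-and-login on esx01 is not paired because the two events are hours apart. The time window and the allow-list are the tuning knobs a team would adjust to its own change-management and bastion practices.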
CISA provided a long list of preparation, prevention, mitigation, and response measures for ransomware incidents to help organizations protect their data. The FBI, CISA, and HHS also strongly discourage paying ransoms, as doing so does not guarantee that files and records will be recovered. CISA said:
« The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Daixin Group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Regardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at cisa.gov/report. »