Chris Swagler | October 31st, 2022

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) issued a warning about the Daixin Team ransomware group targeting United States companies in the Healthcare and Public Health (HPH) Sector. The federal agencies shared in a joint advisory the indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) of threat actors to help security professionals detect and prevent attacks.

According to the joint advisory, the Daixin Team is a ransomware and data extortion group that has been targeting the HPH Sector since June 2022. The Daixin Team deploys the ransomware to encrypt servers used for numerous healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services. Additionally, the group exfiltrates personal identifiable information (PII) and patient health information (PHI), and uses the stolen data in double extortion tactics to pressure victims into paying ransom with the threat of releasing the stolen data online.

The agencies are advising health providers to secure their VPN servers, since that is how the ransomware group has gained initial access to previous targets, including by exploiting unpatched vulnerabilities in victims’ VPN servers. The threat actors have also used previously compromised credentials to access legacy VPN servers where multi-factor authentication (MFA) was not enabled, having acquired those VPN credentials through phishing emails with malicious attachments. Once they obtain access to victims’ VPN servers, the Daixin Team ransomware threat actors move laterally using Secure Shell (SSH) and Remote Desktop Protocol (RDP). They seek privileged accounts through credential dumping and “pass the hash”, in which threat operators move laterally using stolen password hashes.

Additionally, the threat actors use privileged accounts to access VMware vCenter Server, reset account passwords for ESXi servers in the environment, and then use SSH to connect to accessible ESXi servers and deploy the ransomware on them. According to threat research, the ransomware is based on leaked Babuk Locker source code and targets ESXi servers, encrypting files located in /vmfs/volumes/ with the extensions .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. For exfiltration, the threat actors use Rclone, an open-source program that manages files on cloud storage, to copy data to a dedicated virtual private server, and Ngrok, a reverse proxy tool that exposes internal servers on Ngrok domains.
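The TTPs above (SSH logins to ESXi hosts, Rclone and Ngrok execution, and bulk writes to VM files under /vmfs/volumes/) can be turned into simple SOC detections. The script below is an added example, not code from the advisory or from SpearTip; the log line format, the host inventory and the sample events are all constructed for illustration.

```python
import re
from collections import Counter

# File extensions the advisory says the ESXi locker encrypts under /vmfs/volumes/
VM_EXTENSIONS = (".vmdk", ".vmem", ".vswp", ".vmsd", ".vmx", ".vmsn")
# Exfiltration tooling named in the advisory
EXFIL_TOOLS = ("rclone", "ngrok")
# Constructed inventory of ESXi hosts (assumption: SSH on ESXi is normally disabled,
# so any accepted SSH login to one of these hosts is worth a ticket)
ESXI_HOSTS = {"esxi01", "esxi02"}

SSH_LOGIN = re.compile(r"sshd: Accepted \w+ for (\S+) from (\S+)")
VM_WRITE = re.compile(r"open\((/vmfs/volumes/\S+?)\) O_WRONLY")

# Constructed sample events in a made-up "timestamp host source message" format
SAMPLE_EVENTS = [
    "2022-10-20T01:02:03Z esxi01 auth sshd: Accepted password for root from 10.0.5.7 port 51234",
    "2022-10-20T01:02:40Z esxi01 shell [root]: ls /vmfs/volumes/datastore1/",
    "2022-10-20T01:03:10Z esxi01 vmkernel open(/vmfs/volumes/datastore1/ehr-db/ehr-db.vmdk) O_WRONLY",
    "2022-10-20T01:03:11Z esxi01 vmkernel open(/vmfs/volumes/datastore1/ehr-db/ehr-db.vmx) O_WRONLY",
    "2022-10-20T01:03:12Z esxi01 vmkernel open(/vmfs/volumes/datastore1/pacs/pacs.vmem) O_WRONLY",
    "2022-10-20T01:05:00Z jump01 proc rclone copy /data/export remote:bucket",
    "2022-10-20T01:05:30Z jump01 proc ngrok tcp 3389",
    "2022-10-20T02:00:00Z esxi02 vmkernel open(/vmfs/volumes/datastore2/backup.tgz) O_RDONLY",
]

def parse(line):
    """Split one constructed-format line into its four fields."""
    ts, host, source, message = line.split(" ", 3)
    return {"ts": ts, "host": host, "source": source, "msg": message}

def triage(lines, write_threshold=3):
    """Return findings keyed by the Daixin TTP each one corresponds to."""
    findings = {"esxi_ssh_logins": [], "exfil_tools": [], "vm_file_encryption": []}
    vm_writes = Counter()  # per-host count of writes to VM files under /vmfs/volumes/
    for ev in map(parse, lines):
        if ev["source"] == "auth" and ev["host"] in ESXI_HOSTS:
            m = SSH_LOGIN.search(ev["msg"])
            if m:
                findings["esxi_ssh_logins"].append((ev["host"], m.group(1), m.group(2)))
        elif ev["source"] == "proc" and ev["msg"].split()[0] in EXFIL_TOOLS:
            findings["exfil_tools"].append((ev["host"], ev["msg"].split()[0]))
        elif ev["source"] == "vmkernel":
            m = VM_WRITE.search(ev["msg"])
            if m and m.group(1).endswith(VM_EXTENSIONS):
                vm_writes[ev["host"]] += 1
    # A burst of writes to VM files on one host is the encryption signal; tune the threshold
    for host, n in vm_writes.items():
        if n >= write_threshold:
            findings["vm_file_encryption"].append((host, n))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the root SSH login on esxi01, the rclone and ngrok processes on jump01, and three VM-file writes on esxi01, while the read of backup.tgz on esxi02 is ignored.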

The advisory recommends that companies prioritize patching VPN servers, remote-access software, virtual-machine software, and known exploited vulnerabilities. Additionally, companies should lock down RDP, turn off SSH along with Telnet, Winbox, and HTTP for wide-area networks, and secure them with strong passwords and encryption when enabled. Companies should consider using a centralized patch management system to automate and expedite the process. Another suggestion is to use phishing-resistant MFA for numerous services. United States health organizations are advised to install updates to operating systems, software, and firmware to defend against Daixin Team ransomware attacks and train employees to recognize and report phishing attempts.

With healthcare providers being routinely targeted by ransomware groups and other cybercriminals, it’s important for companies in the healthcare sector to always remain on high alert for the current threat landscape and to follow the recommendations from the joint advisory to secure their VPN servers from cyber threats. At SpearTip, our certified engineers work continuously in an investigative cycle at our 24/7/365 Security Operations Center monitoring companies’ data networks for ransomware threats, including Daixin Team, and are ready to respond to events at a moment’s notice. Our remediation experts focus on restoring companies’ operations, reclaiming their networks by isolating malware, and recovering business-critical assets. The ShadowSpear Platform, our integrable managed detection and response solution, uses comprehensive insights through visualizations and unparalleled data normalization to detect sophisticated and advanced ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.