Security Alert: Daixin Ransomware Targets Healthcare
Cybercrime Gang Wields Phishing Emails and Proficiency for VMware Environments
Beware ransomware and data extortion shakedowns that trace to a cybercrime group called Daixin Team, which is especially targeting the healthcare sector.
So warns a joint U.S. government cybersecurity advisory issued Friday, which notes that the group's operations appear to have begun in June.
Daixin Team actively targets U.S. businesses, predominantly in the healthcare and public health sector, according to the joint alert from the FBI, Cybersecurity and Infrastructure Security Agency and Department of Health and Human Services.
The gang extorts victims by encrypting numerous types of data, "including electronic health records services, diagnostics services, imaging services, and intranet services." It regularly steals personally identifiable information and patient health information and threatens to release the data unless the victim pays up.
On Sept. 1, Texas-based OakBend Medical Center, which has three hospitals, 274 beds and 450 staff physicians across the Houston region, was hit by an attack for which Daixin claimed credit. Daixin claims to have exfiltrated 3.5 gigabytes of data, including 1.2 million records containing patient and employee data such as Social Security numbers (see: Texas Hospital Still Struggling Through Ransomware Attack).
Two weeks after the attack, the medical center reported that it was struggling to get systems back online. In an Oct. 11 update, OakBend said it had received reports that some patients and employees had been "receiving emails sent by third parties regarding the recent ransomware attack," which suggests stolen data might already be getting used for phishing attacks.
The alert follows CISA Director Jen Easterly last week calling on technology vendors to cease coddling customers over multifactor authentication. Instead, she urged them to "forcefully nudge" customers into adopting strong multifactor approaches, such as hardware fobs, as a default since they make it much more difficult for remote attackers to hack a network.
The recommendations from the alert would harden systems against any adversary, Daixin included. They are:
- Ensure all operating systems, software and firmware are updated with the latest updates or security fixes.
- Deploy phishing-resistant multifactor authentication for as many services as possible.
- Continuously train employees to recognize and report phishing attempts.
Daixin's crypto-locking code appears to be based on Babuk Locker source code, which was leaked in September 2021 and has been used by other cybercrime gangs (see: Rook Uses Babuk's Leaked Code in Kazakh Bank Attacks).
The group's ransomware has the ability to encrypt a range of file types, including those on servers running VMware's ESXi hypervisor.
The joint alert says Daixin uses a number of common ransomware group tactics, including stealing VPN credentials - later used to gain initial access to a victim - via phishing emails that have a malicious attachment. In at least one case, the attackers exploited a known vulnerability in a VPN server to gain an initial foothold, and in another incident they apparently used previously compromised credentials to gain access, including to VMware ESXi servers.
Access to the VPN server is just a first step. Daixin actors move laterally across networks via secure shell and remote desktop protocol, the joint alert warns. "The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment" (see: Why Are We So Stupid About Passwords? SSH and RDP Edition).
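The chain the alert describes - VPN login, SSH/RDP fan-out to several hosts, then ESXi password resets issued through vCenter - is the kind of sequence a defender can correlate per account. The following is an added detection example written for this article; it is not code from the advisory or from any vendor. The log lines and the field layout "timestamp,source,account,event,target", the event names, and the assumption that vCenter-originated events carry a source host beginning with "vcenter" are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Daixin telemetry) in the shape
# "timestamp,source,account,event,target" that a SIEM export might use.
SAMPLE_LOG = """\
2022-09-01T01:02:00,vpn-gw,jdoe,vpn_login,10.0.0.5
2022-09-01T01:10:00,10.0.0.5,jdoe,rdp_login,fileserver01
2022-09-01T01:14:00,10.0.0.5,jdoe,ssh_login,esxi-01
2022-09-01T01:16:00,10.0.0.5,jdoe,ssh_login,esxi-02
2022-09-01T01:20:00,vcenter01,jdoe,esxi_password_reset,esxi-01
2022-09-01T01:21:00,vcenter01,jdoe,esxi_password_reset,esxi-02
2022-09-01T08:00:00,vpn-gw,asmith,vpn_login,10.0.0.9
2022-09-01T08:05:00,10.0.0.9,asmith,rdp_login,workstation07
"""

WINDOW = timedelta(hours=2)   # how long after a VPN login we keep watching
MIN_HOSTS = 2                 # distinct SSH/RDP targets before fan-out counts

def parse(log):
    """Parse the constructed CSV-like lines into sorted event tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, src, acct, ev, tgt = line.split(",")
        events.append((datetime.fromisoformat(ts), src, acct, ev, tgt))
    return sorted(events)

def find_daixin_like_chains(log):
    """Return accounts whose activity matches VPN login -> SSH/RDP fan-out
    -> ESXi password reset from vCenter, all inside WINDOW of the login."""
    by_account = defaultdict(list)
    for ev in parse(log):
        by_account[ev[2]].append(ev)
    hits = {}
    for acct, evs in by_account.items():
        for i, (t0, _, _, name, _) in enumerate(evs):
            if name != "vpn_login":
                continue
            lateral, resets = set(), []
            for t, src, _, ev, tgt in evs[i + 1:]:
                if t - t0 > WINDOW:
                    break
                if ev in ("ssh_login", "rdp_login"):
                    lateral.add(tgt)
                elif ev == "esxi_password_reset" and src.startswith("vcenter"):
                    resets.append(tgt)
            if len(lateral) >= MIN_HOSTS and resets:
                hits[acct] = {"lateral_hosts": sorted(lateral), "reset_esxi": resets}
    return hits
```

In the sample, only jdoe completes the full chain; asmith's single RDP session after a VPN login is ordinary activity and is not flagged.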