The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a joint alert on a new cybercrime group targeting organizations in the healthcare sector.
Called Daixin Team, the threat actor has been active since at least June 2022, targeting organizations in the US with ransomware based on leaked Babuk source code in September 2021, and also engaging in data theft and extortion. It has been used as a foundation for a number of file-encrypting malware families such as Rook, Night Sky, Pandora, and Cheerscrypt. As to mitigation, it is recommended that organizations apply the latest software updates, enforce multi-factor authentication, implement network segmentation, and maintain periodic offline backups.
See: https://redskyalliance.org/xindustry/ransomware-in-use-to-disguise-cyberespionage
The group has been observed compromising victims’ networks to deploy ransomware on servers responsible for healthcare services, such as diagnostics, electronic health records, imaging, and intranet services. Daixin Team has been stealing patient health information (PHI) and personally identifiable information (PII) from the compromised systems and used it as leverage to extort victims into paying a ransom.
The group has been targeting virtual private network (VPN) servers for initial access into victim networks, including via unpatched vulnerabilities and previously obtained credentials. The adversary would use Secure Shell (SSH) and Remote Desktop Protocol (RDP) for lateral movement and would employ credential dumping and pass-the-hash to gain access to privileged accounts. The next steps are gaining privileges using techniques, such as credential dumping. Using the privileged access, Daixin Team would then connect to VMware vCenter Server to reset passwords for the deployed ESXi servers, and then connect to these servers via SSH to deploy ransomware.
The threat actor has been using various tools for data exfiltration, including the Rclone open-source cloud storage management tool and the Ngrok reverse proxy utility.
In their joint alert, the FBI, CISA, and HHS are encouraging organizations to keep all software and operating systems up to date, to employ multi-factor authentication and strong password policies, implement network segmentation, limit the use of RDP, disable SSH, securely store PII and PHI, implement logging and network monitoring, and use antimalware software.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
.pdf article: TR-22-304-003.pdf
Comments