Daixin Team the ransomware and data extortion group Targets Healthcare Sector

November 10th, 2022 - Written By CyberLabs

The US Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services jointly issued an advisory on October 21, 2022, alerting the public to the fact that since June 2022, the cybercrime group Daixin Team has been actively targeting US businesses, primarily in the healthcare and public health sectors.

The study claims that Daixin Team uses ransomware to steal personal information and patient health data from servers hosting healthcare services, including electronic health records. If the victims do not pay their ransom, the organization says they will reveal the information. Through virtual private network servers, the threat organization first gains access to victims by exploiting security flaws that haven’t been fixed or by utilizing stolen credentials. After that, the threat actors use Secure Shell and remote desktop protocol to travel laterally, increase their privileges through credential dumps, and pass the hash. Before spreading ransomware to accessible ESXi systems, privileged accounts are used to access VMware vCenter Servers and reset account passwords.

Babuk Locker source code leaks served as the foundation for the ransomware developed by Daixin Team. The reverse proxy tool Ngrok and Rclone were also utilized by the gang to exfiltrate data to a dedicated virtual private server.

How to prevent ransomware attacks?

CISA has mentioned few steps to be Mitigating and Preventing Ransomware as follows,

Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs.
Open document readers in protected viewing modes to help prevent active content from running.
Implement user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
Use strong passwords and avoid reusing passwords for multiple accounts. Require administrator credentials to install software.
Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
Install and regularly update antivirus and antimalware software on all hosts.
Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
Consider adding an email banner to messages coming from outside your organizations.
Disable hyperlinks in received emails.

Source

https://www.cisa.gov/uscert/ncas/alerts/aa22-294a