Security Alert: Daixin Ransomware Targets Healthcare

November 08, 2022 : Institutions need to be conscious of ransomware and data extortion extortions that relate to a cybercrime group called Daixin Team, especially targeting the healthcare sector.

So warns, a joint U.S. government cybersecurity advisory published Friday cautions that the group’s operations appear to have started in June.

Daixin Team vigorously targets U.S. businesses, particularly in the healthcare and public health arena, according to the joint alert from the Department of Health and Human Services and FBI, Cybersecurity, Infrastructure Security Agency.

The criminals extorts targets by encrypting numerous kinds of data, “including electronic health records services, imaging services, diagnostics services, and intranet services.” It regularly robs personally identifiable and patient health information and threatens to leak the data unless the victim pays up.

On September 1, Texas-based OakBend Medical Center, which has three hospitals, 274 beds, and 450 staff physicians in the Houston area, was attacked by the crminals for which Daixin claimed credit. Daixin claims to have withdrew 3.5 gigabytes of data, including 1.2 million records, patient and worker data, and Social Security numbers.

The medical hub reported struggling to get systems back online two weeks after the invasion. In an October 11 update, OakBend said it had obtained reports that some patients and employees had been “getting emails sent by third parties regarding the recent ransomware attack,” which proposes stolen data might already be getting used for phishing attacks.

The alert observes CISA Director Jen Easterly calling on technology vendors to stop coddling customers over multifactor authentication last week. Rather, she urged them to “forcefully nudge” customers into embracing robust multifactor methods, such as hardware fobs, as a default since they make it much more challenging for remote attackers to hack a network.

The advice from the alert would harden systems against any adversary, Daixin contained. They are:

  • Secure all operating systems, software, and firmware are revamped with the latest updates or security fixes.
  • Install phishing-resistant multifactor authentication for as many assistance as possible.
  • Constantly train employees to recognize and report phishing endeavors.

Daixin’s crypto-locking code arises to be based on Babuk Locker source code, which was snitched in September 2021 and used by other cybercrime teams.

The group’s ransomware can encrypt diverse file types, including servers running VMware’s ESXi hypervisor.

The joint alert comments Daixin uses several common ransomware group tactics, including robbing VPN credentials – later utilized to gain initial entry to a victim – via phishing emails with a antagonistic attachment. In at least one case, the attackers manipulated a known vulnerability in a VPN server to gain a primary foothold. In another incident, they used earlier compromised credentials to gain access, including to VMware ESXi servers.

Admission to the VPN server is just the first step. Daixin actors push laterally across networks via secure shell and remote desktop protocol, the joint alert alerts. “The actors have leveraged confidential accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the domain.”