The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a joint alert on a new cybercrime group targeting organizations in the healthcare sector.
Called Daixin Team, the threat actor has been active since at least June 2022, targeting organizations in the US with ransomware based on leaked Babuk source code, and also engaging in data theft and extortion.
The group has been observed compromising victims’ networks to deploy ransomware on servers responsible for healthcare services, such as diagnostics, electronic health records, imaging, and intranet services.
Additionally, Daixin Team has been stealing patient health information (PHI) and personally identifiable information (PII) from the compromised systems and used it as leverage to extort victims into paying a ransom.
The group has been targeting virtual private network (VPN) servers for initial access into victim networks, including via unpatched vulnerabilities and previously obtained credentials.
Next, the adversary would use Secure Shell (SSH) and Remote Desktop Protocol (RDP) for lateral movement and would employ credential dumping and pass-the-hash to gain access to privileged accounts.
Using the privileged access, Daixin Team would then connect to VMware vCenter Server to reset passwords for the deployed ESXi servers, and then connect to these servers via SSH to deploy ransomware.
The threat actor has been using various tools for data exfiltration, including the Rclone open-source cloud storage management tool and the Ngrok reverse proxy utility.
In their joint alert, the FBI, CISA, and HHS are encouraging organizations to keep all software and operating systems up to date, to employ multi-factor authentication and strong password policies, implement network segmentation, limit the use of RDP, disable SSH, securely store PII and PHI, implement logging and network monitoring, and use antimalware software.