Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

US Healthcare Organizations Warned of ‘Daixin Team’ Ransomware Attacks

The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a joint alert on a new cybercrime group targeting organizations in the healthcare sector.

The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a joint alert on a new cybercrime group targeting organizations in the healthcare sector.

Called Daixin Team, the threat actor has been active since at least June 2022, targeting organizations in the US with ransomware based on leaked Babuk source code, and also engaging in data theft and extortion.

The group has been observed compromising victims’ networks to deploy ransomware on servers responsible for healthcare services, such as diagnostics, electronic health records, imaging, and intranet services.

Additionally, Daixin Team has been stealing patient health information (PHI) and personally identifiable information (PII) from the compromised systems and used it as leverage to extort victims into paying a ransom.

The group has been targeting virtual private network (VPN) servers for initial access into victim networks, including via unpatched vulnerabilities and previously obtained credentials.

Next, the adversary would use Secure Shell (SSH) and Remote Desktop Protocol (RDP) for lateral movement and would employ credential dumping and pass-the-hash to gain access to privileged accounts.

Using the privileged access, Daixin Team would then connect to VMware vCenter Server to reset passwords for the deployed ESXi servers, and then connect to these servers via SSH to deploy ransomware.

The threat actor has been using various tools for data exfiltration, including the Rclone open-source cloud storage management tool and the Ngrok reverse proxy utility.

In their joint alert, the FBI, CISA, and HHS are encouraging organizations to keep all software and operating systems up to date, to employ multi-factor authentication and strong password policies, implement network segmentation, limit the use of RDP, disable SSH, securely store PII and PHI, implement logging and network monitoring, and use antimalware software.

Related: FBI: 649 Ransomware Attacks Reported on Critical Infrastructure Organizations in 2021

Related: US: North Korean Hackers Targeting Healthcare Sector With Maui Ransomware

Related: The Psychology of Ransomware Response

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.