The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a joint alert on a new cybercrime group targeting organizations in the healthcare sector.
Called Daixin Team, the threat actor has been active since at least June 2022, targeting organizations in the US with ransomware based on leaked Babuk source code, and also engaging in data theft and extortion.
The group has been observed compromising victims’ networks to deploy ransomware on servers responsible for healthcare services, such as diagnostics, electronic health records, imaging, and intranet services.
Additionally, Daixin Team has been stealing patient health information (PHI) and personally identifiable information (PII) from the compromised systems and used it as leverage to extort victims into paying a ransom.
The group has been targeting virtual private network (VPN) servers for initial access into victim networks, including via unpatched vulnerabilities and previously obtained credentials.
Next, the adversary would use Secure Shell (SSH) and Remote Desktop Protocol (RDP) for lateral movement and would employ credential dumping and pass-the-hash to gain access to privileged accounts.
Using the privileged access, Daixin Team would then connect to VMware vCenter Server to reset passwords for the deployed ESXi servers, and then connect to these servers via SSH to deploy ransomware.
The threat actor has been using various tools for data exfiltration, including the Rclone open-source cloud storage management tool and the Ngrok reverse proxy utility.
In their joint alert, the FBI, CISA, and HHS are encouraging organizations to keep all software and operating systems up to date, to employ multi-factor authentication and strong password policies, implement network segmentation, limit the use of RDP, disable SSH, securely store PII and PHI, implement logging and network monitoring, and use antimalware software.
Related: FBI: 649 Ransomware Attacks Reported on Critical Infrastructure Organizations in 2021
Related: US: North Korean Hackers Targeting Healthcare Sector With Maui Ransomware
Related: The Psychology of Ransomware Response
More from Ionut Arghire
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Apple Unveils Upcoming Privacy and Security Features
Latest News
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Google Patches Third Chrome Zero-Day of 2023
