Three U.S. government agencies published a joint advisory on Friday warning of attacks by a cybercrime group called Daixin Team that primarily targets the healthcare industry. “The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022,” the agencies stated. The alert was released jointly by the Department of Health and Human Services (HHS), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA).
Over the past four months, the gang has been linked to several ransomware incidents in the Healthcare and Public Health (HPH) sector, encrypting servers that support electronic health records, diagnostics, imaging, and intranet services. The group is also alleged to have exfiltrated Protected Health Information (PHI) and Personally Identifiable Information (PII) as part of a double extortion scheme. One of those targets was OakBend Medical Center, attacked on September 1, 2022. The group claimed to have stolen about 3.5GB of data, including more than one million patient and employee records, and, according to DataBreaches.net, posted a sample of 2,000 patient records on its data leak website. Those records contained names, genders, dates of birth, Social Security Numbers (SSNs), addresses, and appointment details. On October 11, 2022, OakBend notified its patients about emails sent by “third parties” regarding the cyberattack and said it was directly notifying the patients who had been affected. The hospital also offered 18 months of free credit monitoring.
According to the advisory, the attackers gain initial access to targeted networks through Virtual Private Network (VPN) servers, either by exploiting unpatched security vulnerabilities or by using compromised credentials obtained via phishing emails. After establishing a foothold, the Daixin Team has been observed moving laterally over Secure Shell (SSH) and Remote Desktop Protocol (RDP), then escalating privileges using techniques such as credential dumping. “The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware on those servers,” the U.S. government stated. The Daixin Team’s ransomware is based on another strain called Babuk. Organizations are advised to implement multi-factor authentication, segment their networks, apply software updates promptly, and keep regular offline backups.
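The vCenter-to-ESXi step quoted above leaves a recognisable trace: a password reset for an ESXi host account issued through vCenter, followed within minutes by an SSH login to that host with the freshly reset account. The script below is an added example of a detection for that sequence; it is not from the advisory or from VMware. The log lines, their field layout, the host names, the account `svc_backup@VSPHERE.LOCAL` and the address `10.20.30.40` are all constructed for illustration (real vpxd and ESXi sshd messages differ, so the regular expressions would need adjusting for production logs).

```python
"""Correlate ESXi account password resets made through vCenter with SSH logins
to the same host shortly afterwards.

Added example for the Daixin advisory; the log formats, hosts, accounts and
addresses below are constructed and do not come from any real deployment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified message formats (assumption: real vpxd/sshd lines differ).
PW_RESET_RE = re.compile(
    r"^(?P<ts>\S+) (?P<vc>\S+) vpxd: User (?P<actor>\S+) changed password "
    r"for user (?P<user>\S+) on host (?P<host>\S+)$"
)
SSH_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?:password|publickey) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

# Constructed sample: one compromised vCenter account resets root on two hosts,
# then SSH logins follow from the same source within minutes. The esxi-03 login
# is benign here because its last reset happened twelve days earlier.
SAMPLE_LOGS = """\
2022-09-01T02:58:10Z vcenter01 vpxd: User svc_backup@VSPHERE.LOCAL logged in from 10.20.30.40
2022-09-01T03:01:22Z vcenter01 vpxd: User svc_backup@VSPHERE.LOCAL changed password for user root on host esxi-01
2022-09-01T03:02:05Z vcenter01 vpxd: User svc_backup@VSPHERE.LOCAL changed password for user root on host esxi-02
2022-09-01T03:04:41Z esxi-01 sshd[2101]: Accepted password for root from 10.20.30.40 port 51234 ssh2
2022-09-01T03:05:12Z esxi-02 sshd[2207]: Accepted password for root from 10.20.30.40 port 51240 ssh2
2022-08-20T08:00:00Z vcenter01 vpxd: User admin@VSPHERE.LOCAL changed password for user root on host esxi-03
2022-09-01T09:15:33Z esxi-03 sshd[3310]: Accepted password for root from 10.0.0.7 port 40011 ssh2
"""


def parse_ts(value):
    """Timestamps in the constructed logs are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(lines, window=timedelta(hours=1)):
    """Return one alert per SSH login to an ESXi host whose account password
    was reset via vCenter within `window` before the login.

    Lines that match neither pattern are ignored, so the function can be fed a
    mixed vCenter/ESXi log stream in any order.
    """
    resets = defaultdict(list)   # (host, user) -> [(reset_time, vcenter_actor)]
    logins = []                  # (login_time, host, user, source_ip)

    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = PW_RESET_RE.match(line)
        if m:
            resets[(m["host"], m["user"])].append((parse_ts(m["ts"]), m["actor"]))
            continue
        m = SSH_LOGIN_RE.match(line)
        if m:
            logins.append((parse_ts(m["ts"]), m["host"], m["user"], m["src"]))

    alerts = []
    for login_ts, host, user, src in sorted(logins):
        for reset_ts, actor in resets.get((host, user), []):
            # Only a reset that precedes the login, and by no more than `window`,
            # turns a routine SSH login into the reset-then-login pattern.
            if reset_ts <= login_ts <= reset_ts + window:
                alerts.append({
                    "host": host,
                    "user": user,
                    "actor": actor,
                    "src": src,
                    "minutes_after_reset": (login_ts - reset_ts).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(f"ALERT: {alert['user']}@{alert['host']} SSH login from {alert['src']} "
              f"{alert['minutes_after_reset']:.1f} min after password reset by {alert['actor']}")
```

Run against the constructed sample this raises alerts for esxi-01 and esxi-02 and nothing for esxi-03. Keep the window short (an hour is generous) so that a legitimate administrator who rotates a host password during the day does not page the on-call engineer every time they log in; the accompanying context a responder wants is the vCenter account that performed the reset, which the alert carries.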