The United States Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a joint alert about a new cybercrime group targeting organizations in the healthcare industry.
Called Daixin Team, the threat actor has been active since at least June 2022, targeting organizations in the United States with ransomware built from the leaked Babuk source code, and also engaging in data theft and extortion.
The group has been observed to compromise victims’ networks to deploy ransomware on servers responsible for health services, such as diagnostic, electronic health records, imaging and intranet services.
Additionally, the Daixin team stole Protected Health Information (PHI) and Personally Identifiable Information (PII) from the compromised systems and used it as leverage to extort a ransom from the victims.
The group targeted virtual private network (VPN) servers for initial access to victim networks, including via unpatched vulnerabilities and previously obtained credentials.
The adversary then used Secure Shell (SSH) and Remote Desktop Protocol (RDP) for lateral movement, and credential dumping and pass-the-hash to gain access to privileged accounts.
Using that privileged access, the Daixin team would connect to VMware vCenter Server to reset the passwords of the deployed ESXi servers, and then connect to those servers via SSH to deploy the ransomware.
The threat actor uses various tools for data exfiltration, including the open source cloud storage management tool Rclone and the reverse proxy utility Ngrok.
In their joint alert, the FBI, CISA and HHS encourage organizations to keep all software and operating systems up to date, use multi-factor authentication and strong password policies, implement network segmentation, limit the use of RDP, disable SSH, securely store PII and PHI, implement network logging and monitoring, and use anti-malware software.
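As an added, defender-side example (not part of the joint alert or this article), the following Python script correlates two of the behaviours described above over constructed, simplified log lines: an ESXi host password reset through vCenter followed shortly by an SSH login to that host, and execution of the Rclone or Ngrok binaries. The log format, hostnames and addresses are assumptions made for illustration, not real telemetry formats.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified syslog-style sample (hostnames/addresses are made up).
SAMPLE_LOGS = """\
2022-06-14T02:11:05Z vcenter01 vpxd: host esxi-03 password reset by admin@vsphere.local from 10.0.5.21
2022-06-14T02:13:40Z esxi-03 sshd: session opened for root from 10.0.5.21
2022-06-14T02:30:11Z fileserver01 sysmon: ProcessCreate Image=C:\\Temp\\rclone.exe CommandLine="rclone copy D:\\Data remote:bucket"
2022-06-14T03:02:55Z jumphost02 sysmon: ProcessCreate Image=C:\\Users\\svc\\ngrok.exe CommandLine="ngrok tcp 3389"
2022-06-15T09:00:00Z esxi-01 sshd: session opened for root from 10.0.9.7
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
RESET_RE = re.compile(r"^(\S+) (\S+) vpxd: host (\S+) password reset by (\S+) from (\S+)")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd: session opened for (\S+) from (\S+)")
PROC_RE = re.compile(r"^(\S+) (\S+) sysmon: ProcessCreate Image=(\S+)")
EXFIL_TOOLS = ("rclone", "ngrok")  # binaries named in the advisory


def detect(log_text, window=timedelta(minutes=30)):
    """Return a list of (rule, host, subject, source) alerts for the given log text."""
    alerts = []
    resets = {}  # ESXi host -> (reset time, operator, source address)
    for line in log_text.splitlines():
        if m := RESET_RE.match(line):
            ts, _, host, who, src = m.groups()
            resets[host] = (datetime.strptime(ts, TS_FMT), who, src)
        elif m := SSH_RE.match(line):
            ts, host, user, src = m.groups()
            t = datetime.strptime(ts, TS_FMT)
            # A password reset via vCenter followed by an SSH login within the window
            # matches the vCenter -> ESXi -> SSH sequence described in the alert.
            if host in resets and t - resets[host][0] <= window:
                alerts.append(("esxi_reset_then_ssh", host, user, src))
        elif m := PROC_RE.match(line):
            ts, host, image = m.groups()
            name = image.rsplit("\\", 1)[-1].lower()
            if any(name.startswith(tool) for tool in EXFIL_TOOLS):
                alerts.append(("exfil_tool_exec", host, name, ""))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The SSH login to esxi-01 on its own raises nothing, since no preceding password reset was seen for that host; in production the source address of the reset and of the login would also be compared, and legitimate administrative windows excluded.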