A cybercrime gang known as Daixin Team has been actively targeting the U.S. Healthcare and Public Health (HPH) sector, according to a joint advisory by CISA, the FBI, and the Department of Health and Human Services (HHS).
The agencies also published indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) to help defenders detect and block attacks involving this ransomware.
According to the advisory, the Daixin Team has carried out ransomware and data-extortion operations against the HPH sector since at least June 2022.
Mode of operation of Daixin
“Daixin actors gain initial access to victims through virtual private network (VPN) servers,” said the advisory.
“After obtaining access to the victim’s VPN server, Daixin actors move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). Daixin actors have sought to gain privileged account access through credential dumping and pass the hash.”
In addition to deploying ransomware, Daixin actors exfiltrate data from victim systems before encryption, the advisory said.
“In one confirmed compromise, the actors used Rclone—an open-source program to manage files on cloud storage—to exfiltrate data to a dedicated virtual private server (VPS). In another compromise, the actors used Ngrok—a reverse proxy tool for proxying an internal service out onto an Ngrok domain—for data exfiltration.”
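The TTP chain above (VPN access, then SSH/RDP lateral movement, then Rclone or Ngrok for exfiltration) is the kind of behaviour a detection engineer would want to catch in telemetry. The following is an added example, not code from the advisory or the article: a small Python detector run over constructed process-creation and network-connection records in a simple key=value format. The log format, the hostnames, the VPN client pool 10.8.0.0/24 and the command lines are all assumptions for the demonstration; in a real environment the same logic would sit on top of Sysmon, auditd or EDR telemetry.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed VPN client address pool (take this from the VPN server's config).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# Exfiltration tooling named in the advisory (Rclone, Ngrok).
EXFIL_TOOLS = {"rclone", "rclone.exe", "ngrok", "ngrok.exe"}

# Lateral-movement services named in the advisory: destination port -> label.
LATERAL_PORTS = {22: "ssh", 3389: "rdp"}

# key=value or key="quoted value" fields on one line.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


@dataclass(frozen=True)
class Finding:
    rule: str    # which detection fired
    host: str    # host that produced the record
    detail: str  # human-readable evidence


def parse_line(line: str) -> dict:
    """Parse one key=value record; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def check_process(rec: dict) -> Optional[Finding]:
    """Flag execution of rclone or ngrok, whatever directory it ran from."""
    image = rec.get("image", "")
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in EXFIL_TOOLS:
        detail = f"{name} {rec.get('cmdline', '')}".strip()
        return Finding("exfil-tool", rec.get("host", "?"), detail)
    return None


def check_connection(rec: dict) -> Optional[Finding]:
    """Flag SSH/RDP connections whose source is a VPN-assigned address."""
    try:
        src = ipaddress.ip_address(rec.get("src", ""))
        dport = int(rec.get("dport", "0"))
    except ValueError:
        return None
    if src in VPN_POOL and dport in LATERAL_PORTS:
        label = "vpn-lateral-" + LATERAL_PORTS[dport]
        return Finding(label, rec.get("host", "?"), f"{src} -> {rec.get('dst', '?')}:{dport}")
    return None


def scan(lines: list[str]) -> list[Finding]:
    """Run every record through the detection that matches its type."""
    findings: list[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = rec.get("type")
        finding = None
        if kind == "process":
            finding = check_process(rec)
        elif kind == "conn":
            finding = check_connection(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry): two exfil tools, one benign
# process, two VPN-sourced lateral-movement connections, two benign connections.
SAMPLE_LOG = [
    r'type=process host=fs01 image="C:\Tools\rclone.exe" cmdline="rclone copy D:\Shares remote:drop --transfers 8"',
    r'type=process host=app02 image=/usr/local/bin/ngrok cmdline="ngrok tcp 445"',
    r'type=process host=ws07 image="C:\Windows\System32\notepad.exe" cmdline=notepad.exe',
    r'type=conn host=db01 src=10.8.0.23 dst=10.20.1.5 dport=22',
    r'type=conn host=ts01 src=10.8.0.23 dst=10.20.1.9 dport=3389',
    r'type=conn host=web01 src=10.20.3.4 dst=10.20.1.5 dport=22',
    r'type=conn host=ws07 src=10.8.0.50 dst=10.20.1.9 dport=443',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Two caveats a practitioner would apply before shipping this: Rclone and Ngrok both have legitimate administrative uses, so the exfil-tool rule needs an allowlist of approved hosts and users rather than firing on every execution, and matching on the binary name alone misses renamed copies, so a hash- or signer-based check belongs alongside it. The VPN lateral-movement rule is only as good as the pool definition and should be paired with the VPN server's own authentication logs so that a flagged SSH or RDP session can be tied back to the account that opened the tunnel.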
Recent victims
In September 2022, Physician's Business Office (PBO), a U.S. medical practice management and administrative services provider for healthcare organizations, disclosed a network intrusion that occurred in March and notified 196,573 patients that their personal data and protected health information had likely been stolen.
The PBO disclosure came days after OakBend Medical Center, Texas, confirmed “sensitive information was breached within the hospital infrastructure.” Daixin claimed responsibility for both incidents.
Like many ransomware operators, Daixin uses public naming and shaming as an extortion lever. In July 2022, ista International, a multinational that provides metering and energy-consumption data services for buildings, took its systems offline following a cyber-attack.
The company initially did not say whether ransomware was involved, but Daixin soon posted an extortion notice naming it.
“We have discovered that the attackers had, to a limited extent, also published personal data that we process on behalf of our customers in a small part of the markets in which we operate,” the company conceded in August 2022.
Damage control
Among the standard ransomware mitigations, the advisory urged organizations to secure their backups.
“Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise,” said the advisory.
It also warned against paying ransom.
“Doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the advisory said.