FBI warning: This ransomware group is targeting poorly protected VPN servers
The FBI and other agencies are warning of a rise in Daixin Team ransomware and data extortion attacks on healthcare providers.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) has issued a joint warning about Daixin Team activity against the healthcare and public health sector since June 2022.
The group has used ransomware to encrypt servers providing services for electronic health records, diagnostics, imaging, and intranet. They have also exfiltrated personal identifiable information and patient health information.
Privacy
The agencies are warning health providers to secure VPN servers as this was how the group gained access to previous targets, including exploiting an unpatched flaw in the victim's VPN server. In another confirmed case, the actors used previously compromised credentials to access a legacy VPN server where multi-factor authentication (MFA) was not enabled. The actors are believed to have acquired the VPN credentials through a phishing email with a malicious attachment.
Also: Ransomware: Why it's still a big threat, and where the gangs are going next
After accessing the VPN, the group used remote protocols SSH and RDP to move laterally, then sought privileged accounts through credential dumping and 'pass the hash', where attackers use stolen password hashes to move laterally.
The actors have also used privileged accounts to access VMware vCenter Server and reset account passwords for ESXi servers in the environment. Then they use SSH to connect to accessible ESXi servers and deploy ransomware on those servers, according to the advisory.
The Daixin group also exfiltrated data from victim systems.
Among several mitigations, the advisory says organizations must prioritize patching VPN servers, remote-access software, virtual-machine software, and CISA's known-exploited vulnerabilities. It also recommends locking down RDP and turning off SSH, as well as Telnet, Winbox, and HTTP for wide-area networks, and securing them with strong passwords and encryption when enabled. Organizations should also require MFA for as many services as possible.
Because lives can depend on these systems, providers in the sector are routinely targeted by cyber criminals. The FBI's Internet Crime Complaint Center (IC3) data indicates the health sector accounts for 25% of ransomware complaints of victim reports across all 16 critical infrastructure sectors.
Also, in IC3's 2021 annual report, the HPH Sector accounted for 148 ransomware reports. It was the largest source of ransomware complaints within the 649 ransomware reports made that year across 14 critical infrastructure sectors.