In one confirmed compromise, the actors used Rclone-an open-source program to manage files on cloud storage-to exfiltrate data to a dedicated virtual private server (VPS). In addition to deploying ransomware, Daixin actors have exfiltrated data from victim systems. Note that in the Figure 3 ransom note, Daixin actors misspell “Daixin” as “Daxin.”įigure 1: Daixin Team – Ransomware Targeted File Pathįigure 2: Daixin Team – Ransomware Targeted File Extensionsįigure 3: Example 1 of Daixin Team Ransomware Noteįigure 4: Example 2 of Daixin Team Ransomware Note ![]() Figure 3 and Figure 4 include examples of ransom notes. See Figure 1 for targeted file system path and Figure 2 for targeted file extensions list. A ransom note is also written to /vmfs/volumes/. This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions. ![]() The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware on those servers.Īccording to third-party reporting, the Daixin Team’s ransomware is based on leaked Babuk Locker source code. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. Daixin actors have sought to gain privileged account access through credential dumping and pass the hash. Īfter obtaining access to the victim’s VPN server, Daixin actors move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server. Exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.ĭaixin actors gain initial access to victims through virtual private network (VPN) servers.Deployed ransomware to encrypt servers responsible for healthcare services-including electronic health records services, diagnostics services, imaging services, and intranet services, and/or.Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have: The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. According to an IC3 annual report in 2021, 649 ransomware reports were made across 14 critical infrastructure sectors the HPH Sector accounted for the most reports at 148.As of October 2022, per FBI Internet Crime Complaint Center (IC3) data, specifically victim reports across all 16 critical infrastructure sectors, the HPH Sector accounts for 25 percent of ransomware complaints.See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.Ĭybercrime actors routinely target HPH Sector organizations with ransomware: Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. This joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party reporting.ĭownload the PDF version of this report: pdf, 591 KB businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. Visit to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. Train users to recognize and report phishing attempts.Require phishing-resistant MFA for as many services as possible. ![]() Install updates for operating systems, software, and firmware as soon as they are released.Actions to take today to mitigate cyber threats from ransomware:
0 Comments
Leave a Reply. |