U.S. government agencies are warning of a cybercrime group called Daixin Team that has launched ransomware attacks against the healthcare and public health sector since at least June. The group has relied on double extortion tactics, both deploying ransomware and threatening to release sensitive patient data and personally identifiable information (PII) if the ransom is not paid.
The group typically uses security weaknesses around virtual private network (VPN) servers as an initial access vector. In one instance, the actors exploited an unpatched flaw in a victim’s VPN server; in another, they used credentials compromised via a phishing attack to access a legacy VPN server that did not have multi-factor authentication (MFA) enabled. After this initial access, the actors have leveraged remote service session hijacking (via Secure Shell (SSH) and Remote Desktop Protocol (RDP)) to move laterally, and have targeted ESXi servers in order to reset their account passwords for persistence.
“Daixin actors have sought to gain privileged account access through credential dumping and pass the hash,” according to the security advisory recently released by the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS). “The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware on those servers.”
The threat actors have also relied on various tools for data exfiltration, including an open-source program called Rclone (used for managing files on cloud storage) and a reverse proxy tool called Ngrok (used for exposing internal services through an Ngrok domain).
Previous analyses have found that the ransomware used by Daixin actors is based on the Babuk Locker source code, which was leaked on a Russian-speaking underground forum in September 2021. The FBI said that the ransomware specifically targets ESXi servers and encrypts files (with the extensions .vmdk, .vmem, .vswp, .vmsd, .vmx and .vmsn) before deploying a ransom note. CISA and the FBI said that healthcare facilities should take a number of protective measures to help prevent such attacks, such as installing available updates across devices, requiring MFA and training employees to report phishing attacks.
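The file list above suggests one defender-side check that the advisory does not spell out: VM files on a datastore that suddenly look like ciphertext. As an added example (not code from the advisory, the article, or any of the quoted organizations), the Python script below samples the leading bytes of files with those extensions and flags any whose Shannon entropy is close to 8 bits per byte. The directory layout, the 7.5-bit threshold, and the fixture files are constructed assumptions; on a real datastore you would point `scan_datastore` at the mounted volume and compare results against a known-good baseline.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# File types the advisory names as targets of the Daixin ransomware.
VM_EXTENSIONS = {".vmdk", ".vmem", ".vswp", ".vmsd", ".vmx", ".vmsn"}

# Assumed threshold: ciphertext approaches 8 bits/byte, while plaintext
# config files and sparse disk images sit well below it.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_datastore(root: Path, sample_bytes: int = 65536) -> list[tuple[str, float]]:
    """Return (relative path, entropy) for VM files whose leading bytes look encrypted."""
    flagged = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in VM_EXTENSIONS:
            continue
        with path.open("rb") as f:
            head = f.read(sample_bytes)
        h = shannon_entropy(head)
        if h >= ENTROPY_THRESHOLD:
            flagged.append((str(path.relative_to(root)), round(h, 2)))
    return flagged


def build_sample_datastore(root: Path) -> None:
    """Constructed fixtures (not real VM files): two benign files, one 'encrypted'."""
    vm = root / "vm01"
    vm.mkdir(parents=True, exist_ok=True)
    # Plaintext VMX config: low entropy.
    (vm / "vm01.vmx").write_text(
        '.encoding = "UTF-8"\nconfig.version = "8"\nvirtualHW.version = "19"\n'
        'displayName = "vm01"\nguestOS = "other-64"\n' * 50
    )
    # Sparse disk image: a short header followed by zero blocks, low entropy.
    (vm / "vm01.vmdk").write_bytes(b"# Disk DescriptorFile\n" + b"\x00" * 65536)
    # Stand-in for an encrypted swap file: a deterministic SHA-256 hash chain,
    # which is statistically indistinguishable from ciphertext for this check.
    block, out = b"constructed-seed", bytearray()
    while len(out) < 65536:
        block = hashlib.sha256(block).digest()
        out += block
    (vm / "vm01.vswp").write_bytes(bytes(out))
    # A high-entropy file with a non-VM extension is ignored by the scan.
    (vm / "notes.txt").write_bytes(bytes(out[:4096]))


def demo() -> list[tuple[str, float]]:
    """Build the fixture in a temp dir, scan it, and return the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_datastore(root)
        return scan_datastore(root)


if __name__ == "__main__":
    for name, entropy in demo():
        print(f"possible encrypted VM file: {name} (entropy {entropy} bits/byte)")
```

Entropy alone is a coarse signal (a legitimately encrypted or compressed disk image will also score high), so it is best used as a change detector against a baseline taken when the datastore was known to be clean, rather than as a standalone verdict.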
The healthcare industry has been a top target for cyberattacks, accounting for 25 percent of ransomware complaints as of October across 16 critical infrastructure sectors, according to the FBI Internet Crime Complaint Center (IC3). Allan Liska, intelligence analyst with Recorded Future, said the recent advisory from the FBI and CISA shows the increased attention that governments are paying to the wave of ransomware attacks against the healthcare sector.
“Daixin themselves aren’t that interesting in terms of technique, but their focus on the healthcare sector, especially their willingness to steal and leak patient data, makes them troublesome to deal with,” said Liska. “I think it is interesting that we are starting to see some level of specialization in ransomware. Groups like Pysa, Vice Society and Daixin, which are otherwise second- or third-tier groups in terms of total number of attacks, are overrepresented in healthcare.”
Security issues pose a unique threat for the healthcare sector. Some ransomware incidents have impacted the efficiency of healthcare processes, with hospitals being forced to divert patients away from their emergency departments or reschedule appointments and surgeries, for instance. The types of data at stake in healthcare-specific cyberattacks are also potentially extra sensitive, ranging from data about medical conditions to PII. CommonSpirit Health, the second-largest non-profit hospital chain in the U.S., saw its systems pushed offline after a ransomware attack in early October, causing delays in surgeries and patient care.
"So far this year, eighteen U.S. health systems operating a total of 278 hospitals have been impacted by ransomware, resulting in PHI leaking and, more importantly, patient care being disrupted," said Brett Callow, threat analyst with Emsisoft. "Additionally, hundreds of other non-hospital healthcare providers have been impacted. Unfortunately, there's no quick and easy fix to the problem, which means providers will continue to be attacked by for-profit cybercriminals for the foreseeable future."