The Cybersecurity and Infrastructure Security Agency (CISA) has released a new joint Cybersecurity Advisory (CSA) warning organizations about the ransomware and data extortion group Daixin Team.
Published in conjunction with the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS), the CSA said Daixin Team is actively targeting US businesses, mainly in the Healthcare and Public Health (HPH) Sector.
“The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022,” reads the advisory.
“Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations.”
According to CISA, these operations involved deploying ransomware to encrypt servers that support healthcare services and exfiltrating personally identifiable information (PII) and protected health information (PHI), which the actors then threatened to publish if a ransom was not paid.
“Of the many high-profile cyber-attacks to make headlines in the past few years, few provoke a feeling of concern like ransomware attacks on hospitals and healthcare institutions,” Dr. Darren Williams, Blackfog CEO, told Infosecurity. “With patients’ lives on the line and a wealth of incredibly sensitive data, these organizations present a compelling target for ruthless cyber-criminals.”
The advisory explains that Daixin actors typically gained initial access to victim networks through virtual private network (VPN) servers, then moved laterally over Secure Shell (SSH) and Remote Desktop Protocol (RDP).
“According to third-party reporting, the Daixin Team’s ransomware is based on leaked Babuk Locker source code,” CISA explained. “In addition to deploying ransomware, Daixin actors have exfiltrated data […] from victim systems. In one confirmed compromise, the actors used Rclone.”
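The following is a hunting example added here; it is not code from the advisory or the article. It shows how a defender could look for the chain described above in normalised logs: a VPN login followed by SSH or RDP logons to several hosts within a short window, and a process whose command line has the shape of an Rclone transfer (a copy/sync/move subcommand with a `remote:path` destination) even when the binary has been renamed. The JSON-lines event schema, the field names, the hostnames and the sample events are constructed for the illustration, and the 60-minute window and two-host threshold are assumptions to tune for your environment.

```python
"""Hunting heuristics for a VPN -> SSH/RDP -> Rclone chain.

Example code added to illustrate the advisory's TTP summary; the event
schema below (ts, host, type, user, src, image, cmdline) is an assumption.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real victim data). The actor's rclone
# binary has been renamed to rc.exe, which defeats image-name matching alone.
SAMPLE_LOG = r"""
{"ts": "2022-10-01T02:13:05Z", "host": "vpn-gw01", "type": "vpn_login", "user": "svc_backup", "src": "203.0.113.45"}
{"ts": "2022-10-01T02:20:41Z", "host": "jump01", "type": "ssh_login", "user": "svc_backup", "src": "10.10.5.20"}
{"ts": "2022-10-01T02:31:09Z", "host": "his-db01", "type": "rdp_login", "user": "svc_backup", "src": "10.10.5.21"}
{"ts": "2022-10-01T02:44:52Z", "host": "pacs01", "type": "rdp_login", "user": "svc_backup", "src": "10.10.5.21"}
{"ts": "2022-10-01T03:02:17Z", "host": "his-db01", "type": "process", "user": "svc_backup", "image": "C:\\Temp\\rc.exe", "cmdline": "rc.exe copy D:\\Records remote:bucket --transfers 32"}
{"ts": "2022-10-01T08:15:00Z", "host": "vpn-gw01", "type": "vpn_login", "user": "jdoe", "src": "198.51.100.7"}
{"ts": "2022-10-01T08:30:00Z", "host": "ws-042", "type": "rdp_login", "user": "jdoe", "src": "10.10.7.3"}
{"ts": "2022-10-01T09:00:00Z", "host": "ws-042", "type": "process", "user": "jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""

RCLONE_SUBCMDS = {"copy", "sync", "move", "copyto", "moveto"}
# Rclone remotes are written "name:path". Requiring at least two characters
# before the colon keeps Windows drive letters such as D:\Records from
# matching; a one-letter remote name would slip past this heuristic.
REMOTE_RE = re.compile(r"(?<![\w\\/])[A-Za-z0-9_-]{2,}:(?:[^\s\\/]|$)")


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def find_rclone_exfil(events):
    """Flag process events that look like an Rclone transfer to a remote."""
    hits = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        argv = ev.get("cmdline", "").split()
        subcmd = argv[1].lower() if len(argv) > 1 else ""
        by_name = image.startswith("rclone")
        by_shape = subcmd in RCLONE_SUBCMDS and any(REMOTE_RE.search(a) for a in argv[2:])
        if by_name or by_shape:
            hits.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev.get("user"),
                "reason": "image name" if by_name else "rclone-style command line",
            })
    return hits


def find_lateral_movement(events, window_minutes=60, min_hosts=2):
    """Map user -> hosts reached over SSH/RDP within a window after a VPN login.

    Only users who reached at least min_hosts distinct hosts are returned.
    """
    window = timedelta(minutes=window_minutes)
    last_vpn = {}
    reached = defaultdict(list)
    for ev in events:
        user = ev.get("user")
        if ev.get("type") == "vpn_login":
            last_vpn[user] = ev["_ts"]
        elif ev.get("type") in ("ssh_login", "rdp_login"):
            start = last_vpn.get(user)
            if start is not None and ev["_ts"] - start <= window and ev["host"] not in reached[user]:
                reached[user].append(ev["host"])
    return {u: hosts for u, hosts in reached.items() if len(hosts) >= min_hosts}


def hunt(text):
    """Run both heuristics over a JSON-lines log and return the findings."""
    events = parse_events(text)
    return {
        "rclone": find_rclone_exfil(events),
        "lateral_movement": find_lateral_movement(events),
    }


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_LOG).items():
        print(name, json.dumps(finding, indent=2))
```

On the constructed sample the renamed rc.exe is still flagged because of its command-line shape, and svc_backup is flagged for reaching three hosts within an hour of a VPN login while jdoe, who reached one workstation, is not. In production the thresholds should be set from a baseline of normal admin behaviour, and the VPN login itself deserves its own scrutiny (unusual source address, service account, off-hours), since the advisory names VPN servers as the initial access point.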
To protect against Daixin and related malicious activity, the FBI, CISA and HHS urged HPH Sector organizations to install updates for operating systems, software and firmware as soon as they are released.
“Prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process,” CISA wrote.
The agencies also recommended requiring phishing-resistant multi-factor authentication (MFA) for as many services as possible.
A complete list of mitigations and prevention measures is available in the advisory's original text. Its publication comes roughly a month after a report from Proofpoint linked cyber-attacks against healthcare organizations with higher patient mortality rates.