CISA's #StopRansomware Reports on Daixin Team

Category: Ransomware News | Industry: Healthcare and Public Health (HPH) | Level: Tactical | Source: CISA

The Cybersecurity and Infrastructure Security Agency (CISA) shares another edition to the agency's #StopRansomware advisory with a focus on the "Daixin Team" cybercrime group. The threat actors engage in ransomware and data extortion operations, primarily targeting the Healthcare and Public Health (HPH) sector. On a whole, the healthcare sector is a prime target for threat actors seeking to exploit poorly managed technology systems in organizations where system time is critical. As measured from data from the Federal Bureau of Investigation (FBI), "As of October 2022, per FBI Internet Crime Complaint Center (IC3) data, specifically victim reports across all 16 critical infrastructure sectors, the HPH Sector accounts for 25 percent of ransomware complaints." The Daixin Team accounts for most of the ransomware attacks in the sector, encrypting "servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services." As seen with many groups, the Daixin Team exfiltrates personal identification information (PII) as well as sensitive health records for leverage and extortion in ransom negotiations. Initial access tactics exploited by the threat group include distributing phishing emails, attacking public-facing applications, and utilizing stolen credentials. The operators would then move laterally in the compromised environment using RDP or SSH before deploying the ransomware. Additional tools and techniques used by the group include Ngrok, Rclone, and resetting account passwords for ESXi servers.

Anvilogic Use Cases:

• SSH Brute Force detection
• Ngrok Download Files
• Rclone Execution

‍