[ad_1]
CISA, FBI, and the Department of Health and Human Services (HHS) have warned that a cybercriminal group known as the Daixin Team is actively targeting the U.S. Health and Public Health (HPH) sector with ransomware attacks. .
Federal agencies also released a joint advisory issued today to help security professionals detect and block attacks using this ransomware strain, including indicators of compromise (IOCs) and tactics, techniques, and I shared the procedure (TTP).
“Daixin Team is a ransomware and data extortion group that has been targeting the HPH sector with ransomware and data extortion operations since at least June 2022,” the advisory revealed.
Since June, the Daixin Team attackers have been linked to multiple healthcare sector ransomware incidents that encrypted systems used for many healthcare services, including electronic medical record storage, diagnostics, imaging services, and intranet services. I’m here.
It also steals patient health information (PHI) and personally identifiable information (PII) and uses it in double extortion to pressure victims into paying a ransom by threatening to publish the stolen information online. Also known for hanging.
Ransomware gangs exploit known vulnerabilities in an organization’s VPN servers or leverage compromised VPN credentials belonging to accounts with multi-factor authentication (MFA) turned off to gain access to targeted networks. To do.
Once inside, it uses Remote Desktop Protocol (RDP) and Secure Shell (SSH) to traverse the victim’s network.
Various methods such as credential dumping are used to elevate privileges in order to deploy ransomware payloads.
This privileged access is also used to “gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment” for the same purpose of encrypting systems with ransomware .
“According to third-party reports, the Daixin team’s ransomware is based on the leaked Babuk Locker source code,” the agency added.
“This third-party report and FBI analysis indicate that the ransomware targets ESXi servers and encrypts files in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, .vmsn. Ransom note is also written to /vmfs/volumes/.”
Use Rclone or Ngrok to exfiltrate the stolen data to a dedicated Virtual Private Server (VPS) before encrypting the victim’s device.
US health authorities recommend the following measures to defend against Daixin Team attacks:
- Install operating system, software, and firmware updates as soon as they are released.
- Enable phishing-resistant MFA on as many services as possible.
- Train your employees to recognize and report phishing attempts.
In August, CISA and the FBI reported that attackers known to primarily target the healthcare and medical industries with Zeppelin ransomware could encrypt files multiple times, making file recovery more cumbersome. warned that there is
[ad_2]
Source link
