
Government Issues Warning to Healthcare Organizations About Daixin Team Extortion and Ransomware Attacks

A relatively new data extortion and ransomware gang known as Daixin team is actively targeting U.S. healthcare organizations, prompting a warning from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

Daixin Team first appeared on the radar in June 2022, and the group has predominantly conducted data extortion and ransomware attacks on organizations in the Healthcare and Public Health (HPH) sector. The attacks have seen data encrypted, access to electronic health records blocked, and major disruption to healthcare services, including diagnostics, imaging, and postponed appointments. In the #StopRansomware: Daixin Team alert, the observed tactics, techniques, and procedures (TTPs) used by Daixin Team have been shared, along with Indicators of Compromise (IoCs) and several suggested mitigations to make it harder for attacks to succeed.

Daixin Team gains access to healthcare networks, conducts reconnaissance, and identifies and exfiltrates data of interest, which is then used as leverage to extort money from victims. The group seeks to establish communications with victims directly and advises them not to work with ransomware remediation firms. If contact is not made within 5 days of the attack, the group threatens to publicly release the stolen data.

Daixin Team is known to gain access to the networks of victims by exploiting vulnerabilities in VPN servers, often using compromised VPN credentials for accounts that do not have multi-factor authentication enabled. In some attacks, the group has obtained VPN credentials through phishing emails with malicious attachments. Once access is gained, they move laterally within networks using Secure Shell (SSH) and Remote Desktop Protocol (RDP), escalate privileges through credential dumping and pass-the-hash, exfiltrate data using tools such as Rclone and Ngrok, and then deploy their ransomware payload, which is believed to be based on the publicly released Babuk Locker ransomware code.


In some attacks, privileged accounts have been used to gain access to VMware vCenter Server, and account passwords have been reset for ESXi servers. SSH was then used to connect to the ESXi servers, where ransomware was deployed.
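The behaviours described above (VPN logins for accounts without MFA, execution of Rclone and Ngrok, and SSH logins to ESXi hosts shortly after a password reset performed through vCenter) can be turned into simple hunting rules. The script below is an added example written for this article, not code from the advisory or from CISA, FBI, or HHS. The pipe-separated log format, the host names, user names, IP addresses, and the one-hour correlation window are all constructed assumptions for the sake of the example; a real deployment would map the same logic onto the VPN, EDR, vCenter, and ESXi telemetry an organization actually collects.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (invented for this example, not real logs).
# Each line: timestamp|source|key=value fields (values may be double-quoted).
SAMPLE_LOGS = """\
2022-10-01T08:01:10Z|vpn|event=login user=jsmith mfa=true src=203.0.113.5
2022-10-01T08:02:42Z|vpn|event=login user=svc_backup mfa=false src=198.51.100.23
2022-10-01T08:15:03Z|endpoint|event=process host=WS-114 user=svc_backup image=C:\\tools\\rclone.exe cmdline="rclone copy D:\\share remote:dump"
2022-10-01T08:20:55Z|endpoint|event=process host=WS-114 user=svc_backup image=C:\\tools\\ngrok.exe cmdline="ngrok tcp 3389"
2022-10-01T09:05:12Z|vcenter|event=password_reset actor=svc_backup target=esxi-01.internal
2022-10-01T09:07:30Z|ssh|event=login host=esxi-01.internal user=root src=10.0.5.14
2022-10-01T09:40:00Z|endpoint|event=process host=WS-200 user=alice image=C:\\Windows\\notepad.exe cmdline="notepad.exe"
2022-10-02T11:00:00Z|ssh|event=login host=esxi-02.internal user=root src=10.0.5.14
"""

# Tool binaries named in the advisory summary (Rclone, Ngrok); matching on the
# image basename is a deliberately simple, assumed heuristic.
EXFIL_TOOLS = {"rclone", "rclone.exe", "ngrok", "ngrok.exe"}
# Assumed tuning knob: an SSH login to an ESXi host within this window after a
# vCenter-driven password reset of that host is treated as suspicious.
RESET_TO_SSH_WINDOW = timedelta(hours=1)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one 'timestamp|source|k=v ...' line into a dict of fields."""
    ts, source, rest = line.split("|", 2)
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "source": source}
    for key, value in FIELD_RE.findall(rest):
        event[key] = value.strip('"')
    return event


def parse_logs(text):
    """Parse every non-empty line of the constructed log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, detail) findings for the three behaviours, in time order."""
    findings = []
    resets = {}  # ESXi host -> time of most recent password reset via vCenter
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, kind = ev["source"], ev.get("event")
        if src == "vpn" and kind == "login" and ev.get("mfa") == "false":
            # Initial access path: VPN account with no MFA enforced.
            findings.append(("vpn_login_without_mfa", ev["user"]))
        elif src == "endpoint" and kind == "process":
            # Exfiltration / tunnelling tooling: compare the image basename.
            image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in EXFIL_TOOLS:
                findings.append(("exfil_tunnel_tool_execution", f"{ev['host']}:{image}"))
        elif src == "vcenter" and kind == "password_reset":
            resets[ev["target"]] = ev["ts"]
        elif src == "ssh" and kind == "login":
            # Hypervisor stage: SSH to an ESXi host soon after its password was reset.
            reset_at = resets.get(ev["host"])
            if reset_at is not None and ev["ts"] - reset_at <= RESET_TO_SSH_WINDOW:
                findings.append(("esxi_ssh_after_vcenter_password_reset", ev["host"]))
    return findings


def run_sample():
    """Run the rules over the constructed sample and return the findings."""
    return detect(parse_logs(SAMPLE_LOGS))


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule}: {detail}")
```

On the sample data the rules surface the non-MFA VPN login, both tool executions on WS-114, and the SSH login to esxi-01 two minutes after its password was reset; the notepad process and the unrelated SSH login to esxi-02 the next day produce nothing. The ESXi rule is the one worth the most attention in practice, since a vCenter-initiated password reset followed by an interactive SSH session is rarely part of normal operations and matches the hypervisor stage the agencies describe.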

The FBI, CISA, and the HHS have shared several mitigations that can help healthcare organizations protect against Daixin Team attacks. These measures include:

  • Patching promptly and keeping software up to date
  • Implementing phishing-resistant multi-factor authentication
  • Securing or disabling Remote Desktop Protocol
  • Turning off SSH and network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs)
  • Securing passwords with strong encryption
  • Implementing and enforcing multi-layer network segmentation
  • Limiting access to data through public key infrastructure and digital certificates to authenticate connections to devices
  • Securing ePHI at collection points using encryption
  • Ensuring compliance with the HIPAA Security Rule with respect to ePHI

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
