Poorly Protected Healthcare VPN Servers the Latest Ransomware Target
The FBI, CISA, and Department of Health and Human Services have issued a joint warning about Daixin Team ransomware that has been targeting the healthcare and public health sector since June 2022.
The malicious group is using ransomware to encrypt servers that provide services for electronic health records, diagnostics, imaging and intranet. Daixin has also gained access to personally identifiable information and patient health information.
The agencies are warning healthcare providers to secure their VPN servers, as that was how the ransomware group accessed its targets, including by exploiting an unpatched flaw in victim VPN servers. In one confirmed case, the ransomware gang used previously compromised credentials to access a legacy VPN server on which multi-factor authentication was not enabled. The credentials are thought to have been acquired through a phishing email.
After successfully accessing the VPN, the group used remote protocols SSH and RDP to move laterally, then acquired privileged accounts through credential dumping and ‘pass the hash’, where attackers use stolen password hashes to move laterally.
The threat actors also used privileged VMware accounts to reset account passwords for ESXi servers in the environment. They then used SSH to connect to accessible ESXi servers and deployed ransomware on those servers, according to the advisory.
Daixin Team also exfiltrated data from victim systems.
The advisory recommends patching VPN servers, remote-access software and virtual-machine software, and addressing the entries in CISA's known-exploited vulnerabilities catalog. It also recommends locking down RDP and turning off SSH, as well as Telnet, Winbox and HTTP, on wide-area-network interfaces; where these must remain enabled, they should be secured with strong passwords and encryption. Organizations should also require MFA for as many services as possible.
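The attack chain above (a password-only login to a legacy VPN server, followed by SSH into ESXi hosts) is something a defender can correlate in logs. The following detection is an added example, not code from the advisory or from any vendor; the key=value log format, field names and sample events are all constructed for illustration.

```python
"""Flag SSH logins to ESXi hosts that follow a successful VPN login made
without MFA from the same VPN-assigned client address (constructed example)."""
from datetime import datetime, timedelta

# Constructed sample events; the format and field names are assumptions.
SAMPLE_LOGS = """\
2022-10-01T02:14:05Z vpn user=jsmith result=success mfa=false client_ip=10.8.0.23 server=vpn-legacy01
2022-10-01T02:15:40Z vpn user=amiller result=success mfa=true client_ip=10.8.0.24 server=vpn01
2022-10-01T02:31:12Z esxi host=esx-03 event=ssh_login user=root src_ip=10.8.0.23 result=success
2022-10-01T05:02:00Z esxi host=esx-01 event=ssh_login user=root src_ip=10.8.0.24 result=success
2022-10-01T06:00:00Z esxi host=esx-02 event=ssh_login user=root src_ip=10.8.0.23 result=success
"""

WINDOW = timedelta(hours=1)  # how long a non-MFA VPN session stays "suspect"


def parse(line):
    """Turn one 'timestamp source k=v k=v ...' line into a dict."""
    ts, source, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for item in pairs:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def find_chains(text, window=WINDOW):
    """Return (vpn_user, vpn_server, esxi_host, ssh_time) for each ESXi SSH
    login that occurs within `window` of a non-MFA VPN login from the same IP."""
    events = sorted((parse(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    suspect = {}  # client_ip -> most recent successful non-MFA VPN login
    for e in events:
        if e["source"] == "vpn" and e.get("result") == "success":
            if e.get("mfa") == "false":
                suspect[e["client_ip"]] = e
            else:  # an MFA-backed login on the same address clears the suspicion
                suspect.pop(e["client_ip"], None)
        elif (e["source"] == "esxi" and e.get("event") == "ssh_login"
              and e.get("result") == "success"):
            v = suspect.get(e["src_ip"])
            if v and e["ts"] - v["ts"] <= window:
                alerts.append((v["user"], v["server"], e["host"], e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for user, server, host, when in find_chains(SAMPLE_LOGS):
        print(f"ALERT: non-MFA VPN user {user} via {server} reached ESXi {host} over SSH at {when}")
```

Only the first ESXi login is flagged: the MFA-backed session is cleared, and the 06:00 login falls outside the one-hour window.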
Because of its sensitive nature and the severity of any disruption, the healthcare industry is a prime target for ransomware groups. Data from the FBI's Internet Crime Complaint Center (IC3) indicate that the health sector accounts for 25% of ransomware complaints across all 16 critical infrastructure sectors.
According to IC3’s 2021 report, the healthcare sector accounted for 148 ransomware reports of a total of 649 – making it the largest source of complaints.
Story via ZDnet