US advisory warns of Daixin hackers targeting healthcare sector with ransomware, data extortion operations

U.S. cybersecurity agencies and the Department of Health and Human Services (HHS) published a joint cybersecurity advisory (CSA) outlining threats from the Daixin cybercrime group. The group is actively targeting U.S. businesses, predominantly healthcare and public health (HPH) sector organizations, deploying ransomware and/or exfiltrating personal and patient information and threatening to release it if a ransom is not paid.

The advisory provides technical details and proposes actions to mitigate ransomware threats. It also lists recommended mitigations to protect against Daixin hackers and related malicious activity, including installing software updates, prioritizing patching of known exploited vulnerabilities, requiring multi-factor authentication (MFA), and securing and monitoring remote desktop protocol (RDP), if used.

The Daixin Team is a ransomware and data extortion group that has targeted the HPH sector with ransomware and data extortion operations since at least June this year, according to the advisory, released Friday by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and HHS.

Since then, Daixin Team hackers have caused ransomware incidents at multiple HPH sector organizations, deploying ransomware to encrypt servers responsible for healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services, and/or exfiltrating personally identifiable information (PII) and patient health information (PHI) and threatening to release the information if a ransom is not paid.

The advisory said that Daixin hackers have gained initial access to victims through virtual private network (VPN) servers. “In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server that did not have multi-factor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment.” 

After obtaining access to the victim’s VPN server, Daixin hackers move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP), the advisory revealed. “Daixin actors have sought to gain privileged account access through credential dumping and pass the hash. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware on those servers,” the advisory added.
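The vCenter-to-ESXi sequence described above (a password reset pushed through vCenter, followed shortly by an SSH login to the same ESXi host) is a pattern defenders can correlate. The following is an added example, not code from the advisory or the agencies; the log lines and their pipe-delimited format are constructed for illustration and do not reproduce the real vCenter or ESXi log syntax.

```python
"""Correlate constructed vCenter/ESXi events into the chain the advisory describes:
ESXi root password reset via vCenter -> SSH login to that ESXi host soon after."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified; NOT a real vCenter/ESXi log format).
# Fields: timestamp | source | event | host | account
SAMPLE_EVENTS = """\
2022-10-20T01:02:10 | vcenter | login          | vcsa.lab.example   | svc_backup
2022-10-20T01:05:44 | vcenter | reset_password | esxi01.lab.example | root
2022-10-20T01:07:02 | esxi    | ssh_enabled    | esxi01.lab.example | root
2022-10-20T01:09:30 | esxi    | ssh_login      | esxi01.lab.example | root
2022-10-20T03:15:00 | vcenter | reset_password | esxi02.lab.example | root
2022-10-21T09:00:00 | esxi    | ssh_login      | esxi02.lab.example | root
"""

# How long after a reset an SSH login is still treated as related (assumed tuning value).
WINDOW = timedelta(hours=1)


def parse(text):
    """Yield (timestamp, source, event, host, account) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, ev, host, acct = [f.strip() for f in line.split("|")]
        yield datetime.fromisoformat(ts), src, ev, host, acct


def find_reset_then_ssh(events, window=WINDOW):
    """Return (host, reset_time, ssh_time) for every ESXi host whose password was
    reset through vCenter and that then accepted an SSH login within `window`.
    A reset without a timely SSH login (esxi02 in the sample) is not reported."""
    resets = defaultdict(list)   # host -> list of reset timestamps seen so far
    hits = []
    for ts, src, ev, host, acct in sorted(events):  # chronological order
        if src == "vcenter" and ev == "reset_password":
            resets[host].append(ts)
        elif src == "esxi" and ev == "ssh_login":
            for reset_ts in resets[host]:
                if timedelta(0) <= ts - reset_ts <= window:
                    hits.append((host, reset_ts, ts))
                    break
    return hits


if __name__ == "__main__":
    for host, reset_ts, ssh_ts in find_reset_then_ssh(parse(SAMPLE_EVENTS)):
        print(f"ALERT {host}: password reset {reset_ts} -> SSH login {ssh_ts}")
```

In a real deployment the same correlation would run over forwarded vCenter event logs and ESXi auth logs, and the SSH-enabled event on a host that normally has SSH disabled is a useful second signal.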

Apart from deploying ransomware, Daixin hackers have exfiltrated data from victim systems. In one confirmed compromise, the actors used Rclone—an open-source program to manage files on cloud storage—to exfiltrate data to a dedicated virtual private server (VPS). In another compromise, the actors used Ngrok—a reverse proxy tool for proxying an internal service out onto a Ngrok domain—for data exfiltration, the advisory disclosed.

Cybercrime hackers have been found to routinely target HPH sector organizations with ransomware, the advisory said. “As of October 2022, per FBI Internet Crime Complaint Center (IC3) data, specifically victim reports across all 16 critical infrastructure sectors, the HPH Sector accounts for 25 percent of ransomware complaints.” According to an IC3 annual report in 2021, 649 ransomware reports were made across 14 critical infrastructure sectors, with the HPH sector accounting for the most reports at 148. 

In order to protect against Daixin and related malicious activity, the agencies urge HPH sector organizations to install updates for operating systems, software, and firmware as soon as they are released, and prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. Additionally, these organizations must consider leveraging a centralized patch management system to automate and expedite the process. They also must adopt phishing-resistant MFA for as many services as possible—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.

The advisory covering the Daixin hackers also called upon the sector to turn off SSH (Secure Shell) and other network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs), and to secure them with strong passwords and encryption when enabled. It also suggested implementing and enforcing multi-layer network segmentation, with the most critical communications and data resting on the most secure and reliable layer, while limiting access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system.

The advisory also recommends that the HPH sector maintain offline backups of data, and regularly test backup and restoration. Additionally, organizations must create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident.

To mitigate and prevent ransomware, the cybersecurity advisory covering the Daixin hackers suggests that organizations in the HPH sector restrict the Server Message Block (SMB) protocol within the network to only the servers that need it and remove or disable outdated versions of SMB; review the security posture of third-party vendors and those interconnected with the organization; ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity; and implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs.

The advisory also suggests opening document readers in protected viewing modes to help prevent active content from running and implementing user training programs and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. It also suggests reinforcing the appropriate user response to phishing and spearphishing emails.

The U.S. administration has confirmed that the communications, water, and healthcare sectors are looking at new cybersecurity standards. The CISA said last week that it will focus on water, education, and health sectors over the next year, as the cybersecurity agency plans to concentrate more of its attention on critical infrastructure sectors that adversaries target due to the essential services they provide but which don’t have the assets to defend themselves.

Earlier this month, the Biden-Harris administration announced a ‘relentless focus’ on improving the nation’s cyber defenses, building a comprehensive approach to ‘lock our digital doors’ and carry out aggressive action to strengthen and safeguard its cybersecurity.
