The FBI and other agencies are warning of a rise in Daixin Team ransomware and data extortion attacks on healthcare providers.  

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) has issued a joint warning about Daixin Team activity against the healthcare and public health sector since June 2022.  

The group has used ransomware to encrypt servers providing services for electronic health records, diagnostics, imaging, and intranet. They have also exfiltrated personal identifiable information and patient health information. 

Privacy

• How to delete yourself from internet search results and hide your identity online
• The best browsers for privacy
• Samsung's smartphone 'Repair Mode' stops technicians from viewing your photos
• Are period tracking apps safe?

The agencies are warning health providers to secure VPN servers as this was how the group gained access to previous targets, including exploiting an unpatched flaw in the victim's VPN server. In another confirmed case, the actors used previously compromised credentials to access a legacy VPN server where multi-factor authentication (MFA) was not enabled. The actors are believed to have acquired the VPN credentials through a phishing email with a malicious attachment. 

Also:Ransomware: Why it's still a big threat, and where the gangs are going next

After accessing the VPN, the group used remote protocols SSH and RDP to move laterally, then sought privileged accounts through credential dumping and 'pass the hash', where attackers use stolen password hashes to move laterally.      

The actors have also used privileged accounts to access VMware vCenter Server and reset account passwords for ESXi servers in the environment. Then they use SSH to connect to accessible ESXi servers and deploy ransomware on those servers, according to the advisory. 

The Daixin group also exfiltrated data from victim systems.

Among several mitigations, the advisory says organizations must prioritize patching VPN servers, remote-access software, virtual-machine software, and CISA's known-exploited vulnerabilities. It also recommends locking down RDP and turning off SSH, as well as Telnet, Winbox, and HTTP for wide-area networks, and securing them with strong passwords and encryption when enabled. Organizations should also require MFA for as many services as possible. 

Because lives can depend on these systems, providers in the sector are routinely targeted by cyber criminals. The FBI's Internet Crime Complaint Center (IC3) data indicates the health sector accounts for 25% of ransomware complaints of victim reports across all 16 critical infrastructure sectors. 

Also, in IC3's 2021 annual report, the HPH Sector accounted for 148 ransomware reports. It was the largest source of ransomware complaints within the 649 ransomware reports made that year across 14 critical infrastructure sectors.

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next