The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are warning healthcare organizations about the “Daixin Team,” a cybercrime crew targeting U.S. businesses in the healthcare sector with ransomware and data extortion campaigns since June 2022.
In a joint advisory, the federal agencies also provided tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) on the Daixin actors obtained from FBI threat response activities and third-party reporting.
Healthcare Sector Favored Targets
The Daixin Team cybercrime actors have caused ransomware incidents at multiple healthcare sector organizations, including:
- Deployed ransomware to encrypt servers responsible for healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services
- Exfiltrated personally identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid
- Gained initial access to victims through virtual private network (VPN) servers
In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment.
Ransomware Based on Babuk Locker
The Daixin Team’s ransomware is based on leaked Babuk Locker source code. In addition to deploying ransomware, Daixin actors have exfiltrated data from victim systems.
The FBI, CISA, and HHS urge healthcare sector organizations to implement the following to protect against Daixin and related malicious activity:
- Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities.
- Require phishing-resistant MFA for as many services as possible, particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
- If you use Remote Desktop Protocol (RDP), secure and monitor it.
- Turn off SSH and other network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
- Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
- Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, and to ensure data packets are not manipulated in transit by man-in-the-middle attacks.
- Use standard user accounts on internal systems instead of administrative accounts, which grant broad, system-wide privileges and do not enforce least privilege.
- Secure PII/PHI at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security.
- Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
- Protect stored data by masking the permanent account number when it is displayed and rendering it unreadable when it is stored.
- Secure the collection, storage, and processing practices for PII and PHI, per regulations such as HIPAA. Implementing HIPAA security measures can prevent the introduction of malware on the system.
- Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
- Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
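The mitigation list above maps naturally onto a set of checks a defender can run against an asset inventory: VPN and RDP exposed without phishing-resistant MFA, management interfaces such as Telnet or Winbox reachable from the WAN, unpatched internet-facing services, and PII/PHI stores that are not encrypted at rest or not behind a firewall. The following Python script is an added example and is not part of the advisory or the article; the inventory, host names and field names (`wan_exposed`, `mfa`, `patched`, `monitored`, `phi`, `encrypted_at_rest`, `firewalled`) are constructed for illustration, and the set of methods treated as phishing-resistant is an assumption.

```python
"""Audit a constructed asset inventory against the advisory's mitigations.

Added example (not from the advisory). Field names and sample hosts are
hypothetical; adapt them to whatever your CMDB or scanner actually exports.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Assumption: these MFA methods are treated as phishing-resistant; TOTP/SMS are not.
PHISHING_RESISTANT = {"fido2", "piv", "webauthn"}
# Management interfaces the advisory says should not be reachable from the WAN.
MGMT_SERVICES = {"ssh", "telnet", "winbox", "http"}
# Remote-access services that must require phishing-resistant MFA.
MFA_REQUIRED_SERVICES = {"vpn", "rdp", "webmail"}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str  # "high" or "medium"
    rule: str
    detail: str


# Constructed sample inventory: hypothetical hosts, not a real network.
SAMPLE_INVENTORY: List[Dict[str, Any]] = [
    {"host": "vpn-legacy.example.internal", "service": "vpn", "wan_exposed": True,
     "mfa": False, "patched": False},
    {"host": "vpn-main.example.internal", "service": "vpn", "wan_exposed": True,
     "mfa": "fido2", "patched": True},
    {"host": "mail.example.internal", "service": "webmail", "wan_exposed": True,
     "mfa": "totp", "patched": True},
    {"host": "jump01.example.internal", "service": "rdp", "wan_exposed": True,
     "mfa": "fido2", "patched": True, "monitored": False},
    {"host": "core-sw.example.internal", "service": "telnet", "wan_exposed": True,
     "patched": True},
    {"host": "ehr-db.example.internal", "service": "database", "wan_exposed": False,
     "phi": True, "encrypted_at_rest": False, "firewalled": True},
    {"host": "img-store.example.internal", "service": "database", "wan_exposed": False,
     "phi": True, "encrypted_at_rest": True, "firewalled": True},
]


def audit_asset(asset: Dict[str, Any]) -> List[Finding]:
    """Apply the advisory-derived rules to one asset and return its findings."""
    findings: List[Finding] = []
    host, svc = asset["host"], asset["service"]
    exposed = bool(asset.get("wan_exposed", False))
    mfa = asset.get("mfa", False)  # False (none) or the name of the method

    # Patch internet-facing services first (VPN, remote access, known exploited bugs).
    if exposed and not asset.get("patched", True):
        findings.append(Finding(host, "high", "unpatched-exposed",
                                f"{svc} reachable from WAN with pending security updates"))
    # Phishing-resistant MFA for VPNs, webmail and remote access.
    if svc in MFA_REQUIRED_SERVICES:
        if not mfa:
            findings.append(Finding(host, "high", "no-mfa",
                                    f"{svc} accepts password-only logins"))
        elif mfa not in PHISHING_RESISTANT:
            findings.append(Finding(host, "medium", "weak-mfa",
                                    f"{svc} uses {mfa}, which is not phishing-resistant"))
    # SSH/Telnet/Winbox/HTTP device management must not face the WAN.
    if svc in MGMT_SERVICES and exposed:
        findings.append(Finding(host, "high", "mgmt-on-wan",
                                f"{svc} management interface reachable from WAN"))
    # RDP that is exposed must at least be monitored.
    if svc == "rdp" and exposed and not asset.get("monitored", False):
        findings.append(Finding(host, "medium", "rdp-unmonitored",
                                "RDP reachable from WAN without session monitoring"))
    # PII/PHI stores: encrypted at rest and behind a firewall.
    if asset.get("phi"):
        if not asset.get("encrypted_at_rest", False):
            findings.append(Finding(host, "high", "phi-cleartext",
                                    "PII/PHI store is not encrypted at rest"))
        if not asset.get("firewalled", False):
            findings.append(Finding(host, "high", "phi-unfirewalled",
                                    "PII/PHI store is not behind a firewall"))
    return findings


def audit(inventory: List[Dict[str, Any]]) -> List[Finding]:
    """Run audit_asset over every asset in the inventory."""
    return [f for asset in inventory for f in audit_asset(asset)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in sorted(results, key=lambda x: (x.severity, x.host)):
        print(f"[{f.severity.upper():6}] {f.host}: {f.rule}: {f.detail}")
    print("summary:", summarize(results))
```

Each rule is deliberately a plain predicate over inventory fields so that the mapping back to the advisory item it implements stays obvious; the legacy VPN host in the sample trips two rules at once (no MFA and unpatched), which is the combination the advisory describes for one of the confirmed compromises.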