FBI warning: This ransomware group is targeting poorly protected VPN servers

Attackers are using VPN servers to gain access, and then SSH and RDP to spread through networks.

The FBI and other agencies are warning of a rise in Daixin Team ransomware and data extortion attacks on healthcare providers.  

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) has issued a joint warning about Daixin Team activity against the healthcare and public health sector since June 2022.  

The group has used ransomware to encrypt servers providing services for electronic health records, diagnostics, imaging, and intranet. They have also exfiltrated personal identifiable information and patient health information.

The agencies are warning health providers to secure VPN servers as this was how the group gained access to previous targets, including exploiting an unpatched flaw in the victim's VPN server. In another confirmed case, the actors used previously compromised credentials to access a legacy VPN server where multi-factor authentication (MFA) was not enabled. The actors are believed to have acquired the VPN credentials through a phishing email with a malicious attachment. 

After accessing the VPN, the group used remote protocols SSH and RDP to move laterally, then sought privileged accounts through credential dumping and 'pass the hash', where attackers use stolen password hashes to move laterally.      

The actors have also used privileged accounts to access VMware vCenter Server and reset account passwords for ESXi servers in the environment. Then they use SSH to connect to accessible ESXi servers and deploy ransomware on those servers, according to the advisory. 

The Daixin group also exfiltrated data from victim systems.

Among several mitigations, the advisory says organizations must prioritize patching VPN servers, remote-access software, virtual-machine software, and CISA's known-exploited vulnerabilities. It also recommends locking down RDP and turning off SSH, as well as Telnet, Winbox, and HTTP for wide-area networks, and securing them with strong passwords and encryption when enabled. Organizations should also require MFA for as many services as possible. 

Because lives can depend on these systems, providers in the sector are routinely targeted by cyber criminals. The FBI's Internet Crime Complaint Center (IC3) data indicates the health sector accounts for 25% of ransomware complaints of victim reports across all 16 critical infrastructure sectors. 

Also, in IC3's 2021 annual report, the HPH Sector accounted for 148 ransomware reports. It was the largest source of ransomware complaints within the 649 ransomware reports made that year across 14 critical infrastructure sectors.

Source: ZdNet