Cyberattack group ‘Daixin Team’ takes aim at the Healthcare Industry

Several domestic intelligence services in the United States have stated that the Daixin Team ransomware and data extortion group is a threat to the healthcare sector. Among these bodies are the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA). The Daixin Team has carried out many attacks against the healthcare industry dating back to at least June of this year. The team has used ransomware specifically to encrypt servers that are crucial to the delivery of healthcare, including electronic health record (EHR) systems, diagnostic tools, and imaging services. Furthermore, the gang has a history of stealing protected health information (PHI) and holding it hostage.
In a CSA release detailing the matter, an advisory stated: “Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server [T1190]… The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment [T1598.002]”
Once they have gained access to the servers they compromise, Daixin actors can move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). The advisory noted that the Daixin Team’s malware is likely based on the Babuk Locker source code, and the full release includes examples of typical Daixin ransom notes alongside comprehensive indicators of compromise (IOCs). Following these attacks, CISA, the FBI, and HHS have advised the healthcare industry to act to prevent Daixin Team operations. The bodies believe healthcare entities should prioritize patching known vulnerabilities, VPN servers, remote access software, and virtual machine software. The federal bodies also encouraged the industry to protect and monitor RDP, and to mandate phishing-resistant multifactor authentication (MFA) for every service where it is feasible. The advice reminded healthcare businesses to secure PHI in accordance with HIPAA requirements alongside network segmentation and strict data access management procedures. Finally, the advisory provided in-depth instructions for anticipating, avoiding, and responding to ransomware incidents. This section mentions the requirement for healthcare entities to create user training programs, keep cyber incident response plans current, and ensure that all backup data is protected.
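The advisory's "protect and monitor RDP" recommendation, together with the note that Daixin actors move laterally over SSH and RDP, only becomes actionable as detection logic. The following is an added example, not code from the advisory, CISA, or the FBI: a small Python detector that runs over constructed authentication log lines and flags a single source host opening successful RDP or SSH sessions to several distinct servers within a short window, a fan-out pattern consistent with lateral movement. The log format, field names, hostnames, addresses, and thresholds are assumptions chosen for illustration and are not indicators from the advisory.

```python
"""Flag RDP/SSH fan-out from one source host in constructed auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). One event per line:
#   <ISO timestamp> <protocol> <source ip> <destination host> <user> <result>
# The first four lines model one host reaching four healthcare servers
# in a few minutes; the last two model a normal repeated user logon.
SAMPLE_LOG = """\
2022-10-01T02:14:05 rdp 10.0.5.17 ehr-db-01 svc_backup success
2022-10-01T02:15:11 rdp 10.0.5.17 pacs-01 svc_backup success
2022-10-01T02:16:40 ssh 10.0.5.17 img-srv-02 svc_backup success
2022-10-01T02:18:02 rdp 10.0.5.17 ehr-app-03 svc_backup success
2022-10-01T09:30:00 rdp 10.0.8.44 ehr-app-03 jdoe success
2022-10-01T09:31:00 rdp 10.0.8.44 ehr-app-03 jdoe success
"""

REMOTE_ACCESS_PROTOCOLS = {"rdp", "ssh"}


def parse_line(line):
    """Parse one whitespace-separated event line (assumed format) into a dict."""
    ts, proto, src, dst, user, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "proto": proto.lower(),
        "src": src,
        "dst": dst,
        "user": user,
        "result": result.lower(),
    }


def find_fanout(lines, window=timedelta(minutes=10), min_hosts=3):
    """Return one alert per source that reached >= min_hosts distinct
    servers over RDP/SSH within `window`. Only successful logons count:
    failed attempts are a different (brute-force) signal."""
    events = sorted(
        (parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"]
    )
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] in REMOTE_ACCESS_PROTOCOLS and e["result"] == "success":
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        # Sliding window anchored at each event; first hit wins for this source.
        for i, start in enumerate(evs):
            hosts = {ev["dst"] for ev in evs[i:] if ev["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "src": src,
                    "user": start["user"],
                    "hosts": sorted(hosts),
                    "first_seen": start["ts"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(SAMPLE_LOG.splitlines()):
        print(f"[fan-out] {alert['src']} as {alert['user']} reached "
              f"{len(alert['hosts'])} hosts from {alert['first_seen']}: "
              f"{', '.join(alert['hosts'])}")
```

Run as-is the script raises one alert for 10.0.5.17 and none for the repeated jdoe logon. In practice the thresholds should be tuned per environment (a known management jump host will legitimately fan out), and the same logic applies to Windows logon events of type 10 or sshd "Accepted" lines once they are normalised into the fields above.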