FBI warning: This ransomware group is focusing on poorly protected VPN servers


The FBI and other agencies are warning of an increase in Daixin Team ransomware and data extortion attacks on healthcare providers.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) have issued a joint warning about Daixin Team activity against the healthcare and public health sector since June 2022.

The group has used ransomware to encrypt servers providing services for electronic health records, diagnostics, imaging, and intranet. They have also exfiltrated personally identifiable information and patient health information.

The agencies are warning health providers to secure VPN servers, as this is how the group gained access to earlier targets, including by exploiting an unpatched flaw in the victim's VPN server. In another confirmed case, the actors used previously compromised credentials to access a legacy VPN server where multi-factor authentication (MFA) was not enabled. The actors are believed to have acquired the VPN credentials via a phishing email with a malicious attachment.


After accessing the VPN, the group used the remote protocols SSH and RDP to move laterally, then sought privileged accounts through credential dumping and 'pass the hash', where attackers use stolen password hashes to move laterally.

The actors have also used privileged accounts to access VMware vCenter Server and reset account passwords for ESXi servers in the environment. They then use SSH to connect to accessible ESXi servers and deploy ransomware on those servers, according to the advisory.

The Daixin group also exfiltrated data from victim systems.

Among several mitigations, the advisory says organizations should prioritize patching VPN servers, remote-access software, virtual-machine software, and CISA's known-exploited vulnerabilities. It also recommends locking down RDP and turning off SSH, as well as Telnet, Winbox, and HTTP for wide-area networks, and securing them with strong passwords and encryption when enabled. Organizations should also require MFA for as many services as possible.
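As an added example (not code from the advisory or this article), the following Python audit walks a constructed host inventory and flags the exposures the mitigations above name: VPN servers that are unpatched or lack MFA, the advisory's list of remote-management services reachable from the WAN, and ESXi hosts with the SSH service enabled. The inventory, the `Host` record layout and the port numbers are assumptions.

```python
"""Exposure audit modelled on the Daixin Team advisory mitigations (constructed example)."""
from dataclasses import dataclass, field

# Services the advisory says to lock down or disable on WAN-facing interfaces.
# Port numbers are the usual defaults, assumed here for readable findings.
WAN_RISKY = {"ssh": 22, "rdp": 3389, "telnet": 23, "winbox": 8291, "http": 80}


@dataclass
class Host:
    name: str
    role: str                                   # "vpn", "esxi", "router", ...
    wan_services: set = field(default_factory=set)  # services reachable from the internet
    mfa: bool = True                            # MFA enforced for remote logins
    patched: bool = True                        # no known-exploited vulns outstanding
    ssh_enabled: bool = False                   # management SSH service state (ESXi)


def audit(hosts):
    """Return (host, finding) pairs for every mitigation gap in the inventory."""
    findings = []
    for h in hosts:
        # Remote-management services exposed on a WAN interface.
        for svc in sorted(h.wan_services & set(WAN_RISKY)):
            findings.append((h.name, f"{svc}/{WAN_RISKY[svc]} exposed to WAN"))
        # The two VPN conditions the advisory cites as initial access vectors.
        if h.role == "vpn":
            if not h.mfa:
                findings.append((h.name, "VPN without MFA"))
            if not h.patched:
                findings.append((h.name, "VPN unpatched"))
        # ESXi SSH was the path used to deploy ransomware on hypervisors.
        if h.role == "esxi" and h.ssh_enabled:
            findings.append((h.name, "ESXi SSH service enabled"))
    return findings


# Constructed inventory: one legacy VPN, one current VPN, a router, one ESXi host.
INVENTORY = [
    Host("vpn-legacy", "vpn", wan_services={"https"}, mfa=False, patched=False),
    Host("vpn-main", "vpn", wan_services={"https"}),
    Host("edge-router", "router", wan_services={"winbox", "ssh"}),
    Host("esxi-01", "esxi", ssh_enabled=True),
]

if __name__ == "__main__":
    for host, finding in audit(INVENTORY):
        print(f"{host}: {finding}")
```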

Because lives can depend on these systems, providers in the sector are routinely targeted by cyber criminals. The FBI's Internet Crime Complaint Center (IC3) data indicates the health sector accounts for 25% of ransomware complaints from victim reports across all 16 critical infrastructure sectors.

Also, in IC3's 2021 annual report, the HPH sector accounted for 148 ransomware reports. It was the largest source of ransomware complaints among the 649 ransomware reports made that year across 14 critical infrastructure sectors.
