Alert: This ransomware preys on healthcare orgs via weak-ass VPN servers

Federal agencies are warning of a threat group called Daixin Team that is using ransomware and data extortion tactics to target US healthcare organizations.

In a recent advisory, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Department of Health and Human Services (HHS) said the group has attacked multiple entities since at least June, deploying ransomware to encrypt data on servers used for a range of services, including electronic health records (EHRs), diagnostic, imaging, and intranet services.

Daixin Team also has exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release it if the demanded amount isn't paid.

The threat group gains initial access through VPN servers, the agencies wrote.

"In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization's VPN server. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled."

The Daixin Team acquired the VPN credentials through a phishing email that included a malicious attachment. Once in the VPN server, the cybercriminals move laterally through the network via Secure Shell (SSH) and Remote Desktop Protocol (RDP) and have tried to get privileged account access through credential dumping and pass-the-hash tactics.

The privileged accounts allowed the attackers to get into VMware vCenter Servers to reset account passwords for ESXi servers and then deploy ransomware on them, according to the agencies.

They noted that third-party reports link Daixin Team's ransomware with source code of the Babuk Locker malware that was leaked last year.

"In addition to deploying ransomware, Daixin actors have exfiltrated data from victim systems," they wrote. "In one confirmed compromise, the actors used Rclone – an open source program to manage files on cloud storage – to exfiltrate data to a dedicated virtual private server (VPS). In another compromise, the actors used Ngrok – a reverse proxy tool for proxying an internal service out onto an Ngrok domain – for data exfiltration."

Healthcare facilities have become a favorite public sector target of ransomware and extortion operators, which isn't surprising given the amount of sensitive data they hold, the number of connected devices they operate, and the fact that disruption to critical care could pressure organizations to pay the ransom. According to cybersecurity firm Emsisoft, at least 68 healthcare providers that between them operate 1,203 sites were affected by ransomware in 2021.

• Could you not? BlackByte ransomware slinger twists the knife with data stealer
• Good news, URSNIF no longer a banking trojan. Bad news, it's now a backdoor
• Health insurer's infosec incident diagnosis goes from 'take a chill pill' to emergency ward
• Millennials, Gen Z actually suck at workplace security

One of those victims was Scripps Health, which runs five hospitals among the 24 locations they operate. The organization said the attack could cost them as much as $112.7 million.

Risk and financial advisory company Kroll said that in the second quarter of this year, healthcare overtook professional services as the top sector targeted by cyberattacks, of which 33 percent were ransomware operations. It also was common to see double-extortion attacks.

In the first quarter, healthcare accounted for 11 percent of cyberattacks, according to Kroll. That jumped to 21 percent the next quarter.

Darren Williams, founder and CEO of Blackfog, told The Register that healthcare is consistently in the top three of targeted sectors by ransomware operators.

"Unfortunately, the sector is often a soft target as they have lower levels of protection in place and a general lack of cybersecurity investment," said Williams, whose company protects against ransomware and data exfiltration.

"We know that virtually all ransomware attacks now focus on data exfiltration. The problem we have is that organizations continue to rely on existing defensive technologies that simply aren't up to the job of preventing these attacks."

HHS warned in an advisory earlier this year that the Hive ransomware group also was targeting healthcare facilities.

One hit this year was OakBend Medical Center in Texas. Daixin Team took credit for the September 1 attack, which led to the shutdown of the medical center's communications and IT systems.

The attackers also exfiltrated internal data, saying they stole more than a million records that included names, dates of birth, Social Security numbers, and information on patient treatment. Daixin Team threatened to leak the information if the ransom wasn't paid.

In an update on October 11, OakBend wrote that some patients have said they are being contacted via email by "third parties" about the cyberattack and cautioned that all information and updates about the situation is coming from the organization on its website or direct mail. It added that there is still an ongoing investigation to determine which data was compromised.

The federal agencies laid out steps for mitigating attacks by Daixin Team including keeping operating systems, software, and firmware updated, requiring MFA as much as possible, securing and monitoring RDP, turning off SSH, and implementing network segmentation. ®