Cybersecurity Alert: Daixin Team Targets U.S. Healthcare Sector with Ransomware Attacks
Recent warnings from U.S. cybersecurity and intelligence agencies have highlighted alarming activities linked to a cybercriminal group known as the Daixin Team. This group, specializing in ransomware and data extortion, has zeroed in on the healthcare sector since at least June 2022. The announcement was jointly issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).
The advisory reveals that the Daixin Team has been involved in multiple ransomware incidents over the past four months, affecting numerous organizations within the Healthcare and Public Health (HPH) sector. Their tactics include encrypting servers associated with electronic health records and vital medical diagnostic services. In addition, they have employed double extortion strategies: exfiltrating personally identifiable information (PII) and patient health information (PHI) before encryption and threatening to publish it in order to pressure victims into paying the ransom.
A notable incident occurred on September 1, 2022, when the Daixin Team launched an attack against OakBend Medical Center. The group claimed to have stolen approximately 3.5GB of sensitive data, including over one million records containing patient and employee details. The breach included names, genders, dates of birth, Social Security numbers, and appointment specifics, which were later posted on their data leak site, as reported by DataBreaches.net.
Following the breach, OakBend Medical Center alerted its affected customers, stating that third-party entities had been sending emails regarding the cyber incident. The facility also committed to informing impacted patients directly and offered complimentary credit monitoring services for a period of 18 months.
The attackers have been noted for their initial access methods, often exploiting unpatched vulnerabilities and compromised credentials gained through phishing schemes. Once inside the targeted networks, the Daixin Team moves laterally using remote desktop protocol (RDP) and secure shell (SSH) connections. They have used privileged accounts to access VMware vCenter Server, which allowed them to reset passwords and deploy ransomware across every server reachable from it.
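The sequence described above, an account logging on to several hosts over RDP/SSH and then performing a vCenter password reset, is a pattern a defender can hunt for in normalized logs. The following is an added example, not code from the advisory or this article; the event format, account names and host names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): normalized records as a SIEM
# might produce them from Windows RDP logons, Linux sshd and vCenter audit logs.
EVENTS = [
    {"ts": "2022-09-01T01:02:00", "user": "svc_backup", "src": "10.0.1.15",
     "dst": "srv-ehr-01", "type": "rdp_logon"},
    {"ts": "2022-09-01T01:05:00", "user": "svc_backup", "src": "10.0.1.15",
     "dst": "srv-ehr-02", "type": "rdp_logon"},
    {"ts": "2022-09-01T01:09:00", "user": "svc_backup", "src": "10.0.1.15",
     "dst": "esx-03", "type": "ssh_logon"},
    {"ts": "2022-09-01T01:20:00", "user": "svc_backup", "src": "10.0.1.15",
     "dst": "vcenter", "type": "vcenter_password_reset", "target": "root@esx-03"},
    # Benign activity: one RDP session, no password reset -> no alert.
    {"ts": "2022-09-01T09:00:00", "user": "jdoe", "src": "10.0.5.2",
     "dst": "srv-file-01", "type": "rdp_logon"},
]

LATERAL_TYPES = {"rdp_logon", "ssh_logon"}


def detect_lateral_then_reset(events, window=timedelta(hours=1), min_hosts=3):
    """Return one alert per vCenter password reset whose actor logged on to at
    least `min_hosts` distinct hosts over RDP/SSH within `window` before it."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        logons = []  # (timestamp, destination host) seen so far for this account
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            if ev["type"] in LATERAL_TYPES:
                logons.append((t, ev["dst"]))
            elif ev["type"] == "vcenter_password_reset":
                recent_hosts = {h for lt, h in logons if t - lt <= window}
                if len(recent_hosts) >= min_hosts:
                    alerts.append({"user": user, "src": ev["src"],
                                   "reset_at": ev["ts"], "target": ev.get("target"),
                                   "hosts": sorted(recent_hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_then_reset(EVENTS):
        print(f"ALERT {alert['user']} from {alert['src']} touched "
              f"{alert['hosts']} then reset {alert['target']} at {alert['reset_at']}")
```

Thresholds such as the one-hour window and three-host minimum are starting points; tune them against the baseline of legitimate administrative activity in your own environment.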
The ransomware employed by the Daixin Team is derived from a strain known as Babuk, which surfaced in September 2021. This ransomware has served as a blueprint for various malware families, including Rook and Night Sky, illustrating an evolving threat landscape in the cybersecurity domain.
To fortify against such attacks, organizations are advised to apply the latest software updates, enforce multi-factor authentication, implement network segmentation strategies, and maintain rigorous offline backup practices. The tactical methods employed by the Daixin Team align with several phases of the MITRE ATT&CK framework, particularly those involving initial access, privilege escalation, and lateral movement—a clear reminder of the persistent and evolving risks businesses in the healthcare sector face today.
The need for vigilance is paramount as the Daixin Team continues to exploit vulnerabilities within the healthcare infrastructure. Business owners are urged to stay informed and proactive in enhancing their cybersecurity posture amid these rising threats.
