Security alert - Daixin Team ransomware

CISA alert on the Daixin Team ransomware gang

Several US agencies, including CISA, have issued a security alert about a cybercriminal group called Daixin Team, which is behind a series of recent attacks. The gang favors targets in the healthcare sector and has already claimed several victims in the United States.

As a reminder, CISA (Cybersecurity & Infrastructure Security Agency) is the US government agency in charge of cybersecurity, the counterpart of ANSSI in France. The alert was issued jointly by CISA, the FBI and HHS (the Department of Health and Human Services).

Daixin Team is a ransomware group that practices double extortion: data is exfiltrated before it is encrypted, so the victim is pressured both by the outage and by the threat of publication. The advisory describes the group as follows: "Daixin Team is a ransomware and data extortion group that has targeted the hospital sector with ransomware and data extortion operations since at least June 2022."

Over the past four months the group has been linked to several attacks, including the one against OakBend Medical Center on 1 September 2022, during which the attackers exfiltrated 3.5 GB of data, said to correspond to around one million records containing patient and employee information.

Initial access is typically obtained through the victim's VPN. Either the attackers exploit a vulnerability in the VPN appliance (for example an unpatched firewall that also terminates VPN connections), or they obtain valid credentials through a phishing campaign. The advisory notes that, in one of the documented intrusions, multi-factor authentication (MFA) was not enabled on the VPN, so stolen credentials alone were enough to get in.

After gaining initial access, the attackers move laterally to other hosts on the compromised network over RDP and SSH. CISA explains: "Hackers exploited privileged accounts to access VMware vCenter Server and reset account passwords for ESXi servers in the environment. Hackers then used SSH to connect to accessible ESXi servers and deploy the ransomware to those servers." The ransomware used by Daixin Team is reportedly based on the leaked Babuk source code. It encrypts every file with a .vmdk, .vmem, .vswp, .vmsd, .vmx or .vmsn extension stored under /vmfs/volumes/, i.e. the virtual disks, memory and swap files and configuration of every VM on the host, which is enough to take down every guest on the hypervisor at once.
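Because the advisory spells out exactly which files under /vmfs/volumes/ the encryptor touches, a defender can baseline them and detect the moment they change. The script below is an added example (not code from the CISA advisory and not Daixin Team tooling): it inventories the files with the six listed extensions under a datastore root, stream-hashes them, writes a baseline on the first run and reports changed, added and missing files on later runs. The default root /vmfs/volumes is the mount point named in the text; the baseline filename and the case-insensitive extension match are my assumptions.

```python
"""Inventory and integrity-baseline the VM files a Daixin/Babuk-style ESXi
encryptor targets under a datastore root.

Added example, not code from the CISA advisory or from the attackers' tooling.
The extension list is the one the advisory gives; /vmfs/volumes is the ESXi
datastore mount point named in the text. Run once to write a baseline, run
again to see which VM files changed in between.
"""
import hashlib
import json
import os
import sys

# Extensions the advisory lists as encrypted under /vmfs/volumes/
TARGET_EXTENSIONS = {".vmdk", ".vmem", ".vswp", ".vmsd", ".vmx", ".vmsn"}
DEFAULT_ROOT = "/vmfs/volumes"
DEFAULT_BASELINE = "vmfs_baseline.json"  # assumed name, adjust to taste


def find_vm_files(root):
    """Return sorted paths under root whose extension is in TARGET_EXTENSIONS.

    Matching is case-insensitive (assumption: datastores are normally
    lower-case, but a defensive scan should not miss a .VMDK either).
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so multi-GB .vmdk files are never read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each targeted file to its SHA-256 and size."""
    return {p: {"sha256": sha256_file(p), "size": os.path.getsize(p)}
            for p in find_vm_files(root)}


def compare_baselines(old, new):
    """Classify files as changed, added or missing between two baselines.

    A burst of 'changed' .vmdk/.vmx files nobody touched, or files that went
    'missing' and reappeared under a new name, is the pattern to escalate.
    """
    changed = sorted(p for p in old
                     if p in new and old[p]["sha256"] != new[p]["sha256"])
    added = sorted(p for p in new if p not in old)
    missing = sorted(p for p in old if p not in new)
    return {"changed": changed, "added": added, "missing": missing}


def main(argv):
    root = argv[1] if len(argv) > 1 else DEFAULT_ROOT
    baseline_path = argv[2] if len(argv) > 2 else DEFAULT_BASELINE
    current = build_baseline(root)
    if os.path.exists(baseline_path):
        with open(baseline_path) as f:
            previous = json.load(f)
        print(json.dumps(compare_baselines(previous, current), indent=2))
    else:
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=2)
        print(f"baseline written: {len(current)} VM files under {root}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it from the ESXi shell (or over SSH from a management host with the datastore mounted) as `python3 vmfs_baseline.py /vmfs/volumes /path/to/baseline.json`. Keep the baseline off the hypervisor: if the ransomware can reach /vmfs/volumes/ it can delete a JSON file stored next to it. Running VMs legitimately rewrite .vswp and .vmem, so expect noise on those two extensions and treat unexplained changes to .vmdk and .vmx as the real signal.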

For exfiltration, the criminals use the open source tool Rclone. CISA states that the presence of Rclone on a server is an indicator of compromise. Rclone is a legitimate sync tool, so the useful check is whether it is present where it has no business being, such as on hypervisors, domain controllers and file servers, and which remote destinations its configuration points to.
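The following script is an added example of that check, not code from the CISA advisory and not something Daixin Team uses. It looks for an rclone binary on PATH or in directories you pass in, for an rclone.conf in rclone's default locations, and parses any config found to list the configured remotes, since a remote nobody set up tells you where the data went. The sample rclone.conf embedded in it is constructed (documentation IP address, placeholder credentials), and the set of config paths worth checking on your hosts is an assumption to adjust.

```python
"""Hunt for Rclone artifacts on a host.

Added example; not code from the CISA advisory and not Daixin Team tooling.
CISA treats the presence of Rclone as an indicator of compromise, so a
responder wants three answers fast: is an rclone binary present, is there an
rclone.conf, and which remotes does it define. The config paths below are
rclone's default locations; which ones matter on your hosts is an assumption.
"""
import configparser
import json
import os
import shutil
import sys

RCLONE_BINARY_NAMES = ("rclone", "rclone.exe")

# Constructed sample rclone.conf in the INI layout rclone writes. The host
# 203.0.113.10 is a documentation address; nothing here is from a real case.
SAMPLE_CONFIG = """\
[exfil-sftp]
type = sftp
host = 203.0.113.10
user = backup
pass = REDACTED

[exfil-bucket]
type = s3
provider = Other
access_key_id = AKIAEXAMPLE
"""


def default_config_candidates():
    """rclone.conf locations rclone looks in by default for the current user."""
    home = os.path.expanduser("~")
    candidates = [
        os.path.join(home, ".config", "rclone", "rclone.conf"),  # Linux, macOS
        os.path.join(home, ".rclone.conf"),                       # older rclone
    ]
    appdata = os.environ.get("APPDATA")
    if appdata:
        candidates.append(os.path.join(appdata, "rclone", "rclone.conf"))  # Windows
    return candidates


def find_rclone_binaries(extra_dirs=()):
    """Return rclone binaries found on PATH or directly inside extra_dirs."""
    hits = set()
    on_path = shutil.which("rclone")
    if on_path:
        hits.add(on_path)
    for directory in extra_dirs:
        for name in RCLONE_BINARY_NAMES:
            candidate = os.path.join(directory, name)
            if os.path.isfile(candidate):
                hits.add(candidate)
    return sorted(hits)


def parse_rclone_config(path):
    """Map remote name -> backend type from an rclone.conf.

    rclone.conf is INI-style; interpolation is disabled because tokens and
    obscured passwords routinely contain '%' characters.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    return {section: parser.get(section, "type", fallback="unknown")
            for section in parser.sections()}


def find_rclone_configs(candidates=None):
    """Return the candidate config paths that actually exist on disk."""
    paths = default_config_candidates() if candidates is None else candidates
    return [p for p in paths if os.path.isfile(p)]


def hunt(extra_dirs=(), config_candidates=None):
    """Collect every Rclone artifact into one report dict."""
    configs = find_rclone_configs(config_candidates)
    return {
        "binaries": find_rclone_binaries(extra_dirs),
        "configs": {path: parse_rclone_config(path) for path in configs},
    }


if __name__ == "__main__":
    # Extra directories to check can be passed on the command line, e.g. /tmp.
    print(json.dumps(hunt(extra_dirs=sys.argv[1:]), indent=2))
```

Run it per user, not just as root: rclone reads the config of whoever launches it, so an attacker operating from a stolen account will leave rclone.conf under that account's home or profile. An empty report does not clear the host either; a binary renamed to something innocuous or invoked with `--config` pointing at a custom path will not be found by this script, so pair it with process and network telemetry for the transfer itself.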

This alert from the US agencies shows that healthcare institutions are targeted by cybercriminals outside France as well. Let us hope Daixin Team does not have French organizations in its sights.
