Actions to take today to mitigate cyber threats from ransomware:
**Note:** This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the "Daixin Team," a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.
This joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party reporting.
Download the PDF version of this report:
Stopransomware Daixin Team (PDF, 560.58 KB)
Download the IOCs:
AA22-294A STIX (XML, 23.22 KB)
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Cybercrime actors routinely target HPH Sector organizations with ransomware:
The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have:
Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization's VPN server [T1190]. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [T1078] that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment [T1598.002].
After obtaining access to the victim's VPN server, Daixin actors move laterally via Secure Shell (SSH) [T1563.001] and Remote Desktop Protocol (RDP) [T1563.002]. Daixin actors have sought to gain privileged account access through credential dumping [T1003] and pass the hash [T1550.002]. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords [T1098] for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [T1486] on those servers.
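The last two steps of the chain above (a password reset pushed to an ESXi host, then an SSH login to that host) leave a recognisable trace in host logs. The following is an added detection example written for this page, not code from the advisory or from any of the agencies named in it. The log lines are constructed to resemble ESXi sshd and hostd entries; a real deployment must adapt the two regular expressions to the syslog format actually shipped by the hosts. The jump-host allowlist address and the 30-minute correlation window are assumptions.

```python
"""Added example (not from the advisory): flag the password-reset-then-SSH
step of the Daixin ESXi chain in host logs.  Log lines below are constructed
to resemble ESXi /var/log/auth.log sshd entries and hostd user-management
events; they are not captured from a real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: interactive SSH to ESXi is only expected from this jump host.
SSH_ALLOWLIST = {"10.10.5.20"}

# Constructed sample: esx01 gets a root password change from 10.10.7.200 and
# an SSH login from the same address minutes later; esx03 is reached next.
SAMPLE_LOG = """\
2022-10-20T02:11:05Z esx01 hostd[2100]: Event: User root@10.10.7.200 changed password for user root on host esx01
2022-10-20T02:14:32Z esx01 sshd[2201]: Accepted password for root from 10.10.7.200 port 51212 ssh2
2022-10-20T02:15:01Z esx02 sshd[3117]: Accepted publickey for root from 10.10.5.20 port 40022 ssh2
2022-10-20T02:16:48Z esx03 sshd[4410]: Accepted password for root from 10.10.7.200 port 51300 ssh2
2022-10-20T02:20:00Z esx02 sshd[3118]: Failed password for root from 10.10.7.201 port 40040 ssh2
"""

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>[\d.]+)")
PWRESET_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) hostd\[\d+\]: .*changed password for user "
    r"(?P<user>\S+) on host (?P<target>\S+)")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze(log_text, allowlist=SSH_ALLOWLIST, window=timedelta(minutes=30)):
    """Return a list of (severity, host, description) findings.

    medium: successful SSH to an ESXi host from a non-allowlisted source.
    high:   SSH login as an account whose password was reset on that host
            within `window`, or one source opening SSH to several hosts.
    """
    findings = []
    resets = defaultdict(list)   # host -> [(timestamp, account)]
    logins = []                  # (timestamp, host, user, src, method)
    for line in log_text.splitlines():
        m = PWRESET_RE.match(line)
        if m:
            resets[m["target"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = SSH_RE.match(line)
        if m:
            logins.append((parse_ts(m["ts"]), m["host"], m["user"],
                           m["src"], m["method"]))

    for ts, host, user, src, method in logins:
        if src not in allowlist:
            findings.append(("medium", host,
                             f"SSH login as {user} from non-allowlisted {src} ({method})"))
        for reset_ts, reset_user in resets.get(host, []):
            if reset_user == user and timedelta(0) <= ts - reset_ts <= window:
                delta = int((ts - reset_ts).total_seconds())
                findings.append(("high", host,
                                 f"SSH login as {user} from {src} {delta}s after password reset"))

    # Fan-out: the same non-allowlisted source reaching several ESXi hosts.
    hosts_by_src = defaultdict(set)
    for _ts, host, _user, src, _method in logins:
        hosts_by_src[src].add(host)
    for src, hosts in hosts_by_src.items():
        if src not in allowlist and len(hosts) > 1:
            findings.append(("high", ",".join(sorted(hosts)),
                             f"{src} opened SSH sessions to {len(hosts)} ESXi hosts"))
    return findings


if __name__ == "__main__":
    for severity, host, text in analyze(SAMPLE_LOG):
        print(f"[{severity}] {host}: {text}")
```

On the constructed input this yields two medium findings (esx01 and esx03 reached from an address outside the allowlist) and two high findings (the esx01 login 207 seconds after the root password reset, and the same source fanning out to two hosts). Ngrok-style reverse tunnels and Rclone transfers, covered later in the advisory, would need separate network-side logic.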
According to third-party reporting, the Daixin Team's ransomware is based on leaked Babuk Locker source code. This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/. See Figure 1 for the targeted file system path and Figure 2 for the targeted file extensions list. Figure 3 and Figure 4 include examples of ransom notes. Note that in the Figure 3 ransom note, Daixin actors misspell "Daixin" as "Daxin."
Figure 1: Daixin Team – Ransomware Targeted File Path
Figure 2: Daixin Team – Ransomware Targeted File Extensions
Figure 3: Example 1 of Daixin Team Ransomware Note
Figure 4: Example 2 of Daixin Team Ransomware Note
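The targeting rule above (everything under /vmfs/volumes/ carrying one of six extensions) can be turned into an exposure inventory and a stray-file check. The script below is an added example written for this page, not the advisory's or the ransomware's code. It builds a small fake datastore tree with tempfile (constructed data) so it runs offline; on a real host point `inventory()` at /vmfs/volumes. The placeholder note file name is an assumption, since the advisory gives the note's location but not its name, and the check relies on the assumption that a healthy /vmfs/volumes holds only datastore directories and their name symlinks, never loose regular files.

```python
"""Added example (not from the advisory): list what the Daixin/Babuk ESXi
encryptor would reach under a datastore root, and flag loose files at the
level where the advisory says the ransom note is written."""
import os
from collections import defaultdict
from pathlib import Path

# Extensions the advisory lists as targeted under /vmfs/volumes/.
TARGETED_EXT = {".vmdk", ".vmem", ".vswp", ".vmsd", ".vmx", ".vmsn"}


def inventory(root):
    """Return ({vm_dir: (file_count, total_bytes)}, [stray file paths]).

    vm_dir groups targeted files by their parent directory; stray files are
    regular files sitting directly in `root` (i.e. /vmfs/volumes) or directly
    in a datastore directory, where no VM artifact normally lives.
    """
    root = Path(root)
    per_vm = defaultdict(lambda: [0, 0])
    stray = []
    for entry in root.iterdir():
        if entry.is_file():
            stray.append(str(entry))
    for ds in (e for e in root.iterdir() if e.is_dir() and not e.is_symlink()):
        for entry in ds.iterdir():
            if entry.is_file():
                stray.append(str(entry))
        for dirpath, _dirs, files in os.walk(ds):
            for name in files:
                path = Path(dirpath) / name
                if path.suffix.lower() in TARGETED_EXT:
                    rec = per_vm[str(path.parent)]
                    rec[0] += 1
                    rec[1] += path.stat().st_size
    return {k: tuple(v) for k, v in per_vm.items()}, sorted(stray)


def build_sample_tree(base):
    """Constructed datastore layout for demonstration only."""
    ds = Path(base) / "datastore1"
    vm = ds / "web01"
    vm.mkdir(parents=True)
    # Typical VM directory contents; sizes are placeholders.
    for name, size in [("web01.vmx", 3000), ("web01.vmdk", 600),
                       ("web01-flat.vmdk", 1 << 20), ("web01.vmsd", 0),
                       ("web01.nvram", 8684), ("vmware.log", 2048)]:
        (vm / name).write_bytes(b"\0" * size)
    # Assumed placeholder for the ransom note; the real name is not given.
    (ds / "note.txt").write_text("constructed placeholder ransom note\n")
    return base


if __name__ == "__main__":
    import sys
    import tempfile
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    per_vm, stray = inventory(target)
    for vm_dir, (count, size) in sorted(per_vm.items()):
        print(f"{vm_dir}: {count} targeted files, {size} bytes")
    for path in stray:
        print(f"STRAY FILE: {path}")
```

On the constructed tree the VM directory reports four targeted files (the .vmx, both .vmdk descriptors and the .vmsd; .nvram and vmware.log are outside the rule) and the loose note.txt in the datastore root is flagged.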
In addition to deploying ransomware, Daixin actors have exfiltrated data [TA0010] from victim systems. In one confirmed compromise, the actors used Rclone, an open-source program to manage files on cloud storage, to exfiltrate data to a dedicated virtual private server (VPS). In another compromise, the actors used Ngrok, a reverse proxy tool for proxying an internal service out onto an Ngrok domain, for data exfiltration [T1567].
See Table 1 for all referenced threat actor tactics and techniques included in this advisory.
Table 1: Daixin Actors' ATT&CK Techniques for Enterprise

**Reconnaissance**

| Technique Title | ID | Use |
|---|---|---|
| Phishing for Information: Spearphishing Attachment | T1598.002 | Daixin actors have acquired the VPN credentials (later used for initial access) by a phishing email with a malicious attachment. |

**Initial Access**

| Technique Title | ID | Use |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Daixin actors exploited an unpatched vulnerability in a VPN server to gain initial access to a network. |
| Valid Accounts | T1078 | Daixin actors use previously compromised credentials to access servers on the target network. |

**Persistence**

| Technique Title | ID | Use |
|---|---|---|
| Account Manipulation | T1098 | Daixin actors have leveraged privileged accounts to reset account passwords for VMware ESXi servers in the compromised environment. |

**Credential Access**

| Technique Title | ID | Use |
|---|---|---|
| OS Credential Dumping | T1003 | Daixin actors have sought to gain privileged account access through credential dumping. |

**Lateral Movement**

| Technique Title | ID | Use |
|---|---|---|
| Remote Service Session Hijacking: SSH Hijacking | T1563.001 | Daixin actors use SSH and RDP to move laterally across a network. |
| Remote Service Session Hijacking: RDP Hijacking | T1563.002 | Daixin actors use RDP to move laterally across a network. |
| Use Alternate Authentication Material: Pass the Hash | T1550.002 | Daixin actors have sought to gain privileged account access through pass the hash. |

**Exfiltration**

| Technique Title | ID | Use |
|---|---|---|
| Exfiltration Over Web Service | T1567 | Daixin Team members have used Ngrok for data exfiltration over a web service. |

**Impact**

| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | T1486 | Daixin actors have encrypted data on target systems or on large numbers of systems in a network to interrupt the availability of system and network resources. |
See Table 2 for IOCs obtained from third-party reporting.
Table 2: Daixin Team IOCs – Rclone Associated SHA256 Hashes

| File | SHA256 |
|---|---|
| rclone-v1.59.2-windows-amd64\git-log.txt | 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238 |
| rclone-v1.59.2-windows-amd64\rclone.1 | 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD |
| rclone-v1.59.2-windows-amd64\rclone.exe | 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939 |
| rclone-v1.59.2-windows-amd64\README.html | EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF |
| rclone-v1.59.2-windows-amd64\README.txt | 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28 |
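A hash-based sweep is the direct use of Table 2. The scanner below is an added example written for this page, not code from the advisory; the only data it takes from the advisory is the hash list, and the sentinel file used to exercise it is constructed. The file names in Table 2 follow the layout of the stock rclone v1.59.2 Windows release, so a hit shows that rclone is present on the host, a legitimate tool that staff may also use; treat a match as a lead and establish who staged the binary and what remote it was configured to talk to rather than as proof of compromise on its own.

```python
"""Added example (not part of the advisory): walk a directory tree, hash
every regular file with SHA-256 and report matches against the Table 2
IOCs.  Run as `python scan.py <root>`; defaults to the current directory."""
import hashlib
import os
from pathlib import Path

# SHA-256 IOCs from Table 2 (lower-cased; comparison is case-insensitive).
DAIXIN_RCLONE_SHA256 = {
    "9e42e07073e03bdea4cd978d9e7b44a9574972818593306be1f3dcfdee722238":
        r"rclone-v1.59.2-windows-amd64\git-log.txt",
    "19ed36f063221e161d740651e6578d50e0d3cacee89d27a6ebed4ab4272585bd":
        r"rclone-v1.59.2-windows-amd64\rclone.1",
    "54e3b5a2521a84741dc15810e6fed9d739eb8083cb1fe097cb98b345af24e939":
        r"rclone-v1.59.2-windows-amd64\rclone.exe",
    "ec16e2de3a55772f5dfac8bf8f5a365600fad40a244a574cbab987515aa40cbf":
        r"rclone-v1.59.2-windows-amd64\README.html",
    "475d6e80cf4ef70926a65df5551f59e35b71a0e92f0fe4dd28559a9deba60c28":
        r"rclone-v1.59.2-windows-amd64\README.txt",
}


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs=DAIXIN_RCLONE_SHA256):
    """Return [(path, sha256, ioc_label)] for files whose hash is in `iocs`.

    Symlinks are skipped so a loop cannot send the walk outside `root`;
    unreadable files are skipped rather than aborting the sweep.
    """
    wanted = {k.lower(): v for k, v in iocs.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_of(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((str(path), digest, wanted[digest]))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, label in scan_tree(target):
        print(f"MATCH {path} {digest} ({label})")
```

Because the hashes pin exact release files, a renamed rclone.exe still matches while a different rclone build does not; pair the sweep with a search for the file names in Table 2 and for rclone configuration files if you need broader coverage.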
FBI, CISA, and HHS urge HPH Sector organizations to implement the following to protect against Daixin and related malicious activity:
If a ransomware incident occurs at your organization:
**Note:** FBI, CISA, and HHS strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Daixin Group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Regardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at cisa.gov/report.
FBI, CISA, and HHS would like to thank CrowdStrike and the Health Information Sharing and Analysis Center (Health-ISAC) for their contributions to this CSA.
The information in this report is being provided "as is" for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.
Initial Publication: October 21, 2022