#StopRansomware: Daixin Team | CISA

Actions to take today to mitigate cyber threats from ransomware

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the "Daixin Team," a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.

This joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party reporting.

Download the PDF version of this report.

Download the IOCs.

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Cybercrime actors routinely target HPH Sector organizations with ransomware.

The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have:

Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization's VPN server [T1190]. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [T1078] that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment [T1598.002].

After obtaining access to the victim's VPN server, Daixin actors move laterally via Secure Shell (SSH) [T1563.001] and Remote Desktop Protocol (RDP) [T1563.002]. Daixin actors have sought to gain privileged account access through credential dumping [T1003] and pass the hash [T1550.002]. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords [T1098] for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [T1486] on those servers.

According to third-party reporting, the Daixin Team's ransomware is based on leaked Babuk Locker source code. This third-party reporting, as well as FBI analysis, show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/. See Figure 1 for the targeted file system path and Figure 2 for the targeted file extensions list. Figure 3 and Figure 4 include examples of ransom notes. Note that in the Figure 3 ransom note, Daixin actors misspell "Daixin" as "Daxin."

[Figure 1: Daixin Team Ransomware Targeted File Path]

[Figure 2: Daixin Team Ransomware Targeted File Extensions]

[Figure 3: Example 1 of Daixin Team Ransomware Note]

[Figure 4: Example 2 of Daixin Team Ransomware Note]

In addition to deploying ransomware, Daixin actors have exfiltrated data [TA0010] from victim systems. In one confirmed compromise, the actors used Rclone, an open-source program to manage files on cloud storage, to exfiltrate data to a dedicated virtual private server (VPS). In another compromise, the actors used Ngrok, a reverse proxy tool for proxying an internal service out onto an Ngrok domain, for data exfiltration [T1567].

See Table 1 for all referenced threat actor tactics and techniques included in this advisory.

Table 1: Daixin Actors' ATT&CK Techniques for Enterprise

Reconnaissance
Technique Title | ID | Use
Phishing for Information: Spearphishing Attachment | T1598.002 | Daixin actors have acquired the VPN credentials later used for initial access by a phishing email with a malicious attachment.

Initial Access
Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | Daixin actors exploited an unpatched vulnerability in a VPN server to gain initial access to a network.
Valid Accounts | T1078 | Daixin actors use previously compromised credentials to access servers on the target network.

Persistence
Technique Title | ID | Use
Account Manipulation | T1098 | Daixin actors have leveraged privileged accounts to reset account passwords for VMware ESXi servers in the compromised environment.

Credential Access
Technique Title | ID | Use
OS Credential Dumping | T1003 | Daixin actors have sought to gain privileged account access through credential dumping.

Lateral Movement
Technique Title | ID | Use
Remote Service Session Hijacking: SSH Hijacking | T1563.001 | Daixin actors use SSH and RDP to move laterally across a network.
Remote Service Session Hijacking: RDP Hijacking | T1563.002 | Daixin actors use RDP to move laterally across a network.
Use Alternate Authentication Material: Pass the Hash | T1550.002 | Daixin actors have sought to gain privileged account access through pass the hash.

Exfiltration
Technique Title | ID | Use
Exfiltration Over Web Service | T1567 | Daixin Team members have used Ngrok for data exfiltration over web servers.

Impact
Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Daixin actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

See Table 2 for IOCs obtained from third-party reporting.

Table 2: Daixin Team IOCs, Rclone-Associated SHA256 Hashes
File | SHA256
rclone-v1.59.2-windows-amd64\git-log.txt | 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238
rclone-v1.59.2-windows-amd64\rclone.1 | 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD
rclone-v1.59.2-windows-amd64\rclone.exe | 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939
rclone-v1.59.2-windows-amd64\README.html | EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF
rclone-v1.59.2-windows-amd64\README.txt | 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28

FBI, CISA, and HHS urge HPH Sector organizations to implement the following to protect against Daixin and related malicious activity:

If a ransomware incident occurs at your organization:

Note: FBI, CISA, and HHS strongly discourage paying ransoms, as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Daixin Group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Regardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.

FBI, CISA, and HHS would like to thank CrowdStrike and the Health Information Sharing and Analysis Center (Health-ISAC) for their contributions to this CSA.

The information in this report is being provided "as is" for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.

Initial Publication: October 21, 2022
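Two of the Table 1 behaviours leave traces a defender can alert on without any vendor product: successful SSH logins to ESXi hosts after the vCenter password resets (T1098, T1486), and Rclone or Ngrok being launched on a workstation (T1567). The script below is an added example written for this page; it is not code from the advisory or from FBI, CISA, or HHS. The OpenSSH-style authentication lines, the `proc:` command-line record format, the ESXi host names, the admin subnet, and every sample log line are constructed assumptions and would be replaced by your own collector's format and inventory.

```python
"""Detection helpers for two Daixin Team TTPs (added example, not the advisory's code).

Assumptions (all constructed for this example):
  * SSH logins arrive as OpenSSH-style lines: "<ts> <host> sshd[<pid>]: Accepted <method> for <user> from <ip> port <n> ssh2"
  * Process starts arrive as "<ts> <host> proc: <command line>"
  * ESXI_HOSTS and ADMIN_NETWORKS come from your own inventory.
"""
import ipaddress
import re
from dataclasses import dataclass

SSH_ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)"
    r"\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>[\d.]+)\s+port\s+\d+"
)
PROC_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+proc:\s+(?P<cmd>.+)$")
# Tool names the advisory ties to Daixin exfiltration; a bare word match is deliberate
# so that both "rclone.exe copy ..." and "ngrok tcp ..." are caught.
EXFIL_TOOL_RE = re.compile(r"\b(rclone|ngrok)(\.exe)?\b", re.IGNORECASE)

# Constructed inventory: hypervisors and the only subnet allowed to reach them over SSH.
ESXI_HOSTS = {"esxi-01", "esxi-02"}
ADMIN_NETWORKS = ["10.0.5.0/24"]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def detect_esxi_ssh_logins(lines, esxi_hosts, admin_networks):
    """Flag accepted SSH logins to ESXi hosts from outside the admin networks.

    SSH on ESXi is normally disabled or restricted to a small management subnet,
    so an accepted login from anywhere else is a strong lead for the advisory's
    "SSH to ESXi, then deploy ransomware" step. Failed logins are ignored here.
    """
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    for line in lines:
        m = SSH_ACCEPT_RE.match(line)
        if not m or m["host"] not in esxi_hosts:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in n for n in nets):
            continue
        findings.append(Finding("esxi-ssh-login", m["host"],
                                f"{m['user']} from {src} via {m['method']}"))
    return findings


def detect_exfil_tools(lines):
    """Flag process records whose command line invokes Rclone or Ngrok."""
    findings = []
    for line in lines:
        m = PROC_RE.match(line)
        if m and EXFIL_TOOL_RE.search(m["cmd"]):
            findings.append(Finding("exfil-tool", m["host"], m["cmd"]))
    return findings


# Constructed sample records; none of these are real events from the advisory.
SAMPLE_SSH_LOG = [
    "2022-10-20T02:14:09Z esxi-01 sshd[12345]: Accepted password for root from 10.20.30.40 port 51234 ssh2",
    "2022-10-20T02:15:11Z esxi-02 sshd[12346]: Accepted publickey for root from 10.0.5.7 port 51235 ssh2",
    "2022-10-20T02:16:02Z esxi-01 sshd[12347]: Failed password for root from 10.20.30.40 port 51236 ssh2",
    "2022-10-20T02:17:45Z fileserver sshd[999]: Accepted password for backup from 10.20.30.40 port 51237 ssh2",
]
SAMPLE_PROC_LOG = [
    "2022-10-20T03:01:00Z ws-0142 proc: C:\\Users\\Public\\rclone.exe copy D:\\Shares\\Records remote:bucket",
    "2022-10-20T03:02:10Z ws-0142 proc: ngrok tcp 3389",
    "2022-10-20T03:03:00Z ws-0142 proc: notepad.exe C:\\readme.txt",
]


def run_sample():
    """Run both detectors over the constructed samples and return all findings."""
    return (detect_esxi_ssh_logins(SAMPLE_SSH_LOG, ESXI_HOSTS, ADMIN_NETWORKS)
            + detect_exfil_tools(SAMPLE_PROC_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Over the constructed samples the first detector raises one finding (root on esxi-01 from 10.20.30.40), ignores the login from the admin subnet, the failed attempt, and the non-ESXi host, and the second raises two (the rclone.exe and ngrok command lines). Keying the SSH rule on an explicit ESXi host list and admin subnet keeps it quiet on ordinary Linux servers; widening or emptying ADMIN_NETWORKS is the knob to turn if SSH to ESXi should never be accepted at all.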
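The Table 2 hashes are most useful as a file-system sweep. The script below is an added example for this page, not code from the advisory or from FBI, CISA, or HHS: it walks a directory tree, hashes every file with SHA-256, reports exact matches against the Table 2 values, and separately lists files whose name contains "rclone" but whose hash is not listed, since a rebuilt or newer Rclone release would be missed by hash alone. The hash-to-filename map holds the Table 2 entries; the directory, file names, and contents created in `demo()` are constructed.

```python
"""Sweep a directory tree for the Rclone artifacts in Table 2 (added example).

The SHA-256 values below are the advisory's Table 2 entries. Everything
built inside demo() is constructed test data, not a real sample.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Table 2: SHA-256 (uppercase as published) -> file name from the advisory.
DAIXIN_RCLONE_SHA256 = {
    "9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238": "rclone-v1.59.2-windows-amd64\\git-log.txt",
    "19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD": "rclone-v1.59.2-windows-amd64\\rclone.1",
    "54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939": "rclone-v1.59.2-windows-amd64\\rclone.exe",
    "EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF": "rclone-v1.59.2-windows-amd64\\README.html",
    "475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28": "rclone-v1.59.2-windows-amd64\\README.txt",
}


def sha256_file(path, chunk_size=1 << 20):
    """Return the uppercase hex SHA-256 of a file, streamed so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def sweep(root, ioc_hashes=DAIXIN_RCLONE_SHA256, name_hints=("rclone",)):
    """Walk `root` and return (hash_matches, name_leads).

    hash_matches: (path, sha256, table_name) for files whose hash is in ioc_hashes.
    name_leads:   (path, sha256) for files whose name contains a hint but whose hash
                  is not listed; lower confidence, kept as a lead for manual review.
    """
    hash_matches, name_leads = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in ioc_hashes:
                hash_matches.append((str(path), digest, ioc_hashes[digest]))
            elif any(hint in name.lower() for hint in name_hints):
                name_leads.append((str(path), digest))
    return hash_matches, name_leads


def demo():
    """Build a constructed tree, run the sweep, and return its result.

    The placeholder "rclone.exe" is not the real binary, so its hash is added to a
    copy of the IOC map purely to exercise the hash-match path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        fake_rclone = root / "tools" / "rclone.exe"
        fake_rclone.write_bytes(b"constructed placeholder, not the real rclone binary")
        (root / "tools" / "rclone-backup.bin").write_bytes(b"renamed copy, hash not listed")
        (root / "notes.txt").write_bytes(b"benign file")
        iocs = dict(DAIXIN_RCLONE_SHA256)
        iocs[sha256_file(fake_rclone)] = "constructed test entry"
        return sweep(root, iocs)


if __name__ == "__main__":
    hits, leads = demo()
    print("hash matches:", hits)
    print("name leads:", leads)
```

On a real host the call is simply `sweep("C:\\")` or `sweep("/")` with the default map; hash matches are high-confidence and should be treated as confirmed presence of the Table 2 artifacts, while name leads need a second look because a legitimate Rclone install will also appear there.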