FBI warns that poorly protected VPN servers are under attack


The increase in ransomware and data extortion attacks against healthcare providers has led to the publication of a joint Cybersecurity Advisory (CSA) by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the United States Department of Health and Human Services (HHS).

The agencies report that these attacks often focus on unsecured VPN servers and have steadily increased in frequency since June 2022.

Daixin Team, the probable culprits

The joint advisory names “Daixin Team” as the threat actor behind this crime wave of targeted ransomware and data extortion operations. Daixin Team is also held responsible for ransomware incidents at several healthcare and public health (HPH) organizations, where they:

  • Deployed ransomware to encrypt servers responsible for managing health records and services, including electronic health records, diagnostic services, imaging services, and intranet services.

  • Exfiltrated personally identifiable information (PII) and patient health information (PHI), threatening to disclose this sensitive data if the ransom is not paid.

VPNs become targets of ransomware

To execute their attacks, Daixin Team cybercrime actors use a variety of tactics, techniques and procedures (TTPs) mapped to the MITRE ATT&CK® for Enterprise framework. In each case, however, Daixin actors gain initial access to victims by exploiting the organization’s virtual private network (VPN). Once inside, Daixin actors traverse the network and siphon off the data they need to carry out the ransomware attack.

In one confirmed compromise, Daixin Team exploited an unpatched vulnerability in the victim organization’s VPN. In another confirmed case, the attacker used previously compromised credentials to gain access to an old, unsecured VPN server. Those credentials are believed to have been obtained through a phishing email with a malicious attachment which, once opened on the system, allowed credentials to be dumped. The server that was later compromised with these dumped credentials did not have multi-factor authentication (MFA) enabled, so the threat actor’s illicit access went unchecked.

Full-trust access, enabled by an insecure VPN, allows Daixin threat actors to move laterally through the organization’s network to retrieve data, encrypt it, and hold it for ransom. The actors leverage both Secure Shell (SSH) and Remote Desktop Protocol (RDP) to move between systems within the organization. Credential dumping gives them privileged accounts and further credentials for later use and exploitation. Once privileged accounts are compromised, they are used to access VMware vCenter Server and reset the account passwords of ESXi servers in the environment. Daixin can then connect to the compromised servers over SSH and deploy ransomware.
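The chain just described (a VPN login with no MFA, a privileged account resetting an ESXi password through vCenter, then an SSH login to that same host) is something a detection engineer can correlate across log sources. The script below is an added example, not code from the advisory or from BlackBerry; the key=value event format, field names and host names are constructed for the demonstration and stand in for whatever your VPN, vCenter and sshd logs actually emit.

```python
"""Correlate the Daixin-style access chain over constructed log events.
Added example; the log format and every field name below are assumptions."""
import re
from collections import defaultdict

# Constructed sample events in an assumed key=value format (not a real product format).
SAMPLE_EVENTS = """\
ts=2022-09-01T02:11:05Z src=vpn user=jsmith action=login result=success mfa=false host=vpn-legacy-01
ts=2022-09-01T02:25:40Z src=vcenter user=jsmith action=password_reset target=esxi-07
ts=2022-09-01T02:27:13Z src=sshd user=root action=login result=success host=esxi-07
ts=2022-09-01T08:00:00Z src=vpn user=mlee action=login result=success mfa=true host=vpn-01
ts=2022-09-01T08:30:00Z src=vcenter user=mlee action=password_reset target=esxi-02
""".splitlines()

KV = re.compile(r'(\w+)=(\S+)')


def parse_event(line):
    """Turn one key=value line into a dict (an empty dict for blank lines)."""
    return dict(KV.findall(line))


def find_findings(lines):
    """Return (kind, user, host) findings for each suspicious step in the chain."""
    findings = []
    reset_targets = defaultdict(set)  # user -> ESXi hosts whose password they reset
    for e in (parse_event(l) for l in lines):
        if not e:
            continue
        if e.get('src') == 'vpn' and e.get('result') == 'success' and e.get('mfa') == 'false':
            # The advisory's initial-access case: a successful VPN login with MFA disabled.
            findings.append(('VPN_LOGIN_WITHOUT_MFA', e['user'], e['host']))
        elif e.get('src') == 'vcenter' and e.get('action') == 'password_reset':
            # Privileged account resetting an ESXi host credential via vCenter.
            reset_targets[e['user']].add(e['target'])
            findings.append(('ESXI_PASSWORD_RESET', e['user'], e['target']))
        elif e.get('src') == 'sshd' and e.get('result') == 'success':
            # SSH login to a host whose password was just reset: the pre-ransomware step.
            for user, hosts in reset_targets.items():
                if e['host'] in hosts:
                    findings.append(('SSH_AFTER_PASSWORD_RESET', user, e['host']))
    return findings


def high_confidence_chains(findings):
    """Users who both logged in without MFA and whose ESXi reset was followed by SSH."""
    no_mfa = {user for kind, user, _ in findings if kind == 'VPN_LOGIN_WITHOUT_MFA'}
    ssh_after_reset = {user for kind, user, _ in findings if kind == 'SSH_AFTER_PASSWORD_RESET'}
    return sorted(no_mfa & ssh_after_reset)


if __name__ == '__main__':
    found = find_findings(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print('full chain observed for:', high_confidence_chains(SAMPLE_EVENTS and found))
```

A password reset by itself (mlee, who logged in with MFA) is reported but not escalated; only the user who combines the no-MFA login with a reset-then-SSH sequence is surfaced as a full chain, which keeps routine administration out of the high-priority queue.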

According to third-party reports, Daixin Team’s ransomware is based on the leaked source code of Babuk Locker, which specifically targets ESXi servers. The ransomware encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/. More details on the TTPs used, as well as Indicators of Compromise (IOCs), can be found on the CISA website.
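Because .vmx and .vmsd files are normally plain-text key/value files, a datastore sweep can spot ones that have been turned into ciphertext, and can flag files that do not belong in a VM folder at all (such as a dropped ransom note, whose name the advisory does not give, so a placeholder is used). The script below is an added example rather than anything from the advisory or from BlackBerry; the entropy cut-off, the extension lists and the sample datastore it builds in a temporary directory are assumptions made for the demonstration.

```python
"""Scan a datastore tree for VM config files that are no longer plaintext and for
unexpected files. Added example; thresholds, extension lists and sample data are assumed."""
import math
import os
import tempfile

# File types normally found beside a VM; the first six are the ones the advisory lists.
VM_EXTENSIONS = {'.vmdk', '.vmem', '.vswp', '.vmsd', '.vmx', '.vmsn',
                 '.vmxf', '.vmss', '.nvram', '.log'}
TEXT_EXTENSIONS = {'.vmx', '.vmsd', '.vmxf'}   # always ASCII key = "value" lines when healthy
ENTROPY_THRESHOLD = 6.0   # bits per byte; assumed cut-off, plain config text sits near 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8.0, English text stays well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_datastore(root):
    """Return sorted (kind, relative_path) findings for everything under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in TEXT_EXTENSIONS:
                with open(path, 'rb') as f:
                    head = f.read(4096)
                # Encrypted config: high entropy or NUL bytes where text is expected.
                if shannon_entropy(head) > ENTROPY_THRESHOLD or b'\x00' in head:
                    findings.append(('ENCRYPTED_VM_CONFIG', os.path.relpath(path, root)))
            elif ext not in VM_EXTENSIONS:
                # Anything else in the tree is worth a look (e.g. a dropped ransom note).
                findings.append(('UNEXPECTED_FILE', os.path.relpath(path, root)))
    return sorted(findings)


def build_sample_datastore():
    """Create a constructed datastore: one healthy VM, one with an encrypted .vmx, one note."""
    root = tempfile.mkdtemp(prefix='vmfs_demo_')
    healthy = os.path.join(root, 'datastore1', 'webvm')
    os.makedirs(healthy)
    with open(os.path.join(healthy, 'webvm.vmx'), 'w') as f:
        f.write('.encoding = "UTF-8"\nconfig.version = "8"\ndisplayName = "webvm"\n')
    with open(os.path.join(healthy, 'webvm.vmdk'), 'wb') as f:
        f.write(b'# Disk DescriptorFile\nversion=1\n')
    hit = os.path.join(root, 'datastore1', 'dbvm')
    os.makedirs(hit)
    with open(os.path.join(hit, 'dbvm.vmx'), 'wb') as f:
        f.write(bytes(range(256)) * 16)   # stands in for ciphertext: every byte value equally likely
    with open(os.path.join(root, 'README_constructed.txt'), 'w') as f:
        f.write('placeholder for a ransom note; real file name not given in the advisory\n')
    return root


if __name__ == '__main__':
    for finding in scan_datastore(build_sample_datastore()):
        print(finding)
```

Reading only the first 4 KiB of each text-type file keeps the sweep cheap on a large datastore; .vmdk descriptors are deliberately left out of the entropy check because a flat or sparse .vmdk is binary even when healthy, so file-type rather than entropy is the right signal there.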

Mitigate the impact of Daixin

The joint FBI, CISA, and HHS advisory recommended some key mitigations to help protect against Daixin and related malicious activity, including:

  • Keep software and systems up-to-date, with particular emphasis on patching remote access software and virtual machines.
  • Require the use of MFA on all systems.
  • Secure and monitor Remote Desktop Protocol (RDP) by restricting access on internal networks.
  • Disable ports and protocols that are not used for business purposes.
  • Turn off SSH and other network device management interfaces where they are not needed, and secure them with strong passwords and encryption where they must remain enabled.
  • Implement and enforce multi-layer network segmentation, placing the most critical communications and data on the most secure and reliable layer.
  • Maintain continuous authentication for endpoints that need to be connected to the network, to limit access and ensure that data packets are not manipulated by man-in-the-middle attacks while in transit.
  • Leverage standard user accounts on internal systems and limit administrative accounts, favoring “least privileged” access on the network.
  • Use monitoring tools to observe whether various connected devices behave erratically due to compromise.
  • Regularly train and prepare for ransomware attacks with cyber incident response plans and data backups.
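Several of these mitigations (strong authentication on management interfaces, least privilege, no unnecessary exposure) can be checked mechanically on the SSH daemons that Daixin used for lateral movement. The audit below is an added example, not something from the advisory or from BlackBerry; it parses a standard OpenSSH sshd_config and reports settings that weaken it. The two sample configurations are constructed, and the checks assume OpenSSH defaults (PermitRootLogin defaults to prohibit-password, PasswordAuthentication to yes, MaxAuthTries to 6) and ignore Match blocks.

```python
"""Audit an OpenSSH sshd_config for weak remote-management settings.
Added example; the sample configs are constructed and Match blocks are not handled."""

# Constructed: the kind of legacy config that makes an SSH foothold easy to keep.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
"""

# Constructed: the same host with the advisory's mitigations applied.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no            # no direct root sessions; use a named admin account
PubkeyAuthentication yes
PasswordAuthentication no     # keys only, so a dumped password is useless here
PermitEmptyPasswords no
MaxAuthTries 3
AllowGroups ssh-admins        # least privilege: only the admin group may connect at all
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> value. sshd keeps the FIRST value for a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means nothing weak was found."""
    s = parse_sshd_config(text)
    findings = []
    if s.get('permitrootlogin', 'prohibit-password') not in ('no', 'prohibit-password'):
        findings.append('PermitRootLogin permits interactive root login; set it to no')
    if s.get('passwordauthentication', 'yes') == 'yes':
        findings.append('PasswordAuthentication is on; prefer key-based auth so dumped passwords do not work')
    if s.get('permitemptypasswords', 'no') == 'yes':
        findings.append('PermitEmptyPasswords is on; disable it')
    try:
        tries = int(s.get('maxauthtries', '6'))
    except ValueError:
        tries = 6
    if tries > 4:
        findings.append(f'MaxAuthTries is {tries}; lower it to slow password guessing')
    if 'allowusers' not in s and 'allowgroups' not in s:
        findings.append('No AllowUsers/AllowGroups allow-list; every local account can attempt SSH')
    return findings


if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(f'{label}: {len(audit_sshd_config(cfg))} finding(s)')
        for line in audit_sshd_config(cfg):
            print('  -', line)
```

Run it against `/etc/ssh/sshd_config` on each host that must keep SSH enabled; a non-empty result is the list of changes to make before that host is exposed to the rest of the network.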

Embrace Zero Trust to mitigate these attacks

Many of CISA’s recommendations for mitigating these incidents are also core principles of zero trust network access (ZTNA) adoption, as opposed to relying on traditional VPN technology, which is highly susceptible to the TTPs identified in the multi-agency advisory.

Key to this strategy is a tight link between the ZTNA solution and the endpoint security agents. This allows access management and endpoint security to be enforced from the same tenant, so a lockdown can be applied consistently.

Going further, requiring users to re-authenticate when they access private resources provides the continuous authentication needed to control the flow of information. Embracing least-privileged access also minimizes the headway a malicious actor can make through compromised accounts.

Integrated threat protection via an intrusion detection system (IDS) can bolster these defenses, helping to identify malicious activity and assess the reputation of the destination. Network defenders can see when actors coming from known malicious destinations attempt to reach network resources, even when the attackers impersonate legitimate users with stolen credentials.

These zero-trust fundamentals work together to counter threats by providing granular access control and multi-layered network segmentation, giving the strongest protection to the most critical data and communications.

When implemented holistically, ZTNA is a deterrent against ransomware, command and control (C2) beacons, privilege escalation, and data exfiltration. This cohesion reduces the attack surface, prevents lateral movement and the discovery of applications by unauthorized users, and provides greater visibility into network activity for on-premises and cloud resources.

BlackBerry believes in a multi-tenant, cloud-native approach for ZTNA to provide modern enterprises with a fast, reliable, and elastic solution that enables digital business transformation while ensuring network and device security. It should be paired with cybersecurity solutions that leverage world-class AI (artificial intelligence) and ML (machine learning) to support an effective prevention strategy.

Understanding ZTNA

To learn more about harnessing ZTNA to combat growing threat vectors and about leveraging BlackBerry® solutions with Cylance® AI, discover CylanceGATEWAY™.
