[Comment: I’ve been waiting for this since I first suspected that Daixin Team might be responsible for the CommonSpirit breach. And although it has not been confirmed by anyone, I still suspect them of that one. — Dissent]
Alert (AA22-294A)
#StopRansomware: Daixin Team
Download the PDF version of this report: pdf, 591 KB
Technical Details
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Cybercrime actors routinely target HPH Sector organizations with ransomware:
- As of October 2022, per FBI Internet Crime Complaint Center (IC3) data, specifically victim reports across all 16 critical infrastructure sectors, the HPH Sector accounts for 25 percent of ransomware complaints.
- According to an IC3 annual report in 2021, 649 ransomware reports were made across 14 critical infrastructure sectors; the HPH Sector accounted for the most reports at 148.
The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have:
- Deployed ransomware to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services, and/or
- Exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.
Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server [T1190]. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [T1078] that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment [T1598.002].
After obtaining access to the victim’s VPN server, Daixin actors move laterally via Secure Shell (SSH) [T1563.001] and Remote Desktop Protocol (RDP) [T1563.002]. Daixin actors have sought to gain privileged account access through credential dumping [T1003] and pass the hash [T1550.002]. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords [T1098] for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [T1486] on those servers.
According to third-party reporting, the Daixin Team’s ransomware is based on leaked Babuk Locker source code. This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in
/vmfs/volumes/
with the following extensions:.vmdk
,.vmem
,.vswp
,.vmsd
,.vmx
, and.vmsn
. A ransom note is also written to/vmfs/volumes/
. See Figure 1 for targeted file system path and Figure 2 for targeted file extensions list.Figure 3
andFigure 4
include examples of ransom notes. Note that in the Figure 3 ransom note, Daixin actors misspell “Daixin” as “Daxin.”
Read more of the alert at CISA.gov.
But note that Daixin didn’t just accidentally misspell Daixin as Daxin. As this site has previously reported, DataBreaches had asked them about the similarity of their name, Daixin, to Daxin malware. They told me the similarity was not coincidental.