Analysis
On 21 October 2022, the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly issued a warning about a ransomware group, Daixin Team, targeting the healthcare sector and businesses with ransomware and data-extortion operations.
The group has been targeting organizations since June 2022. Daixin Team gains initial access through VPN servers, moves laterally using Remote Desktop Protocol (RDP) and Secure Shell (SSH), and then obtains privileged account access through credential dumping and pass-the-hash.
Finally, Daixin Team deploys the ransomware, leaves a ransom note, and exfiltrates data from the compromised systems. The exfiltrated data is sent to a dedicated virtual private server.
Prevention
- Keep the system software up-to-date with security updates.
- Use phishing-resistant MFA for as many services as possible.
- Use antivirus and EDR on all endpoints.
- Take regular backups of devices in the organization to reduce the impact of ransomware attacks.
Detection
Create detection rules in the SIEM (Security Information and Event Management) tool based on the known ransomware indicators, such as the file hashes listed in the IOC table below.
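As an added example (not part of the advisory or of this page's original content), the following Python script implements the kind of IOC rule described here: it parses sample log events, raises a high-confidence alert for any file whose SHA256 matches one of the hashes from the IOC table on this page, and a lower-confidence alert when only the rclone.exe file name matches. The key=value event layout, the field names, and the log lines are constructed assumptions; the hashes are the ones published in the advisory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# SHA256 IOCs from the advisory's IOC table (hash -> file path as listed there).
DAIXIN_IOC_HASHES: Dict[str, str] = {
    "9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238": r"rclone-v1.59.2-windows-amd64\git-log.txt",
    "19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD": r"rclone-v1.59.2-windows-amd64\rclone.1",
    "54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939": r"rclone-v1.59.2-windows-amd64\rclone.exe",
    "EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF": r"rclone-v1.59.2-windows-amd64\README.html",
    "475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28": r"rclone-v1.59.2-windows-amd64\README.txt",
}

# Executable names from the same table, for a lower-confidence name-only rule.
# Only the .exe entries are used: matching on README.* names would be pure noise.
DAIXIN_IOC_EXE_NAMES = {
    path.rsplit("\\", 1)[-1].lower()
    for path in DAIXIN_IOC_HASHES.values()
    if path.lower().endswith(".exe")
}


@dataclass
class Alert:
    host: str
    image: str
    sha256: str
    matched_on: str   # "hash" = exact IOC hash, "name" = IOC file name with a different hash
    ioc_file: str     # the IOC table entry (or file name) that matched


# Assumed event layout: space-separated key=value pairs, values optionally double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict (quoted values may contain spaces)."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def match_iocs(log_lines: List[str]) -> List[Alert]:
    """Return one Alert per event that matches an IOC hash or an IOC executable name."""
    alerts: List[Alert] = []
    for line in log_lines:
        ev = parse_event(line)
        image = ev.get("image", "")
        sha = ev.get("sha256", "").upper()          # hashes compare case-insensitively
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if sha in DAIXIN_IOC_HASHES:
            alerts.append(Alert(ev.get("host", "?"), image, sha, "hash", DAIXIN_IOC_HASHES[sha]))
        elif name in DAIXIN_IOC_EXE_NAMES:
            alerts.append(Alert(ev.get("host", "?"), image, sha, "name", name))
    return alerts


# Constructed sample events (not real telemetry). Placeholder hashes are all-0 / all-1.
SAMPLE_LOG = [
    # benign system process with a constructed placeholder hash: no alert expected
    'host=FS01 event=ProcessCreate image="C:\\Windows\\System32\\svchost.exe" sha256=' + "0" * 64,
    # exact match on the advisory's rclone.exe hash (lower-case, to show normalisation)
    'host=FS01 event=ProcessCreate image="C:\\Users\\Public\\rclone.exe" '
    'sha256=54e3b5a2521a84741dc15810e6fed9d739eb8083cb1fe097cb98b345af24e939',
    # README.html written to disk with the advisory's hash
    'host=DB02 event=FileCreate image="D:\\tmp\\rclone-v1.59.2-windows-amd64\\README.html" '
    'sha256=EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF',
    # an rclone binary with a different (constructed) hash: name-only, lower confidence
    'host=WS17 event=ProcessCreate image="C:\\Tools\\rclone.exe" sha256=' + "1" * 64,
]


if __name__ == "__main__":
    for alert in match_iocs(SAMPLE_LOG):
        print(f"[{alert.matched_on.upper()}] {alert.host}: {alert.image} -> {alert.ioc_file}")
```

The exact-hash rule is high fidelity but ages quickly, since every new rclone build has a new hash; the name-only rule catches other builds but needs tuning because rclone is a legitimate administration tool, so in a SIEM it is best scored lower and correlated with the other behaviour in this advisory (RDP/SSH lateral movement, outbound transfers to an unknown VPS).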
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Reconnaissance | T1598.002 | Phishing for Information: Spearphishing Attachment |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Initial Access | T1078 | Valid Accounts |
| Persistence | T1098 | Account Manipulation |
| Credential Access | T1003 | OS Credential Dumping |
| Lateral Movement | T1563.001 | Remote Service Session Hijacking: SSH Hijacking |
| Lateral Movement | T1563.002 | Remote Service Session Hijacking: RDP Hijacking |
| Lateral Movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash |
| Exfiltration | T1567 | Exfiltration Over Web Service |
| Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise (IOCs)
| File | SHA256 |
| --- | --- |
| rclone-v1.59.2-windows-amd64\git-log.txt | 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238 |
| rclone-v1.59.2-windows-amd64\rclone.1 | 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD |
| rclone-v1.59.2-windows-amd64\rclone.exe | 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939 |
| rclone-v1.59.2-windows-amd64\README.html | EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF |
| rclone-v1.59.2-windows-amd64\README.txt | 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28 |
References
CISA.gov