Daixin Team Ransomware

Analysis

On 21 October 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly issued a warning about a ransomware group, Daixin Team, targeting the healthcare sector and other businesses with ransomware and data extortion operations.

The threat group has been targeting organizations since June 2022. Daixin Team gains initial access through VPN servers, moves laterally using Remote Desktop Protocol (RDP) and Secure Shell (SSH), and then obtains privileged account access through credential dumping and pass-the-hash.

Finally, Daixin Team deploys the ransomware together with a ransom note and exfiltrates data from the compromised systems. To exfiltrate data, the group uses a dedicated virtual private server.

Prevention

  • Keep system software up to date with security updates.
  • Use phishing-resistant MFA for as many services as possible.
  • Use antivirus and EDR on all endpoints.
  • Take regular backups of devices in the organization to reduce the impact of a ransomware attack.

Detection

Create rules in the SIEM (Security Information and Event Management) tool based on the known indicators of compromise listed below, so that matching events raise an alert for this ransomware.

MITRE ATT&CK® Techniques

Tactic              Technique ID   Technique Name
Reconnaissance      T1598.002      Phishing for Information: Spearphishing Attachment
Initial Access      T1190          Exploit Public-Facing Application
Initial Access      T1078          Valid Accounts
Persistence         T1098          Account Manipulation
Credential Access   T1003          OS Credential Dumping
Lateral Movement    T1563.001      Remote Service Session Hijacking: SSH Hijacking
Lateral Movement    T1563.002      Remote Service Session Hijacking: RDP Hijacking
Lateral Movement    T1550.002      Use Alternate Authentication Material: Pass the Hash
Exfiltration        T1567          Exfiltration Over Web Service
Impact              T1486          Data Encrypted for Impact

Indicators of Compromise (IOCs)

File                                        SHA256
rclone-v1.59.2-windows-amd64\git-log.txt    9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238
rclone-v1.59.2-windows-amd64\rclone.1       19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD
rclone-v1.59.2-windows-amd64\rclone.exe     54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939
rclone-v1.59.2-windows-amd64\README.html    EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF
rclone-v1.59.2-windows-amd64\README.txt     475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28

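The Detection section above says to build SIEM rules from the known indicators; the IoC table gives the SHA256 hashes of the rclone bundle that was used for exfiltration. The following Python script is an added example (not part of the advisory and not a CISA or Positka tool) of what such a rule does: it joins the hashes exactly as printed in the table, reads process-creation events as one JSON object per line, and flags a high-confidence alert on a hash match (which still fires if the binary is renamed) and a medium-confidence alert on execution of rclone.exe by name (a newer build has a different hash, but rclone is also a legitimate tool). The field names follow Sysmon Event ID 1 (Image, Hashes, Computer); the sample events, host names and the non-matching hashes are constructed for the demonstration.

```python
import json
import re

# SHA256 values from the advisory's IoC table (the rclone 1.59.2 Windows
# bundle). Each hash was printed across two lines on the page; they are
# joined here and lower-cased once so lookups are case-insensitive.
_IOC_ROWS = [
    (r"rclone-v1.59.2-windows-amd64\git-log.txt",
     "9E42E07073E03BDEA4CD978D9E7B44A95749" "72818593306BE1F3DCFDEE722238"),
    (r"rclone-v1.59.2-windows-amd64\rclone.1",
     "19ED36F063221E161D740651E6578D50E0D3" "CACEE89D27A6EBED4AB4272585BD"),
    (r"rclone-v1.59.2-windows-amd64\rclone.exe",
     "54E3B5A2521A84741DC15810E6FED9D739EB" "8083CB1FE097CB98B345AF24E939"),
    (r"rclone-v1.59.2-windows-amd64\README.html",
     "EC16E2DE3A55772F5DFAC8BF8F5A365600FA" "D40A244A574CBAB987515AA40CBF"),
    (r"rclone-v1.59.2-windows-amd64\README.txt",
     "475D6E80CF4EF70926A65DF5551F59E35B71" "A0E92F0FE4DD28559A9DEBA60C28"),
]
DAIXIN_IOC_SHA256 = {sha.lower(): path for path, sha in _IOC_ROWS}

# Sysmon Event ID 1 reports hashes as "SHA256=...,MD5=..."; pull out the SHA256.
_SHA256_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")


def extract_sha256(hashes_field):
    """Return the lower-cased SHA256 from a Sysmon-style Hashes field, or None."""
    match = _SHA256_RE.search(hashes_field or "")
    return match.group(1).lower() if match else None


def scan_event(event):
    """Return a list of (severity, reason) findings for one process-creation event.

    A hash hit is high confidence regardless of the file name, because the
    binary may have been renamed; an rclone.exe name alone is medium, since
    rclone is a legitimate tool and a newer build would have a different hash.
    """
    findings = []
    sha = extract_sha256(event.get("Hashes"))
    if sha in DAIXIN_IOC_SHA256:
        findings.append(("high", "SHA256 matches IoC " + DAIXIN_IOC_SHA256[sha]))
    image = event.get("Image") or ""
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename == "rclone.exe":
        findings.append(("medium", "rclone.exe executed (T1567 exfiltration tooling)"))
    return findings


def scan_log(lines):
    """Parse JSON-per-line events and return an alert for each event with findings."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not stop the whole scan
        findings = scan_event(event)
        if findings:
            alerts.append({"host": event.get("Computer"),
                           "image": event.get("Image"),
                           "findings": findings})
    return alerts


# Constructed sample events (not real telemetry). Field names follow Sysmon
# Event ID 1; host names and the two non-IoC hashes are placeholders.
_RCLONE_EXE_SHA = "54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939"
SAMPLE_LOG = [json.dumps(e) for e in [
    {"Computer": "ws01.example.local", "Image": r"C:\Users\jdoe\rclone.exe",
     "Hashes": "SHA256=" + _RCLONE_EXE_SHA},                # IoC hash and name
    {"Computer": "ws02.example.local", "Image": r"C:\Tools\rclone.exe",
     "Hashes": "SHA256=" + "a" * 64},                       # name only, other build
    {"Computer": "srv01.example.local", "Image": r"C:\Windows\Temp\update.exe",
     "Hashes": "SHA256=" + _RCLONE_EXE_SHA.lower()},        # renamed, IoC hash
    {"Computer": "ws03.example.local", "Image": r"C:\Windows\notepad.exe",
     "Hashes": "SHA256=" + "b" * 64},                       # benign
]]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run as-is it prints three alerts: the first event matches on both hash and name, the second only on name, the third only on hash (the renamed copy), and the benign notepad.exe event produces nothing. In a production SIEM the hash set would be loaded from a threat-intelligence feed rather than hard-coded, and the medium-confidence name rule is worth pairing with context such as an unusual parent process or outbound transfer volume, since rclone is used legitimately in many environments.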

References

CISA.gov
