daixin-team-ransomware

Analysis

On 21st October 2022, the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly issued a warning about a ransomware group (Daixin Team) targeting Healthcare sectors and businesses with ransomware carrying data extortion operations.

The threat group has been targeting organizations since June 2022, the Daixin team gain initial access through the VPN servers, then move laterally by using Remote Desktop Protocol (RDP) and Secure Shell (SSH), then the threat group gains privileged account access through credential dumping and pass the hash.

Finally, Daixin Team deploys ransomware with a ransomware note and exfiltrates data from the compromised system. To exfiltrate data the threat group uses a dedicated virtual private server.

Prevention

  • Keep the system software up-to-date with security updates.
  • Use phishing-resistant MFA for as many services as possible.
  • Use Antivirus and EDR in all endpoints.
  • Take regular backups of devices in the organization to reduce the impact of ransomware attacks.

Detection

Create rules based on known indicators of ransomware in the SIEM (Security incident event management) tool for the detection of ransomware.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Reconnaissance T1598.002

Phishing for Information:

Spearphishing Attachment

Initial Access T1190 

Exploits Public-facing

Application

Initial Access T1078

Valid Accounts

Persistence T1098 

Account Manipulation

Credential Access T1003

OS Credential Dumping

Lateral Movement T1563.001

Remote Service Session

Hijacking: SSH Hijacking.

Lateral Movement T1563.002

Remote Service Session

Hijacking: RDP Hijacking

Lateral Movement T1550.002

Use Alternate Authentication

Material: Pass the Hash

Exfiltration T1567

Exfiltration Over Web Service

Impact T1486

Data Encrypted for Impact

 

Indicators of Compromise (IOCs)

File SHA256
rclone-v1.59.2-windows-amd64\git-log.txt

9E42E07073E03BDEA4CD978D9E7B44A95749

72818593306BE1F3DCFDEE722238

rclone-v1.59.2-windows-amd64\rclone.1

19ED36F063221E161D740651E6578D50E0D3

CACEE89D27A6EBED4AB4272585BD

rclone-v1.59.2-windows-amd64\rclone.exe

54E3B5A2521A84741DC15810E6FED9D739EB

8083CB1FE097CB98B345AF24E939

rclone-v1.59.2-windows-amd64\README.html

EC16E2DE3A55772F5DFAC8BF8F5A365600FA

D40A244A574CBAB987515AA40CBF

rclone-v1.59.2-windows-amd64\README.txt

475D6E80CF4EF70926A65DF5551F59E35B71

A0E92F0FE4DD28559A9DEBA60C28

 

References

CISA.gov

 

Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at susan@positka.com.

Enquiry Now