FBI Alert: This ransomware group is targeting poorly protected VPN servers


The FBI and other agencies are warning about the rise of Daixin Team ransomware and data extortion attacks on healthcare providers.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issued a general warning about Daixin Team, which has been active against the medical and public health sector since June 2022.

The group used ransomware to encrypt servers that provide electronic health record, diagnostics, imaging, and intranet services. They also exfiltrated personally identifiable information and patient health information.

The agencies are warning healthcare providers to secure VPN servers because this is how the group gained access to previous targets, including by exploiting an unpatched vulnerability in a victim's VPN server. In another confirmed case, the actors used previously compromised credentials to access a legacy VPN server where multi-factor authentication (MFA) was not enabled. The actors are said to have obtained the VPN login information through a phishing email with a malicious attachment.

After accessing the VPN, the team used the remote protocols SSH and RDP to move laterally, then searched for privileged accounts via credential dumping and pass-the-hash, in which attackers use stolen password hashes to authenticate to further systems.

The actors also used privileged accounts to access VMware vCenter Servers and reset account passwords for ESXi servers in the environment. They then used SSH to connect to the accessible ESXi servers and deploy the ransomware on them, according to the advisory.
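The vCenter-to-ESXi chain described above leaves a detectable pattern: an ESXi root password reset followed shortly by SSH logins to the same hosts. The script below is an added example, not code from the article or the advisory; its event format and the log lines are constructed for illustration, and the one-hour window and two-host threshold are assumptions.

```python
"""Added example: correlate ESXi password resets with follow-on SSH logins.
The pipe-separated event layout and the sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: timestamp|source_ip|event_type|esxi_host|detail
SAMPLE_EVENTS = """\
2022-06-10T02:14:05|10.8.1.40|vcenter_pw_reset|esxi-01|user=root
2022-06-10T02:14:09|10.8.1.40|vcenter_pw_reset|esxi-02|user=root
2022-06-10T02:14:12|10.8.1.40|vcenter_pw_reset|esxi-03|user=root
2022-06-10T02:21:33|10.8.1.40|ssh_login|esxi-01|user=root
2022-06-10T02:22:01|10.8.1.40|ssh_login|esxi-02|user=root
2022-06-10T02:22:40|10.8.1.40|ssh_login|esxi-03|user=root
2022-06-10T09:02:10|10.8.5.7|ssh_login|esxi-01|user=admin
"""


def parse_events(text):
    """Parse the constructed event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, host, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "kind": kind, "host": host, "detail": detail})
    return events


def find_esxi_takeover(events, window=timedelta(hours=1), min_hosts=2):
    """Return {ssh_source: [hosts]} for sources that logged in over SSH to at
    least min_hosts ESXi hosts within `window` after those hosts' passwords
    were reset through vCenter (assumed thresholds, tune per environment)."""
    resets = defaultdict(list)  # esxi host -> reset timestamps
    for e in events:
        if e["kind"] == "vcenter_pw_reset":
            resets[e["host"]].append(e["ts"])
    hits = defaultdict(set)  # ssh source -> hosts reached after a reset
    for e in events:
        if e["kind"] != "ssh_login":
            continue
        if any(t <= e["ts"] <= t + window for t in resets.get(e["host"], [])):
            hits[e["src"]].add(e["host"])
    return {src: sorted(h) for src, h in hits.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in find_esxi_takeover(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT: {src} reached {', '.join(hosts)} over SSH after password resets")
```

The unrelated admin login from 10.8.5.7 hours later falls outside the window and is not flagged.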

The Daixin Team also exfiltrates data from victim systems.

Among several mitigations, the advisory says organizations should prioritize patching VPN servers, remote access software, virtual machine software, and known vulnerabilities flagged by CISA. It also recommends locking down RDP and disabling SSH, as well as Telnet, Winbox, and HTTP, on wide area networks, and securing them with strong passwords and encryption where they must remain enabled. Organizations should also require MFA for as many services as possible.

Because lives can depend on these systems, organizations in this sector are frequently targeted by cybercriminals. Data from the FBI’s Internet Crime Complaint Center (IC3) shows that the medical sector accounted for 25% of ransomware complaints in victim reports across all 16 critical infrastructure sectors.

Additionally, in IC3’s 2021 annual report, the Healthcare and Public Health (HPH) sector accounted for 148 ransomware reports. It was the largest source of ransomware complaints out of 649 ransomware reports made that year across 14 critical infrastructure sectors.
