CyberWire Daily - CISA Alert AA22-294A – #StopRansomware: Daixin Team. [CISA Cybersecurity Alerts]
Episode Date: October 24, 2022

FBI, CISA, and Department of Health and Human Services are releasing this joint advisory to provide information on the Daixin Team, a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health Sector.

AA22-294A Alert, Technical Details, and Mitigations

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

Ongoing Threat Alerts and Sector alerts are produced by the Health Sector Cybersecurity Coordination Center (HC3) and can be found at hhs.gov/HC3

For additional best practices for Healthcare cybersecurity issues see the HHS 405(d) Aligning Health Care Industry Security Approaches at 405d.hhs.gov

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.
Transcript
You're listening to the Cyber Wire Network, powered 21st, 2022.
CISA, the FBI, and the Department of Health and Human Services are releasing this advisory to provide information on the Daixin Team, a cybercrime group that is actively targeting U.S. businesses in the healthcare and public health sector. The Daixin Team is a ransomware and data extortion group that has targeted the healthcare sector with ransomware and data extortion operations since at least June
2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple
healthcare organizations. Daixin Team employs ransomware to encrypt servers responsible for
healthcare services, including electronic health record services, diagnostic services,
imaging services, and intranet services, and has exfiltrated PII and patient health information
and threatened to release the information if a ransom is not paid.
Daixin actors gain initial access to victims through VPN servers.
In one confirmed compromise, the actors used compromised credentials to access a legacy
VPN server that did not use multi-factor authentication.
The actors are believed to have acquired the VPN credentials through a phishing email with a malicious attachment.
The alert documentation listed in the show notes includes Daixin Team TTPs, indicators of compromise, a MITRE ATT&CK mapping for this threat activity, and mitigations.
FBI, CISA, and HHS would like to thank CrowdStrike and the Health ISAC for their contributions to this alert.
To report incidents and anomalous activity or to request incident response resources or technical assistance,
contact CISA at report@cisa.gov or call 888-282-0870 or report incidents to your local FBI field office. This report was written by CISA,
the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio
by the CyberWire as a public service. Please visit www.cisa.gov to read the full report,
which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.