Last week, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) published a joint Cybersecurity Advisory (CSA) to provide information on the “Daixin Team,” a cybercrime group actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations. 

Daixin Team is believed to have been in operation since at least June 2022. According to the FBI IC3 data, the Daixin Team has targeted all U.S. critical infrastructure sectors. Reporting indicates that after gaining initial access through victims’ virtual private networks (VPN) servers, the threat actors moved laterally “seeking to gain privileged account access so they could ultimately reset account passwords for ESXi servers in the environment. Then, the actors used secure shell (SSH) to connect to accessible ESXi servers and deploy ransomware, which is based on leaked Babuk Locker source code that targets ESXi services and encrypts files.” In addition to deploying ransomware, Daixin threat actors have exfiltrated data from victim devices using an open-source program, rclone, or a reverse proxy tool, Ngrok. 

The joint CSA also provides tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommended mitigations to help organizations defend against this threat. To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatch@fbi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.