#StopRansomware: Daixin Team | CISA

Daixin Team is a ransomware and data extortion group that has targeted the U.S. Healthcare and Public Health (HPH) Sector. The actors gain access through the victim's VPN server (an unpatched vulnerability in one confirmed case, phished credentials on a legacy VPN without MFA in another), deploy ransomware on VMware ESXi servers and exfiltrate data before encrypting it. The joint FBI/CISA/HHS advisory (AA22-294A) details TTPs, IOCs and mitigations, including the specific file paths encrypted, the exfiltration tooling and the recommended protections. #DaixinTeam #BabukLocker #Ngrok #Rclone #VMwareESXi #HIPAA #PHI #PII #StopRansomware

Keypoints

  • Daixin Team has targeted the Healthcare and Public Health (HPH) Sector with ransomware and data extortion since at least June 2022.
  • Initial access came through the victim's VPN server: in one confirmed compromise the actors exploited an unpatched vulnerability in the VPN server, and in another they used previously compromised credentials (obtained via a phishing email with a malicious attachment) against a legacy VPN server that did not have multifactor authentication (MFA) enabled.
  • After gaining access, attackers moved laterally using SSH and RDP, and pursued privileged access through credential dumping and pass-the-hash techniques.
  • They leveraged privileged accounts to reset ESXi passwords and deployed ransomware (reportedly based on leaked Babuk Locker source code) on ESXi servers, encrypting files under /vmfs/volumes/ with the extensions .vmdk, .vmem, .vswp, .vmsd, .vmx and .vmsn, which takes every VM on the host offline at once.
  • Daixin also exfiltrated data using tools like Rclone (to a VPS) and Ngrok for web-based exfiltration.
  • The advisory maps these actions to MITRE ATT&CK techniques and provides IOCs (including Rclone-related hashes) to aid defense and incident response.
  • Mitigations emphasize patching, phishing-resistant MFA, securing RDP, network segmentation, least-privilege access, robust backups, and incident-response planning.
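The lateral movement, pass-the-hash and exfiltration steps above lend themselves to a hunt over endpoint telemetry. The following Python is an added example, not part of the advisory or of CISA's tooling: it runs three checks over constructed Sysmon process-creation and Windows Security logon records. Every host, IP and user in the sample data is invented, and the approved RDP jump host (10.0.5.10) is an assumption for the demo.

```python
"""Hunt for the Daixin TTPs summarised above in constructed Windows event records.

Added example; none of these records come from the advisory. Detection ideas:
  * Sysmon EID 1 (process creation): rclone.exe / ngrok.exe by name, or an
    rclone-style command line ("copy <src> <remote>:<path>") from a renamed binary.
  * Security EID 4624 logon type 10 (RDP) from a host that is not an approved
    admin jump host.
  * Security EID 4624 logon type 9 with logon process "seclogo" and auth package
    "Negotiate": the footprint left when pass-the-hash tooling starts a process
    with injected NTLM credentials.
"""
import re

EXFIL_TOOLS = {"rclone.exe", "ngrok.exe"}
# verb, source, remote:path. The remote name must be 2+ chars so that a plain
# Windows drive letter ("copy C:\a D:") does not look like an rclone remote.
RCLONE_CMD_RE = re.compile(r"\b(copy|sync|move)\s+\S+\s+[A-Za-z0-9_-]{2,}:", re.IGNORECASE)
# Assumption for the demo: the only host allowed to open RDP sessions.
KNOWN_ADMIN_HOSTS = {"10.0.5.10"}


def basename(image):
    """Lower-cased file name of a Windows or POSIX path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_exfil_tool(ev):
    """Flag Rclone/Ngrok execution (the page maps exfiltration to T1567)."""
    if ev.get("event_id") != 1:
        return None
    name = basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "")
    if name in EXFIL_TOOLS:
        return f"T1567 exfiltration tool {name}: {cmd}"
    if RCLONE_CMD_RE.search(cmd):
        return f"T1567 rclone-style command from {name}: {cmd}"
    return None


def detect_lateral_movement(ev, admin_hosts=KNOWN_ADMIN_HOSTS):
    """Flag RDP logons from unapproved hosts and the pass-the-hash logon pattern."""
    if ev.get("event_id") != 4624:
        return None
    logon_type = ev.get("logon_type")
    if logon_type == 10 and ev.get("src_ip") not in admin_hosts:
        return f"T1563.002 RDP logon as {ev.get('user')} from unapproved host {ev.get('src_ip')}"
    if (logon_type == 9
            and ev.get("logon_process", "").lower() == "seclogo"
            and ev.get("auth_package", "").lower() == "negotiate"):
        return f"T1550.002 pass-the-hash pattern (type 9 / seclogo) as {ev.get('user')}"
    return None


def hunt(events, admin_hosts=KNOWN_ADMIN_HOSTS):
    """Return (event_index, finding) pairs for every record that matches a check."""
    findings = []
    for i, ev in enumerate(events):
        for hit in (detect_exfil_tool(ev), detect_lateral_movement(ev, admin_hosts)):
            if hit:
                findings.append((i, hit))
    return findings


# Constructed sample records (Sysmon EID 1 and Security EID 4624, flattened to dicts).
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event_id": 1, "image": r"C:\Users\svc_backup\Downloads\rclone-v1.59.2-windows-amd64\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares\Radiology vps:/loot --transfers 16"},
    {"event_id": 1, "image": r"C:\ProgramData\ng.exe", "cmdline": "ng.exe tcp 3389"},  # renamed ngrok: not caught
    {"event_id": 1, "image": r"C:\ProgramData\svchost32.exe",
     "cmdline": r"svchost32.exe sync E:\Backups sftp1:/in"},  # renamed rclone: caught by its syntax
    {"event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.10"},  # jump host, benign
    {"event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.44.17"},  # unexpected source
    {"event_id": 4624, "logon_type": 9, "user": "svc_backup",
     "logon_process": "seclogo", "auth_package": "Negotiate"},
    {"event_id": 4624, "logon_type": 2, "user": "jsmith"},  # console logon, benign
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event[{idx}] {finding}")
```

The sample deliberately includes a renamed ngrok binary that slips past the name check: ngrok's command line carries no distinctive syntax, so catching it needs a different signal (binary hash or network telemetry) rather than a process-name rule. The pass-the-hash heuristic is worth pairing with a check that the same account had no preceding interactive logon on that host.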

MITRE Techniques

  • [T1598.002] Phishing for Information: Spearphishing Attachment – “Daixin actors have acquired the VPN credentials (later used for initial access) by a phishing email with a malicious attachment.”
  • [T1190] Exploit Public-Facing Application – “Daixin actors exploited an unpatched vulnerability in a VPN server to gain initial access to a network.”
  • [T1078] Valid Accounts – “Daixin actors use previously compromised credentials to access servers on the target network.”
  • [T1098] Account Manipulation – “Daixin actors have leveraged privileged accounts to reset account passwords for VMware ESXi servers in the compromised environment.”
  • [T1003] OS Credential Dumping – “Daixin actors have sought to gain privileged account access through credential dumping.”
  • [T1563.001] SSH Hijacking – “Daixin actors use SSH to move laterally across a network.”
  • [T1563.002] RDP Hijacking – “Daixin actors use RDP to move laterally across a network.”
  • [T1550.002] Pass the Hash – “Daixin actors have sought to gain privileged account access through pass the hash.”
  • [T1567] Exfiltration Over Web Service – “Daixin Team members have used Ngrok for data exfiltration over web servers.”
  • [T1486] Data Encrypted for Impact – “Daixin actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.”

Indicators of Compromise

  • [SHA256 Hash] Rclone-associated hashes – 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238, 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD, and 3 more hashes
  • [File] Rclone-related artifacts – rclone-v1.59.2-windows-amd64\git-log.txt, rclone-v1.59.2-windows-amd64\rclone.1, rclone-v1.59.2-windows-amd64\rclone.exe, rclone-v1.59.2-windows-amd64\README.html, rclone-v1.59.2-windows-amd64\README.txt
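The hashes and file names above can be checked against a host with a short scanner. The Python below is an added example, not CISA's tooling or a script from the advisory: it hashes every file under a root, matches the two full SHA-256 values quoted on this page (extend the set with the remaining three from the advisory) and, independently, flags files that sit in an rclone 1.59.2 release folder with the listed names, so that a rebuilt or patched rclone.exe the hashes would miss is still reported. The demo tree it builds is constructed, with placeholder contents standing in for the real binaries.

```python
"""Scan a directory tree for the Rclone IOCs listed above.

Added example, not part of the advisory. Only the two full SHA-256 values shown on
this page are included; the constructed demo tree stands in for a compromised host.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 hashes quoted on this page (the advisory lists three more).
RCLONE_SHA256 = {
    "9e42e07073e03bdea4cd978d9e7b44a9574972818593306be1f3dcfdee722238",
    "19ed36f063221e161d740651e6578d50e0d3cacee89d27a6ebed4ab4272585bd",
}
# Files that the rclone 1.59.2 Windows build unpacks into its release folder.
RCLONE_ARTIFACTS = {"git-log.txt", "rclone.1", "rclone.exe", "readme.html", "readme.txt"}
RCLONE_DIR_RE = re.compile(r"^rclone-v1\.59\.2-windows-amd64$", re.IGNORECASE)


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, hash_iocs=RCLONE_SHA256):
    """Return (kind, path, sha256) for every file that matches an IOC.

    kind is "hash" for a SHA-256 match (strongest signal) or "artifact" for a file
    whose name and parent folder match the rclone release layout. A file matching
    both is reported once, as "hash".
    """
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in hash_iocs:
            findings.append(("hash", str(p), digest))
        elif RCLONE_DIR_RE.match(p.parent.name) and p.name.lower() in RCLONE_ARTIFACTS:
            findings.append(("artifact", str(p), digest))
    return findings


def build_demo_tree():
    """Create a constructed file-system snapshot and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="daixin-demo-"))
    tool_dir = root / "Users" / "svc_backup" / "Downloads" / "rclone-v1.59.2-windows-amd64"
    tool_dir.mkdir(parents=True)
    # Placeholder bytes: not the real binary, so the hash IOCs will not match here.
    (tool_dir / "rclone.exe").write_bytes(b"MZ placeholder, not the real rclone binary")
    (tool_dir / "README.txt").write_text("constructed placeholder\n")
    (root / "Users" / "svc_backup" / "notes.txt").write_text("benign file\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for kind, path, digest in scan(demo_root):
        print(f"{kind:8} {digest[:16]}...  {path}")
```

Point `scan()` at a mounted image or a live root; both branches are worth keeping because the hashes identify one specific rclone build, while the folder layout survives a re-download. Rclone is also a legitimate administration tool, so a hit needs context (which account dropped it, when, and what it copied) before it is treated as confirmation of exfiltration.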

Read more: https://www.cisa.gov/uscert/ncas/alerts/aa22-294a