CISA Cybersecurity Alerts 10.24.22
Ep 35 | 10.24.22

CISA Alert AA22-294A – #StopRansomware: Daixin Team.


This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Two Nine Four Alpha.

Original release date–October twenty first, twenty twenty two.

CISA, the FBI, and the Department of Health and Human Services are releasing this advisory to provide information on the Daixin Team, a cybercrime group that is actively targeting U.S. businesses in the Healthcare and Public Health Sector.

The Daixin Team is a ransomware and data extortion group that has targeted the Healthcare Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple healthcare organizations.

Daixin Team deploys ransomware to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services, and has

exfiltrated PII and patient health information and threatened to release the information if a ransom is not paid.

Daixin actors gain initial access to victims through VPN servers. In one confirmed compromise, the actors used compromised credentials to access a legacy VPN server that did not use multifactor authentication. The actors are believed to have acquired the VPN credentials through a phishing email with a malicious attachment.

The alert documentation listed in the show notes includes Daixin Team TTPs, indicators of compromise, a MITRE ATTACK mapping for this threat activity, and mitigations.

FBI, CISA, and HHS would like to thank CrowdStrike and the Health-ISAC for their contributions to this alert.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at, or call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.