The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Health have warned hospitals and other healthcare facilities in the United States about a ransomware group that can access networks through VPN servers. The group is called Daixin Team and is said to have been active since June of this year (pdf). Last month, several American hospitals were victims of the ransomware group.
The attackers use VPN servers to gain initial access to their victims' networks, the FBI said. To do so, they exploit known vulnerabilities in VPN software and use stolen VPN credentials. In at least one attack, for example, the attackers managed to log in to a legacy VPN server that did not use multi-factor authentication (MFA). The VPN credentials were presumably stolen through phishing or malicious email attachments.
Once inside via the VPN server, the attackers use SSH (Secure Shell) and RDP (Remote Desktop Protocol) to move laterally through the network. Using techniques such as credential dumping and pass-the-hash, they try to gain control of highly privileged accounts. With those accounts they log into VMware vCenter servers and reset the account passwords of the ESXi servers on the network. They then connect to the ESXi servers over SSH and deploy the ransomware there. The attackers also steal patient data.
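The chain described above leaves a distinctive defender-side signal: an ESXi host account password reset performed through vCenter, followed shortly afterwards by an SSH login to that same ESXi host from somewhere other than an approved admin jump host. The following Python script is an added example, not code from the advisory or from any vendor; it correlates those two events over a constructed, simplified log format (real vCenter and ESXi syslog lines differ and need their own parser). The host names, IP addresses, timestamps and the `esxi_pw_reset`/`ssh_login` event kinds are all made up for the example.

```python
"""Correlate an ESXi account password reset (done via vCenter) with a
subsequent SSH login to that ESXi host.  Added example; the log format
below is constructed for illustration and is NOT the real vCenter/ESXi
syslog format."""
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    kind: str    # "esxi_pw_reset" or "ssh_login" (constructed event kinds)
    host: str    # ESXi host the event concerns
    actor: str   # account that performed the action or logged in
    src: str     # source IP address


# Constructed sample events (hypothetical hosts, addresses and times).
SAMPLE_LOG = """\
2022-10-20T01:02:03 esxi_pw_reset host=esxi01 actor=vc-admin src=10.0.5.20
2022-10-20T01:03:30 ssh_login host=esxi01 actor=root src=10.0.5.20
2022-10-20T01:05:10 ssh_login host=esxi01 actor=root src=10.0.9.77
2022-10-20T01:06:00 ssh_login host=esxi02 actor=root src=10.0.5.20
2022-10-19T09:00:00 esxi_pw_reset host=esxi03 actor=vc-admin src=10.0.5.20
2022-10-20T08:00:00 ssh_login host=esxi03 actor=root src=10.0.5.20
"""


def parse(text):
    """Parse '<iso-timestamp> <kind> key=value ...' lines into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append(Event(datetime.fromisoformat(ts), kind,
                            fields["host"], fields["actor"], fields["src"]))
    return events


def find_reset_then_ssh(events, window=timedelta(hours=1),
                        allowed_ssh_sources=frozenset()):
    """Return (host, reset_ts, login_ts, src) for every SSH login to an ESXi
    host that occurs within `window` after that host's account password was
    reset via vCenter, unless the SSH source is an approved admin jump host.

    Events are processed in timestamp order so a reset only explains logins
    that come after it; a login before any reset, or long after one, is
    ignored.  Only the most recent reset per host is tracked."""
    last_reset = {}   # host -> timestamp of the most recent password reset
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "esxi_pw_reset":
            last_reset[ev.host] = ev.ts
        elif ev.kind == "ssh_login":
            reset_ts = last_reset.get(ev.host)
            if (reset_ts is not None
                    and ev.ts - reset_ts <= window
                    and ev.src not in allowed_ssh_sources):
                hits.append((ev.host, reset_ts, ev.ts, ev.src))
    return hits


def main():
    # 10.0.5.20 stands in for a sanctioned admin jump host (constructed).
    jump_hosts = frozenset({"10.0.5.20"})
    for host, reset_ts, login_ts, src in find_reset_then_ssh(
            parse(SAMPLE_LOG), allowed_ssh_sources=jump_hosts):
        print(f"ALERT {host}: password reset at {reset_ts}, "
              f"SSH login from {src} at {login_ts}")


if __name__ == "__main__":
    main()
```

With the sample data, only the `esxi01` login from `10.0.9.77` fires: the login from the jump host is allow-listed, `esxi02` had no reset, and `esxi03`'s reset is 23 hours earlier than its login. The allow list and the one-hour window are tuning knobs; an environment where ESXi passwords are legitimately rotated by automation would add that automation's source address to the allow list rather than widen the window.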
The encrypted servers are used, among other things, to deliver healthcare services such as electronic patient records, diagnostic services, scans and intranets. When affected hospitals and healthcare institutions refuse to pay the ransom, the attackers threaten to publish the stolen patient data on the internet. To counter the attacks, healthcare organizations are advised to install security updates, enable MFA for as many services as possible, and train staff to recognize and report phishing attacks.