Scroll Top

Daixin Team

Daixin Team is a notorious ransomware group that emerged in June 2022, primarily driven by financial motives. This cybercriminal gang has posed a significant threat to various sectors, with a particular focus on the US Healthcare and Public Health (HPH) sector. The group’s activities have led to severe disruptions in healthcare services by stealing sensitive data and compromising critical systems.

Major Attacks by Daixin Team
Daixin Team has not limited its attacks to the HPH sector. In late 2022, the group breached AirAsia Group, Malaysia’s largest airline, leaking the personal information of over 5 million passengers and employees. Similarly, in February 2023, Daixin attacked B&G Foods, a major conglomerate, resulting in the release of internal documents and customer data after the company refused to negotiate.

Initial Access
Daixin Team typically gains access to target networks through unsecured virtual private network (VPN) servers. They exploit unpatched vulnerabilities, misconfigurations, and use stolen credentials, often obtained via phishing campaigns.

Lateral Movement and Data Exfiltration
Once inside the network, Daixin conducts reconnaissance to extract internal credentials and move laterally using Secure Shell (SSH) and Remote Desktop Protocol (RDP). They use tools like Rclone and Ngrok for data exfiltration, sending stolen data to external servers.

Encryption and Extortion
The group uses a ransomware strain based on Babuk Locker. Small files are encrypted with the ChaCha8 algorithm, while larger files are segmented and partially encrypted. They also target ESXi servers, encrypting files and leaving ransom notes demanding payment to avoid data leaks.

Signs of a Daixin Team Attack
Indicators of a Daixin attack include malware hash signatures and known tactics, techniques, and procedures (TTPs) identified by the FBI, CISA, and DHS. These can be used to develop YARA rules for intrusion detection systems (IDSs).

Prevention Strategies
To mitigate the risk of Daixin Team attacks, organizations should:

User Awareness Training:
Educate employees about phishing techniques and suspicious email handling.
Apply Updates and Patches:
Regularly update all systems, including security products, operating systems, and applications.
Implement MFA:
Use multi-factor authentication for all critical assets and services.
Network Security:
Employ IDS, next-gen firewalls, and segment critical systems on separate VLANs.
Endpoint Security:
Install advanced security products on all endpoints to detect and block ransomware payloads.
Backup Strategy:
Maintain offline, encrypted, and immutable backups of critical data.
Restrict SMB Protocol:
Disable or update outdated versions of the Server Message Block protocol.

Tools Leveraged by Daixin Actors

  • AdFind
    Queries Active Directory.
  • Advanced IP Scanner
    Scans network devices.
  • AnyDesk
    Remote access software.
  • LaZagne
    Password recovery tool.
  • PCHunter64
    Acquires system information.
  • Mimikatz
    Dumps authentication credentials.
  • Ngrok
    Creates secure tunnels.
  • RClone
    Syncs files with cloud storage.
  • SoftPerfect
    Network scanner.
  • WinRAR
    Compresses files for exfiltration.
  • WinSCP
    Transfers data over networks.

Conclusion
The Daixin Team continues to be a formidable threat, especially to the healthcare sector. Organizations must adopt robust cybersecurity measures to protect against such ransomware attacks. By staying vigilant and implementing comprehensive security strategies, the impact of these attacks can be significantly mitigated.

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.