Note: FRSecure is aware of a malware named Daxin. It appears that Daixin and Daxin are related, and the name differences are due to “Daxin” being used in some ransom notes.
In conjunction with the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS), the Cybersecurity and Infrastructure Security Agency (CISA) today advised that the Daixin Team is actively targeting US businesses, particularly in the Healthcare and Public Health Sector (HPH).
The Daixin Team is a data extortion and ransomware group that has been targeting the HPH Sector since at least June 2022. Servers holding personally identifiable information (PII) and protected health information (PHI) are highly sought-after targets, and the group threatens to release that information if the ransom is not paid. According to the advisory, Daixin Team threat actors typically gain initial access to victims’ networks through VPN servers and then move laterally using SSH and Remote Desktop Protocol (RDP). The ransomware is based on leaked Babuk Locker source code, and in at least one confirmed compromise the group used Rclone for data exfiltration.
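As an added illustration (not part of the advisory or FRSecure's post), the following hunt script looks for the chain summarized above in endpoint telemetry: an SSH or RDP logon sourced from the VPN client address pool, followed on the same host by an Rclone transfer to a remote. The event format, the VPN pool range, and the sample events are all constructed assumptions.

```python
"""Hunt for the Daixin-style chain: VPN login -> SSH/RDP lateral logon -> Rclone upload.
Event lines are a constructed format: ts|host|user|kind|detail (not real telemetry)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

VPN_POOL = ip_network("10.200.0.0/16")      # assumed address pool handed to VPN clients
LATERAL_PORTS = {22: "ssh", 3389: "rdp"}    # lateral-movement services named in the advisory
# rclone <copy|sync|move> <local path> <remote:> ... ; only transfer verbs are flagged
RCLONE_RE = re.compile(r"\brclone(?:\.exe)?\b.*\b(copy|sync|move)\b\s+\S+\s+(\S+:)", re.I)

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str        # "logon" or "process"
    detail: str      # logon: "<src_ip>:<dst_port>"; process: full command line

def parse(line: str) -> Event:
    ts, host, user, kind, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), host, user, kind, detail)

def hunt(lines, window=timedelta(hours=6)):
    """Return (host, user, description) findings, in time order."""
    events = sorted((parse(l) for l in lines), key=lambda e: e.ts)
    last_lateral = {}    # host -> time of most recent SSH/RDP logon from the VPN pool
    findings = []
    for e in events:
        if e.kind == "logon":
            src, port = e.detail.rsplit(":", 1)
            proto = LATERAL_PORTS.get(int(port))
            if proto and ip_address(src) in VPN_POOL:
                last_lateral[e.host] = e.ts
                findings.append((e.host, e.user, f"{proto} logon from VPN pool {src}"))
        elif e.kind == "process":
            m = RCLONE_RE.search(e.detail)
            if m:
                chained = e.host in last_lateral and e.ts - last_lateral[e.host] <= window
                tag = "rclone upload after lateral logon" if chained else "rclone upload"
                findings.append((e.host, e.user, f"{tag}: {m.group(1).lower()} -> {m.group(2)}"))
    return findings

SAMPLE = [  # constructed sample events
    "2022-10-20T01:10:00|fileserv01|svc_backup|logon|10.200.4.17:3389",
    "2022-10-20T01:25:00|fileserv01|svc_backup|process|C:\\Temp\\rclone.exe copy D:\\PHI mega:exfil --transfers 8",
    "2022-10-20T02:00:00|dbserv02|dba|logon|10.10.5.9:22",
    "2022-10-20T03:00:00|wks15|alice|process|C:\\Program Files\\rclone\\rclone.exe ls gdrive:",
]

if __name__ == "__main__":
    for host, user, what in hunt(SAMPLE):
        print(f"{host} {user}: {what}")
```

The SSH logon from a non-VPN address and the read-only `rclone ls` are deliberately left unflagged, so that the output concentrates on transfers that follow remote access from the VPN pool.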
CISA is urging organizations to prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities.
To see the full advisory, along with known Indicators of Compromise (IOCs) at this time, visit: https://www.cisa.gov/uscert/ncas/alerts/aa22-294a