FBI Warns Poorly Protected VPN Servers Are Under Attack
Rising ransomware and data extortion attacks on healthcare providers have prompted issuance of a joint Cybersecurity Advisory (CSA) by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Department of Health and Human Services (HHS).
The agencies report that these attacks often focus on unsecured VPN servers and have been steadily increasing in frequency since June 2022.
Daixin Team Likely Culprits
The joint advisory names “Daixin Team” as the threat actor behind this crime spree involving targeted ransomware and data extortion operations. Daixin Team is also believed responsible for specific ransomware incidents at multiple healthcare and public health (HPH) organizations where they:
Deployed ransomware to encrypt servers responsible for managing healthcare records and services, including electronic health records, diagnostic services, imaging services, and intranet services.
Extracted and exploited personally identifiable information (PII) and patient health information (PHI), threatening release of this sensitive data if ransom was not paid.
VPNs Become Ransomware Targets
To execute their attacks, Daixin Team cybercrime actors leverage a variety of tactics, techniques, and procedures (TTPs) correlating to the MITRE ATT&CK® for Enterprise framework. However, in each case, Daixin actors gain initial access to victims by exploiting the organization’s virtual private network (VPN). Once access is obtained, Daixin actors traverse the networks and siphon relevant data they can use to carry out the ransomware attack.
In one confirmed compromise, Daixin Team exploited an unpatched vulnerability in the victim organization’s VPN. In another confirmed case, the attacker used previously compromised credentials to access an unsecured legacy VPN server. It is believed that these credentials were obtained using a phishing email with a malicious attachment, which once permitted onto the system, allowed for credential dumping. The server that was later compromised with these dumped credentials did not have multifactor authentication (MFA) enabled, so the threat actor’s illicit access went unchecked.
Full-trust access, enabled by an unsecure VPN, allows Daixin threat actors to move laterally through the organization’s network to retrieve data, encrypt it, and hold it for ransom. The actors leverage both Secure Shell (SSH) protocol and Remote Desktop Protocol (RDP) as tools to move across systems within the organization. The credential dumping allows them to gain privileged account access, and to extract the credentials for future use and exploitation. Once privileged accounts are breached, they are used to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. Daixin can then use SSH access to connect to the compromised servers and deploy ransomware.
According to third-party reporting, the Daixin Team’s ransomware is based on leaked Babuk Locker source code, which specifically targets ESXi servers. The ransomware encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/. More details on the TTPs used as well as Indicators of Compromise (IOCs) can be found on the CISA website.
Mitigating Daixin’s Impact
The FBI, CISA, and HHS joint advisory recommended some key mitigation steps to help protect against Daixin and related malicious activity, including:
- Keep software and systems up to date, with a particular focus on patching remote access software and virtual machines.
- Require the use of MFA across all systems.
- Secure and monitor Remote Desktop Protocol (RDP) by limiting access over internal networks.
- Disable ports and protocols that are not being used for business purposes.
- Disable SSH and other network device management interfaces, and secure with strong passwords and encryption when enabled.
- Implement and enforce multilayer network segmentation, placing the most critical communications and data on the most secure and reliable layer.
- Maintain continuous authentication for endpoints that must be connected to the network, to limit access and ensure data packages are not manipulated by man-in-the-middle attacks while in transit.
- Leverage standard user accounts on internal systems, and limit administrative accounts, promoting “least privileged” access across the network.
- Use monitoring tools to observe if various connected devices are behaving erratically due to compromise.
- Regularly practice and prepare for ransomware attacks with cyber incident response plans and data backups.
Adopting Zero Trust to Mitigate These Attacks
Many of the CISA recommendations to mitigate these incidents are also primary tenets of adopting zero trust network access (ZTNA), in lieu of relying on traditional VPN technology, which is highly susceptible to the TTPs identified in the multi-agency advisory.
Key to this strategy is ensuring a tight interlock between a ZTNA solution and endpoint security agents. This method solidifies a lock-step procedure to leverage access management and endpoint security from the same tenant.
Taking this a step further, mandatory user re-authentication when accessing private resources guarantees the use of continuous authentication to manage the release of information. Adopting least privileged access also minimizes the amount of “runway” a threat actor can obtain via compromised accounts.
Built-in threat protection through an Intrusion Detection System (IDS) can strengthen these defenses, helping to identify malicious activity and destination reputation analysis. Network defenders gain the ability to understand if actors from known malicious destinations are attempting to access network resources, even when attackers impersonate confirmed users with stolen credentials.
These zero trust fundamentals work together to challenge threats by ensuring granular access control and multilayer network segmentation, providing the most critical protection to the most critical data and communications.
When implemented holistically, ZTNA is a deterrent against ransomware, command-and-control (C2) beacons, privilege escalation, and data exfiltration. This cohesion reduces the surface area for attack, preventing lateral movement and unwanted application discovery, and providing greater visibility into network activity for both on-premises and cloud resources.
BlackBerry believes in a multi-tenant, cloud-native approach to ZTNA, to provide modern enterprises with a fast, reliable, and elastic solution that empowers digital business transformation while keeping networks and endpoints secure. It should be coupled with cybersecurity solutions that leverage world-class AI (artificial intelligence) and ML (machine learning) to support an effective prevention-first strategy.
Understanding ZTNA
To learn more about harnessing the power of ZTNA to combat growing threat vectors, and harnessing BlackBerry® solutions with Cylance® AI, check out CylanceGATEWAY™.