According to the advisory, Virtual Private Network (VPN) servers are used in these attacks to gain initial access to targeted networks, often by exploiting unpatched security vulnerabilities or by using compromised credentials obtained via phishing emails. After establishing a foothold, the Daixin Team has been seen moving laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP), then gaining elevated privileges using techniques such as credential dumping. “The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware on those servers,” stated the U.S. government. The Daixin Team’s ransomware is based on another strain called Babuk. Organizations are advised to implement multi-factor authentication, create network segmentation, apply the most recent software upgrades, and keep regular offline backups.
https://thehackernews.com/2022/10/cisa-warns-of-daixin-team-hackers.html
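The two-step pattern quoted above (a privileged account resets an ESXi account password via vCenter, then SSH is used to log in to that same ESXi host) is a natural thing to alert on. The correlation below is an added example written for this page, not code from the advisory or the article; the event tuples and their field layout are constructed here, and a real deployment would populate them from parsed vCenter events and ESXi authentication logs.

```python
"""Flag ESXi hosts where an account password reset is followed within a
short window by an SSH login: the sequence the advisory attributes to
Daixin Team.  Event layout (timestamp, host, actor, event) is constructed
for this example and does not mirror any real vCenter/ESXi log format."""
from datetime import datetime, timedelta

# Constructed sample events.  esxi-01 shows the suspicious sequence,
# esxi-02 an SSH login with no prior reset, esxi-03 a reset too old to matter.
SAMPLE_EVENTS = [
    ("2022-10-21T02:10:05", "esxi-01", "vsphere.local\\svc-backup", "password_reset"),
    ("2022-10-21T02:11:40", "esxi-01", "root", "ssh_login"),
    ("2022-10-21T03:00:00", "esxi-02", "root", "ssh_login"),
    ("2022-10-20T09:00:00", "esxi-03", "vsphere.local\\admin", "password_reset"),
    ("2022-10-21T09:05:00", "esxi-03", "root", "ssh_login"),
]


def correlate(events, window=timedelta(hours=1)):
    """Return one alert per SSH login that follows a password reset on the
    same host within `window`.  Events are processed in timestamp order so
    the most recent reset per host is the one compared against."""
    last_reset = {}  # host -> (reset time, actor who performed it)
    alerts = []
    for ts, host, actor, event in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event == "password_reset":
            last_reset[host] = (t, actor)
        elif event == "ssh_login" and host in last_reset:
            reset_time, reset_by = last_reset[host]
            gap = t - reset_time
            if timedelta(0) <= gap <= window:
                alerts.append({
                    "host": host,
                    "reset_by": reset_by,
                    "ssh_user": actor,
                    "gap_minutes": gap.total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: password reset by {a['reset_by']} "
              f"then SSH login as {a['ssh_user']} after {a['gap_minutes']:.1f} min")
```

Only the esxi-01 sequence is reported; the stale reset on esxi-03 and the unreset esxi-02 login fall outside the rule, which is the kind of noise separation segmentation and MFA controls should then make rare in practice.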

