CISA & FBI has released a joint Cybersecurity Advisory from government agencies in the United States and Australia to warn businesses about the most recent tactics, methods, and procedures (TTPs) utilized by the BianLian ransomware group.
Since June 2022, BianLian, a ransomware and data extortion outfit, has been aiming its attacks towards organizations within the United States and Australia’s critical infrastructure.
The #StopRansomware alert is based on findings from the FBI and the Australian Cyber Security Centre as of March 2023 and is part of a larger effort to combat ransomware. The goal is to arm defenders with the knowledge they need to defend themselves against BianLian and other malware better.
After collecting sensitive information from target networks, BianLian encrypted systems and threatened to release the files as a second form of extortion.
As a result of Avast’s publication of a decryptor for the ransomware in January 2023, the group has shifted its focus to extortion via data theft without encrypting systems. Since these instances are effectively data breaches, they also cause the victim’s reputation to suffer, erode the trust of their customers, and open them up to legal issues.
According to the CISA advice, BianLian compromises systems with legitimate Remote Desktop Protocol (RDP) credentials that were likely obtained through phishing or were purchased through early access brokers.
BianLian then does network reconnaissance using a bespoke Go backdoor, commercial remote access tools, the command line, and scripts. The final step is the exfiltration of victim data using a file sharing service like Mega, the Rclone tool, or the File Transfer Protocol (FTP).
BianLian uses PowerShell and the Windows Command Shell to stop antivirus-related tasks from executing and dodge detection. Tamper protection in Sophos security systems is also disabled by manipulating the Windows Registry.
Restricting the usage of PowerShell on mission-critical systems, prohibiting command-line and scripting activities, and limiting the use of remote desktop protocols are all recommended mitigations.
Several preventative steps are suggested in the warning to keep the network secure:
- Make sure all applications and tools used for remote access are being monitored and controlled.
- Implement severe security measures and limit access to remote desktop programs like RDP.
- Reduce your reliance on PowerShell, get the newest version, and turn on detailed logging.
- Use the concept of least privilege and conduct regular audits of administrative accounts.
- Create a backup plan that includes numerous, off-site copies of your data.
- Password policies should be in line with NIST recommendations for security, including in terms of length, storage, reuse, and multi-factor authentication.
- Software and firmware updates should be performed routinely, networks should be segmented to increase security, and network activity should be actively monitored.
Full bulletins from CISA and the ACSC provide more information on the recommended countermeasures, indicators of compromise (IoCs), command traces, and BianLian approaches.
Conclusion
The FBI, CISA, and ACSC are warning critical infrastructure organizations of BianLian ransomware assaults. Since June 2022, the gang has used remote desktop protocol (RDP) credentials from initial access brokers or phishing assaults to access victim networks. CISA, FBI, and ACSC claim the BianLian gang has targeted US critical infrastructure organizations and Australian private companies, including a critical infrastructure organization, for a year. Starting in January 2023, the organization focused on data exfiltration rather than ransomware.
After getting network access, the gang installs remote management and access tools including Atera Agent, AnyDesk, SplashTop, and TeamViewer plus a victim-specific Go-based backdoor. BianLian also created administrator accounts, changed passwords, disabled antivirus software, and modified Windows registry to disable and uninstall Sophos endpoint protection solutions. Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, PingCastle, Impacket, and command-line scripting are used for reconnaissance.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.