The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) have updated their joint cybersecurity advisory on the BianLian threat group to reflect the new tactics the group has used in its recent attacks.
BianLian develops and deploys its own ransomware and engages in data extortion. Its early attacks followed the double-extortion model: breach the network, steal data, then encrypt files. Beginning in January 2023 the group shifted to extortion without encryption: it exfiltrates data and demands a ransom but leaves the victim's systems unencrypted, with payment demanded in exchange for not publishing the stolen data on its leak site. Since January 2024 BianLian has conducted exfiltration-based extortion exclusively, with no file encryption at all.
BianLian has changed its tactics, techniques, and procedures (TTPs). The group currently gains initial access through valid Remote Desktop Protocol (RDP) credentials, and has targeted Windows and ESXi infrastructure, possibly using the ProxyShell exploit chain (CVE-2021-34523, CVE-2021-34473, CVE-2021-31207) for initial access.
BianLian is known to use Ngrok, a legitimate reverse proxy tool, and what appears to be a modified version of the open-source Rsocks utility for command and control. This is a change from earlier operations, in which the group deployed a custom Go backdoor tailored to each victim. The group has used the Windows Command Shell and PowerShell to disable antivirus software, and it now packs its executables with UPX to conceal malicious code and evade signature-based and heuristic detection. Binaries and scheduled tasks are renamed to mimic legitimate Windows services and security products.
BianLian has also been observed exploiting CVE-2022-37969, the Windows Common Log File System (CLFS) Driver elevation of privilege vulnerability, on Windows 10 and Windows 11 systems. With elevated privileges, the group creates Domain Admin accounts for lateral movement, along with Azure AD accounts, to retain access to the compromised environment, and it has been seen planting webshells on Exchange servers for persistence. PowerShell scripts are used to locate and compress sensitive data before it is exfiltrated. The group then leaves a ransom note threatening to publish the stolen data if no payment is made, and has also telephoned employees of victim organizations to pressure them into paying.
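Three of the behaviours above (a new account that is immediately made a Domain Admin, a scheduled task named like a stock Windows task but running from a user-writable path, and a UPX-packed executable) leave concrete traces that can be hunted for. The following is an added example of that detection logic, not code from the advisory or its authors. The event IDs are the standard Windows Security audit events (4720 user account created, 4728/4732 member added to a global/local security group, 4698 scheduled task created); the SAMPLE_EVENTS records, the account/task/path names in them, and the header-only PE image produced by build_fake_pe() are all constructed for illustration.

```python
"""Hunting for BianLian-style activity in Windows telemetry.

Added example, not code from the advisory. SAMPLE_EVENTS are hand-written
records in the shape a SIEM would hand back; build_fake_pe() fabricates a
header-only PE32 image so the UPX check can be exercised offline.
"""
import struct

SAMPLE_EVENTS = [  # constructed; "time" is seconds, not a real timestamp
    {"id": 4720, "time": 1, "subject": "CORP\\svc-backup", "target": "CORP\\winsvc01"},
    {"id": 4728, "time": 2, "subject": "CORP\\svc-backup", "member": "CORP\\winsvc01",
     "group": "Domain Admins"},
    {"id": 4720, "time": 3, "subject": "CORP\\helpdesk", "target": "CORP\\jsmith"},
    {"id": 4728, "time": 4, "subject": "CORP\\helpdesk", "member": "CORP\\jsmith",
     "group": "Sales"},
    {"id": 4698, "time": 5, "subject": "CORP\\winsvc01",
     "task": "\\Microsoft\\Windows\\Defender\\SecurityHealth",   # looks like a stock task
     "command": "C:\\Users\\Public\\sysdiag.exe"},                # but runs from a user path
    {"id": 4698, "time": 6, "subject": "NT AUTHORITY\\SYSTEM",
     "task": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "command": "C:\\Windows\\System32\\usoclient.exe"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def new_accounts_made_admin(events, window=3600):
    """(account, creator) pairs where a freshly created account (4720) was added
    to a privileged group (4728/4732) within `window` seconds: the
    create-then-elevate pattern used to mint Domain Admin accounts."""
    created, hits = {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] == 4720:
            created[e["target"].lower()] = e
        elif e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS:
            origin = created.get(e["member"].lower())
            if origin is not None and e["time"] - origin["time"] <= window:
                hits.append((e["member"], e["subject"]))
    return hits


def masquerading_tasks(events):
    """Names of 4698 tasks that sit under \\Microsoft\\Windows\\ like built-in
    tasks but whose action runs from outside the OS / Program Files trees."""
    suspicious = []
    for e in events:
        if e["id"] != 4698:
            continue
        looks_builtin = e["task"].lower().startswith("\\microsoft\\windows\\")
        trusted_path = e["command"].lower().startswith(TRUSTED_DIRS)
        if looks_builtin and not trusted_path:
            suspicious.append(e["task"])
    return suspicious


def pe_section_names(data):
    """Walk the PE section table and return the section names in order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]           # 8-byte name field
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True if the section table carries UPX's default section names. Triage
    signal only: much legitimate software is UPX-packed, and the names are
    trivially changed by an attacker who wants to hide the packer."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def build_fake_pe(section_names):
    """Constructed header-only PE32 image used as sample input (not a real binary)."""
    pe_off = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    optional = b"\0" * 0xE0                                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(optional), 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    print("new accounts elevated:", new_accounts_made_admin(SAMPLE_EVENTS))
    print("masquerading tasks:", masquerading_tasks(SAMPLE_EVENTS))
    print("UPX-packed:", looks_upx_packed(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))
```

The account check deliberately keys on the sequence (creation followed quickly by privileged group membership) rather than on either event alone, since helpdesk staff create accounts all day; the task check keys on the mismatch between a Microsoft-looking task path and a non-system executable, which is exactly what renaming to mimic a Windows service cannot hide.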
The updated advisory from the authoring agencies recommends the following mitigations, which regulated entities should incorporate into their HIPAA security training and risk management programs.
- Remove remote access options when they are not in use. When remote access is required, allow it only from inside the network over an approved solution such as Virtual Desktop Infrastructure (VDI) or a Virtual Private Network (VPN).
- Block both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
- Review logs for execution of remote access software to detect abnormal use of programs running as a portable executable.
- Use security software to detect instances of remote access software being loaded only in memory.
- Disable command-line and scripting activities and permissions.
- Restrict the use of PowerShell on Windows systems.
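A quick way to see where a host stands against the remote-access and PowerShell items in that list is a read-only posture check. The script below is an added example written for this page, not part of the advisory. It assumes an elevated PowerShell 5.1 or later session on the Windows host being audited; the registry locations are the documented policy keys for script block logging and Terminal Services, and the list of remote-access tool process names is an assumption (only Ngrok is named in the advisory).

```powershell
# Read-only posture check for the remote-access / PowerShell mitigations above.
# Added example, not from the advisory. Run elevated on the host being audited.
$findings = [System.Collections.Generic.List[string]]::new()

# PowerShell v2 engine has no script block logging or AMSI, so anything run with
# "powershell -version 2" sidesteps the logging checked below. It should be removed.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') { $findings.Add('PowerShell v2 engine is still installed') }

# Script block logging (Event ID 4104) records the PowerShell used to find and
# compress data, even when the script is obfuscated or only ever lives in memory.
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) { $findings.Add('PowerShell script block logging is not enabled') }

# RDP exposure: if the service accepts connections, NLA must be required and the
# host should only be reachable through the VPN/VDI path, never directly.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $findings.Add('RDP is enabled; confirm it is reachable only via VPN/VDI')
    $station = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($station.UserAuthentication -ne 1) { $findings.Add('RDP does not require Network Level Authentication') }
}

# Remote access / tunnelling tools running from outside the OS and Program Files
# trees. Ngrok comes from the advisory; the other names are assumed examples.
$toolPattern = 'ngrok|rsocks|anydesk|teamviewer'
Get-Process | Where-Object {
    $_.Path -and $_.Name -match $toolPattern -and
    $_.Path -notlike 'C:\Windows\*' -and $_.Path -notlike 'C:\Program Files*'
} | ForEach-Object { $findings.Add("Remote access tool '$($_.Name)' running from $($_.Path)") }

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Treat the output as a starting point for the log review the advisory asks for, not a verdict: a tool that is absent from the process list can still have been loaded only in memory, which is why the advisory pairs this with endpoint security software that inspects memory-resident code.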