A joint cybersecurity advisory from government agencies in the United States and Australia, published by the Cybersecurity and Infrastructure Security Agency (CISA), alerts organizations to the latest tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group.
BianLian is a ransomware and data extortion group that has targeted critical infrastructure entities in the United States and Australia since June 2022.
Part of the #StopRansomware effort, the advisory is based on investigations by the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) in March 2023. It aims to give defenders information that allows them to adjust protections and strengthen their security posture against BianLian ransomware and similar threats.
BianLian Attack Tactics
BianLian initially used a double extortion model: it encrypted systems after stealing private data from victim networks, then threatened to release the files.
However, since January 2023, when Avast released a decryptor for the ransomware, the group has moved to extortion based on data theft alone, without encrypting systems.
This tactic remains compelling because the incidents are essentially data breaches, which damage the victim's reputation, undermine customer trust, and introduce legal complications.
The CISA advisory warns that BianLian breaches systems using valid Remote Desktop Protocol (RDP) credentials, possibly purchased from initial access brokers or acquired through phishing.
BianLian then uses a custom backdoor written in Go, commercial remote access tools, and command-line tools and scripts for network reconnaissance. The final step is to exfiltrate victims' data via File Transfer Protocol (FTP), the Rclone tool, or the Mega file hosting service.
To evade detection by security software, BianLian uses PowerShell and the Windows Command Shell to disable processes associated with antivirus tools. It also manipulates the Windows registry to circumvent the anti-tamper protection provided by Sophos security products.
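The behaviours described above (stopping antivirus services, editing tamper-protection registry keys, and running file-transfer tooling) are exactly what the advisory's PowerShell and command-line logging recommendations are meant to surface. The following detector is an added example, not code from the advisory, CISA, or the article: it scans a handful of constructed Windows event records (process creation 4688 and PowerShell script block 4104) and raises findings for each behaviour, then reports hosts where evasion was followed by transfer tooling on the same machine. The vendor process names, the `ExampleAV` registry path, the host and user names, and the keyword patterns are all assumptions chosen for the illustration, not indicators from the advisory.

```python
"""Heuristic detector for the BianLian-style behaviours described in the article.

Added example, not from the CISA advisory or the article. All sample events,
vendor names and registry paths below are CONSTRUCTED for the illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    event_id: int   # 4688 = process creation, 4104 = PowerShell script block
    host: str
    user: str
    command: str    # command line or script block text as logged


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    evidence: str


# Assumed antivirus process/service name fragments; extend for your estate.
AV_PROCESS_HINTS = ("sophos", "savservice", "msmpeng", "defender")

# Verbs that stop services or kill processes, from either shell.
KILL_VERBS = re.compile(
    r"\b(taskkill|stop-service|stop-process|sc\s+stop|net\s+stop)\b", re.I)

# Registry writes whose target path mentions tamper protection.
TAMPER_REG = re.compile(
    r"\b(reg\s+add|set-itemproperty|new-itemproperty)\b.*tamperprotection", re.I)

# Transfer tooling named in the advisory: FTP, Rclone, Mega clients.
EXFIL_TOOLS = re.compile(r"\b(rclone|ftp|mega(cmd|sync)?)(\.exe)?\b", re.I)


def classify(command: str) -> Optional[str]:
    """Return a technique label for one command line, or None if benign."""
    lowered = command.lower()
    if KILL_VERBS.search(command) and any(h in lowered for h in AV_PROCESS_HINTS):
        return "defense-evasion: antivirus process/service stopped"
    if TAMPER_REG.search(command):
        return "defense-evasion: tamper-protection registry modified"
    if EXFIL_TOOLS.search(command):
        return "exfiltration: file transfer tooling executed"
    return None


def analyze(events: List[Event]) -> List[Finding]:
    """Classify every event and keep only the suspicious ones, in log order."""
    findings = []
    for ev in events:
        label = classify(ev.command)
        if label:
            findings.append(Finding(ev.host, ev.user, label, ev.command))
    return findings


def hosts_with_evasion_then_exfil(findings: List[Finding]) -> List[str]:
    """Hosts where a defense-evasion finding precedes a transfer-tool finding.

    The ordering matters: the advisory describes antivirus being disabled
    before data is staged and moved, so this chain is higher-confidence
    than either finding alone.
    """
    seen_evasion = set()
    flagged = []
    for f in findings:
        if f.technique.startswith("defense-evasion"):
            seen_evasion.add(f.host)
        elif (f.technique.startswith("exfiltration")
              and f.host in seen_evasion and f.host not in flagged):
            flagged.append(f.host)
    return sorted(flagged)


# Constructed sample log: one host shows the full chain, one only runs
# rclone (a backup job), one kills a non-security process.
SAMPLE_EVENTS = [
    Event(4688, "WS01", "CORP\\jdoe", "notepad.exe C:\\Users\\jdoe\\notes.txt"),
    Event(4104, "WS01", "CORP\\jdoe", "Stop-Service -Name 'SAVService' -Force"),
    Event(4688, "WS01", "CORP\\jdoe",
          "reg add HKLM\\SOFTWARE\\ExampleAV\\TamperProtection /v Enabled /t REG_DWORD /d 0 /f"),
    Event(4688, "WS01", "CORP\\jdoe", "rclone.exe copy C:\\Finance remote:staging"),
    Event(4688, "FS02", "CORP\\svc_backup", "rclone.exe sync D:\\Shares remote:nightly"),
    Event(4688, "WS03", "CORP\\asmith", "taskkill /IM chrome.exe /F"),
]


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} {f.user}: {f.technique} <- {f.evidence}")
    print("evasion-then-exfil chain on:", hosts_with_evasion_then_exfil(found))
```

Run stand-alone it prints four findings and flags only `WS01`, because `FS02` runs Rclone without any preceding evasion and `WS03` kills a browser rather than a security product. Feeding it real events requires the logging the advisory recommends: PowerShell script block logging for 4104 and command-line auditing for 4688; without those, the `command` field is empty and none of the patterns can fire.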
Recommended mitigations include limiting the use of RDP and other remote desktop services, disabling command-line and scripting activities, and restricting the use of PowerShell on critical systems.
The advisory recommends several measures that can help defend the network:
- Audit and control the execution of remote access tools and software on your network.
- Limit the use of remote desktop services such as RDP and enforce strict security measures.
- Limit the use of PowerShell, update to the latest version, and enable enhanced logging.
- Regularly audit administrative accounts and apply the principle of least privilege.
- Develop a recovery plan with multiple copies of data stored securely and offline.
- Meet NIST standards for password management, including length, storage, reuse, and multi-factor authentication.
- Regularly update software and firmware, segment networks to improve security, and actively monitor network activity.
“The FBI, CISA, and ACSC encourage critical infrastructure organizations and small and medium-sized businesses to implement the recommendations in the Mitigation section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.” – CISA.
More detailed information on recommended mitigations, Indicators of Compromise (IoCs), command traces, and BianLian techniques can be found in the comprehensive bulletins from CISA and the ACSC.