Written by staff writer.
Ransomware group BianLian was the subject of a joint cybersecurity advisory last week, with the Australian Cyber Security Centre (ACSC), Federal Bureau of Investigations (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) warning that the cybercriminal group is increasingly active and now focusing on exfiltration-based extortion.
The FBI says BianLian has targeted multiple US critical infrastructure entities since mid-2000. In contrast, the ACSC says the group primarily targets private enterprises in Australia but has also attempted to extort at least one local critical infrastructure entity.
US-based cybersecurity firm SISA recently reported BianLian was demonstrating a “a high degree of operational security and network penetration expertise.” They, along with the agencies behind the latest cybersecurity advisory, say the cybercriminal group have moved away from a double extortion model that exfiltrated data and encrypted systems, to a straight exfiltration-only model that leaves systems intact, instead threatening to leak data if a ransom goes unpaid.
Satnam Narang, a senior staff researcher at Tenable, says his firm has previously highlighted the increasing prominence of extortion-only groups. “BianLian’s pivot highlights a potential shift ahead,” he said. “BianLian appears to breach organisations through stolen remote desktop protocol (RDP) credentials, likely sold to them by initial access brokers, a key player in the ransomware ecosystem, enabling many attacks. BianLian may also find success through phishing attacks to steal valid credentials.”
The joint advisory breaks down the BianLian modus operandi. After gaining access, the group uses PowerShell and Windows Command Shell to disable antivirus tools and then download “a range of tools” to the target network to learn about the environment. They use valid account details for lateral movement through the network, which the group obtains using Windows Command Shell to find unsecured credentials.
“BianLian group actors use PsExec and RDP with valid accounts for lateral movement,” the joint advisory says. “Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local remote desktop users’ group, modified the added account’s password, and modified Windows firewall rules to allow incoming RDP traffic.”
The hackers specifically search for encrypted financial, client, business, technical, and personal files, which they collect using malware that collates registries and files and copies clipboard data from users. The data is removed to cloud storage before a ransom note gets created. That note contains a unique victim ID, used when initiating contact and ransom negotiations with BianLian via Tox messaging or encrypted email.
SISA say BianLian have become increasingly sophisticated and “found their stride.” In mid-March 2023, BianLian’s dark website listed 118 past targets, including sector breakdowns (healthcare was the biggest targeted sector). Seven percent of targets were in Australia, 11% in the UK, and 71% in the US.
CISA, the FBI, and ACSC say the purpose of the joint advisory is to publicise known BianLian tactics, techniques, and procedures, as well as indicators of compromise and mitigations, allowing organisations to protect themselves better.
“Organisations should prioritise securing RDP, both from reducing external exposure, auditing for default accounts, inactive accounts, implementing settings for improved authentication and encryption, strong and unique password requirements and multifactor authentication,” advises Narang.
