CISA says BianLian ransomware now focuses only on data theft

November 21, 2024 at 01:39PM

The BianLian ransomware group has transitioned to data theft extortion, according to a joint U.S. and Australian advisory. Since January 2024 the group has relied exclusively on this method, and it has adopted new tactics such as exploiting Windows vulnerabilities and using RDP for access. Recent attacks include breaches of several notable organizations.

### Meeting Takeaways on BianLian Ransomware Update

1. **Shift in Tactics**:
   – BianLian ransomware has transformed into a data theft extortion group, moving away from file encryption methods. This shift has been confirmed by an updated advisory from CISA, the FBI, and the Australian Cyber Security Centre.
   – The group’s transition began in January 2023, culminating in exclusive reliance on data extortion strategies by January 2024.

2. **Operational Techniques**:
   – BianLian targets Windows and ESXi infrastructure, potentially utilizing the ProxyShell exploit chain for initial access.
   – New techniques include:
     – Using Ngrok and modified Rsocks for traffic obfuscation.
     – Exploiting specific CVEs (CVE-2022-37969) for privilege escalation.
     – Employing UPX packing to evade detection.
     – Renaming binaries to resemble legitimate services for stealth.
     – Creating Domain Admin and Azure AD accounts and installing webshells on Exchange servers.
     – Utilizing PowerShell scripts for data compression prior to exfiltration.

3. **Communication and Pressure Tactics**:
   – The group includes a new Tox ID in ransom notes for victim communication.
   – Ransom notes are printed on victims’ network-connected printers, and employees are contacted directly to apply pressure.

4. **Victim Statistics**:
   – Active since 2022, BianLian targeted 154 victims in 2023 alone, mainly small to medium-sized organizations.
   – Recent notable breaches reported include Air Canada, Northern Minerals, and Boston Children’s Health Physicians, along with unconfirmed breaches against various other organizations.

5. **Recommendations from CISA**:
   – Limit the use of Remote Desktop Protocol (RDP).
   – Disable command-line and scripting permissions.
   – Restrict PowerShell usage on Windows systems to enhance security.
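The following added example (not part of the advisory or the article) shows how a defender might triage process-creation telemetry for three of the techniques listed under Operational Techniques: tunneling tools such as Ngrok and Rsocks, binaries renamed to look like legitimate services, and PowerShell-driven compression before exfiltration, plus a UPX-packing heuristic. The event schema and sample events are constructed for illustration and are not a real EDR or Sysmon format; the tool names are taken from the summary above.

```python
import re

# Constructed sample process-creation events (simplified, not a real EDR schema):
# image path, OriginalFileName from the PE version resource, and command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "original": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\ProgramData\svchost.exe", "original": "ngrok.exe",
     "cmdline": "svchost.exe tcp 3389"},
    {"image": r"C:\Users\Public\rsocks.exe", "original": "rsocks.exe",
     "cmdline": "rsocks.exe -s 127.0.0.1:1080"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original": "PowerShell.EXE",
     "cmdline": "powershell -w hidden Compress-Archive -Path C:\\Finance "
                "-DestinationPath C:\\Users\\Public\\f.zip"},
]

# Assumption: tool names taken from the advisory summary; extend per environment.
TUNNELING_TOOLS = {"ngrok.exe", "rsocks.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Compress-Archive cmdlet or direct use of the .NET ZipFile class.
ARCHIVE_RE = re.compile(r"compress-archive|\[io\.compression\.zipfile\]", re.I)


def triage_event(ev):
    """Return the list of indicators matched by one event (empty if clean)."""
    image_name = ev["image"].rsplit("\\", 1)[-1].lower()
    original = ev["original"].lower()
    findings = []
    if image_name in TUNNELING_TOOLS or original in TUNNELING_TOOLS:
        findings.append("tunneling tool")
    # Renamed binary: the on-disk name no longer matches the compiled-in one.
    if original and image_name != original:
        findings.append(f"renamed binary ({image_name} != {original})")
    if image_name in SHELLS and ARCHIVE_RE.search(ev["cmdline"]):
        findings.append("powershell archive creation")
    return findings


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX leaves its section names (UPX0/UPX1) or 'UPX!' marker in the file."""
    return (b"UPX0" in data and b"UPX1" in data) or b"UPX!" in data


def triage(events):
    """Map event index -> findings for every event that matched at least one indicator."""
    return {i: f for i, ev in enumerate(events) if (f := triage_event(ev))}


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], findings)
```

The renamed-binary check depends on telemetry that records the PE's OriginalFileName; where it is missing, that indicator cannot fire and the other checks still apply.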

This update outlines the serious nature of the evolving threat posed by BianLian and underscores the necessity for organizations to strengthen their cybersecurity measures against such ransomware operations.
