Critical Infrastructure Organizations Warned of BianLian Ransomware Attacks

The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) are warning critical infrastructure organizations of the BianLian ransomware group’s attacks.

Active since at least June 2022, the gang has been observed gaining access to victim networks via remote desktop protocol (RDP) credentials that were likely acquired from initial access brokers or via phishing attacks.

For the past year, the BianLian gang has targeted multiple critical infrastructure organizations in the US, as well as private entities in Australia, including a critical infrastructure organization, CISA, FBI, and ACSC say.

Starting January 2023, the group focused on data exfiltration and no longer deploying file-encrypting ransomware on victims’ systems.

After gaining access to a network, the group deploys a custom Go-based backdoor specific to each victim. It installs remote management and access software such as Atera Agent, AnyDesk, SplashTop, and TeamViewer.

The BianLian group was also observed creating administrator accounts, changing passwords for existing accounts, disabling antivirus software, and modifying Windows registries to disable and uninstall Sophos endpoint protection solutions.

To perform reconnaissance, the group uses tools such as Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, PingCastle, and Impacket, along with command-line scripting.

BianLian also relies on LSASS memory dumps and command-line scripting for credential harvesting and uses RDP Recognizer to brute force RDP passwords or identify RDP vulnerabilities.

For lateral movement, the gang was seen using PsExec and RDP with valid credentials. It added a user account to the Remote Desktop Users group and modified the account’s password and firewall rules to allow RDP traffic.

In one case, the group exploited the Netlogon vulnerability (CVE-2020-1472) and connected it to an Active Directory domain controller.

Victims’ data is typically harvested using PowerShell scripts. The data is then exfiltrated over FTP and via tools such as Rclone and WinSCP Portable. In Australia, the group was seen using the Mega file-sharing service for data exfiltration.

In the attacks where ransomware was deployed and executed, the .bianlian extension was appended to the encrypted files. The deployed ransom notes informed victims that the ransomware searched for, encrypted, and exfiltrated business, client, financial, technical, and personal files.

The BianLian group threatens to publish the exfiltrated data on a leak site. Victims are told to contact the group via Tox chat and to pay a ransom in cryptocurrency. To pressure victims into paying, the group would print the ransom note on the company’s printers and contact employees via phone.

CISA, FBI, and ACSC encourage organizations to audit the use of RDP and other remote access tools, disable command-line scripting, restrict PowerShell usage, control software execution, audit user accounts, keep all systems and software updated, implement strong authentication practices, maintain offline backups and implement a recovery plan.

Source: SecurityWeek, CISA