Arabic Arabic Chinese (Simplified) Chinese (Simplified) Dutch Dutch English English French French German German Italian Italian Portuguese Portuguese Russian Russian Spanish Spanish
| (844) 627-8267

CISA and Partners Release BianLian Ransomware Cybersecurity Advisory – SystemTek | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacking | #aihp

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega.

BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.

Initial Access

BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers [T1078],[T1133] or via phishing [T1566].

Command and Control

BianLian group actors implant a custom backdoor specific to each victim written in Go (see the Indicators of Compromise Section for an example) [T1587.001] and install remote management and access software—e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk—for persistence and command and control [T1105],[T1219].

FBI also observed BianLian group actors create and/or activate local administrator accounts [T1136.001] and change those account passwords [T1098].

Defense Evasion

BianLian group actors use PowerShell [T1059.001] and Windows Command Shell [T1059.003] to disable antivirus tools [T1562.001], specifically Windows defender and Anti-Malware Scan Interface (AMSI). BianLian actors modify the Windows Registry [T1112] to disable tamper protection for Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services. See Appendix: Windows PowerShell and Command Shell Activity for additional information, including specific commands they have used.

Name SHA-256 Hash Description
def.exe 7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893 Malware associated with BianLian intrusions, which is an example of a possible backdoor developed by BianLian group.
encryptor.exe 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43 Example of a BianLian encryptor.
exp.exe 0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500 Possible NetLogon vulnerability (CVE-2020-1472) exploitation.
system.exe 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce Enumerates registry and files. Reads clipboard data.

We recommend that you read the full report –

Click Here For The Original Source.