U.S. and Australian Agencies Publish Joint Cybersecurity Advisory on BianLian Ransomware Group
The FBI, ACSC and CISA have released a joint cybersecurity advisory discussing the BianLian ransomware group.
Background
As part of the #StopRansomware campaign, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. and the Australian Cyber Security Centre (ACSC) released a joint cybersecurity advisory (CSA AA23-136A) discussing the BianLian ransomware group. The advisory details the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the group and its corresponding malware.
A new #ransomware group named #BianLian claims to have hacked #Mooresville Schools (@MrsvlPioneers), a public school district in Indiana, 🇺🇸. The group claims to have stolen ~4,200 student records containing phone numbers, email addresses, and social security numbers... pic.twitter.com/QWECxn62L9
— BetterCyber (@_bettercyber_) July 11, 2022
Tweet from BetterCyber in July 2022 discussing the “new” ransomware group called BianLian
The BianLian ransomware operation emerged in June 2022 and over the past year has been responsible for a number of attacks targeting critical infrastructure in the U.S. and Australia. The group originally favored the double-extortion technique, a tactic where data was encrypted on the victim’s machines and also exfiltrated to the operator’s infrastructure, then teasers of the data are advertised on a leak website to publicly shame and entice the victim into paying the ransom. This technique was pioneered by the Maze ransomware group in 2019, a phenomenon we discuss in our Ransomware Ecosystem report.
While this technique has helped propel ransomware to new heights, according to the joint advisory, BianLian’s tactics changed to exfiltration only in January 2023, around the same time a free decryptor tool was released by Avast. BianLian’s shift aligns with findings in our 2022 Threat Landscape Report, where we observed an increase in the prominence of extortion-only attacks.
Analysis
Tactics, Techniques and Procedures
According to the cybersecurity advisory, BianLian gains initial access by using compromised Remote Desktop Protocol (RDP) credentials, which are assumed to have been obtained from initial access brokers or phishing attacks. Once the victim network is compromised, the group uses custom backdoors written in Go and tailor made for each victim. Additionally, the group will download remote management tools such as TeamViewer or Atera Agent, and create local administrator accounts to maintain persistence.
For defense evasion, the group disables Windows Defender and Anti-Malware Scan Interface (AMSI) using PowerShell and Windows Command Shell. BianLian actors also modify registry keys to disable tamper protection for Sophos services, which allows the group to uninstall antivirus services.
During the discovery phase, the group has been observed using tools such as Advanced Port Scanner and SoftPerfect Network Scanner to identify open ports across the victim network and discover shared folders. The group utilizes SharpShares to identify network shares and PingCastle to enumerate and map the victims Active Directory (AD).
To laterally move through the environment, the group gathers credentials from several sources. To find local, unsecured credentials, the group uses Windows Command Shell, and has been observed extracting credentials from the Local Security Authority Subsystem Service (LSASS) memory, brute forcing RDP passwords or checking for RDP vulnerabilities using RDP Recognizer, and attempting to access the NTDS.dit domain database.
For data exfiltration, the group uses file transfer protocol (FTP), Rclone and, in at least one instance, the file sharing service Mega to move sensitive data from the victim network.
Potential use of Zerologon (CVE-2020-1472)
According to the advisory, a forensic artifact found on a compromised system suggests that the group exploited CVE-2020-1472, a privilege escalation vulnerability known as Zerologon which can allow an attacker to compromise a domain controller. Zerologon has been widely favored by threat actors of all types since its disclosure. In fact, CVE-2020-1472 was featured in the top 5 vulnerabilities list two years in a row in the 2020 Threat Landscape Retrospective and 2021 Threat Landscape Retrospective reports.
Reduce your exposure by identifying affected systems
As we review the list of mitigations discussed in the advisory, our Tenable Identity Exposure (formerly Tenable.ad) solution can help organizations review Indicators of Exposure such as the unsecured configuration of Netlogon Protocol and insufficient hardening against ransomware attacks as well as utilize the Indicators of Attack for CVE-2020-1472. We highly recommend reviewing your AD environment as part of your ransomware preparedness strategy to focus on misconfigurations that may put your organization at risk.
The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed Common Vulnerabilities and Exposures (CVEs). A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Related Articles
- Exposure Management