Feds Update BianLian Cybersecurity Alert as Threat Actor Adopts New Tactics
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) have updated their cybersecurity advisory about the BianLian threat group following the adoption of new tactics in recent attacks.
BianLian is believed to operate from inside Russia and has many Russia-based affiliates. Since June 2022, the threat group has attacked many critical infrastructure entities in the United States and Australia, including healthcare organizations such as Boston Children’s Health Physicians, Amherstburg Family Health, River Region Cardiology Associates, Healthcare Management Systems, and Augusta-Aiken Orthopedic Specialists. The group has also targeted the property development and professional services sector.
BianLian is a ransomware developer, deployer, and data extortion group, and its early attacks involved breaching networks, stealing data, and encrypting files. In January 2023, the BianLian group started transitioning to data extortion-only attacks, exfiltrating data and issuing ransom demands, but leaving victims’ networks intact. The ransom must be paid to prevent the publication of the stolen data on its data leak site. Since January 2024, the BianLian group has been exclusively conducting exfiltration and extortion attacks, dropping file encryption altogether.
BianLian’s tactics, techniques, and procedures (TTPs) have evolved. The group is now primarily gaining access to victims’ networks by using compromised Remote Desktop Protocol (RDP) credentials and has been observed targeting Windows and ESXi infrastructure, likely by using the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for initial access.
BianLian is thought to use Ngrok, a legitimate reverse proxy tool, and a modified version of the Rsocks utility. This is a change from previous tactics, where a custom Go backdoor specific to each victim was installed. Previously, the group used PowerShell and Windows Command Shell to disable antivirus tools; it now packs executables using UPX to hide malicious code and evade signature-based and heuristic detection. Binaries and scheduled tasks are renamed to mimic legitimate Windows services and security products.
BianLian has been observed exploiting the CVE-2022-37969 Windows Common Log File System Driver elevation of privilege vulnerability on Windows 10 and Windows 11 systems, creating Domain Admin accounts for lateral movement, and Azure AD accounts to maintain access to compromised systems. BianLian has been observed installing webshells on Exchange servers for persistence. PowerShell scripts are used to search for and compress sensitive data to exfiltrate, then the group drops a ransom note and prints ransom notes on networked printers. BianLian threatens to leak the stolen data if the ransom is not paid and has been observed calling employees of attacked companies to pressure them into paying the ransom.
The updated alert provides recommended mitigations. The authoring agencies recommend removing remote access tools if they are not in use and, if remote access tools are required, using them only from within the network and via a Virtual Private Network (VPN) or Virtual Desktop Interface (VDI). Inbound and outbound connections on common remote access software ports and protocols should be blocked at the network perimeter. Remote access software logs should be reviewed to identify abnormal use of programs running as a portable executable, security software should check for remote access tools being executed only in memory, command-line and scripting permissions should be disabled, and the use of PowerShell should be restricted on Windows systems.