The FBI, CISA, and ACSC have released an updated security advisory concerning the BianLian cybercrime group, highlighting a significant shift in their attack methods.
Background on BianLian's Operations
BianLian, believed to operate primarily out of Russia, has been a persistent threat to critical infrastructure sectors in the U.S. and Australia since June 2022. Its targets have included healthcare institutions such as Boston Children's Health Physicians and Amherstburg Family Health, as well as organizations in property development and professional services. Initially, BianLian was notorious for deploying ransomware to encrypt files and demanding payment for decryption. However, in a strategic pivot starting January 2023, the group began focusing solely on data theft and extortion, abandoning file encryption. By January 2024, this method had become their exclusive modus operandi: victims face threats of public data leaks unless a ransom is paid.
Evolved Tactics and Techniques
The group has refined its attack strategies, most notably gaining initial access with compromised RDP credentials. They frequently target Windows and ESXi infrastructure and have leveraged the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for system access. BianLian's toolkit now includes Ngrok and a modified Rsocks utility, replacing the custom Go backdoors previously tailored to each victim.

Their defense-evasion techniques have also progressed: they now use UPX to pack executables and disguise them as legitimate applications, and they disguise binaries and scheduled tasks as genuine Windows services. For privilege escalation, BianLian exploits CVE-2022-37969 on Windows systems and creates Domain Admin and Azure AD accounts for sustained access. For persistence, they deploy webshells on compromised Exchange servers. PowerShell scripts facilitate the search for and exfiltration of sensitive data, followed by ransom note drops, often printed out on the victim's network printers. To pressure victims into paying, BianLian has even directly contacted employees at targeted organizations.
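The UPX packing mentioned above leaves a simple structural fingerprint: UPX renames the PE sections it creates to UPX0/UPX1 (and sometimes UPX2/UPX3). The following added example, written for this page and not taken from the advisory or from any BianLian tooling, parses the PE section table directly and flags binaries carrying those section names. The minimal PE images it builds are constructed, non-executable samples; the section names and the "UPX!" marker are the only assumptions about UPX output.

```python
import struct

# Section names UPX assigns to the compressed and decompression-stub sections
# (assumed from UPX's documented layout; a renamed packer would evade this check).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX3"}


def pe_section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table and return section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4                                      # start of the 20-byte COFF header
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]       # each section header is 40 bytes, name is first 8
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Return the UPX evidence found: matching section names and the 'UPX!' magic string."""
    names = pe_section_names(data)
    return {
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_magic": b"UPX!" in data,
        "all_sections": names,
    }


def looks_upx_packed(data: bytes) -> bool:
    """True when either structural indicator is present."""
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_magic"]


def build_minimal_pe(section_names: list[bytes]) -> bytes:
    """Construct a tiny PE-shaped byte string for testing (no code, not runnable, not malware)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x64, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=0 (not needed for section parsing), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    suspicious = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])
    benign = build_minimal_pe([b".text", b".data", b".rsrc"])
    print("constructed packed-looking sample:", upx_indicators(suspicious))
    print("constructed benign sample:", upx_indicators(benign))
```

On a real host you would feed `looks_upx_packed(open(path, "rb").read())` the files referenced by scheduled tasks and service binaries; a hit on a file claiming to be a Windows component is the kind of mismatch worth escalating. Packed-section names are an indicator, not proof: legitimate software is sometimes UPX-packed, and a packer can trivially rename its sections.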
Recommended Mitigations
To counteract these evolving threats, the agencies recommend disabling any unused remote access tools and limiting the use of the remaining ones to internal networks, reached through VPNs or Virtual Desktop Interfaces (VDIs).
Additionally:
Block common remote access software ports and protocols at the network's perimeter.
Review access software logs for unexpected behavior.
Ensure security software detects remote access tool execution solely in memory.
Disable command-line and scripting features wherever possible.
Limit the use of PowerShell on Windows devices.
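The two log-review items above, reviewing remote access logs and restricting remote access to internal networks, can be turned into a concrete check over Windows Security events. The following added example is not from the advisory; it assumes a CSV export of events 4624 (successful logon) and 4625 (failed logon) with the logon type and source address columns, treats logon type 10 (RemoteInteractive) as RDP, and assumes two internal/VPN ranges that an organization would substitute with its own. All event lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample export: time, event_id, logon_type, user, source_ip.
# 4624 = successful logon, 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2024-11-20T02:14:05Z,4624,10,svc_backup,203.0.113.45
2024-11-20T02:15:11Z,4624,10,jdoe,10.8.0.23
2024-11-20T02:16:40Z,4625,10,administrator,198.51.100.7
2024-11-20T02:16:41Z,4625,10,administrator,198.51.100.7
2024-11-20T02:16:42Z,4625,10,administrator,198.51.100.7
2024-11-20T09:00:00Z,4624,2,jdoe,-
2024-11-20T09:05:00Z,4624,3,fileshare_user,10.0.5.9
"""

# Assumed internal/VPN address ranges; RDP from anywhere else violates the "internal only" policy.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
RDP_LOGON_TYPE = 10
FAILURE_THRESHOLD = 3  # failed RDP logons from one source before it is reported


def parse_events(text: str) -> list[dict]:
    """Turn the CSV export into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split(",")
        events.append({"time": ts, "event_id": int(eid), "logon_type": int(ltype),
                       "user": user, "ip": ip})
    return events


def is_internal(ip: str) -> bool:
    """True only for parseable addresses inside an allowed range; '-' or garbage is not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def find_external_rdp_logons(events: list[dict]) -> list[dict]:
    """Successful RDP logons whose source is outside the internal/VPN ranges."""
    return [e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE and not is_internal(e["ip"])]


def find_rdp_failure_bursts(events: list[dict], threshold: int = FAILURE_THRESHOLD) -> dict:
    """Source addresses with at least `threshold` failed RDP logons (credential guessing signal)."""
    counts = Counter(e["ip"] for e in events
                     if e["event_id"] == 4625 and e["logon_type"] == RDP_LOGON_TYPE)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in find_external_rdp_logons(evs):
        print(f"external RDP logon: {e['time']} user={e['user']} from {e['ip']}")
    for ip, n in find_rdp_failure_bursts(evs).items():
        print(f"RDP failure burst: {n} failed logons from {ip}")
```

The same shape works for other remote access tools once their logs are normalized to (time, outcome, user, source): the policy question is always whether the source lies inside the networks the mitigation allows, and whether repeated failures point at credential guessing against the accounts the group is known to reuse.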
Per the advisory, these steps are crucial to safeguard against BianLian’s advanced extortion tactics and protect sensitive data from unauthorized access and potential exposure.