Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See the MITRE ATT&CK® Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® Tactics and Techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.

FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.

Download the PDF version of this report (710kb):

For a downloadable copy of IOCs in JSON format, see

## Technical Details

FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominately targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a double-extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made.

### Initial Access

BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers, or via phishing.

### Command and Control

BianLian group actors implant a custom backdoor specific to each victim written in Go (see the Indicators of Compromise section for an example) and install remote management and access software (e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk) for persistence and command and control. FBI also observed BianLian group actors create and/or activate local administrator accounts and change those account passwords.

### Defense Evasion

BianLian group actors use PowerShell and Windows Command Shell to disable antivirus tools, specifically Windows Defender and the Anti-Malware Scan Interface (AMSI). BianLian actors modify the Windows Registry to disable tamper protection for the Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services. See Appendix: Windows PowerShell and Command Shell Activity for additional information, including specific commands they have used.
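The defense evasion, remote-management-tool installation and local administrator account activity described in the Technical Details can be triaged from endpoint logs and correlated per host. The script below is an added example written for this page, not code from the advisory or from FBI, CISA or ACSC; the key=value log format, the sample events, the host and user names, and the Sophos registry path placeholder are all constructed, and the rule patterns are this example's own, keyed to the tool, cmdlet and registry value names the advisory cites.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a made-up key=value format (not a real product schema).
# The Sophos registry path is a placeholder: the advisory names only the value names.
SAMPLE_LOGS = r"""
ts=2023-05-10T02:14:07Z type=process host=WS01 user=svc_backup cmd="powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"
ts=2023-05-10T02:14:09Z type=registry host=WS01 user=svc_backup key="HKLM\SOFTWARE\<sophos tamper-protection path>\SAVEnabled" data=0
ts=2023-05-10T02:15:30Z type=process host=WS01 user=svc_backup cmd="C:\Users\Public\AnyDesk.exe --install"
ts=2023-05-10T02:16:02Z type=process host=WS01 user=svc_backup cmd="net user helpdesk <constructed-pw> /add"
ts=2023-05-10T08:00:00Z type=process host=WS02 user=alice cmd="powershell.exe -c Get-ChildItem C:\Reports"
"""

# (rule name, event type it applies to, pattern); each rule maps to one behaviour in the advisory.
RULES = [
    ("defender_or_amsi_tamper", "process",      # Defense Evasion: Defender/AMSI disabled from a shell
     re.compile(r"Set-MpPreference\s+-Disable|amsi", re.I)),
    ("sophos_tamper_protection", "registry",    # Defense Evasion: value names quoted in the advisory
     re.compile(r"\\(SAVEnabled|SEDEenabled|SAVService)\b", re.I)),
    ("remote_management_tool", "process",       # Command and Control: tools named in the advisory
     re.compile(r"\b(TeamViewer|AteraAgent|SplashTop|AnyDesk)[\w.-]*\.exe", re.I)),
    ("local_admin_account_change", "process",   # Command and Control: local admin accounts created/changed
     re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b|(Add|Enable|Set)-LocalUser|localgroup\s+administrators", re.I)),
]

def parse_line(line):
    """Parse 'key=value key="quoted value"' into a dict; returns {} for a blank line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def triage(log_text):
    """Return (timestamp, host, rule) for every log line that matches a rule."""
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        # Process events are judged on the command line, registry events on the key path.
        target = ev.get("cmd", "") if ev.get("type") == "process" else ev.get("key", "")
        for name, etype, pattern in RULES:
            if ev.get("type") == etype and pattern.search(target):
                hits.append((ev.get("ts"), ev.get("host"), name))
    return hits

def hosts_to_escalate(hits, min_rules=2):
    """Hosts where at least min_rules distinct behaviours fired; one AV change alone is noise, AV tampering plus a new remote-access tool plus a new admin account is an incident."""
    seen = defaultdict(set)
    for _, host, name in hits:
        seen[host].add(name)
    return sorted(h for h, names in seen.items() if len(names) >= min_rules)
```

Running `triage(SAMPLE_LOGS)` yields four hits on WS01 and none on WS02, and `hosts_to_escalate` returns only WS01; in production the registry rule needs tuning because legitimate Sophos updates also touch these values.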