

Ethical Hacking News

CISA Warns of Shift in BianLian Ransomware's Tactics: Data Theft Now Takes Center Stage



The U.S. Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre (ACSC) have issued an updated joint advisory warning of a shift in tactics by the BianLian ransomware group: a departure from its earlier double-extortion model (exfiltrate, then encrypt) to extortion based on data theft alone.

  • BianLian has shifted from its double-extortion model to an exfiltration-based extortion strategy, relying solely on stolen data for leverage.
  • The group targets Windows and ESXi infrastructure, potentially using the ProxyShell exploit chain for initial access.
  • BianLian uses Ngrok and a modified Rsocks to mask traffic destinations over SOCKS5 tunnels.
  • The group exploits CVE-2022-37969 to escalate privileges on Windows 10 and 11.
  • BianLian employs UPX packing to evade detection and renames binaries and scheduled tasks after legitimate Windows services and security products.
  • The group creates Domain Admin and Azure AD accounts, performs network logons via SMB, and installs webshells on Exchange servers.
  • The advisory recommends limiting RDP use, disabling command-line and scripting permissions, and restricting PowerShell use to mitigate these tactics.



Ransomware groups change their tactics, techniques, and procedures (TTPs) regularly, and BianLian has now made a significant one. According to an updated advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre (ACSC), BianLian's latest evolution marks a departure from its traditional extortion methods.

    Before this shift, BianLian ran a double-extortion model: exfiltrate sensitive data, then encrypt the victim's systems. Around January 2023 the group began moving to exfiltration-based extortion, and by around January 2024 it had dropped encryption entirely in favour of data theft alone.

    The practical consequence for defenders is that backups and encryption-recovery playbooks no longer blunt the extortion: once the data has left the network, the leverage is the threat of publication, so detection has to happen before or during exfiltration rather than at the encryption stage. CISA's updated advisory lists several new techniques and procedures employed by BianLian, including:

    * Targeting Windows and ESXi infrastructure, potentially using the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for initial access
    * Using Ngrok and a modified Rsocks to mask traffic destinations over SOCKS5 tunnels
    * Exploiting CVE-2022-37969 to escalate privileges on Windows 10 and 11
    * Employing UPX packing to evade detection
    * Renaming binaries and scheduled tasks after legitimate Windows services and security products for evasion
    * Creating Domain Admin and Azure AD accounts, performing network logons via SMB, and installing webshells on Exchange servers
    * Using PowerShell scripts to compress collected data before exfiltration
    * Including a new Tox ID for victim communication in ransom notes
    * Printing ransom notes on printers connected to the compromised network and contacting employees of the victim companies to apply pressure
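    Several of the techniques above leave a recognisable trail in Windows Security event logs: a freshly created account being added to Domain Admins (event 4720 followed by 4728), a scheduled task (4698) whose name borrows a Windows or security-product name but whose command line runs from a user-writable path, and that same new account fanning out across hosts with network (type 3, typically SMB) logons (4624). The script below is an added example, not code from CISA or from this article, that hunts for exactly that chain. The event lines are constructed for illustration in a simplified key=value form, the lookalike word list and the fan-out threshold are assumptions to tune against your own environment, and a real deployment would feed the function fields a SIEM has already extracted from the EVTX records.

```python
"""Hunt for the BianLian post-exploitation chain described in the advisory
(new account -> Domain Admins, scheduled task named after a Windows
component but run from a user-writable path, SMB network logons fanning
out across hosts) in Windows Security event data.

Added example, not code from CISA or the article.  Events are constructed
samples in a simplified key=value form, one event per line.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Words an attacker borrows to blend in; assumption, extend from your own
# inventory of legitimate scheduled tasks and services.
LOOKALIKE_WORDS = ("windows", "microsoft", "update", "defender", "security")
# Directories from which a genuine Windows/vendor task is expected to run.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")
# Distinct hosts reached by type-3 logons before we call it lateral movement.
SMB_FANOUT_THRESHOLD = 3

# Constructed sample events (not real logs).  Two are benign on purpose:
# the CompatTelRunner task and jdoe's interactive (type 2) logon.
SAMPLE_EVENTS = r"""
id=4720 user=svc_backup2 actor=jsmith host=DC01 ts=2024-11-20T02:14:09
id=4728 member=svc_backup2 group="Domain Admins" actor=jsmith host=DC01 ts=2024-11-20T02:14:31
id=4698 task="Windows Update Service" cmd=C:\Users\Public\wusvc.exe actor=svc_backup2 host=FS01 ts=2024-11-20T02:20:05
id=4698 task="Microsoft Compatibility Appraiser" cmd=C:\Windows\System32\CompatTelRunner.exe actor=SYSTEM host=FS01 ts=2024-11-20T03:00:00
id=4624 user=svc_backup2 type=3 src=10.20.30.44 host=FS02 ts=2024-11-20T02:25:11
id=4624 user=svc_backup2 type=3 src=10.20.30.44 host=FS03 ts=2024-11-20T02:25:12
id=4624 user=svc_backup2 type=3 src=10.20.30.44 host=FS04 ts=2024-11-20T02:25:12
id=4624 user=svc_backup2 type=3 src=10.20.30.44 host=FS05 ts=2024-11-20T02:25:13
id=4624 user=jdoe type=2 src=- host=WS17 ts=2024-11-20T08:01:00
"""


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def hunt(event_text):
    """Return a list of (rule, detail) findings over the supplied events."""
    events = [parse_event(l) for l in event_text.splitlines() if l.strip()]
    findings = []
    created = {}                # new account -> creation timestamp (4720)
    fanout = defaultdict(set)   # (user, src) -> hosts reached by type-3 logons

    for ev in events:
        eid = ev.get("id")
        if eid == "4720":
            created[ev["user"]] = ev["ts"]
        elif (eid == "4728" and ev.get("group") == "Domain Admins"
              and ev["member"] in created):
            findings.append(("new-account-to-domain-admins",
                             f'{ev["member"]} created {created[ev["member"]]}, '
                             f'added to Domain Admins at {ev["ts"]} by {ev["actor"]}'))
        elif eid == "4698":
            name, cmd = ev["task"].lower(), ev["cmd"].lower()
            lookalike = any(w in name for w in LOOKALIKE_WORDS)
            # A lookalike name is only suspicious when the binary lives
            # outside the directories a real Windows task would use.
            if lookalike and not cmd.startswith(TRUSTED_PREFIXES):
                findings.append(("masquerading-scheduled-task",
                                 f'task "{ev["task"]}" runs {ev["cmd"]} on {ev["host"]}'))
        elif eid == "4624" and ev.get("type") == "3" and ev["user"] in created:
            key = (ev["user"], ev["src"])
            fanout[key].add(ev["host"])
            if len(fanout[key]) == SMB_FANOUT_THRESHOLD:   # fire once
                findings.append(("smb-fanout-by-new-account",
                                 f'{ev["user"]} from {ev["src"]} reached '
                                 f'{SMB_FANOUT_THRESHOLD} hosts by network logon'))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

    Scoping the SMB fan-out rule to accounts seen being created in the same data set is what keeps it quiet in a real environment: service accounts legitimately touch many hosts, but a brand-new account doing so minutes after it was granted Domain Admins is the sequence the advisory describes.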

    In light of these updates, CISA has issued recommendations aimed at mitigating the risks posed by BianLian's tactics. These include:

    * Limiting the use of Remote Desktop Protocol (RDP)
    * Disabling command-line and scripting permissions
    * Restricting the use of PowerShell on Windows systems

    These controls target the group's hands-on-keyboard phase: RDP and SMB are how it moves laterally, and PowerShell is how it stages and compresses data. Apply them with the usual caveat that "disabling" command-line and scripting access is realistic only for users who never need it; for administrators, restrict the capability and pair it with PowerShell script block and module logging so that whatever use remains is visible.

    The threat posed by BianLian is particularly noteworthy given its prolific year-to-date activity. With 154 victims listed on its extortion portal on the dark web, the group has already hit numerous organizations across various sectors; breaches affecting Air Canada, Northern Minerals, Boston Children's Health Physicians, and several other notable businesses demonstrate its capabilities and reach.

    The update from CISA underscores the point that a group which no longer encrypts is not a lesser threat: the extortion now rests entirely on data that has already left the network. Organizations that understand the tactics and techniques above, and detect them before exfiltration completes, have the best chance of reducing their exposure to BianLian.






    Related Information:

  • https://www.bleepingcomputer.com/news/security/cisa-says-bianlian-ransomware-now-focuses-only-on-data-theft/

  • https://nvd.nist.gov/vuln/detail/CVE-2021-34473

  • https://www.cvedetails.com/cve/CVE-2021-34473/

  • https://nvd.nist.gov/vuln/detail/CVE-2021-34523

  • https://www.cvedetails.com/cve/CVE-2021-34523/

  • https://nvd.nist.gov/vuln/detail/CVE-2021-31207

  • https://www.cvedetails.com/cve/CVE-2021-31207/

  • https://nvd.nist.gov/vuln/detail/CVE-2022-37969

  • https://www.cvedetails.com/cve/CVE-2022-37969/

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

  • https://blogs.juniper.net/en-us/security/bianlian-ransomware-group-2024-activity-analysis


  • Published: Thu Nov 21 13:56:15 2024 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
