Key Development:
BianLian has transformed from a traditional ransomware operation into a dedicated data theft extortion group as of January 2024, according to a joint advisory from U.S. CISA, FBI, and Australian Cyber Security Centre.
Operational Changes:
– Abandoned encryption-based attacks following Avast’s decryptor release
– Now focuses exclusively on data exfiltration and extortion
– Operates primarily from Russia, using foreign-language names as cover
Technical Tactics:
1. Attack Methods:
– Targets Windows and ESXi systems
– Exploits ProxyShell vulnerabilities
– Uses modified Rsocks and Ngrok for traffic masking
– Leverages UPX packing for detection evasion
2. Infiltration Techniques:
– Creates administrative accounts
– Deploys webshells on Exchange servers
– Uses PowerShell for data compression
– Exploits CVE-2022-37969 for privilege escalation
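The "creates administrative accounts" step above leaves a recognisable trail in Windows Security audit logs: a user-created event (ID 4720) followed shortly by a member-added-to-local-group event (ID 4732) for a privileged group. The detector below is an added example, not code from the advisory or this summary; the event records are constructed for illustration and the one-hour correlation window is an assumed tuning value.

```python
"""Correlate account creation with a privileged-group promotion.

Windows Security event 4720 = user account created,
event 4732 = member added to a security-enabled local group.
The sample records below are constructed for this example."""
from datetime import datetime, timedelta

# (timestamp, event_id, subject_account, target_account, group)
SAMPLE_EVENTS = [
    ("2024-01-10T02:14:03", 4720, "CORP\\svc_backup", "CORP\\sqladm", None),
    ("2024-01-10T02:14:41", 4732, "CORP\\svc_backup", "CORP\\sqladm", "Administrators"),
    ("2024-01-10T09:30:00", 4720, "CORP\\hr_admin", "CORP\\jdoe", None),
    ("2024-01-10T11:00:00", 4732, "CORP\\hr_admin", "CORP\\asmith", "Remote Desktop Users"),
    ("2024-01-12T09:31:00", 4732, "CORP\\hr_admin", "CORP\\jdoe", "Administrators"),
]

# Groups whose membership grants administrative control (assumed list).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def find_admin_creations(events, window=timedelta(hours=1)):
    """Return (target, creator, created_at, promoted_at) for every account
    that is added to a group in ADMIN_GROUPS within `window` of creation."""
    created = {}  # target account -> (creator, creation time)
    hits = []
    # ISO-8601 timestamps sort correctly as strings.
    for ts, eid, subject, target, group in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if eid == 4720:
            created[target] = (subject, t)
        elif eid == 4732 and group in ADMIN_GROUPS and target in created:
            creator, created_at = created[target]
            if t - created_at <= window:
                hits.append((target, creator, created_at.isoformat(), t.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in find_admin_creations(SAMPLE_EVENTS):
        print("ALERT: newly created account promoted to admin:", hit)
```

Only the first pair fires: the "jdoe" promotion falls outside the window and "asmith" is added to a non-administrative group.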
Recent Activity:
– 154 victims listed on its dark web portal
– Notable targets include Air Canada, Northern Minerals, and Boston Children’s Health Physicians
– Multiple pending claims against global organizations
Security Recommendations:
– Limit RDP usage
– Disable command-line scripting
– Restrict PowerShell access
– Implement robust access controls
This threat actor remains highly active and continues to evolve its tactics, primarily targeting small to medium-sized organizations while occasionally striking larger enterprises.