According to the experts, the BianLian group gains initial access to victim networks via remote desktop protocol (RDP) credentials, likely obtained through phishing attacks or from brokers. Once inside the network, the group deploys a custom Go-based backdoor, built specifically for each victim, and installs remote management software such as Atera Agent, AnyDesk, SplashTop, and TeamViewer to maintain remote access.
The group has targeted multiple critical infrastructure organizations in the US as well as private entities in Australia, including a critical infrastructure organization. It exploits vulnerabilities such as the Netlogon vulnerability (CVE-2020-1472) and uses reconnaissance tools including SoftPerfect Network Scanner, SharpShares, PingCastle, and Impacket. Harvested victim data is exfiltrated via FTP or the Mega file-sharing service. In cases where ransomware was deployed and executed, the encrypted files carried a .bianlian extension. In those cases the group also threatened to publish the exfiltrated data on leak sites, pressuring victims to pay the ransom in cryptocurrency if they wanted the data to remain confidential.
To mitigate the threat posed by the BianLian group and similar ransomware attacks, CISA, FBI, and ACSC recommend that organizations keep all systems and software updated, implement strong authentication practices, maintain offline backups, and devise a recovery plan. They also encourage companies to audit the use of RDP and other remote access tools, disable command-line and scripting activities, restrict PowerShell usage, control software execution, and audit user accounts.
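As an added illustration of the RDP and remote-access-tool audit the advisory recommends (this script is mine, not CISA's or the article's), the following PowerShell inventories a Windows host for the four remote management products named above and reports whether RDP is enabled and whether Network Level Authentication is required. The tool name patterns are an assumption taken from the products the article lists.

```powershell
# Added example, not from the advisory or the article: audit a Windows host
# for the remote management tools named in the BianLian reporting and for
# its RDP configuration. Run from an elevated PowerShell prompt.
$ToolPatterns = @('Atera', 'AnyDesk', 'Splashtop', 'TeamViewer')   # assumed from the article

function Get-RemoteAccessToolInventory {
    # Check both 64-bit and 32-bit uninstall hives so 32-bit agents are not missed.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }

    foreach ($pattern in $ToolPatterns) {
        $installed | Where-Object { $_.DisplayName -match $pattern } | ForEach-Object {
            [pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName
                               Detail = "Version=$($_.DisplayVersion) InstallDate=$($_.InstallDate)" }
        }
        # Services and running processes catch portable or unattended agents
        # that never registered an uninstall entry.
        Get-Service | Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Detail = "Status=$($_.Status)" }
            }
        Get-Process | Where-Object { $_.ProcessName -match $pattern } | ForEach-Object {
            [pscustomobject]@{ Source = 'Process'; Name = $_.ProcessName; Detail = "PID=$($_.Id)" }
        }
    }
}

function Get-RdpStatus {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed;
    # UserAuthentication = 1 means Network Level Authentication is required.
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                            -Name fDenyTSConnections
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                            -Name UserAuthentication
    [pscustomobject]@{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($nla.UserAuthentication -eq 1)
    }
}

Get-RdpStatus | Format-List
Get-RemoteAccessToolInventory | Sort-Object Source, Name | Format-Table -AutoSize
```

Any tool reported here that is not on the organization's approved list, or an RDP-enabled host without NLA, is a finding to reconcile against change records and the accounts that use it.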
The rise in ransomware attacks in recent years has made internet security an urgent priority for businesses and individuals alike. By taking a proactive approach and implementing effective security measures, companies can reduce the risk of cyber-attacks that disrupt operations and potentially compromise sensitive information. In the event of a breach, having an up-to-date recovery plan is crucial to ensure an effective incident response and minimize damage.