US, Australian security agencies warn of BianLian group using valid RDP credentials to target organizations

U.S. and Australian cybersecurity agencies released a joint cybersecurity advisory (CSA) on the BianLian ransomware and data extortion group. The advisory provides technical details, including IOCs and TTPs, identified through investigations executed by the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) as of March this year. The BianLian group is known to gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers or via phishing. 

“BianLian is a ransomware developer, deployer, and data extortion cybercriminal group who has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022,” according to the advisory released Tuesday by the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and ACSC. “They have also targeted Australian critical infrastructure sectors in addition to professional services and property development.” 

The advisory added that the group gains access to victim systems through valid RDP credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. “BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.”

Organizations have been advised to strictly limit the use of RDP and other remote desktop services; disable command-line and scripting activities and permissions; and restrict the use of PowerShell, granting it only to specific users on a case-by-case basis. Adoption of these mitigation measures will help reduce the likelihood and impact of BianLian and other ransomware incidents. Furthermore, the advisory also provides indicators of compromise to help cybersecurity professionals detect whether this ransomware activity is present on their networks. Microsoft and Sophos contributed to this advisory. 

In January, industrial cybersecurity vendor Dragos observed that BianLian ransomware struck the energy, engineering, food and beverage, mining, pharmaceuticals, and manufacturing sectors.

The advisory said that the FBI observed the BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed the BianLian group predominantly targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a double-extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. 

“In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion,” the advisory said. “BianLian actors warn of financial, business, and legal ramifications if payment is not made.” 

The advisory disclosed that BianLian group hackers implant a custom backdoor specific to each victim written in Go language and install remote management and access software, such as TeamViewer, Atera Agent, SplashTop, and AnyDesk, for persistence and command and control. “FBI also observed BianLian group actors create and/or activate local administrator accounts and change those account passwords.”

These hackers also use PowerShell and Windows Command Shell to disable antivirus tools, specifically Windows Defender and Anti-Malware Scan Interface (AMSI), according to the advisory. “BianLian actors modify the Windows Registry to disable tamper protection for Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services.”

The advisory disclosed that the BianLian group uses valid accounts for lateral movement through the network and to pursue other follow-on activity. “To obtain the credentials, BianLian group actors use Windows Command Shell to find unsecured credentials on the local machine. FBI also observed BianLian harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory, download RDP Recognizer (a tool that could be used to brute force RDP passwords or check for RDP vulnerabilities) to the victim system, and attempt to access an Active Directory domain database (NTDS[dot]dit),” it added.

In one case, “FBI observed BianLian actors use a portable executable version of an Impacket tool (secretsdump[dot]py) to move laterally to a domain controller and harvest credential hashes from it,” the advisory said. “Through the Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network. Threat actors can run portable executable files on victim systems using local user rights, assuming the executable is not blocked by an application allowlist or antivirus solution.”

The advisory said that BianLian group actors use PsExec and RDP with valid accounts for lateral movement. “Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local ‘Remote Desktop Users’ group, modified the added account’s password, and modified Windows firewall rules to allow incoming RDP traffic,” it added.

“In one case, FBI found a forensic artifact (exp[dot]exe) on a compromised system that likely exploits the Netlogon vulnerability (CVE-2020-1472) and connects to a domain controller,” the advisory added. 

FBI observed BianLian group actors using malware (system[dot]exe) that enumerates registry and files and copies clipboard data from users. Furthermore, “the BianLian group actors search for sensitive files using PowerShell scripts and exfiltrate them for data extortion. Prior to January 2023, BianLian actors encrypted files after exfiltration for double extortion. BianLian group uses File Transfer Protocol (FTP) and Rclone, a tool used to sync files to cloud storage, to exfiltrate data. FBI observed BianLian group actors install Rclone and other files in generic and typically unchecked folders such as ‘programdata\vmware’ and music folders,” the advisory added.

ACSC observed BianLian group actors use the Mega file-sharing service to exfiltrate victim data, according to the advisory. “BianLian’s encryptor (encryptor[dot]exe) modified all encrypted files to have the [dot]bianlian extension. The encryptor created a ransom note, ‘Look at this instruction[dot]txt,’ in each affected directory. According to the ransom note, BianLian group specifically looked for, encrypted, and exfiltrated financial, client, business, technical, and personal files,” it added. 

The advisory also detailed that the BianLian group engages in additional techniques to pressure the victim into paying the ransom, such as printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with the BianLian group.

Some of the mitigation actions suggested in the advisory align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. 

Organizations must reduce the threat of malicious actors using remote access tools by auditing remote access tools on the network to identify currently used and/or authorized software. They must also review logs for the execution of remote access software to detect abnormal use of programs, use security software to detect instances of remote access software only being loaded in memory, and require authorized remote access solutions only be used from within the network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).

They must also block inbound and outbound connections on common remote access software ports and protocols at the network perimeter. Additionally, they must implement application controls to manage and control the execution of software, including allowlisting remote access programs; limiting the use of RDP and other remote desktop services; disabling command-line and scripting activities and permissions; and implementing time-based access for accounts set at the admin level and higher.
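The remote access tool audit the advisory asks for (inventory authorized software, review execution logs for abnormal use, spot remote access software running outside the registered install, and confirm sessions come in over approved channels) can be expressed as a small policy check. The following is an added example and not code from the advisory, CISA, or any vendor: it evaluates constructed execution-log records against a constructed authorized-tool policy and per-host install inventory. The process names mapped to the tools the advisory names, the internal and VPN address ranges, and all hosts and paths are assumptions for the example.

```python
"""Audit of remote access tool usage against an authorized-software policy (example)."""
import ipaddress
import ntpath

# Executable names assumed for the tools named in the advisory.
REMOTE_ACCESS_TOOLS = {
    "teamviewer.exe": "TeamViewer",
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera Agent",
}

# Constructed policy: the only approved remote access solution for this org.
AUTHORIZED = {"AnyDesk"}

# Constructed address ranges: the corporate LAN and the VPN client pool, the
# only places an approved remote access session may originate from.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12")]

# Constructed per-host install inventory (lower-cased full paths).
INSTALLED = {
    "ws01": {r"c:\program files (x86)\anydesk\anydesk.exe"},
    "ws02": {r"c:\program files (x86)\anydesk\anydesk.exe"},
    "srv03": set(),
}

# Constructed execution-log records: which remote access binary ran, and the
# source address of the session it served.
EXEC_LOG = [
    {"host": "ws01", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "src_ip": "10.200.4.17"},                      # approved tool, VPN source
    {"host": "ws02", "image": r"C:\Users\Public\AnyDesk.exe",
     "src_ip": "10.200.4.18"},                      # approved tool, unregistered copy
    {"host": "srv03", "image": r"C:\Users\svc\AppData\Local\TeamViewer\TeamViewer.exe",
     "src_ip": "203.0.113.9"},                      # tool not on the approved list
    {"host": "ws01", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "src_ip": "198.51.100.23"},                    # approved tool, external source
    {"host": "ws01", "image": r"C:\Windows\System32\notepad.exe",
     "src_ip": ""},                                 # not a remote access tool
]


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit(exec_log, installed, authorized=AUTHORIZED):
    """Return (host, check, detail) for each policy violation found."""
    findings = []
    for ev in exec_log:
        tool = REMOTE_ACCESS_TOOLS.get(ntpath.basename(ev["image"]).lower())
        if tool is None:
            continue  # not remote access software
        if tool not in authorized:
            findings.append((ev["host"], "unauthorized_tool", tool))
            continue
        # An approved tool running from a path the inventory does not know
        # about points at an ad-hoc or memory-loaded copy, not the deployment.
        if ev["image"].lower() not in installed.get(ev["host"], set()):
            findings.append((ev["host"], "unregistered_binary", ev["image"]))
        # Approved tools are only to be used from inside the network or VPN.
        if ev.get("src_ip") and not _is_internal(ev["src_ip"]):
            findings.append((ev["host"], "external_source", ev["src_ip"]))
    return findings


if __name__ == "__main__":
    for host, check, detail in audit(EXEC_LOG, INSTALLED):
        print(f"{host}: {check} ({detail})")
```

In practice the execution records would come from EDR or Sysmon process telemetry and the inventory from the software asset system; the point of the check is that an approved tool is still a finding when it runs from an unexpected path or serves a session that did not arrive over the approved VPN or VDI path.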
