Yesterday, CISA, the FBI, and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) released updates to their advisory #StopRansomware: BianLian Ransomware Group, covering observed tactics, techniques, and procedures (TTPs) and indicators of compromise attributed to the data extortion group BianLian. See WaterISAC's previous coverage of the advisory from May.
The advisory has been updated to include additional TTPs obtained through FBI and ASD's ACSC investigations. Likely based in Russia, BianLian has affected organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed the BianLian group predominantly targeting private enterprises, including one critical infrastructure organization. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega.
CISA and its partners encourage critical infrastructure organizations to review and implement the mitigations in this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents. Access the full advisory at CISA.
Resource: