BianLian Ransomware Targets RDP
May 24th, 2023
The BianLian ransomware group, a relatively new threat actor, has captured the attention of prominent U.S. and Australian security agencies. It targets critical infrastructure organizations in the United States and Australia, and its motivations range from financial gain to causing widespread disruption. In early 2023 the group shifted from a double-extortion model that encrypted files to extortion based primarily on data exfiltration.
The group is tracked by several agencies including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC). Their joint advisory (AA23-136A, published May 16th, 2023) underlines the gravity and urgency of addressing the threat posed by this group.
The group employs various tactics to infiltrate victim networks. Initial access is most often obtained through valid remote desktop protocol (RDP) credentials acquired from initial access brokers or through phishing. Once inside, they deploy a custom Go-based backdoor tailored to each victim, along with legitimate remote management and access software such as Atera Agent, AnyDesk, SplashTop, and TeamViewer.
They rely on a range of reconnaissance tools such as Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, PingCastle, and Impacket. Their preferred techniques are credential harvesting, lateral movement using valid RDP credentials, and exploiting vulnerabilities such as the Netlogon vulnerability (CVE-2020-1472, Zerologon) to reach Active Directory domain controllers.
BianLian's attacks on critical infrastructure organizations pose significant risks, including potential disruption of essential services, compromise of sensitive data, and financial losses for the targeted entities. The threat of publishing exfiltrated data on a leak site amplifies the reputational and security concerns faced by victims.
Acreto Solution
Acreto offers a comprehensive approach to addressing the threats posed by the BianLian ransomware group. By leveraging the power of Ecosystems, Acreto provides a dedicated security infrastructure that can be deployed per application, project, or third-party, ensuring limited access only to authorized users, devices, systems, and applications that need to interoperate together.
- Micro-Segmentation: Acreto segments groups of systems within a shared network, including potentially hostile networks or the entire network. Even if an attacker gains initial access to one system, that system is isolated from the others and cannot be used to move laterally.
- Nano-Segmentation: Acreto isolates an individual system, device or application, limiting its access to other authorized Ecosystem members. A compromised device or application therefore has restricted reach and cannot pivot to other parts of the network.
- Encrypted Secure Scan decrypts, scans and re-encrypts encrypted communications inline and in real time, blocking malicious content embedded in the payload. Organizations can inspect their traffic even when most of it is encrypted.
- Identity-based access control, including multi-factor authentication, ensures that only authenticated users with the proper credentials can access the Ecosystem. Device-based access control validates the identity of autonomous applications and IoT devices.
- Network protocols, ports, application protocols and application programs can be controlled to regulate communication between Ecosystem members and external resources. Policies can also be defined on content categories and file types, and on sensitive data patterns such as credit card or social security numbers, to block their upload or download.
- Threat prevention combines threat signature identification with zero-day behavioral analysis. Known exploits, malware, botnets and ransomware are identified and blocked by signature; behavioral analysis flags threats from how system functions react to a payload, adding a layer of protection against emerging threats.
With Acreto's comprehensive solution, organizations can mitigate the risks posed by the BianLian ransomware group. By implementing Ecosystems, organizations create a controlled environment that limits access and protects critical assets from evolving threats. Because this attack chain runs on valid credentials, the segmentation policy must explicitly deny RDP (TCP 3389) between members that do not need it and enforce MFA on every RDP or remote-access path; a policy that still permits RDP among peers does nothing against a login with a stolen password.
Contact Acreto today for more information or to evaluate Ecosystem security for your organization.
Ecosystem Security Isolation
Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.
Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.
Ecosystems can be configured as:
Open → With inbound or outbound access from or to the Internet or a third-party
Closed → Fully contained with access limited to Ecosystem members
Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.
Eliminate the Internet Attack Surface
Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.
Eliminate the Internal Attack Surface
Ecosystems can easily isolate individual systems, groups of systems on a shared network, or entire networks, limiting access to only the systems that need to interoperate together. This is done with:
- Micro-Segmentation: segmenting groups of systems on any shared network, including hostile networks or the entire network.
- Nano-Segmentation: isolating an individual system, device or application to limit access only to other authorized Ecosystem members.
Isolated Data Flows
Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.
Encrypted Secure Scan
Secure Scan addresses a key weakness in many security tools today. More than 90% of all communications are encrypted, yet only 10% of organizations have the means to inspect them. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time.
Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.
Controls
Access Control
Identity with MFA
- User: authorizes access to the Ecosystem by a user's identity, including MFA, as authenticated by the organization's directory services such as Active Directory or LDAP, or by third-party identity providers such as Okta, Ping, Duo, and CloudJump among others.
- Device: assigns a unique identity to each device so that a device which does not rely on a user to operate, such as an autonomous application or an IoT device, can be validated before it is allowed to join the Ecosystem.
Network Protocol / Port
Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Protocol
Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Program
Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Content
Content Category
Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.
File Type Upload / Download Controls
Control the upload and download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.
Data Leak Prevention
Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:
- Credit card numbers (upload / download controls)
- Social security numbers (upload / download controls)
- RegEx pattern matches (upload / download controls)
Threat Prevention
After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:
Threat Signature
Identifies and mitigates known bad exploits, malware, botnets and ransomware.
Zero-Day Behavioral Analysis
Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.
Simplicity
Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.
Provisioning an Ecosystem takes 3-5 minutes. Give the Ecosystem a unique name and choose the desired bandwidth; within a few minutes the Ecosystem, with its dedicated security infrastructure, is ready.
Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.
Sustainability
Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.
Change Management
Different Ecosystems operate completely independently from one-another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.
Policy Management
Policy management also benefits from Ecosystems. Because each Ecosystem is specific to a customer scenario such as an application, use-case, project or third-party, all of its policies apply to that scenario alone. When it's time for policy cleanup, for example when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes its policies. This has traditionally been a complex task that is at best inaccurate.
Mechanism of Attack
- Access to victim networks is gained through valid RDP credentials acquired from initial access brokers or phishing attacks.
- Targets include critical infrastructure organizations in the US and private entities in Australia.
- A custom Go-based backdoor specific to each victim is deployed, along with remote management and access software such as Atera Agent, AnyDesk, SplashTop, and TeamViewer.
- Administrator accounts are created, existing account passwords are changed, antivirus software is disabled, and the Windows registry is modified to disable or uninstall Sophos endpoint protection.
- Reconnaissance tools include Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, PingCastle, and Impacket.
- Credentials are harvested from LSASS memory dumps and with command-line scripting; RDP Recognizer is used to brute-force RDP passwords or to check hosts for RDP vulnerabilities.
- Lateral movement uses PsExec and RDP with valid credentials, adding an account to the Remote Desktop Users group, modifying account passwords, and changing firewall rules to allow RDP traffic.
- The Netlogon vulnerability (CVE-2020-1472) is exploited to connect to an Active Directory domain controller.
- PowerShell scripts harvest victim data, which is then exfiltrated over FTP or with tools such as Rclone. Against Australian victims the Mega file-sharing service has been used for exfiltration.
- When ransomware is deployed, encrypted files carry the .bianlian extension, and ransom notes inform victims that data has been both encrypted and exfiltrated.
- The group threatens to publish exfiltrated data on its leak site; victims are instructed to contact the group via Tox chat and pay a ransom in cryptocurrency.
- To pressure victims, the group prints the ransom note on company printers and contacts employees by phone.
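The chain above (and the shorter summary of it in the introduction) is detectable on the host long before the .bianlian extension appears: a new local account, a membership change on Remote Desktop Users, a netsh rule opening 3389, a Sophos registry key being rewritten, LSASS being opened, and rclone starting each leave a Windows Security or Sysmon event. The following is an added example, not code from the advisory or from Acreto, of a small rule-based correlator that scores those events per host. The events and field names are constructed for the example (the assumption is that a SIEM has already normalised Security/Sysmon records into flat dicts); the Sophos registry path is a placeholder, not a real key.

```python
"""Added example: per-host scoring of Windows events for the BianLian
post-exploitation chain. Sample events are CONSTRUCTED, not real telemetry.

Event IDs used: Security 4720 (user account created), 4732 (member added to
a local group); Sysmon 1 (process create), 10 (process access), 11 (file
create), 13 (registry value set). Field names are simplified assumptions.
"""
import ntpath                      # handles backslash paths on any OS
from collections import defaultdict

# Constructed telemetry: FS01 shows the full chain, WS07 one routine change.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "FS01", "event_id": 4720, "subject": "svc_backup",
     "target_user": "support1"},
    {"ts": 2, "host": "FS01", "event_id": 4732, "subject": "svc_backup",
     "target_user": "support1", "group": "Remote Desktop Users"},
    {"ts": 3, "host": "FS01", "event_id": 1,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="rdp" dir=in '
                'protocol=TCP localport=3389 action=allow'},
    {"ts": 4, "host": "FS01", "event_id": 13,
     "image": r"C:\Windows\regedit.exe",   # placeholder key name below
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\SophosExample\Start"},
    {"ts": 5, "host": "FS01", "event_id": 10,
     "image": r"C:\Windows\System32\rundll32.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
    {"ts": 6, "host": "FS01", "event_id": 1,
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone copy D:\Finance remote:bucket"},
    {"ts": 7, "host": "FS01", "event_id": 11,
     "target_filename": r"D:\Finance\q1.xlsx.bianlian"},
    {"ts": 8, "host": "WS07", "event_id": 4732, "subject": "helpdesk",
     "target_user": "jdoe", "group": "Remote Desktop Users"},
]


# Each rule returns (description, weight) on a hit, else None.
def rule_new_account(e):
    if e.get("event_id") == 4720:
        return ("local account created", 1)

def rule_rdp_group(e):
    if e.get("event_id") == 4732 and e.get("group") in ("Remote Desktop Users", "Administrators"):
        return (f"user added to {e['group']}", 2)

def rule_rdp_firewall(e):
    cmd = e.get("cmdline", "").lower()
    if e.get("event_id") == 1 and "advfirewall" in cmd and ("3389" in cmd or "remote desktop" in cmd):
        return ("firewall rule opened for RDP", 2)

def rule_av_tamper(e):
    if e.get("event_id") == 13 and "sophos" in e.get("target_object", "").lower():
        return ("Sophos registry value modified", 3)

def rule_lsass(e):
    if e.get("event_id") == 10 and ntpath.basename(e.get("target_image", "")).lower() == "lsass.exe":
        return ("process opened LSASS", 3)

def rule_exfil_tool(e):
    img = ntpath.basename(e.get("image", "")).lower()
    if e.get("event_id") == 1 and img in ("rclone.exe", "ftp.exe"):
        return (f"exfiltration tool launched: {img}", 3)

def rule_bianlian_ext(e):
    if e.get("event_id") == 11 and e.get("target_filename", "").lower().endswith(".bianlian"):
        return ("file written with .bianlian extension", 5)

RULES = [rule_new_account, rule_rdp_group, rule_rdp_firewall, rule_av_tamper,
         rule_lsass, rule_exfil_tool, rule_bianlian_ext]


def triage(events):
    """Return {host: (score, [(ts, description), ...])} in timestamp order."""
    per_host = defaultdict(lambda: [0, []])
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for rule in RULES:
            hit = rule(e)
            if hit:
                desc, weight = hit
                per_host[e["host"]][0] += weight
                per_host[e["host"]][1].append((e["ts"], desc))
    return {h: (s, f) for h, (s, f) in per_host.items()}


def hosts_to_escalate(events, threshold=6):
    """One Remote Desktop Users change is routine helpdesk work; several of
    the chain's steps on the same host is what the advisory describes."""
    return sorted(h for h, (score, _) in triage(events).items() if score >= threshold)


if __name__ == "__main__":
    for host, (score, findings) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: score={score}")
        for ts, desc in findings:
            print(f"  t={ts} {desc}")
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

The weights are illustrative: the point is that the early steps (account creation, group change, firewall rule) are individually benign and only become a finding when they co-occur on one host, whereas LSASS access by a non-security process and a .bianlian write should page on their own. In production the same rules would be fed from the SIEM's normalised events rather than the constructed list above.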
About Acreto
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.