AdvisoriesCISAAA23-136AMay 16, 2023
May 16, 2023
This joint cybersecurity advisory by the FBI, CISA, and ACSC aims to share information about the BianLian ransomware and data extortion group. BianLian is a cybercriminal group that has targeted organizations in critical infrastructure sectors in the US and Australia since June 2022. They gain access to victim systems using valid Remote Desktop Protocol (RDP) credentials and employ open-source tools and command-line scripting for discovery and credential harvesting. Victim data is exfiltrated through File Transfer Protocol (FTP), Rclone, or Mega, and the group extorts money by threatening to release the data if payment is not made. The advisory provides mitigation recommendations to help critical infrastructure organizations and small- to medium-sized organizations reduce the likelihood and impact of BianLian and other ransomware incidents.
May 16, 2023
Computers are designed to be networked, so they can talk to each other and share data unhindered. This enables ideal usability but comes at a cost: once a single device is compromised, a threat actor can move to others and compromise them as well. BianLian, like many malware samples, uses a common operating system utility to move laterally. The best mitigation is to move from servers and workstations to “secure by design” devices, such as containers, Chromebooks or iPads. These device types rely on application sandboxing to prevent a malicious user from moving to other machines. If this is not feasible, evaluate which utilities are required for day-to-day IT operations and remove the others. Utilities you should be looking for include: RDP, PuTTY, WinRM, PSExec (Windows) and SSH (Linux/MacOS).
Be immediately notified of new advisories and associated security tests
AdvisoryCISAAA24-207AJuly 25, 2024
