Alert Essentials:
BianLian is contacting supposed ransomware victims by sending printed letters delivered by the postal service. If communication is received, review system logs for indicators of compromise (IoCs).
Detailed Threat Description:
Emerging as a banking trojan in 2019, BianLian has since evolved into a ransomware developer, deployer, and data extortion cybercriminal group. Known for their adaptability, this group shifted to a data theft and extortion operation in 2023 following Avast’s release of a decryptor for their ransomware strain, BianLian.
The threat group typically gains initial network access by exploiting compromised Remote Desktop Protocol (RDP) credentials or vulnerabilities in servers such as TeamCity and ProxyShell.
After successfully infiltrating the environment, BianLian pivots to living off the land, using PowerShell to deploy a customized version of their GO backdoor and Windows Command Shell to harvest credentials for lateral movement.
This treacherous troop is infamous for its unconventional methods of delivering ransom notes. They print ransom notes on victims’ printers and often call employees to issue threats. More recently, the US Postal Service delivered the group’s demands.
Fortified Health Security Threat Defense Team has witnessed threat actors sending ransomware notes through U.S. mail.
While the return address on the envelope is a vacant building, the addressee is BianLian. The enclosed ransomware ultimatums state the victims’ networks were compromised, and data was exfiltrated.
This dangerous adversary provides a QR code with a Bitcoin address and mandates payment within 10 days of receiving the letter. If timely compensation is not received, they promise to publish sensitive data to their leak site and email relevant parties.
Although their tactics of delivering ransom notes are unusual, the threats are often very real. According to GuidePoint Security, during the first nine months of 2024, BianLian was among the top three most active ransomware groups targeting the healthcare industry.
Fortified recommends healthcare companies receiving the note investigate the validity by reviewing system logs for TTPs and IoCs. Organizations should utilize network monitoring tools to detect unusual activity and potential threats. Additionally, regularly updated intrusion detection systems (IDS) and security information and event management (SIEM) tools can identify ransomware attacks before they spread.
If ransomware exfiltration is discovered, follow notification requirements outlined in the organization’s cyber incident response plan. Engage internal and external teams and stakeholders to help mitigate, respond to, and recover from the incident.
Impacts on Healthcare Organizations:
A ransomware attack on a hospital can be severe, potentially endangering patients’ lives and causing significant financial losses. Healthcare organizations can significantly reduce their risk of falling victim to ransomware attacks and improve their overall cybersecurity posture with a comprehensive cybersecurity strategy that includes technical and human-focused measures.
It is worth noting that the group may not always attempt to encrypt systems, and thus, evidence of data theft or unauthorized access/account compromise should be sought.
Affected Products / Versions:
CVEs
- CVE-2024-27198 – CWE-288/306 – (CVSS 9.8)
- CVE-2023-42793 – CWE-288/306 – (CVSS 9.8)
- CVE-2022-37969 – CWE-787 – (CVSS 7.8)
- CVE-2021-34473 – CWE-918 – (CVSS 9.8)
- CVE-2021-34523 – CWE-287 – (CVSS 9.8)
- CVE-2021-31207 – CWE-434 – (CVSS 6.6)
Tactics, Techniques, and Procedures (TTPs)
| Tactic Name | Technique |
|---|---|
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Exfiltration | T1567 – Exfiltration Over Web Service |
| Exfiltration | T1020 – Automated Exfiltration |
| Execution | T1569.002 – Service Execution |
| Discovery | T1016.001 – Internet Connection Discovery |
| Initial Access | T1195 – Supply Chain Compromise |
| Initial Access | T1566.002 – Spearphishing Link |
| Privilege Escalation | T1547.001 – Registry Run Keys / Startup Folder |
| Persistence | T1547.001 – Registry Run Keys / Startup Folder |
| Initial Access | T1190 – Exploit Public-Facing Application |
| Execution | T1059.003 – Windows Command Shell |
| Impact | T1486 – Data Encrypted for Impact |
| Initial Access | T1566.001 – Spearphishing Attachment |
| Execution | T1059.001 – PowerShell |
| Privilege Escalation | T1547.009 – Shortcut Modification |
| Persistence | T1547.009 – Shortcut Modification |
| Exfiltration | T1537 – Transfer Data to Cloud Account |
| Collection | T1114.001 – Local Email Collection |
| Privilege Escalation | T1078 – Valid Accounts |
| Defense Evasion | T1078 – Valid Accounts |
| Initial Access | T1078 – Valid Accounts |
| Persistence | T1078 – Valid Accounts |
| Exfiltration | T1029 – Scheduled Transfer |
| Defense Evasion | T1036.005 – Match Legitimate Name or Location |
| Defense Evasion | T1027.001 – Binary Padding |
Recommendations:
Engineering Recommendations:
- Strictly limit the use of RDP and other remote desktop services
- Audit remote access tools
- Disable command-line and scripting activities and permissions
- Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions
- Restrict usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version
- Enable enhanced PowerShell logging
- Block both inbound and outbound connections on common remote access software ports and protocols at the network perimeter
- Maintain offline backups
- Keep all operating systems, software, and firmware up to date
Leadership/Program Recommendations:
- Implement application controls to manage and control the execution of software
- Develop and maintain a recovery plan
- Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Avast Decryptor: https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/
- CISA: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
- CISA Cybersecurity Performance Goals: https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
- Cybersecurity advisory: https://www.ic3.gov/CSA/2024/241120.pdf
- Downloadable Indicators of Compromise (IoCs): https://www.cisa.gov/sites/default/files/2023-05/aa23-136a.stix_.xml
- GuidePoint Security: https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/
- HIPAA: https://www.hipaajournal.com/bianlian-cybersecurity-alert/
