The BianLian threat actor, as identified by researchers from GuidePoint Security [1] [4], has recently shifted towards extortion activities [1] [4], targeting organizations in various industries [3].

Description

BianLian exploits vulnerabilities in the TeamCity continuous integration server for initial access into networks [2], using techniques like Runspace Pools and SSL streams [1] [4]. The group deploys a new PowerShell backdoor, winpty-agent.exe [1] [2] [4], and a web.ps1 script for remote control [4], showing adaptability in its tactics. BianLian primarily targets the healthcare [2], manufacturing [2], professional [2], and legal services sectors in the US and Europe [2], using data leak extortion tactics [2]. The group gains initial access through stolen RDP credentials and known vulnerabilities like ProxyShell [2].

In a recent attack [2], BianLian exploited a TeamCity vulnerability to create new users and execute malicious commands on build servers [2]. The attackers leveraged winpty.dll to run commands and deploy the malicious PowerShell script [2], web.ps1 [1] [2] [4], which uses SSL streams and Runspace Pools for C2 communication to avoid detection by security products [2]. GuidePoint's Research and Intelligence Team (GRIT) has been monitoring BianLian's operations closely [5]; in the incident it tracked, the exploitation of a TeamCity server led to the deployment of a PowerShell implementation of BianLian's Go backdoor [5].

The ransomware group has shown adaptability in exploiting emerging vulnerabilities and is expected to keep evolving its tactics [3], especially for data exfiltration-focused ransomware attacks [3]. In January 2023 [3], Avast released a free decryptor for BianLian [3], indicating a potential shift in the group's operations. GuidePoint advises preparedness measures such as patching applications [1], incident response planning [1] [4], and threat intelligence-informed penetration tests to counter such threats [1].
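The traits described above (a runspace pool and an SslStream in one PowerShell script, loaded alongside winpty) are the kind of combination a defender can hunt for in PowerShell script block logs (Event ID 4104). The following triage script is an added example, not code from the reporting or from GuidePoint; the log entries are constructed, and the accept-any-certificate callback it also flags is an assumption about such loaders, not something the reporting states.

```python
import re
from typing import Dict, List

# Constructed sample script block log entries (PowerShell Event ID 4104 style).
# Illustrative only; these are not captured BianLian artifacts.
SAMPLE_SCRIPT_BLOCKS: List[Dict[str, str]] = [
    {"host": "build01", "path": "C:\\Admin\\backup.ps1",
     "text": "Get-ChildItem C:\\Builds -Recurse | Compress-Archive -DestinationPath D:\\bk.zip"},
    {"host": "build01", "path": "C:\\Admin\\parallel-scan.ps1",
     "text": "$pool = [runspacefactory]::CreateRunspacePool(1, 8); $pool.Open()"},
    {"host": "build02", "path": "C:\\TeamCity\\temp\\web.ps1",
     "text": ("$pool = [runspacefactory]::CreateRunspacePool(1, 4); $pool.Open()\n"
              "$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, {$true})\n"
              "Add-Type -Path 'C:\\TeamCity\\temp\\winpty.dll'")},
]

# Traits the reporting associates with the web.ps1 backdoor. Most are benign on
# their own (admins use runspace pools and SslStream too); the combination matters.
# cert_check_disabled is an assumed trait (validation callback that always returns $true).
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "runspace_pool": re.compile(r"CreateRunspacePool|RunspacePool", re.I),
    "ssl_stream": re.compile(r"System\.Net\.Security\.SslStream", re.I),
    "cert_check_disabled": re.compile(r"SslStream\(.*\{\s*\$true\s*\}", re.I),
    "winpty_component": re.compile(r"winpty(-agent\.exe|\.dll)", re.I),
    "web_ps1_path": re.compile(r"\bweb\.ps1$", re.I),
}

def score_script_block(entry: Dict[str, str]) -> Dict[str, object]:
    """Return the matched indicators and a verdict for one script block entry."""
    text, path = entry["text"], entry["path"]
    hits = [n for n, rx in INDICATORS.items() if rx.search(text) or rx.search(path)]
    # A runspace pool plus an SslStream in the same block is unusual outside dedicated
    # tooling; winpty or the web.ps1 name on top matches the reported tradecraft.
    if "runspace_pool" in hits and "ssl_stream" in hits:
        verdict = "high" if {"winpty_component", "web_ps1_path"} & set(hits) else "medium"
    elif hits:
        verdict = "low"
    else:
        verdict = "none"
    return {"host": entry["host"], "path": path, "hits": hits, "verdict": verdict}

def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score every entry and keep only those that deserve analyst attention."""
    return [r for r in (score_script_block(e) for e in entries) if r["verdict"] != "none"]

if __name__ == "__main__":
    for r in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"{r['verdict']:6} {r['host']} {r['path']} {r['hits']}")
```

In practice the entries would come from the Microsoft-Windows-PowerShell/Operational log on build servers, and a "low" hit on a runspace pool alone is expected noise from legitimate parallel admin scripts.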

Conclusion

The evolving tactics of BianLian pose a significant threat to organizations, especially in the healthcare, manufacturing [2], professional [2], and legal services sectors [2]. Mitigation measures such as patching vulnerabilities, incident response planning, and threat intelligence-informed penetration testing are crucial to counter these threats. The release of a free decryptor by Avast in January 2023 may indicate a shift in the group’s operations, but organizations should remain vigilant and prepared for future attacks.

References

[1] https://ciso2ciso.com/bianlian-threat-actor-shifts-focus-to-extortion-only-tactics-source-www-infosecurity-magazine-com/
[2] https://www.csoonline.com/article/1312926/bianlian-group-exploits-teamcity-again-deploys-powershell-backdoor.html
[3] https://securityaffairs.com/160357/hacking/bianlian-group-ttack-jetbrains-teamcity.html
[4] https://www.infosecurity-magazine.com/news/bianlian-shifts-focus-extortion/
[5] https://www.securitricks.com/bianlian-gos-for-powershell-after-teamcity-exploitation-monday-march-11-2024/