Researchers Spot Snowballing BianLian Ransomware Gang Activity

The operators of the emerging cross-platform ransomware BianLian increased their command and control infrastructure this month, indicating an acceleration in their operational pace.

DARKReading
A new player to the ransomware space called BianLian is ramping up activity, and has already targeted organizations in Australia, North America, and the United Kingdom.

According to an advisory from cybersecurity firm Redacted, there has been a “troubling” rise in the rate at which BianLian is bringing new command-and-control (C&C) servers online.

The ransomware was created with Golang (Go), the Google-created open source programming language, and targets SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

“While we lack the insight to know the exact cause for this sudden explosion in growth, this may signal that they are ready to increase their operational tempo, though whatever the reason, there is little good that comes from a ransomware operator having more resources available to them,” the researchers noted in the Friday post.

BianLian has been rising in popularity since it was first outed in mid-July, according to researchers at Cyble Research Labs, which published details on the ransomware last month.

The BianLian Ransomware Attack Flow

To begin its attacks, the ransomware gang leverages the access gained through the ProxyShell vulnerabilities to install a Web shell or ngrok payload for monitoring activities. The group has been taking care to avoid detection and minimize observable events as it hunts for data and identifies machines to encrypt, researchers said.

In a campaign observed by Redacted, once in, BianLian most often utilized standard “living off the land” (LoL) techniques for network profiling and lateral movement, the report noted. These included net.exe to add and/or modify user permissions; netsh.exe to configure host firewall policies; and reg.exe to adjust various registry settings related to remote desktop and security policy enforcement.
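Each of these built-in tools is routine in day-to-day administration, so a single invocation is weak signal; what stands out is several kinds of change on one host in a short span. The sketch below is an added example, not code from the Redacted advisory or the original article: it flags a host when two or more categories of net.exe, netsh.exe and reg.exe changes land within one window. The event tuples, host names, rule patterns and the 10-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed rule patterns (not from the advisory): one per kind of change the article names.
RULES = {
    "account_change": re.compile(r"\bnet1?(\.exe)?\s+(localgroup|user|group)\b.*\s/add\b", re.I),
    "firewall_change": re.compile(r"\bnetsh(\.exe)?\s+(adv)?firewall\b.*\b(add|set|delete)\b", re.I),
    "rdp_or_policy_registry": re.compile(r"\breg(\.exe)?\s+add\b.*(Terminal Server|\\Policies\\)", re.I),
}

# Constructed process-creation events: (host, ISO timestamp, command line).
SAMPLE_EVENTS = [
    ("WS-014", "2022-09-01T09:00:05", r'net.exe use \\fs01\share'),
    ("WS-022", "2022-09-01T10:30:00",
     r'netsh.exe advfirewall firewall add rule name="app" dir=in action=allow program="C:\app\a.exe"'),
    ("EXCH-01", "2022-09-01T02:11:40", r'net.exe localgroup "Remote Desktop Users" svc_tmp /add'),
    ("EXCH-01", "2022-09-01T02:12:02",
     r'netsh.exe advfirewall firewall add rule name="rd" dir=in action=allow protocol=TCP localport=3389'),
    ("EXCH-01", "2022-09-01T02:12:31",
     r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
]

def correlate(events, window=timedelta(minutes=10), min_categories=2):
    """Return {host: sorted categories} for hosts where at least
    min_categories distinct rule categories fire inside one time window."""
    hits = defaultdict(list)
    for host, ts, cmdline in events:
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, host_hits in hits.items():
        host_hits.sort()
        # Slide the window start over every hit; stop at the first window that qualifies.
        for i, (start, _) in enumerate(host_hits):
            cats = {n for t, n in host_hits[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts[host] = sorted(cats)
                break
    return alerts

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```

The lone firewall rule on WS-022 does not alert, which is the intended behaviour: the threshold and window trade false positives from ordinary administration against missed slow-moving activity and need tuning per environment.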

In addition to leveraging the LoL techniques, the group is also known to deploy a custom implant as an alternative means to maintain persistent network access. The main objective of this “simple but effective” backdoor is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them.

“BianLian have shown themselves to be adept with the methodology to move laterally, adjusting their operations based on the capabilities and defenses they encountered in the network,” the report stated.

BianLian, like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, is also able to start servers in Windows Safe Mode to execute its file-encrypting malware while remaining undetected by security solutions installed on the system. Other measures taken to circumvent security barriers include deleting snapshots, purging backups, and running its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts.

The group’s emergence adds to the growing number of threats using Go as a base language, allowing adversaries to make quick changes in a single code base that can then be compiled for multiple platforms.

Ransomware Runs Wild

Acronis’ mid-year cyber-threats report found that ransomware continues to be the top threat to large and midsize businesses, including government organizations, while research from Sophos indicates ransomware gangs may be working in concert to orchestrate multiple attacks.

Further complicating the security landscape is the emergence of data marketplaces that make it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

Despite the growing risk level and sophistication of ransomware attacks, ransomware coverage is lacking even among businesses with cyber insurance, according to a BlackBerry survey.

The Redacted advisory recommended using a layered approach when trying to mitigate the threat posed by ransomware actors.

“Focus needs to be placed on reducing your attack surface to avoid the most common types of exploitation techniques, but also preparing to act quickly and effectively when a compromise inevitably happens,” the report said.

The foundation of this strategy includes multifactor authentication (MFA), secure backups, and an incident response plan.

Related news

Chinese-Speaking Hacker Group Targets Human Rights Studies in Middle East

Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023. "Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky

2022's most routinely exploited vulnerabilities—history repeats

What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? The post 2022's most routinely exploited vulnerabilities—history repeats appeared first on Malwarebytes Labs.

Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities

A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five

Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages

Sites spoofing Grammarly and a Cisco webpage are spreading the DarkTortilla threat, which is filled with follow-on malware attacks.

ProxyNotShell – the New Proxy Hell?

Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082, that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers. Based on ProxyShell, this new zero-day abuse risk leverages a chained attack similar to

Chinese Hackers Hiding Malware in Windows Logo

By Waqas. Going by the name of Witchetty, the hacker group is targeting countries in Africa and the Middle East. This is a post from HackRead.com.

Espionage Group Wields Steganographic Backdoor Against Govs, Stock Exchange

APT group Witchetty (aka LookingFrog) has exploited the ProxyShell and ProxyLogon vulnerabilities to gain initial access and deploy new custom cyber tools against government agencies and a stock exchange.

U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked

Worok Hackers Targeting Orgs, Govts in Asia, Middle East and Africa

By Deeba Ahmed. Worok is primarily targeting organizations in banking, telecommunication, marine, military, energy, public sectors, and government in its current campaign. This is a post from HackRead.com.

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

Everything You Need To Know About BlackCat (AlphaV)

A relative newcomer to the ransomware scene, the BlackCat group quickly gained notoriety and may be associated with other APT groups like Conti and DarkSide.

'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections

The stealthy crypter, active since 2015, has been used to deliver a wide range of information stealers and RATs at a rapid, widespread clip.

Vulnerability Management news and publications #2

Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the avleonovcom and avleonovrus telegram channels. Therefore, if you want to read them earlier, subscribe to these channels. Alternative video link (for Russia): https://vk.com/video-149273431_456239097 What’s in this episode: Microsoft released a propaganda […]

Attackers Have 'Favorite' Vulnerabilities to Exploit

While attackers continue to rely on older, unpatched vulnerabilities, many are jumping on new vulnerabilities as soon as they are disclosed.

IIS extensions are on the rise as backdoors to servers

The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers. The post IIS extensions are on the rise as backdoors to servers appeared first on Malwarebytes Labs.

Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US

By Deeba Ahmed. Cobalt Mirage is an Iranian threat group believed to be linked to the Iranian Cobalt Illusion threat group,… This is a post from HackRead.com.

April 2021 Update Tuesday packages now available

Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates available. CVE-2021-34473 (ProxyShell) CVE-2021-34523 (ProxyShell) CVE-2021-33766 Today is Update Tuesday – our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.
