U.S. and Australian agencies have updated a joint advisory on the tactics, techniques and procedures (TTPs) that the BianLian ransomware group uses, informing organizations about new methods the malicious actors employ to compromise critical infrastructure systems.
The additional TTPs were discovered through industry threat intelligence and investigations by the Cybersecurity and Infrastructure Security Agency, the FBI and the Australian Cyber Security Centre.
According to the updated guidance, BianLian is likely based in Russia, with multiple affiliates also based in Russia. The guidance indicated that BianLian, like other ransomware groups, chose a name in a foreign language to mislead authorities and network defenders about its location and nationality.
The document also stated that BianLian has targeted U.S. and Australian critical infrastructure sectors, professional services and property development since June 2022. The agencies warned organizations that the data-extortion cybercriminal group gains access to systems through valid Remote Desktop Protocol credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol, Rclone, or Mega.
BianLian originally employed a double-extortion model involving the encryption of systems after exfiltrating data but shifted to an exfiltration-based extortion model in January, the advisory authors said.
Critical infrastructure entities and small and medium-sized organizations are advised to implement mitigations, including auditing remote access tools, using security software to detect instances of remote access, and disabling command-line and scripting activities and permissions to improve their cybersecurity posture.
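As an added illustration of how a defender might act on the access and exfiltration TTPs and the remote-access auditing mitigation summarized above (example code written for this article, not part of the advisory), the following Python snippet correlates Remote Desktop logons with later execution of tooling associated with the named exfiltration channels by the same account. The simplified key=value log format, the sample events and the list of process names are assumptions constructed for the example.

```python
"""Correlate RDP logons (Windows event 4624, logon type 10) with later process
creation (event 4688) of exfiltration tooling by the same account.
All log lines below are constructed for this example, not real telemetry."""
import re
from datetime import datetime, timedelta

# Assumed process names tied to the FTP / Rclone / Mega channels named in the advisory.
EXFIL_TOOLS = {"rclone.exe", "megacmd.exe", "megasync.exe", "ftp.exe"}

# Assumed simplified log layout: "<ISO timestamp> EventID=<id> User=<user> [LogonType=<n>] [Process=<path>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) User=(?P<user>\S+)(?: LogonType=(?P<lt>\d+))?"
    r"(?: Process=(?P<proc>\S+))?$"
)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def find_rdp_exfil(lines, window=timedelta(hours=2)):
    """Return (user, tool) pairs where an RDP logon precedes exfil tooling within `window`."""
    rdp_logons = {}  # user -> time of most recent RDP (RemoteInteractive) logon
    hits = []
    for ev in filter(None, map(parse, lines)):
        if ev["eid"] == "4624" and ev["lt"] == "10":
            rdp_logons[ev["user"]] = ev["ts"]
        elif ev["eid"] == "4688" and ev["proc"]:
            name = ev["proc"].rsplit("\\", 1)[-1].lower()  # strip the directory part
            last_rdp = rdp_logons.get(ev["user"])
            if name in EXFIL_TOOLS and last_rdp and ev["ts"] - last_rdp <= window:
                hits.append((ev["user"], name))
    return hits

# Constructed sample events: one RDP session followed by Rclone, one console logon as a control.
SAMPLE_LOGS = [
    "2024-01-10T02:14:00 EventID=4624 User=CORP\\svc_backup LogonType=10",
    "2024-01-10T02:20:00 EventID=4688 User=CORP\\svc_backup Process=C:\\Windows\\System32\\net.exe",
    "2024-01-10T02:41:00 EventID=4688 User=CORP\\svc_backup Process=C:\\Temp\\rclone.exe",
    "2024-01-10T09:00:00 EventID=4624 User=CORP\\alice LogonType=2",
    "2024-01-10T09:05:00 EventID=4688 User=CORP\\alice Process=C:\\Tools\\rclone.exe",
]

if __name__ == "__main__":
    for user, tool in find_rdp_exfil(SAMPLE_LOGS):
        print(f"ALERT: {user} ran {tool} shortly after an RDP logon")
```

Only the account that arrived over RDP and then launched Rclone is flagged; the interactive console user running the same tool is not, which keeps the rule focused on the remote-access pattern the advisory describes.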
The update to the cybersecurity advisory, originally published in 2023, follows a new Australian Signals Directorate report that found growing cybersecurity threats from state-sponsored hackers and criminal groups that target government operations, critical infrastructure and businesses.