BIAN LIAN
BIAN LIAN is an active ransomware group primarily targeting organizations across various sectors but without specific industry or infrastructure focus identified to date. The initial access vector remains unclear, but the high volume of predicted CVE correlations suggests that BIAN LIAN likely exploits vulnerabilities before they are widely known, indicating a proactive approach to discovering and leveraging software flaws. This group is distinctive for its extensive use of unconfirmed yet strategically significant CVEs, suggesting a sophisticated capability in identifying and exploiting zero-day vulnerabilities. They operate with a double extortion strategy, encrypting data while also threatening public release unless ransom demands are met.
BIAN LIAN's technical footprint reveals a preference for critical and high-severity vulnerabilities, particularly those related to remote code execution (RCE) and authentication bypass mechanisms. The group’s reliance on unconfirmed CVEs indicates a high level of sophistication in vulnerability research and exploitation techniques. Defenders should prioritize the continuous monitoring and patching of software to mitigate known risks, especially focusing on critical systems exposed to RCE vulnerabilities. Additionally, enhancing network segmentation and implementing robust data exfiltration detection mechanisms can help prevent double extortion tactics.
CISA Intelligence #StopRansomware
#StopRansomware: BianLian Ransomware Group · 2024-11-20
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ASD’S ACSC investigations.
(New, November 20, 2024) The reporting agencies are aware of multiple ransomware groups, like BianLian, that seek to misattribute location and nationality by choosing foreign-language names, almost certainly to complicate attribution efforts. BianLian is a ransomware developer, deployer, and data extortion cybercriminal group, likely based in Russia, with multiple Russia-based affiliates.
(Updated, November 20, 2024) BianLian group actors have affected organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian then extorts money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, they shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024.
Predicted CVEs (100) CORRELATION
How does prediction work?
Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.