CyberSecurityBoard
Sponsor Register Login

BianLian Threat Actor Shifts Focus to Extortion-Only Tactics

The BianLian threat actor has been observed shifting toward extortion-only activities, according to recent findings by GuidePoint's Research and Intelligence Team.
Following Avast's release of a decryptor for BianLian in January 2023, the group has altered its tactics.
In a recent incident response, GRIT, in collaboration with GuidePoint's DFIR team, uncovered new details of BianLian's modus operandi.
Exploiting vulnerabilities in a TeamCity server, the threat actor gained initial access into the victim's environment.
Utilizing a PowerShell implementation of the BianLian GO backdoor, the attacker executed a series of malicious commands.
The intrusion started with the exploitation of known TeamCity vulnerabilities CVE-2024-27198 and CVE-2023-42793, allowing the threat actor to infiltrate the victim's system.
Once inside, the attacker used Windows commands to navigate the network landscape, eventually compromising two build servers.
Through the deployment of legitimate files winpty-agent.
Dll, the attacker remotely executed commands and introduced malicious tools, including the web.
In an advisory published last Friday, GuidePoint said that despite initial challenges with their standard GO backdoor, BianLian successfully pivoted to a PowerShell-based alternative, showcasing adaptability in their approach.
While the PowerShell script exhibited obfuscation techniques, further analysis revealed its true intent was to serve as a backdoor facilitating remote control over compromised systems.
The script used advanced techniques such as Runspace Pools and SSL streams for asynchronous command execution, underscoring the threat actor's sophistication.
The use of SSL certificate validation and IP address resolution techniques further indicated a connection to BianLian's previous tactics, aiding in attribution efforts.
To counter threats like this, GuidePoint advised focusing on preparedness: patching external apps, practicing incident response, conducting threat intel-informed pen tests and leveraging threat intel.


This Cyber News was published on www.infosecurity-magazine.com. Publication date: Mon, 11 Mar 2024 16:15:10 +0000


Cyber News related to BianLian Threat Actor Shifts Focus to Extortion-Only Tactics

BianLian Threat Actor Shifts Focus to Extortion-Only Tactics - The BianLian threat actor has been observed shifting toward extortion-only activities, according to recent findings by GuidePoint's Research and Intelligence Team. Following Avast's release of a decryptor for BianLian in January 2023, the group has ...
1 year ago Infosecurity-magazine.com CVE-2024-27198 CVE-2023-42793 BianLian
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
1 year ago Feeds.fortinet.com CVE-2023-42793 APT29
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity - By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims. After analyzing the artifacts we can conclude with moderate confidence that the majority of the threat actor activity ...
1 year ago Thedfirreport.com
Windows Incident Response: Human Behavior In Digital Forensics, pt III - Digital forensics can provide us insight into a threat actor's sophistication and situational awareness, which can, in turn, help us understand their intent. Observing the threat actor's actions helps us understand not just their intent, but what ...
1 year ago Windowsir.blogspot.com
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol host, leading to data exfiltration and the deployment of Trigona ransomware. On Christmas Eve, within just three hours of gaining initial access, ...
1 year ago Thedfirreport.com Trigona
FBI Warns of Threats Actors mimic as BianLian Group to Attack Corporate Executives - Unlike legitimate BianLian operations, which rely on technical compromises like exploiting ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) or leveraging stolen Remote Desktop Protocol (RDP) credentials—these letters lack ...
1 month ago Cybersecuritynews.com CVE-2021-34473 BianLian
New Tool Set Found Used Against Organizations in the Middle East, Africa and the US - Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors' activity. We ...
1 year ago Unit42.paloaltonetworks.com
BianLian GOs for PowerShell After TeamCity Exploitation - In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor. The threat actor identified a ...
1 year ago Securityboulevard.com CVE-2024-27198 CVE-2023-42793 BianLian
Ransomware Gangs Are Collaborating To Attack Financial Services - The Cyber-Extortion Trinity-the BianLian, White Rabbit, and Mario ransomware gangs-was observed by researchers working together to launch a joint extortion campaign against publicly traded financial services companies. Although these joint ransomware ...
1 year ago Cybersecuritynews.com BianLian
Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
1 year ago Microsoft.com
Staying ahead of threat actors in the age of AI - At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified ...
1 year ago Microsoft.com Kimsuky
Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks - Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet, that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for ...
10 months ago Microsoft.com
Threat Intelligence Feeds Flood Analysts With Data, But Context Still Lacking - By combining external threat data with internal risk assessments, contextual threat intelligence helps organizations measure the risk level of alerts or vulnerabilities in relation to their business and technical assets, ensuring that the most ...
1 week ago Cybersecuritynews.com
APT trends report Q1 2024 - Careto is a highly sophisticated threat actor that has been seen targeting various high-profile organizations since at least 2007. The last operations conducted by this threat actor were observed in 2013. Our private report provided a detailed ...
11 months ago Securelist.com OilRig Sidewinder
Top 7 Cyber Threat Hunting Tools for 2024 - Cyber threat hunting is a proactive security measure taken to detect and neutralize potential threats on a network before they cause significant damage. To seek out this type of threat, security professionals use cyber threat-hunting tools. With ...
1 year ago Techrepublic.com
Proofpoint Exposes Sophisticated Social Engineering Attack on Recruiters That Infects Their Computers With Malware - Recruiters and anyone else involved in hiring processes should be knowledgeable about this social engineering attack threat. A new report from U.S.-based cybersecurity company Proofpoint exposes a new attack campaign operated by a ...
1 year ago Techrepublic.com
What Is Threat Modeling? - Threat modeling emerges as a pivotal process in this landscape, offering a structured approach to identify, assess, and address potential security threats. Threat Modeling Adoption and Implementation The successful adoption of threat modeling within ...
1 year ago Feeds.dzone.com
Top 10 Notorious Ransomware Gangs of 2023 - By employing a multitude of advanced techniques like double extortion along with other illicit tactics, ransomware groups are continually evolving at a rapid pace. Here below, we have mentioned all the types of ransomware used by the threat actors ...
1 year ago Cybersecuritynews.com LockBit BianLian Everest Ragnar Locker Black Basta
How to Use Threat Intelligence Feeds for SOC/DFIR Teams - Threat intelligence feeds provide real-time updates on indicators of compromise, such as malicious IPs and URLs. Security systems can then ingest these IOCs to identify and block potential threats, which essentially grants organizations immunity to ...
11 months ago Cybersecuritynews.com
Companies Must Strengthen Cyber Defense in Face of Shifting Threat Actor Strategies - Critical for organizations to understand attackers' tactics, techniques, and procedures. The 2023 mid-year cyber threat report card portends an ominous outlook with staggering data including the fact that 332 million cryptojacking attacks were ...
1 year ago Cyberdefensemagazine.com
It's Time to Tear Down the Barriers Preventing Effective Threat Intelligence - Today, organizations are confronted with a deluge of cyber threats, ranging from sophisticated AI-powered ransomware to tried and true brute force attacks. At this point, IT security teams know it's essential to stay one step ahead of cybercriminals, ...
1 year ago Cyberdefensemagazine.com
How to Overcome the Most Common Challenges with Threat Intelligence - Today's typical approach to threat intelligence isn't putting organizations in a place to do that. Instead, many threat intelligence tools are delivering too much uncurated and irrelevant information that arrives too late to act upon. Organizations ...
1 year ago Cyberdefensemagazine.com Hunters
What Is Cyber Threat Hunting? - Cyber threat hunting involves proactively searching for threats on an organization's network that are unknown to traditional cybersecurity solutions. A recent report from Armis found that cyber attack attempts increased by 104% in 2023, underscoring ...
1 year ago Techrepublic.com
CISA, FBI warn of BianLian mail scam targeting executives with $500k ransom note | The Record from Recorded Future News - A spokesperson for the company told Recorded Future News that Arctic Wolf is aware of at least 20 organizations or executives who have received these letters. The letters have a return address based in Boston, Massachusetts and the FBI said it is ...
1 month ago Therecord.media BianLian
Free BianLian Ransomware Decryptor: A Complete Guide - With the recent emergence of ransomware attacks targeting organizations around the world, it has become increasingly important to have the latest security solutions in place in order to combat such threats. One of the most notable ransomware threats ...
2 years ago Securityaffairs.com BianLian

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)