Threat Watch: BianLian Ransomware Group – Tactics, Techniques, and Mitigation Strategies

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) have jointly released a cybersecurity advisory on the BianLian ransomware and data extortion group. This article provides an in-depth analysis of the BianLian group’s activities, including their targets, techniques, and impact. Additionally, we explore effective mitigation strategies to protect organizations from this evolving threat.

  1. Background and Targets: The BianLian group, identified as a ransomware developer, deployer, and data extortion cybercriminal group, has been actively targeting organizations in critical infrastructure sectors since June 2022. Their attacks extend to both the United States and Australia, with additional focus on the professional services and property development sectors. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, then uses open-source tools and command-line scripting for discovery and credential harvesting.
  2. Tactics, Techniques, and Procedures (TTPs):
    a. Initial Access:
      • Compromised RDP credentials obtained through initial access brokers or phishing.
    b. Command and Control:
      • Custom backdoor implants specific to each victim, written in Go, for persistence and command and control.
    c. Defense Evasion:
      • Use of PowerShell and Windows Command Shell to disable antivirus tools and modify the Windows Registry.
    d. Discovery:
      • Use of compiled tools, such as Advanced Port Scanner and SoftPerfect Network Scanner, for network reconnaissance.
    e. Credential Access:
      • Harvesting of credentials from Local Security Authority Subsystem Service (LSASS) memory and through Windows Command Shell.
    f. Persistence and Lateral Movement:
      • Use of PsExec and RDP with valid accounts for lateral movement within the network.
    g. Collection, Exfiltration, and Impact:
      • Searches for sensitive files, exfiltration using FTP, Rclone, or Mega, and data extortion through encryption or the threat of data publication on the Tor network.
  3. Indicators of Compromise (IoCs):

Name | SHA-256 Hash | Description
---- | ------------ | -----------
def.exe | 7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893 | Malware associated with BianLian intrusions; a possible backdoor developed by the BianLian group.
encryptor.exe | 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43 | Example of a BianLian encryptor.
exp.exe | 0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500 | Possible NetLogon vulnerability (CVE-2020-1472) exploitation.
system.exe | 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce | Enumerates registry and files. Reads clipboard data.
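The hashes in the table above are only useful if they are actually checked against files on disk, and the check should be on content rather than file name (a renamed def.exe still carries the same SHA-256). The following is an added example, not code from the advisory or from this site: it loads the four hashes from the table, streams files through SHA-256 and reports matches. The `self_check` function uses a constructed benign file and a constructed extra IoC entry to show the matching end to end; no real BianLian sample is involved.

```python
"""Hash-based IoC matching for the BianLian indicators in the table above.

Matching is on SHA-256 content hashes, not file names. Added example; not
part of the advisory.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# SHA-256 values copied from the IoC table above: name -> (sha256, description).
BIANLIAN_IOCS: Dict[str, Tuple[str, str]] = {
    "def.exe": (
        "7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893",
        "Possible backdoor associated with BianLian intrusions",
    ),
    "encryptor.exe": (
        "1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43",
        "Example of a BianLian encryptor",
    ),
    "exp.exe": (
        "0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500",
        "Possible NetLogon (CVE-2020-1472) exploitation",
    ),
    "system.exe": (
        "40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce",
        "Enumerates registry and files; reads clipboard data",
    ),
}


def build_hash_index(iocs: Dict[str, Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Invert the IoC table into {sha256 -> (name, description)}.

    Hashes are normalised to lowercase hex so feeds or tools that emit
    uppercase digests still match; malformed entries fail loudly.
    """
    index: Dict[str, Tuple[str, str]] = {}
    for name, (digest, description) in iocs.items():
        digest = digest.strip().lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed SHA-256 for {name}: {digest!r}")
        index[digest] = (name, description)
    return index


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, iocs: Dict[str, Tuple[str, str]] = BIANLIAN_IOCS) -> List[Tuple[str, str, str]]:
    """Walk `root`, hash every regular file, return (path, ioc_name, description) hits."""
    index = build_hash_index(iocs)
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            fpath = os.path.join(dirpath, fname)
            try:
                digest = sha256_of_file(fpath)
            except OSError:
                # Locked or unreadable files are skipped here; a production scanner
                # should record them, since an unreadable binary is itself a signal.
                continue
            if digest in index:
                name, description = index[digest]
                hits.append((fpath, name, description))
    return hits


def self_check() -> Tuple[int, int]:
    """Constructed end-to-end check: a benign file is flagged only once its own
    hash (deliberately uppercased) is added to the IoC set.
    Returns (hits with the page's IoCs, hits with the augmented IoCs)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "renamed.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content, not malware\n")
        page_hits = scan_directory(tmp)
        augmented = dict(BIANLIAN_IOCS)
        augmented["constructed-sample"] = (sha256_of_file(sample).upper(), "constructed test entry")
        augmented_hits = scan_directory(tmp, augmented)
    return len(page_hits), len(augmented_hits)


if __name__ == "__main__":
    for path, name, description in scan_directory("."):
        print(f"MATCH {path}: {name} ({description})")
```

Run it against a directory you want to sweep (`scan_directory(r"C:\Users")`, for instance); hash matching is exact, so it finds only these four builds and not recompiled variants, which is why it complements rather than replaces the behavioural detections in Table 2.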

The BianLian group actors employ a range of techniques across resource development and the attack lifecycle. The techniques used by the group, mapped to MITRE ATT&CK for Enterprise, are outlined in Table 2:

Technique Title | ID | Description
--------------- | -- | -----------
Develop Capabilities: Malware | T1587.001 | BianLian group actors developed a custom backdoor used in their intrusions.
Initial Access: External Remote Services | T1133 | BianLian group actors used RDP with valid accounts as a means of gaining initial access and for lateral movement.
Initial Access: Phishing | T1566 | BianLian group actors used phishing to obtain valid user credentials for initial access.
Initial Access: Valid Accounts | T1078 | BianLian group actors used RDP with valid accounts as a means of gaining initial access and for lateral movement.
Execution: Command and Scripting Interpreter: PowerShell | T1059.001 | BianLian group actors used PowerShell to disable AMSI on Windows.
Execution: Command and Scripting Interpreter: Windows Command Shell | T1059.003 | BianLian group actors used Windows Command Shell to disable antivirus tools, for discovery, and to execute their tools on victim networks.
Execution: Scheduled Task/Job: Scheduled Task | T1053.005 | BianLian group actors used a Scheduled Task run as SYSTEM to execute a Dynamic Link Library (DLL) file daily.
Persistence: Account Manipulation | T1098 | BianLian group actors changed the password of an account they created and modified the password of an account added to the local Remote Desktop Users group.
Persistence: Create Account: Local Account | T1136.001 | BianLian group actors created/activated a local administrator account and added a user account to the local Remote Desktop Users group.
Defense Evasion: Modify Registry | T1112 | BianLian group actors modified the registry to disable user authentication for RDP connections, receive help from Remote Assistance, and disable tamper protection for certain services.
Defense Evasion: Impair Defenses: Disable or Modify Tools | T1562.001 | BianLian group actors disabled Windows Defender, AMSI, and tamper protection services for certain tools.
Defense Evasion: Impair Defenses: Disable or Modify System Firewall | T1562.004 | BianLian group actors added or modified firewall rules to allow RDP traffic and enabled existing firewall rules.
Credential Access: OS Credential Dumping: LSASS Memory | T1003.001 | BianLian group actors accessed credential material stored in the process memory of LSASS.
Credential Access: OS Credential Dumping: NTDS | T1003.003 | BianLian group actors attempted to access or create a copy of the Active Directory domain database to steal credential information.
Credential Access: Unsecured Credentials: Credentials In Files | T1552.001 | BianLian group actors searched local and remote file systems for files containing insecurely stored credentials.
Discovery: Account Discovery: Domain Account | T1087.002 | BianLian group actors queried the domain controller to identify accounts in the Domain Admins and Domain Computers groups.
Discovery: Domain Trust Discovery | T1482 | BianLian group actors used PingCastle to enumerate the AD and map trust relationships.
Discovery: File and Directory Discovery | T1083 | BianLian group actors used malware (system.exe) to enumerate files.
Discovery: Network Service Discovery | T1046 | BianLian actors used Advanced Port Scanner and SoftPerfect Network Scanner to identify computers, ports, and program versions.
Discovery: Network Share Discovery | T1135 | BianLian actors used SoftPerfect Network Scanner and SharpShares to discover shared folders and accessible network shares.
Discovery: Permission Groups Discovery: Domain Groups | T1069.002 | BianLian group actors queried the domain controller to identify groups.
Discovery: Query Registry | T1012 | BianLian group actors used malware (system.exe) to enumerate the registry.
Discovery: Remote System Discovery | T1018 | BianLian group actors attempted to get a listing of other systems on a network for lateral movement.
Discovery: System Owner/User Discovery | T1033 | BianLian group actors queried currently logged-in users on a machine.
Lateral Movement: Remote Services: Remote Desktop Protocol | T1021.001 | BianLian group actors used RDP with valid accounts for lateral movement.
Collection: Clipboard Data | T1115 | BianLian group actors’ malware collects data stored in the clipboard.
Command and Control: Ingress Tool Transfer | T1105 | BianLian group actors transferred tools or other files from an external system into a compromised environment.
Command and Control: Remote Access Software | T1219 | BianLian group actors used legitimate desktop support and remote access software for command and control purposes.
Exfiltration: Transfer Data to Cloud Account | T1537 | BianLian group actors used Rclone to exfiltrate data to a cloud account they control.
Exfiltration: Exfiltration Over Alternative Protocol | T1048 | BianLian group actors exfiltrated data via FTP.
Exfiltration: Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | BianLian group actors exfiltrated data via the Mega public file-sharing service.
Impact: Data Encrypted for Impact | T1486 | BianLian group actors encrypted data on target systems.

Lab[7] Threat Watch RCA (Recommended Course of Action)

To improve your organization’s cybersecurity posture based on the threat actors’ activity, it is recommended to implement the following mitigations:

  1. Reduce threat of malicious actors using remote access tools:
    • Audit remote access tools on your network to identify currently used and authorized software.
    • Review logs for execution of remote access software to detect abnormal use of programs running as a portable executable.
    • Use security software to detect instances of remote access software being loaded only in memory.
    • Require authorized remote access solutions to be used only from within your network, over approved channels such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
    • Block both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
  2. Implement application controls to manage and control execution of software:
    • Application controls should prevent installation and execution of unauthorized remote access programs, including portable versions.
    • Configure application allowlisting solution to block any unlisted application execution.
    • Enforce signed software execution policies.
  3. Strictly limit the use of RDP and other remote desktop services:
    • Audit the network for systems using RDP.
    • Close unused RDP ports.
    • Enforce account lockouts after a specified number of attempts.
    • Apply phishing-resistant multifactor authentication (MFA).
    • Log RDP login attempts.
  4. Disable command-line and scripting activities and permissions.
  5. Restrict the use of PowerShell:
    • Use Group Policy to only grant PowerShell access to specific users who manage the network or Windows operating systems.
    • Update PowerShell to the latest version and uninstall all earlier versions.
    • Enable enhanced PowerShell logging.
  6. Configure the Windows Registry to require User Account Control (UAC) approval for PsExec operations requiring administrator privileges.
  7. Review domain controllers, servers, workstations, and Active Directory for new and unrecognized accounts.
  8. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  9. Reduce the threat of credential compromise:
    • Place domain admin accounts in the Protected Users group to prevent caching of password hashes locally.
    • Implement Credential Guard for Windows 10 and Server 2016.
    • Refrain from storing plaintext credentials in scripts.
  10. Implement time-based access for accounts set at the admin level and higher.
  11. Implement a recovery plan and maintain offline backups of data:
    • Maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
    • Regularly maintain backup and restoration procedures.
    • Follow the 3-2-1 backup strategy.
  12. Require all accounts with password logins to comply with NIST standards for password policies.
  13. Require phishing-resistant multifactor authentication for all services.
  14. Keep all operating systems, software, and firmware up to date:
    • Patch vulnerable software and hardware systems promptly, within 24 to 48 hours of vulnerability disclosure.
    • Prioritize patching known exploited vulnerabilities in internet-facing systems.
  15. Segment networks to prevent the spread of ransomware.
  16. Identify, detect, and investigate abnormal activity and potential traversal of ransomware:
    • Implement a network monitoring tool that logs and reports all network traffic.
    • Consider using Endpoint Detection and Response (EDR) tools.
  17. Install, regularly update, and enable real-time detection for antivirus software on all hosts.
  18. Disable unused ports.
  19. Consider adding an email banner to emails received from outside your organization.
  20. Ensure all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.
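Items 3 (log RDP login attempts, enforce lockouts), 7 (review for new and unrecognized accounts) and 16 (detect abnormal activity) only pay off if someone turns the logs into alerts. The example below is added here and is not from the advisory or this site; it implements three detections that map directly onto the BianLian TTPs in Table 2 (RDP with valid accounts, T1078/T1021.001; local account creation and addition to Remote Desktop Users, T1136.001/T1098). The events are constructed samples in a simplified dict form of the Windows Security log fields (EventID, LogonType, IpAddress, TargetUserName, SubjectUserName, group name); the event IDs and logon type are the real Windows values, the timestamps, addresses and account names are made up.

```python
"""Three detections for the BianLian RDP playbook over constructed Security events.

Added example (not from the advisory). Events are a simplified dict form of a
Security-log export. Event IDs: 4625 failed logon, 4624 successful logon,
4720 account created, 4722 account enabled, 4732 member added to a
security-enabled local group. LogonType 10 is RemoteInteractive, i.e. RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RDP_LOGON_TYPE = 10
RDP_GROUP = "Remote Desktop Users"

# Constructed sample events: timestamps, addresses and names are invented.
SAMPLE_EVENTS: List[Dict] = [
    # A burst of failed RDP logons from one source against one account ...
    {"t": "2023-05-16T02:00:01", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"t": "2023-05-16T02:00:09", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"t": "2023-05-16T02:00:17", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"t": "2023-05-16T02:00:26", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"t": "2023-05-16T02:00:34", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    # ... followed by a success from the same source.
    {"t": "2023-05-16T02:01:02", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    # A new local account is then created and added to Remote Desktop Users.
    {"t": "2023-05-16T02:05:40", "id": 4720, "user": "svc_rdp2", "subject": "jsmith"},
    {"t": "2023-05-16T02:05:41", "id": 4732, "user": "svc_rdp2", "group": "Remote Desktop Users", "subject": "jsmith"},
    # Background noise: one typo by a legitimate user, and a console (type 2) failure.
    {"t": "2023-05-16T08:15:00", "id": 4625, "logon_type": 10, "user": "bwong", "src": "192.0.2.44"},
    {"t": "2023-05-16T08:16:00", "id": 4625, "logon_type": 2, "user": "bwong", "src": "-"},
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["t"])


def rdp_failure_bursts(events: List[Dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {src: peak failures in window} for sources whose failed RDP logons
    (4625 with LogonType 10) reach `threshold` inside any sliding `window`.
    Pair the threshold with the lockout policy from mitigation 3."""
    per_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            per_src[e["src"]].append(_ts(e))
    bursts: Dict[str, int] = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[src] = peak
    return bursts


def success_after_burst(events: List[Dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str]]:
    """Return (src, user, time) for successful RDP logons from a source that had
    at least `threshold` failures in the preceding `window`: a guessed or
    sprayed credential looks different from a user mistyping once."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    hits: List[Tuple[str, str, str]] = []
    for e in sorted(events, key=_ts):
        if e.get("logon_type") != RDP_LOGON_TYPE:
            continue
        t = _ts(e)
        if e["id"] == 4625:
            failures[e["src"]].append(t)
        elif e["id"] == 4624:
            recent = [f for f in failures[e["src"]] if t - f <= window]
            if len(recent) >= threshold:
                hits.append((e["src"], e["user"], e["t"]))
    return hits


def new_accounts_given_rdp(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (account, created_by, added_by) for accounts created or enabled
    (4720/4722) and later added to Remote Desktop Users (4732), the pattern
    behind T1136.001 and T1098 in Table 2."""
    created: Dict[str, str] = {}
    hits: List[Tuple[str, str, str]] = []
    for e in sorted(events, key=_ts):
        if e["id"] in (4720, 4722):
            created[e["user"]] = e["subject"]
        elif e["id"] == 4732 and e.get("group") == RDP_GROUP and e["user"] in created:
            hits.append((e["user"], created[e["user"]], e["subject"]))
    return hits


if __name__ == "__main__":
    print("RDP failure bursts:", rdp_failure_bursts(SAMPLE_EVENTS))
    print("success after burst:", success_after_burst(SAMPLE_EVENTS))
    print("new accounts given RDP:", new_accounts_given_rdp(SAMPLE_EVENTS))
```

On the sample, the first detection flags 203.0.113.7 (five failures in 33 seconds) but not the single typo from 192.0.2.44, the second flags the success that followed the burst, and the third flags svc_rdp2. In a real pipeline the event dicts would come from your SIEM or from `Get-WinEvent` exports, and the thresholds should be tuned to the lockout policy you set under mitigation 3.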

By implementing these mitigations, your organization can enhance its cybersecurity defenses against the threat actors’ activities and align with the recommended practices provided by FBI, CISA, and ACSC.

Conclusion: The BianLian ransomware and data extortion group poses a significant threat to organizations, targeting critical infrastructure sectors in the United States and Australia. By understanding their tactics, techniques, and procedures, and implementing effective mitigation strategies, organizations can enhance their resilience against this evolving threat. Stay informed, remain vigilant, and implement a comprehensive cybersecurity strategy to safeguard your business from the BianLian ransomware group and similar threats.

Sources: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
