One Article Review

Home - The article:
Source RiskIQ
Identifier 8618094
Publication date 2024-11-27 20:21:51 (viewed: 2024-11-27 21:08:44)
Title CISA says BianLian Ransomware Now Focuses Only on Data Theft
Text

## Snapshot

The BianLian ransomware operation, initially known for its double-extortion model combining file encryption with data exfiltration, has now transitioned to focusing primarily on data-theft extortion.

## Description

This shift was highlighted in an updated advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre. The advisory notes that BianLian has moved away from file encryption, particularly after a decryptor was released by Avast in January 2023, and has been exclusively practicing exfiltration-based extortion since January 2024. BianLian's updated tactics include targeting Windows and ESXi infrastructure, potentially using the ProxyShell exploit chain for initial access, and exploiting CVE-2022-37969 to escalate privileges on Windows 10 and 11. The group uses Ngrok and a modified Rsocks to create SOCKS5 tunnels that mask traffic destinations, employs UPX packing to evade detection, and renames binaries and scheduled tasks to mimic legitimate Windows services. Additionally, the operators create Domain Admin and Azure AD accounts, perform network logons via SMB, install webshells on Exchange servers, and use PowerShell scripts to compress data before exfiltration. The group has also introduced a new Tox ID for victim communication, prints ransom notes on printers connected to compromised networks, and even calls employees to pressure them. Active since 2022, BianLian has listed 154 victims on its extortion portal and has been involved in notable breaches, including those against Air Canada, Northern Minerals, and the Boston Children's Health Physicians. The group has also claimed breaches against several other organizations, although these have not been confirmed. Despite their Russian origin, BianLian attempts to obscure their location by using foreign-language names.
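Two of the behaviours above leave traces in the Windows Security log: adding an account to Domain Admins (event 4728) and creating a scheduled task whose name imitates a Windows service but whose binary lives outside the Windows directory (event 4698). The following is an added example, not code from RiskIQ, CISA or the advisory; the event field names, the service-name list and the trusted-path pattern are assumptions chosen for this illustration, and the events are constructed samples.

```python
"""Hunt constructed Windows Security events for two BianLian-style behaviours:
membership added to Domain Admins, and scheduled tasks named after Windows
services but launched from a non-Windows path."""
import re
from typing import Dict, List, Tuple

# Illustrative set of legitimate Windows service names an attacker may imitate (assumption).
WINDOWS_SERVICE_NAMES = {"wuauserv", "WinDefend", "Schedule", "Spooler", "BITS"}
# Where genuine Windows service binaries normally live (assumption for this example).
TRUSTED_PATH = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)

# Constructed sample events, not real telemetry; fields mirror common Security log fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4728", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example", "SubjectUserName": "jdoe"},
    {"EventID": "4728", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=alice,CN=Users,DC=corp,DC=example", "SubjectUserName": "helpdesk"},
    {"EventID": "4698", "TaskName": "\\Microsoft\\Windows\\WinDefend",
     "Command": "C:\\Users\\Public\\WinDefend.exe", "SubjectUserName": "jdoe"},
    {"EventID": "4698", "TaskName": "\\Microsoft\\Windows\\Spooler",
     "Command": "C:\\Windows\\System32\\spoolsv.exe", "SubjectUserName": "SYSTEM"},
    {"EventID": "4698", "TaskName": "\\Backup\\Nightly",
     "Command": "C:\\Program Files\\Backup\\run.exe", "SubjectUserName": "svc-backup"},
]


def is_domain_admin_add(evt: Dict[str, str]) -> bool:
    """4728: a member was added to a security-enabled global group; flag Domain Admins."""
    return evt.get("EventID") == "4728" and evt.get("TargetUserName") == "Domain Admins"


def is_service_mimic_task(evt: Dict[str, str]) -> bool:
    """4698: task created; flag a service-like name whose command is outside Windows dirs."""
    if evt.get("EventID") != "4698":
        return False
    leaf = evt.get("TaskName", "").rsplit("\\", 1)[-1]
    return leaf in WINDOWS_SERVICE_NAMES and not TRUSTED_PATH.match(evt.get("Command", ""))


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (finding_type, subject, detail) tuples for suspicious events."""
    findings = []
    for evt in events:
        if is_domain_admin_add(evt):
            findings.append(("domain_admin_added", evt["SubjectUserName"], evt["MemberName"]))
        elif is_service_mimic_task(evt):
            findings.append(("service_name_mimic_task", evt["SubjectUserName"], evt["Command"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the hunt reports one Domain Admins addition and one mimic task; the genuine Spooler task under System32 and the unrelated backup task are not flagged.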
## Recommendations

Microsoft recommends the following mitigations to defend against this threat:

- Keep software up to date. Apply new security patches as soon as possible.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=magicti_ta_learndoc) to help prevent access to malicious domains.
- Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Read our [ransomware threat overview](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening.

Microsoft Defender customers can turn on [attack surface reduction rules](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=magicti_ta_learndoc) to help prevent common attack techniques used by Onyx Sleet:

- [Block executab
Notes ★★
Sent Yes
Tags Ransomware Tool Threat
Stories APT 45
The article does not seem to have been picked up after its publication.

The article does not seem to have been picked up from an earlier one.