HoundER Blog

BianLian Ransomware: Unveiling Initial Access and the Urgency of Robust Patch Management in the Fight Against Ransomware

The threat landscape in the digital realm continues to evolve, with cybercriminals constantly devising new and sophisticated methods to exploit vulnerabilities. One such threat actor group, known as BianLian, has gained notoriety for its malicious activities. In response to the increasing ransomware attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has launched the #StopRansomware initiative. On the 18th of May 2023, CISA released the advisory AA23-136A and this article sheds light on the BianLian Ransomware Group, their Initial Access techniques within the MITRE ATT&CK framework, and highlights the importance of robust patch management processes, along with the role of HoundER Attack Surface Management in enhancing cybersecurity defenses.

The BianLian Ransomware Group:

The BianLian Ransomware Group is a highly organized cybercriminal organization responsible for executing ransomware attacks. The group employs advanced techniques to gain unauthorized access to systems and encrypt valuable data, demanding significant ransom payments in exchange for decryption keys. Their operations pose a severe threat to organizations across various sectors, including government agencies, healthcare, and private enterprises.

Initial Access:

In the case of the BianLian Ransomware Group, their initial access techniques include:
  • External Remote Services [T1133]: The group exploits weaknesses in externally accessible remote services, such as Remote Desktop Protocol (RDP), to gain a foothold into targeted networks. Adversaries typically leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.
  • Credentials from Valid Accounts [T1078] used by BianLian are likely obtained from compromised users likely acquired from access broker actors in the dark web or obtained via Phishing [T1566] attacks.
  • Exploit Public-Facing Application [T1190]: BianLian leverages vulnerabilities within web applications to breach security defenses and establish unauthorized access. Access may also be gained through exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.

Mitigations and Importance of Robust Patch Management:

To mitigate the risks posed by the BianLian Ransomware Group and similar threat actors, organizations must prioritize robust patch management processes. Regular and timely patching of operating systems, software, and firmware is crucial, especially for systems exposed to the internet. By promptly applying security patches and updates, organizations can significantly reduce the attack surface and minimize the likelihood of successful exploitation. In addition, it is recommended:
  • Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.
  • Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations.
  • Deny direct remote access to internal systems using network proxies, gateways, and firewalls.
  • Disable or block remotely available services that may be unnecessary.

HoundER Attack Surface Management offers a comprehensive approach to discovering, notifying, and prioritizing remediation of known exploited vulnerabilities in internet-facing systems. Our platform plays a pivotal role in enhancing organizations security posture by alerting about the exposure of remote administration services. Furthermore, HoundER identifies web application vulnerabilities, providing valuable insights for effective vulnerability and patching management programs.

Recognizing the urgency and severity of ransomware attacks, CISA has launched the #StopRansomware initiative. This initiative aims to raise awareness about the evolving threat landscape, promote best practices, and provide guidance to organizations in defending against ransomware attacks. The #StopRansomware initiative emphasizes the adoption of robust patch management processes, among other essential security measures, to safeguard against these threats.

The BianLian Ransomware Group's activities highlight the ever-present danger of ransomware attacks in today's digital landscape. Organizations must prioritize robust patch management processes to keep their systems secure. By leveraging HoundER Attack Surface Management and embracing the guidelines set forth by initiatives like #StopRansomware, organizations can enhance their cybersecurity defenses, mitigate vulnerabilities, and protect their valuable assets from the clutches of ransomware attackers.


CISA Advisory AA23-136A: https://www.us-cert.cisa.gov/ncas/alerts/aa23-136a
#StopRansomware Initiative: https://www.cisa.gov/stopransomware
MITRE ATT&CK Framework: https://attack.mitre.org/
ASM Cyber Intelligence Vulnerability Management