CyberWire Daily - CISA Alert AA23-136A – #StopRansomware: BianLian Ransomware Group. [CISA Cybersecurity Alerts]
Episode Date: May 18, 2023

FBI, CISA, and the Australian Cyber Security Centre are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.

AA23-136A Alert, Technical Details, and Mitigations

AA23-136A.STIX_.xml

Stopransomware.gov, a whole-of-government approach with one central location for U.S. ransomware resources and alerts.

cyber.gov.au for the Australian Government’s central location to report cyber incidents, including ransomware, and to see advice and alerts. The site also provides ransomware advisories for businesses and organizations to help mitigate cyber threats.

CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide for guidance on mitigating and responding to a ransomware attack.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.
Transcript
You're listening to the CyberWire Network, powered 16th, 2023.

FBI, CISA, and the Australian Cyber Security Centre are releasing this joint cybersecurity advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.

BianLian is a cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development.

The group gains access to victim systems through valid Remote Desktop Protocol, or RDP, credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol, Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made.

BianLian group originally employed a double extortion model in which they encrypted victims' systems after exfiltrating the data. However, around January 2023, they shifted to primarily exfiltration-based extortion.

To mitigate cyber threats from BianLian ransomware and data extortion, system administrators should strictly limit the use of RDP and other remote desktop services, disable command-line and scripting activities and permissions, and restrict usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version.

Thank you.

to reduce the likelihood and impact of BianLian and other ransomware incidents. A link to this report can be found in the show notes.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report@cisa.gov, call 888-282-0870 or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by N2K Networks as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.