Printer as a tool: BianLian's new blackmail method has covered critical infrastructure

Man

The FBI has described how the group's tactics changed in 2024.

The FBI, together with CISA and the Australian Cyber Security Centre (ACSC), has released a fact sheet on the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the BianLian group. The group is known for developing and deploying ransomware, and for data extortion.

BianLian has been active since 2022, attacking critical infrastructure sectors in the United States and Australia, including professional services and construction businesses. Initially the attackers used a double extortion scheme: they encrypted data and threatened to publish it. Since January 2023, however, the main method has been data theft and extortion without encryption, and since January 2024 encryption has been dropped from the attack chain entirely.

To gain initial access, the attackers use stolen RDP credentials and exploit the ProxyShell vulnerabilities. Once inside, they install tools for remote access and for tunnelling and concealing command-and-control traffic, such as Ngrok and Rsocks. They also escalate privileges by exploiting CVE-2022-37969 (CVSS score: 7.8), a vulnerability in the Windows Common Log File System (CLFS) driver.

To hide their activity, the attackers use PowerShell and the Windows Command Shell to disable antivirus and other endpoint protection and to obfuscate files. They also use network scanning tools such as Advanced Port Scanner, along with scripts for harvesting credentials and Active Directory data.

The BianLian group collects sensitive files using PowerShell scripts that search for and compress the data before it is transferred via FTP, Rclone, or the Mega file-sharing service. To increase pressure on victims, the attackers send threatening notes to corporate printers or contact company employees by phone.

Experts from the FBI, CISA and ACSC urge organizations to apply best practices to minimize the risk of such attacks. The main measures are auditing remote access, strict network segmentation, multi-factor authentication (MFA) and regular system updates. They also recommend backing up data and regularly testing security controls against the attacker techniques described in the advisory.
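The TTPs described above (RDP with stolen credentials, Ngrok/Rsocks tunnels, PowerShell used to disable protection, Advanced Port Scanner, PowerShell archiving and Rclone/Mega exfiltration) and the remote-access auditing recommended here can be turned into simple detection rules. The script below is an added example and is not code from the post or from the FBI/CISA/ACSC advisory. It runs a small rule set over constructed, Sysmon-style process-creation events and Windows logon events, flags RDP logons from outside the RFC 1918 ranges, and reports hosts on which more than one stage of the described chain appears. All event contents, field names, host names and rule names are assumptions made for illustration.

```python
"""Added example: triage constructed endpoint/logon events against detection
rules derived from the BianLian TTPs described in the post.  Nothing here is
real telemetry; every event, host and user name is constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample events.  Field names mimic Sysmon Event ID 1 (process
# create) and Windows Security Event ID 4624 (logon; type 10 = RemoteInteractive).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-017", "user": "CORP\\jdoe", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 1, "host": "ws-017", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"id": 1, "host": "fs-02", "user": "CORP\\svc_backup",
     "image": "C:\\Tools\\Advanced_Port_Scanner.exe",
     "cmdline": "Advanced_Port_Scanner.exe /range:10.0.0.0/24"},
    {"id": 1, "host": "fs-02", "user": "CORP\\svc_backup", "image": PS,
     "cmdline": "powershell.exe Compress-Archive -Path \\\\fs-02\\finance -DestinationPath C:\\Temp\\f.zip"},
    {"id": 1, "host": "fs-02", "user": "CORP\\svc_backup", "image": "C:\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy C:\\Temp\\f.zip remote:share"},
    {"id": 1, "host": "ws-042", "user": "CORP\\asmith",
     "image": "C:\\Program Files\\Git\\bin\\git.exe", "cmdline": "git.exe pull"},   # benign
    {"id": 4624, "host": "ws-017", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"id": 4624, "host": "ws-042", "user": "CORP\\asmith", "logon_type": 10, "src_ip": "10.20.1.8"},
    {"id": 4624, "host": "ws-042", "user": "CORP\\asmith", "logon_type": 2, "src_ip": "-"},
]

# Rule names are hypothetical "<stage>.<name>" labels; patterns match the tools
# and cmdlets the post names.  Each rule is checked against command line and image.
PROCESS_RULES = [
    ("defense_evasion.av_tamper", re.compile(r"Set-MpPreference.*-Disable", re.I)),
    ("c2.tunnel", re.compile(r"\b(ngrok|rsocks)\b", re.I)),
    ("discovery.port_scan", re.compile(r"advanced[_ ]port[_ ]scanner", re.I)),
    ("collection.archive", re.compile(r"Compress-Archive", re.I)),
    ("exfil.tool", re.compile(r"\brclone\b|mega\.nz", re.I)),
]

# Only RFC 1918 space counts as internal; anything else (including "-") is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    detail: str


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Apply the process rules and the external-RDP check; return all findings."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            for name, pattern in PROCESS_RULES:
                if pattern.search(ev["cmdline"]) or pattern.search(ev["image"]):
                    findings.append(Finding(name, ev["host"], ev["user"], ev["cmdline"]))
        elif ev["id"] == 4624 and ev.get("logon_type") == 10 and not is_internal(ev["src_ip"]):
            findings.append(Finding("initial_access.external_rdp", ev["host"], ev["user"],
                                    f"RDP logon from {ev['src_ip']}"))
    return findings


def hosts_with_chain(findings, min_stages=2):
    """Group findings by host and keep hosts where >= min_stages distinct stages fired.
    A single hit may be noise; several stages of the described chain on one host is not."""
    stages = {}
    for f in findings:
        stages.setdefault(f.host, set()).add(f.rule.split(".")[0])
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.host} {f.user}: {f.detail}")
    print("hosts with multi-stage activity:", hosts_with_chain(found))
```

Run as a script it lists each finding and then the two constructed hosts on which several stages coincide; the benign `git.exe` event and the RDP logon from an internal address on `ws-042` produce nothing. In practice the event source would be a SIEM export or Sysmon/Security log channel, the external-address check would use the organization's own address allocation rather than the RFC 1918 ranges alone, and the rules would be tuned against the environment's normal use of tools such as Rclone.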
