The FBI and friends have warned organizations to “strictly limit the use of RDP and other remote desktop services” to avoid BianLian infections and the ransomware gang’s extortion attempts that follow the data encryption.
In a 19-page joint alert [PDF] issued Tuesday, the FBI, along with the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC), warned admins about the extortion crew’s indicators of compromise along with its tactics, techniques and procedures observed as recently as March.
BianLian typically gains access to victims’ Windows systems using valid Remote Desktop Protocol (RDP) credentials (hence the advice to shore up RDP security) and then uses off-the-shelf software tools and command-line scripting to harvest more credentials and snoop through the network and its files. The alert does not say how those RDP credentials are obtained in the first place; presumably the miscreants guess, phish, or buy them, so hardening RDP itself, if not limiting or blocking access outright, and keeping an eye on what happens after a logon are both worthwhile.
Once the intruders are in and have found sensitive data they can use to extort their victims, they exfiltrate it using FTP, Rclone, and the Mega file-sharing service, according to the agencies.
To lessen the chance of becoming BianLian’s next victim, the agencies urge organizations not only to lock down RDP but also to disable or limit command-line and scripting activities and permissions, restrict the execution of application software, and restrict the use of PowerShell. Updating Windows PowerShell or PowerShell Core to the latest version is a good idea, too.
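The following script is an added example for this article, not code from the joint advisory or from the agencies that issued it. It audits the controls the alert names (RDP exposure, Network Level Authentication, firewall scope, who can log on over RDP, account lockout, PowerShell version, the legacy 2.0 engine, PowerShell logging, language mode, and whether AppLocker or WDAC is actually enforcing anything) and reports each gap as a finding. It assumes it is run in an elevated PowerShell session on the Windows host being checked; the `-Remediate` switch is a hypothetical addition that applies the registry fixes rather than only reporting them.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory or the article): audit the RDP and
# PowerShell hardening the joint alert asks for. Run elevated on the host.
# -Remediate is a hypothetical switch: apply fixes instead of only reporting.
[CmdletBinding()]
param([switch]$Remediate)

$findings = [System.Collections.Generic.List[string]]::new()
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = Join-Path $tsKey 'WinStations\RDP-Tcp'

# --- RDP: is it on, is NLA enforced, is the transport TLS? -------------------
$rdpOn = (Get-ItemProperty $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla   = (Get-ItemProperty $rdpTcp -Name UserAuthentication).UserAuthentication
$layer = (Get-ItemProperty $rdpTcp -Name SecurityLayer).SecurityLayer   # 2 = TLS required
if ($rdpOn) {
    $findings.Add('RDP is enabled: confirm this host needs it at all (the alert says strictly limit RDP).')
    if ($nla -ne 1)   { $findings.Add('NLA is off: unauthenticated clients reach the logon screen and can guess passwords.') }
    if ($layer -ne 2) { $findings.Add("RDP SecurityLayer is $layer; 2 (TLS) is expected.") }
    if ($Remediate) {
        Set-ItemProperty $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        Set-ItemProperty $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
    }
}

# --- RDP: firewall scope and who is allowed in -------------------------------
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings.Add("Firewall rule '$($_.DisplayName)' accepts RDP from any address; scope it to jump hosts or the VPN range.")
        }
    }
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\\(Everyone|Domain Users|Authenticated Users)$' } |
    ForEach-Object { $findings.Add("Remote Desktop Users contains the broad principal $($_.Name).") }

# Guessed or stolen credentials are the entry vector, so lockout policy matters.
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
if ($lockoutLine -match 'Never') { $findings.Add('No account lockout threshold: RDP password guessing is unthrottled.') }

# --- PowerShell: version, legacy engine, logging, language mode ---------------
$ver = $PSVersionTable.PSVersion
if ($ver.Major -lt 5 -or ($ver.Major -eq 5 -and $ver.Minor -lt 1)) {
    $findings.Add("Windows PowerShell $ver predates script block logging and AMSI; update it as the alert advises.")
}
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
if ($v2 -and $v2.State -eq 'Enabled') {
    $findings.Add('PowerShell 2.0 engine is installed; attackers launch it to sidestep logging and AMSI (downgrade).')
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null }
}

# Policy keys that make PowerShell activity visible to defenders.
$logKeys = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' = 'EnableScriptBlockLogging'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'      = 'EnableModuleLogging'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'      = 'EnableTranscripting'
}
foreach ($key in $logKeys.Keys) {
    $name = $logKeys[$key]
    $val  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -ne 1) {
        $findings.Add("$name is not enabled; turn it on so command-line and script activity is recorded.")
        if ($Remediate) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        }
    }
}

if ($ExecutionContext.SessionState.LanguageMode -ne 'ConstrainedLanguage') {
    $findings.Add('Session runs in FullLanguage: scripts can call .NET and Win32 APIs freely; enforce WDAC/AppLocker to constrain it.')
}

# --- Application control: is anything actually enforcing? ---------------------
$appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
$dg    = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$wdacEnforced = $dg -and $dg.CodeIntegrityPolicyEnforcementStatus -eq 2   # 0 off, 1 audit, 2 enforced
if (-not $wdacEnforced -and (-not $appId -or $appId.Status -ne 'Running')) {
    $findings.Add('Neither WDAC enforcement nor the AppLocker service (AppIDSvc) is active; execution is not being restricted.')
}

if ($findings.Count -eq 0) { 'No findings: RDP and PowerShell controls match the advisory baseline.' }
else { $findings | ForEach-Object { "[FINDING] $_" } }
```

Run it once in report mode and read the findings before using `-Remediate`: forcing `UserAuthentication` to 1 will lock out any legacy RDP clients that cannot do NLA, and the firewall and group-membership checks only flag the problem, since the right jump-host range and the right list of permitted accounts are decisions the script cannot make for you.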
There’s other advice you should check out,