Recommendations for Mitigating BianLian Ransomware Group attack

To enhance your organization's cybersecurity posture and counter the activities of the BianLian Ransomware Group, we advise implementing the following mitigations. These measures align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST (the National Institute of Standards and Technology). The CPGs outline a minimum set of practices and protections recommended for all organizations, based on existing cybersecurity frameworks and guidance that target common and impactful threats and tactics.

1. Reduce the risk of malicious actors using remote access tools by taking the following actions:

   - Conduct an audit of remote access tools on your network to identify authorized and currently used software.

   - Review logs to detect abnormal use of portable executable programs running remote access software.

   - Utilize security software capable of detecting instances where remote access software is loaded only in memory.

   - Allow authorized remote access solutions strictly from within your network, using approved methods like virtual private networks (VPNs) or virtual desktop interfaces (VDIs).

   - Block inbound and outbound connections on common remote access software ports and protocols at the network perimeter.

   - Implement application controls to manage and control the execution of software, including allowing only approved remote access programs.

   - Employ application allowlisting to prevent the installation and execution of unauthorized remote access software, including portable versions that evade traditional antivirus solutions.

For additional guidance, refer to the NSA Cybersecurity Information Sheet on enforcing signed software execution policies.

2. Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services. If RDP is necessary, adhere to best practices such as:

   - Conduct network audits to identify systems using RDP.

   - Close unused RDP ports.

   - Enforce account lockouts after a specified number of failed login attempts.

   - Implement phishing-resistant multifactor authentication (MFA).

   - Log RDP login attempts.

   - Disable command-line and scripting activities and permissions.

   - Restrict the use of PowerShell to specific users who manage the network or Windows operating systems.

   - Keep PowerShell updated to the latest version and uninstall older versions.

   - Enable enhanced PowerShell logging to capture valuable data for monitoring and incident response.

3. Review domain controllers, servers, workstations, and active directories to identify any new or unrecognized accounts. Audit user accounts with administrative privileges and configure access controls based on the principle of least privilege.

4. Reduce the risk of credential compromise by implementing the following measures:

   - Place domain admin accounts in the protected users' group to prevent local caching of password hashes.

   - Implement Credential Guard for Windows 10 and Server 2016, or enable Protected Process Light for Local Security Authority (LSA) on Windows Server 2012R2.

   - Avoid storing plaintext credentials in scripts.

   - Implement time-based access for admin-level accounts using methods like Just-in-Time (JIT) access provisioning.

In addition to the above recommendations, the FBI, CISA, and ACSC suggest the following mitigations to limit the adversarial use of system and network discovery techniques and reduce the impact and risk of ransomware or data extortion:

1. Develop and maintain a recovery plan that includes multiple copies of sensitive data and servers stored in physically separate, segmented, and secure locations. Maintain offline backups of data, following the 3-2-1 backup strategy (three copies, two media types, one off-site).

2. Ensure that all accounts with password logins comply with NIST standards for password policies. Use longer passwords, store passwords in hashed format using recognized password managers, add password user "salts" to shared login credentials, avoid password reuse, implement multiple failed login attempt account lockouts, disable password hints, and limit


Post a Comment

Twitter Facebook Favorites More