Between June 05-12, 2024, Blackpoint’s Security Operations Center (SOC) responded to 89 total incidents. These incidents included 14 on-premises MDR incidents, 2 Cloud Response for Google Workspace, and 73 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:
- Potential Bianlian ransomware featuring persistence and lateral movement techniques;
- TeamViewer for persistence and defense evasion; and
- BitLocker , likely for encryption.
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.
Potential BianLian Ransomware Incident with Consumer Cyclicals Partner on 2024-06-06
Topline Takeaways
- Industry target: Consumer Cyclicals
- Attacker information:
- winppx
- netstat
- RDP
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use to exploit other Consumer Cyclicals organizations over the next 12 months.
- Recommended remediations and mitigations:
- Heuristics-based activity monitoring and remediation
- Regularly audit both environment and endpoints
- Least-privilege access controls
- Create and maintain data backups
Potential BianLian Ransomware Incident Timeline for 2024-06-06
- Blackpoint’s MDR+R technology alerted to suspicious lateral spread from a Consumer Cyclicals’s partner’s network. The impacted user’s profile:
- Remotely executed code on the affected device to set up an initial foothold within the network.
- Created a persistence mechanism on the affected device.
- Added a file titled “startup.exe” to the directory C:\Users\$username\AppData\Roaming\.
- Blackpoint’s Active SOC team monitored several malicious actions within the compromised environment, including the utilization of an additional persistence mechanism through the winppx service on the same device:
- The binary created a netstat connection to IP address 94.198.50[.]195 via the executable svhost.exe, which was masquerading as the legitimate executable svchost.exe.
- The APG and other threat researchers previously linked the observed IP address to BianLian ransomware operations.
- The malicious executable utilized bcdedit.exe to disable integrity checks; net.exe executed winppx.
- Active SOC analysts also observed numerous lateral movement attempts after established persistence mechanisms, including the use of RDP to move laterally to other devices on the compromised network and additional use of local administrator accounts to RDP to two morehost devices.
- The binary created a netstat connection to IP address 94.198.50[.]195 via the executable svhost.exe, which was masquerading as the legitimate executable svchost.exe.
- Blackpoint’s MDR+R technology also alerted to credential theft techniques by the threat actor on three affected hosts.
- Blackpoint’s Active SOC team isolated all affected devices to prevent any additional malicious activity, then contacted the impacted Consumer Cyclicals partner to discuss needed remediation and additional details of the incident.
More About BianLian Ransomware
Click for details
BianLian is a Golang-based ransomware-as-a-service (RaaS) that has been active since at least 2022. The group previously (from 2022 – 2023) operated a RaaS and used a double extortion method, where the ransomware both encrypted the victim’s machines and exfiltrated sensitive data; the group threated to leak the stolen data if the ransom demand was not paid.
However, in 2023, the group was observed stealing sensitive data and extorting victims, avoiding the encryption portion of a typical ransomware attack. Avast researchers released a decryptor for the BianLian ransomware in 2023, which likely led to the groups’ change in tactics (1).
The IP address, 94.198.50[.]195, has previously been attributed to BianLian operations and is registered in Russia (2). BianLian often uses valid credentials for persistence, defense evasion, and lateral movement. The group extracts credentials from the victim environment, creates new administration accounts, or modifies existing accounts’ passwords to allow incoming RDP traffic.
BianLian encrypts files using the AES256 algorithm and, as opposed to other operations, the AES key is not encrypted by a public key and is not stored in the encrypted files. The malware divided the file content into 10-byte chunks. It reads ten bytes from the original file, then encrypts the bytes, and writes the encrypted data into the target file.
From 2023 April 01 – 2024 March 31, BianLian operators listed 220 victims on their data leak site, with the majority of those victims in the Healthcare vertical and the majority based in the U.S. It is very likely that BianLian has targeted many more victims, as the tracked numbers include only those listed on the group’s data leak site and omits victims that paid the ransom or were not listed for other reasons.
APG Threat Analysis of BianLian Ransomware for 2024
Click for details
The APG predicts that threat actors will very likely continue to use BianLian ransomware and other ransomware variants to attack Consumer Cyclicals organizations over the next 12 months.
The APG bases this assessment on internal Blackpoint observed attacks and external incident reports that detail BianLian ransomware activity.
- In February 2024, a new ransomware operation, TriSec, claimed responsibility for a ransomware attack targeting an Ireland-based Consumer Cyclicals company on their data leak site (4). Due to the new operation, little analysis has been done on the variant; however, the group claims to be a private operation that is state funded. The nature of the operations remains unverified at the time of writing (June 2024).
- In March 2024, security researchers with Guidepoint Security reported that BianLian ransomware operators claimed responsibility for a ransomware attack targeting a hospital network in Australia (3). As BianLian has often been observed exfiltrating data without encryption, it is likely that the group did not encrypt the network of the hospital.
- In May 2024, LockBit ransomware operators listed a Europe-based Consumer Cyclicals company on their data leak site, per the APG’s own internal threat actor tracking. The group reportedly demanded a $25 million ransom payment. The group claimed to have accessed employee information, classified head office files, and more. The post was removed from the LockBit data leak site; however, it is not known if the company paid the ransom demand or if the post was removed for another reason.
Recommended BianLian Ransomware Mitigations and Remediations
Click for details
Blackpoint’s APG recommends the following actions to help mitigate the deployment of ransomware and the use of legitimate processes and services for persistence and lateral movement.
- Monitor system activity through heuristics-based triggers and alerts, which can help identify legitimate software being installed or used in suspicious or abnormal methods and identify behaviors consistent with ransomware activity.
- Regularly audit both environment and endpoints, that can aid in identifying previously unknown (or unapproved) installed software that can be abused for malicious actions.
- Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conduct certain activities in the event of a possible account compromise.
- Create and maintain data backups that can aid in recovery in the event of ransomware attacks; this should include offline backups and regular testing to ensure the backups are sufficient and usable in the event of an incident.
TeamViewer and Living off the Land (LotL) Incident with Industrials Partner on 2024-06-09
Topline Takeaways
- Industry target: Industrials
- Attacker information:
- scheduled task “Antivirus Emergency Update”, “AVG Antivirus Patcher”, and “Overseer”
- TeamViewer
- Adding Registry Keys
- Antivirus (AV) and / or EDR present in environment? No
- The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use LotL techniques for persistence and defense evasion to exploit other Industrials organizations over the next 12 months.
- Multifactor authentication (MFA)
- Application allowlisting and blocklisting
- Heuristics-based activity monitoring and remediation
- Risk-based patch management programs
TeamViewer and Living off the Land (LotL) Incident Timeline for 2024-06-06
- Blackpoint’s MDR+R technology alerted to suspicious activity on an Industrial partner’s user account.
- Active SOC analysts observed multiple malicious actions on the compromised user account, including:
- Deleting over 1,115 logs on a host;
- Opening up programs and features in the control panel, then spawning “Network Security.exe” and a cmd session, which would create the directory C:\Users\$username\AppData\Local\Temp\ztmp, if it did not already exist;
- Checking if “tmp875.exe” existed in the directory, and if it did, deleting;
- Executing a third cmd session (“tmps852.bat”);
- Deleting the batch script and the executable; and
- Attempting to hide the “ztmp” folder by using attrib +h and navigating to a website to uninstall any identified security software.
- Blackpoint’s Active SOC conducted further analysis, finding:
- An executable installed in the user’s downloads folder and scheduled tasks for persistence;
- Threat actor use of TeamViewer; and
- Multiple registry keys on the local machine’s registry hive.
- The first key added “SupportPhone” with the string “Can’t Talk @WhatsApp Only +$phonenumber”.
- The second key added “SupportURL” with the string “hxxps[://]www[.]facebook[.]com/$username”.
- The third registry key added “Secondary Start Pages” that pointed to two websites.
- Active SOC analysts isolated the affected devices to prevent any additional malicious activity before reaching out to the Industrials partner on next step and additional remediation advice.
More About TeamViewer Abuse
Click for details
TeamViewer is a remote administration tool that can be used to remotely access machines and conduct activities such as updates, installation and removal of software/services, and other remote activities.
Threat actors often find these types of tools an attractive target and tool to use during cyberattacks (5)due to:
- The access these types of tools provide;
- The ability to remain undetected and blend into normal traffic; and
- The potential for persistent access to compromised networks.
APG Threat Analysis of TeamViewer Abuse and Other Living off the Land (LotL) Techniques for 2024
Click for details
The APG predicts that threat actors will very likely continue to abuse TeamViewer and other allowlisted tools as part of a Living off the Land (LotL) strategy for peristence and defense evasion over the next 12 months.
We base this assessment on internal Blackpoint observed attacks and external reporting related to the use of TeamViewer during a cyberattack.
Blackpoint’s APG has tracked at least three ransomware operations that have used TeamViewer during cyberattacks, which include:
- BianLian
- LockBit
- Trigona
Furthermore, security researchers with ReliaQuest reported that between 2022 and 2024, more than one third of the intrusions the company responded to involved RMM tools (6).
Threat actors are likely going to continue to abuse and target remote administration tools both for persistence and initial access, given their high level of access within target environments. Threat actors will also likely continue to install these tools, including TeamViewer, post-intrusion to maintain persistent access to victim environments.
However, threat actors will also likely target vulnerabilities, credentials, and weaknesses in pre-installed tools to gain access to victim environments.
Recommended TeamViewer Abuse and Other Living off the Land (LotL) Mitigations and Remediations
Click for details
Blackpoint’s APG recommends the following actions to help mitigate the abuse of TeamViewer for persistence and defense evasion.
- Enable multi-factor authentication (MFA), which can help identify malicious or anomalous logins and require an additional step for securing user accounts.
- Implement application controls to help manage and control the installation of software, including RMM software.
- Monitor system activity through heuristics-based triggers and alerts, which can aid in identifying the malicious install, use, and presence of unapproved tools and malicious activities on devices.
- Implement a patch management program to ensure that security vulnerabilities are patched in a timely manner in operationally-critical-yet-frequently-abused services, such as RMM tools, to prevent exploitation.
BitLocker and Encrypted File System User Interface (efsui.exe) Incident with Professional & Commercial Services Partner on 2024-06-10
Topline Takeaways
- Industry target: Professional & Commercial Services
- Attacker information:
- Encrypted File System User Interface (efsui.exe)
- LSASS
- BitLocker
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use BitLocker encryption to exploit other Professional & Commercial Services organizations over the next 12 months.
- Recommended remediations and mitigations:
- Improve endpoint, asset, and overall environment visibility
- Password managers
- Zero trust network architecture
- Scripting language controls
BitLocker and Encrypted File System User Interface (efsui.exe) Incident Timeline for 2024-06-06
- Blackpoint’s MDR+R technology alerted to the remote execution of the Encrypted File System User Interface (efsui.exe) on a Professional & Commercial Services partner’s host.
- The specific command observed “efsui.exe /efs /enroll /setkey” performed an enrollment process and set an encryption key.
- The /enroll and /setkey flags likely indicate that a new user without an EFS private key attempted to execute the activity.
- If BitLocker was recently enabled/disabled on the machine, efsui.exe may inject into lsass.exe and spawn a UI prompt asking the user to set and record a backup key.
- Blackpoint’s Active SOC team isolated the affected devices to prevent additional suspicious and malicious activity, before reaching out to the Professional & Commercial Service’s partner with additional remediation advice and incident details.
More About BitLocker
Click for details
BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
BitLocker helps mitigate unauthorized data access by enhancing file and system protections, rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled (7).
For threat actors seeking to hold victim organizations ransom (“Pay us or you can’t have your device or data, so you can’t do business!”), BitLocker presents a welcome opportunity as an often allowlisted tool already present within a given environment.
APG Threat Analysis of BitLocker and Encrypted File System User Interface (efsui.exe) Abuse for 2024
Click for details
The APG predicts that threat actors will very likely continue to abuse BitLocker over the next 12 months.
This assessment is based on internal Blackpoint observed attacks and external reporting related to threat actors’ abuse of BitLocker.
- In May 2024, security researchers with Kaspersky reported ransomware attacks had been using Microsoft’s BitLocker to attempt encryption of corporate files. The threat actors removed the recovery options to prevent the files from being restored and used a malicious script that detected specific Windows versions and enabled BitLocker (8). Additionally, the threat actors delete the protectors used to secure BitLocker’s encryption key so that the victim can’t recover them.
- In 2022, security researchers with Microsoft reported that DEV-0270 had been observed abusing the BitLocker service to attempt encryption of a victim’s network. The group reported demanded ransom payments of more than $8,000 for decryption keys (9).
Threat actors find BitLocker an attractive tool because they can conduct encryption-based attacks by leveraging a tool built into the operating system.
While the majority of ransomware operators utilize their own (or purchased) ransomware encryptor as they typically have more capabilities, such as exfiltrating sensitive data. BitLocker provides an integrated tool for conducting simple ransomware attacks, which can still be detrimental to an organization’s data.
Recommended BitLocker and Encrypted File System User Interface (efsui.exe) Abuse Mitigations and Remediations
Click for details
Blackpoint’s APG recommends the following actions to help mitigate the malicious abuse of tools such as BitLocker as part of threat actors’ living off the land (LotL) strategies.
- Improve security visibility of networks, endpoints, and other managed assets to aid in detecting and alerting to suspicious actions and use of OS-integrated tools, such as BitLocker.
- Create and implement a strong password policy to provide additional protection on devices with BitLocker enabled; and can ensure that passwords and recovery keys are stored in a secure location.
- Operate from a zero-trust mentality, which assumes that all requests to each resource is malicious and embodies aggressive and continuous monitoring and management. Doing so means catching more in-progress attacks, instead of assuming the activity is authorized because the user or program itself is allowlisted.
- Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors often rely on scripting languages to deploy malware and conduct malicious activities (and few end users legitimately require such processes for their daily responsibilities).
References and Resources
A quick note on incident details:
As these analyses concern recent incidents in actively monitored environment, certain details may be occasionally omitted and / or obfuscated, to better secure our partners and protect any still-ongoing investigations.
However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.
Please feel free to reach out to the APG directly if you have any questions about a specific incident!
Click for full reference list
- Avast’s Blog: “Decrypted: BianLian Ransomware” by Threat Research Team on 2023-01-16
- VirusTotal’s Repository: “94.198.50.195” by VirusTotal on 2024-06-13
- Guidepoint Security’s Blog: “BianLian Ransomware Strikes Lindsay Municipal Hospital: Another US Institution Under Attack” by Guidepoint Security on 2024-03-11
- Privacy Affairs’s Article: “Novel Trisec Ransomware Hits Toyota Ireland” by Niklos Zoltan on 2024-02-17
- Blackpoint Cyber’s Blog: “Vulnerable RMM Tools and Vulnerable Industries: Why Vigilance is Key” by Blackpoint Cyber on 2024-03-28
- ReliaQuest’s Blog: “RMM Tool Abuse” by ReliaQuest Threat Research Team on 2024-02-20
- Microsoft’s Blog: “BitLocker overview” by Microsoft on 2023-11-06
- Kaspersky’s Blog: “Kaspersky uncovers new BitLocker-abusing ransomware” by Kaspersky on 2024-05-23
- Microsoft’s Blog: “Profiling DEV-0270: PHOSPHORUS’ ransomware operations” by Microsoft Threat Intelligence on 2022-09-07