An institution of higher education (IHE) in Virginia was subject to an intrusion by a criminal affiliate assessed by the institution to be associated with BianLian ransomware. The attack was thwarted before widespread exfiltration or encryption of systems was completed by the cybercriminals.
On Monday, July 25, 2022, tooling alerted institutional technology staff of a password spray from a service account within the academic network; further review indicated suspicious activity on a Windows Activity Directory Domain Controller (DC) as well.
Response teams removed login privileges from the service account, rotated its password, isolated the source workstation, and began further analysis on the DC logs. Out-of-band communications were initiated with institutional leadership, and relevant institutional vendors (such as cybersecurity companies and insurance carriers) were engaged as additional response resources.
Initial access was likely gained in November 2021 when a banking trojan was downloaded and installed on a user workstation. Post-exploitation from that host yielded access to a service account with a weak password and finally a domain administrator account.
Multiple Remote Access Software were used for command and control by the threat actors including Atera and Splashtop, as well as a custom backdoor written in Golang. Publicly available offensive tools implicated in various stages of the attack were used for port scanning, dumping LSASS, and attacking Kerberos. Attempted use of Cobalt Strike and WinSCP to exfiltrate data was automatically blocked and logged by protection devices.
Based on the analysis by the various responders including retroactive hunts, additional mitigation measures were taken: password resets were forced on all Active Directory (AD) accounts (including the KRBTGT account twice), backups were isolated, all remote access was moved behind Multi-Factor Authentication (MFA), and observed Indicators of Compromise (IOCs) were added to block and alert lists. Compromised hosts were rebuilt, Microsoft LAPS was implemented for workstations and servers, and Group Policy Objects were reviewed for anomalies.
Due to the successful detection of suspicious post-compromise activity; the well-arranged architecture by the IT team including redundancy of systems in place; and the quick response time, the institution was able to avoid serious system downtime or interruption to academic operations despite the Fall 2022 academic semester beginning during recovery.
Due to mandatory password resets, university constituents did need to engage with the institutional help desk to cycle their passwords to regain access to systems.
Analysis concluded 16 servers and 30 workstations were impacted by the compromise, so those had to be rebuilt using backups preserved from prior to the initial compromise. During that recovery, older operating systems (Server 2012 and earlier) were upgraded to Server 2016 and Server 2019 versions.
Tactic | Technique ID | Technique Name |
Initial Access | Phishing | |
Execution | Windows Management Instrumentation Command and Scripting Interpreter | |
Persistence | Valid Accounts: Domain Accounts External Remote Services Create Account: Local Account | |
Defense Evasion | Indirect Command Execution | |
Credential Access | OS Credential Dumping: LSASS Memory Brute Force: Password Spraying | |
Discovery | System Service Discovery System Network Configuration Discovery Remote System Discovery Process Discovery Permission Groups Discovery System Information Discovery File and Directory Discovery Network Share Discovery | |
Lateral Movement | Remote Services Lateral Tool Transfer | |
Collection | Data from Local System Automated Collection | |
Command and Control | Remote Access Software | |
Impact | Data Encrypted for Impact Service Stop Inhibit System Recovery Defacement: Internal Defacement |
Malware metadata and tool usage match those documented here:
https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go
Contact Us
2715 E. Tenth Street
Bloomington, IN 47408
812-856-0717
info@ren-isac.net
Member of the Indiana University Cybersecurity Community
24-Hour CSIRT Watch Desk
+1 317-274-7228
soc@ren-isac.net
Report a Vulnerability
