The BianLian Ransomware Group and Vulnerabilities on Illumina Sequencing InstrumentsIllumina Sequencing Instruments

FBI and CISA Warn About BianLian Ransomware and Extortion Group

The Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory with regard to the BianLian ransomware and data extortion group.

The BianLian group is attacking organizations in America since June 2022 and has actively attacked critical infrastructure organizations, such as the medical and public health industry. The BianLian ransomware group develops and makes use of ransomware for its attacks, usually accomplishing double extortion tactics, exfiltrating sensitive private information from victims’ systems prior to encrypting files. The group pressures the victims to pay the ransom to stop leaking the stolen information. This 2023, the group has mainly used extortion-only attacks in which there is no encryption of files after exfiltration. These attacks are actually successful because the exposure of stolen information could cause substantial harm to a company’s reputation and legal issues.

The BianLian group mainly acquires access to victims’ systems by utilizing Remote Desktop Protocol (RDP) credentials, which could be acquired by means of brute force attacks to figure out weak credentials, buying credentials from phishing attacks or initial access brokers. As soon as credentials are acquired, the group uses a customized backdoor specific to every victim, and commercially accessible remote access tools can be acquired like TeamViewer, SplashTop, Atera Agent, and AnyDesk. The group utilizes command-line tools and scripts for network reconnaissance and collecting more credentials. Windows Command Shell and PowerShell are utilized to deactivate antivirus software programs like Anti-Malware Scan Interface (AMSI), Windows Defender and the registry is altered to remove services like Sophos SAVEnabled, SAVService services, and SEDenabled.

Tools usually downloaded onto the network of the victims consist of SoftPerfect Network Scanner, Advanced Port Scanner, PingCastle, and SharpShares to help discovery, together with Windows Command Shell, native Windows tools, and with PsExec and RDP with legitimate accounts utilized for lateral movement. As soon as sensitive information is located, exfiltration of data happens through File Transfer Protocol (FTP), Mega, or Rclone. As soon as data exfiltration has happened, threats are given to expose the stolen information.

The best protection against attacks is to restrict using RDP along with other remote desktop services. Audits ought to be done on all remote access tools on the system to discover installed and presently used software programs. Remote access tools that aren’t used now must be taken out or deactivated, and RDP must be locked down. Security applications must be employed to identify cases of loading remote access software in the memory, and records must be examined of remote access software to identify any unusual use.

Authorized remote access solutions must only be utilized from inside the network with authorized remote access tools, like virtual desktop interfaces (VDIs), or virtual private networks (VPNs). Inbound and outbound links on common remote access software ports and protocols must be stopped at the system perimeter. Companies must also deactivate command-line services and scripting activities and limit using PowerShell on critical systems, and enhanced PowerShell logging ought to be activated. Frequent audits of management accounts ought to be done, time-based access for accounts must be fixed at the administration level and higher, and be sure to apply the principle of least privilege.

The cybersecurity advisory involves Indicators of Compromise (IOCs), particulars of the tactics, techniques, and procedures (TTPs) employed by the group, and other suggested mitigations.

Maximum Severity Vulnerability Affects Illumina Sequencing Instruments

Healthcare companies and laboratory staff received a warning concerning a maximum severity vulnerability identified in the Illumina Universal Copy Service software program utilized by its DNA sequencing instruments.

The vulnerability impacts the following Illumina products that come with an installed Illumina Universal Copy Service (UCS) v2.x:

  • iSeq 100 (all versions)
  • iScan Controls Software (v4.0.0 and v4.0.5)
  • MiniSeq Control Software (v2.0 and later)
  • MiSeqDx Operating Software (v4.0.1 and afterward)
  • MiSeq Control Software (v4.0 RUO Mode)
  • NextSeq 550Dx Control Software (v4.0 RUO Mode)
  • NextSeq 500/550 Control Software (v4.0)
  • NextSeq 550Dx Operating Software (v1.0.0 to 1.3.1)
  • NextSeq 1000/2000 Control Software (v1.4.1 and earlier)
  • NextSeq 550Dx Operating Software (v1.3.3 and later)
  • NovaSeq 6000 Control Software (v1.7 and earlier)
  • NovaSeq Control Software (v1.8)

Impacted devices are susceptible to two vulnerabilities. The most critical vulnerability is monitored as CVE-2023-1699. This vulnerability permits connecting to an unrestricted IP address. In case a malicious actor exploits this vulnerability, UCS will be used to listen on all IP addresses, which include those able to accept or remove communications, remotely control the impacted devices, modify device configurations, and change or steal sensitive information. The vulnerability with a CVSS score of 10 out of 10 could be exploited remotely with low attack complexity.

The second vulnerability, monitored as CVE-2023-1966, impacts UCS v1.x and v2.0 and is caused by unnecessary privileges. A remote attacker can upload and implement code remotely at the OS level, enabling changes to be done on the configurations and access to sensitive information on the impacted products. The vulnerability has been assigned a CVSS score of 7.4 out of 10.

Ilumina discovered the vulnerabilities and reported them to the Cybersecurity and Infrastructure Agency (CISA). Illumina states it doesn’t know of any cases of attempted or actual exploitation of the vulnerabilities; nevertheless, because of the seriousness of the vulnerabilities and the simplicity of exploitation, it is recommended to patch them immediately.

On April 5, 2023, Illumina informed clients regarding the vulnerabilities telling them to watch out for indications of exploitation. To help users address the vulnerability, there is already a patch released with a Vulnerability Instructions Guide that is based on the particular settings of their devices. The U.S. Food and Drug Administration (FDA) lately released an alert to healthcare companies and laboratory staff that the vulnerabilities may introduce issues with patient results and client systems. If unable to apply the patch yet, steps must be taken to minimize the possibility of exploitation, such as limiting network exposure, making sure the impacted devices aren’t accessible online, identifying control system networks and putting remote devices behind firewalls, and just utilizing safe strategies to remotely access the devices, for instance, a Virtual Private Network (VPN).

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.