Novel PowerShell Backdoor Discovered By GuidePoint Security
GuidePoint Security has revealed its first encounter with BianLian’s PowerShell backdoor – the first such encounter to be reported publicly in 2024 thus far.
GuidePoint Security’s Research and Intelligence Team (GRIT) discovered the malicious activity while responding to an incident that began with the exploitation of TeamCity vulnerabilities for initial access and led to the deployment of a novel implementation of a PowerShell backdoor.
Through their analysis, GuidePoint Security ultimately identified the threat actor group behind the attack and provided highly confident attribution to the BianLian ransomware group.
In this technical blog, Drew Schmitt, Practice Lead, GRIT, breaks down BianLian’s use of a novel PowerShell backdoor following the exploitation of TeamCity vulnerabilities.
The research takes a deep dive into BianLian’s exploitation of TeamCity vulnerabilities and their post-exploitation behaviours, BianLian’s PowerShell implementation of their Go backdoor, and the attribution of the PowerShell backdoor to BianLian.
You can read the details in their new blog, now live at https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/.
This entry was posted on March 10, 2024 at 9:48 am and is filed under Commentary with tags GuidePoint.