15 June 2020

Black Kingdom ransomware targets enterprises via unpatched Pulse Secure VPN software


Black Kingdom ransomware targets enterprises via unpatched Pulse Secure VPN software

The crew behind Black Kingdom ransomware is exploiting a known vulnerability in Pulse Secure VPN software to gain access to corporate networks, researchers from REDTEAM.PL have found.

The experts have detailed tactics, techniques, and procedures (TTPs) used by the threat actor in the recent blog post. According to the report, the gang is exploiting CVE-2019-11510, a critical vulnerability that impacts earlier versions of Pulse Secure VPN. The flaw allows an unauthenticated remote attacker to read arbitrary files by sending a specially crafted URI. Although this vulnerability was patched in April last year, many companies still have not updated their software despite numerous reports about CVE-2019-11510 being exploited in the wild.

According to REDTEAM.PL’s analysis, once attackers gain initial access to a company’s infrastructure using CVE-2019-11510, they establish persistence by impersonating a legitimate scheduled task for Google Chrome (GoogleUpdateTaskMachineUSA - Black Kingdom task).

This task executes a PowerShell code that downloads a script named “reverse.ps1,” which is likely used to open the reverse shell on a haсked host.

The researchers said the attack were launched from the IP address (198.13.49.179), which is managed by Choopa, a web hosting that provides virtual private servers (VPS) and is known for being used by malicious actors to host their malicious software.

The IP address resolves to three domains, one of which is connected to servers in the US and Italy hosting Android malware and cryptocurrency mining tools.

Back to the list

Latest Posts

Microsoft: Russia combines missile and cyberattacks in Ukraine

Microsoft: Russia combines missile and cyberattacks in Ukraine

In parallel with cyber threat activity Russia would likely conduct influence operations targeting Europe to undermine military and humanitarian assistance to Ukraine.
5 December 2022
Spanish police dismantle 'Black Panthers' SIM swap group

Spanish police dismantle 'Black Panthers' SIM swap group

The scammers stole about €250,000 from nearly 100 victims.
5 December 2022
Google releases emergency security update to fix Chrome zero-day bug

Google releases emergency security update to fix Chrome zero-day bug

With the new update the tech giant fixed the ninth Chrome zero-day since the start of 2022.
5 December 2022