15 June 2020

Black Kingdom ransomware targets enterprises via unpatched Pulse Secure VPN software


Black Kingdom ransomware targets enterprises via unpatched Pulse Secure VPN software

The crew behind Black Kingdom ransomware is exploiting a known vulnerability in Pulse Secure VPN software to gain access to corporate networks, researchers from REDTEAM.PL have found.

The experts have detailed tactics, techniques, and procedures (TTPs) used by the threat actor in the recent blog post. According to the report, the gang is exploiting CVE-2019-11510, a critical vulnerability that impacts earlier versions of Pulse Secure VPN. The flaw allows an unauthenticated remote attacker to read arbitrary files by sending a specially crafted URI. Although this vulnerability was patched in April last year, many companies still have not updated their software despite numerous reports about CVE-2019-11510 being exploited in the wild.

According to REDTEAM.PL’s analysis, once attackers gain initial access to a company’s infrastructure using CVE-2019-11510, they establish persistence by impersonating a legitimate scheduled task for Google Chrome (GoogleUpdateTaskMachineUSA - Black Kingdom task).

This task executes a PowerShell code that downloads a script named “reverse.ps1,” which is likely used to open the reverse shell on a haсked host.

The researchers said the attack were launched from the IP address (198.13.49.179), which is managed by Choopa, a web hosting that provides virtual private servers (VPS) and is known for being used by malicious actors to host their malicious software.

The IP address resolves to three domains, one of which is connected to servers in the US and Italy hosting Android malware and cryptocurrency mining tools.

Back to the list

Latest Posts

Vulnerability summary for the week: January 22, 2021

Vulnerability summary for the week: January 22, 2021

A weekly vulnerability digest.
22 January 2021
Windows Remote Desktop servers abused to amplify DDoS attacks

Windows Remote Desktop servers abused to amplify DDoS attacks

The Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.
22 January 2021
Hackers accidentally exposed stolen credentials via Google search

Hackers accidentally exposed stolen credentials via Google search

The stolen data was saved in a publicly visible file that was indexable by Google.
22 January 2021