15 June 2020

Black Kingdom ransomware targets enterprises via unpatched Pulse Secure VPN software


Black Kingdom ransomware targets enterprises via unpatched Pulse Secure VPN software

The crew behind Black Kingdom ransomware is exploiting a known vulnerability in Pulse Secure VPN software to gain access to corporate networks, researchers from REDTEAM.PL have found.

The experts have detailed tactics, techniques, and procedures (TTPs) used by the threat actor in the recent blog post. According to the report, the gang is exploiting CVE-2019-11510, a critical vulnerability that impacts earlier versions of Pulse Secure VPN. The flaw allows an unauthenticated remote attacker to read arbitrary files by sending a specially crafted URI. Although this vulnerability was patched in April last year, many companies still have not updated their software despite numerous reports about CVE-2019-11510 being exploited in the wild.

According to REDTEAM.PL’s analysis, once attackers gain initial access to a company’s infrastructure using CVE-2019-11510, they establish persistence by impersonating a legitimate scheduled task for Google Chrome (GoogleUpdateTaskMachineUSA - Black Kingdom task).

This task executes a PowerShell code that downloads a script named “reverse.ps1,” which is likely used to open the reverse shell on a haсked host.

The researchers said the attack were launched from the IP address (198.13.49.179), which is managed by Choopa, a web hosting that provides virtual private servers (VPS) and is known for being used by malicious actors to host their malicious software.

The IP address resolves to three domains, one of which is connected to servers in the US and Italy hosting Android malware and cryptocurrency mining tools.

Back to the list

Latest Posts

Twitch downplays extent of the recent breach, says only small number of customers affected

Twitch downplays extent of the recent breach, says only small number of customers affected

Twitch said that no login credentials or full credit card info data belonging to users or streamers were exposed in the data breach.
18 October 2021
REvil goes off the radar after group’s Tor sites were hijacked

REvil goes off the radar after group’s Tor sites were hijacked

At present, it is unknown who compromised the gang servers.
18 October 2021
US security agencies say ransomware hackers targeted 3 different US water facilities in 2021

US security agencies say ransomware hackers targeted 3 different US water facilities in 2021

Over the past few months, hackers have targeted wastewater plants in California, Maine and Nevada with ransomware attacks.
18 October 2021