15 June 2020

Black Kingdom ransomware targets enterprises via unpatched Pulse Secure VPN software


The crew behind Black Kingdom ransomware is exploiting a known vulnerability in Pulse Secure VPN software to gain access to corporate networks, researchers from REDTEAM.PL have found.

The experts have detailed the tactics, techniques, and procedures (TTPs) used by the threat actor in a recent blog post. According to the report, the gang is exploiting CVE-2019-11510, a critical vulnerability that impacts earlier versions of Pulse Secure VPN. The flaw allows an unauthenticated remote attacker to read arbitrary files by sending a specially crafted URI. Although this vulnerability was patched in April last year, many companies still have not updated their software despite numerous reports about CVE-2019-11510 being exploited in the wild.

According to REDTEAM.PL’s analysis, once attackers gain initial access to a company’s infrastructure using CVE-2019-11510, they establish persistence by impersonating a legitimate scheduled task for Google Chrome (GoogleUpdateTaskMachineUSA - Black Kingdom task).

This task executes PowerShell code that downloads a script named “reverse.ps1,” which is likely used to open a reverse shell on the hacked host.
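A defender-side hunt for this persistence technique, added here as an example and not taken from the REDTEAM.PL report. It assumes a standard Chrome installation, where the genuine tasks are named GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA and run GoogleUpdate.exe from the Google\Update folder; any GoogleUpdate* task that deviates from that, or whose action invokes PowerShell or downloads content, is reported.

```powershell
# Added hunt script (not part of the original report): flag scheduled tasks that
# borrow the Google Update naming scheme but do not behave like the real updater.
# Assumptions: legitimate names are ...MachineCore / ...MachineUA and the action
# is GoogleUpdate.exe under a Google\Update directory.

$legitNames     = @('GoogleUpdateTaskMachineCore', 'GoogleUpdateTaskMachineUA')
$legitBinary    = '\\Google\\Update\\GoogleUpdate\.exe$'
# Indicators of a PowerShell download cradle in the task action
$suspiciousArgs = 'powershell|pwsh|-enc|-e\s|iex|Invoke-Expression|DownloadString|' +
                  'DownloadFile|Net\.WebClient|Invoke-WebRequest|\.ps1'

$findings = foreach ($task in Get-ScheduledTask -TaskName 'GoogleUpdate*' -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $exe       = [string]$action.Execute      # empty for non-exec (COM) actions
        $argString = [string]$action.Arguments
        $reasons   = @()

        if ($legitNames -notcontains $task.TaskName) { $reasons += 'non-standard task name' }
        if ($exe -notmatch $legitBinary)              { $reasons += "unexpected binary: '$exe'" }
        if ("$exe $argString" -match $suspiciousArgs) { $reasons += 'PowerShell/download indicators in action' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Author    = $task.Author
                Execute   = $exe
                Arguments = $argString
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No suspicious GoogleUpdate* scheduled tasks found.'
}
```

Run it from an elevated PowerShell session so that machine-level tasks are visible; review any hit against the task's XML (Export-ScheduledTask) before acting on it.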

The researchers said the attacks were launched from the IP address 198.13.49.179, which is managed by Choopa, a web hosting company that provides virtual private servers (VPS) and is known for being used by malicious actors to host their malware.

The IP address resolves to three domains, one of which is connected to servers in the US and Italy hosting Android malware and cryptocurrency mining tools.
