The crew behind Black Kingdom ransomware is exploiting a known vulnerability in Pulse Secure VPN software to gain access to corporate networks, researchers from REDTEAM.PL have found.
The experts have detailed tactics, techniques, and procedures (TTPs) used by the threat actor in the recent blog post. According to the report, the gang is exploiting CVE-2019-11510, a critical vulnerability that impacts earlier versions of Pulse Secure VPN. The flaw allows an unauthenticated remote attacker to read arbitrary files by sending a specially crafted URI. Although this vulnerability was patched in April last year, many companies still have not updated their software despite numerous reports about CVE-2019-11510 being exploited in the wild.
According to REDTEAM.PL’s analysis, once attackers gain initial access to a company’s infrastructure using CVE-2019-11510, they establish persistence by impersonating a legitimate scheduled task for Google Chrome (GoogleUpdateTaskMachineUSA - Black Kingdom task).
This task executes a PowerShell code that downloads a script named “reverse.ps1,” which is likely used to open the reverse shell on a haсked host.
The researchers said the attack were launched from the IP address (126.96.36.199), which is managed by Choopa, a web hosting that provides virtual private servers (VPS) and is known for being used by malicious actors to host their malicious software.
The IP address resolves to three domains, one of which is connected to servers in the US and Italy hosting Android malware and cryptocurrency mining tools.