Pulse Secure VPN Vulnerabilities Leveraged by Black Kingdom Ransomware

Attackers have been actively scanning for endpoints running certain versions of the popular Pulse Secure VPN software that are vulnerable to a critical, remotely exploitable (RCE) vulnerability first disclosed in July 2019.

Latest findings

Recently, the Black Kingdom ransomware group exploited this vulnerability (CVE-2019-11510) in unpatched Pulse Secure VPN software to gain access to corporate networks.
  • In June 2020, Black Kingdom ransomware operators gained initial access to enterprise infrastructures via the Pulse Secure VPN vulnerability (CVE-2019-11510), then impersonated a legitimate scheduled task for Google Chrome, with a single letter making the difference.
  • REDTEAM.PL researchers found that the malicious task was named “GoogleUpdateTaskMachineUSA”, posing as the legitimate task “GoogleUpdateTaskMachineUA”.
  • The malicious Black Kingdom task “GoogleUpdateTaskMachineUSA” executes PowerShell code that downloads a script named “reverse.ps1” to open a reverse shell on the compromised host.
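The one-letter task name described above is a detection opportunity. The following Python is an added example, not code from the original report or from REDTEAM.PL: it parses constructed `schtasks /query /fo CSV /v`-style output and flags task names that sit within a small edit distance of an allowlisted name; the allowlist, the sample rows and the `reverse.ps1` path are assumptions for illustration.

```python
import csv
import io

# Allowlist of legitimate task names that lookalikes tend to imitate.
# Assumption: only the Google Update tasks are covered in this example.
KNOWN_GOOD_TASKS = {"GoogleUpdateTaskMachineUA", "GoogleUpdateTaskMachineCore"}

# Constructed sample in the column layout of `schtasks /query /fo CSV /v`
# (TaskName and "Task To Run" are real column headers; the rows are invented).
SAMPLE_SCHTASKS_CSV = """\
"HostName","TaskName","Status","Task To Run"
"WS01","\\GoogleUpdateTaskMachineUA","Ready","C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua /installsource scheduler"
"WS01","\\GoogleUpdateTaskMachineUSA","Ready","powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\reverse.ps1"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","%windir%\\system32\\defrag.exe -c -h"
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike_tasks(csv_text: str, max_distance: int = 2) -> list[dict]:
    """Flag tasks whose leaf name is close to, but not identical with, an allowlisted name.

    Task names are compared case-insensitively because the Task Scheduler treats them so.
    """
    good_lower = {g.lower(): g for g in KNOWN_GOOD_TASKS}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        leaf = row["TaskName"].rsplit("\\", 1)[-1]  # strip the folder path
        if leaf.lower() in good_lower:
            continue  # exact legitimate task, nothing to report
        for good in KNOWN_GOOD_TASKS:
            dist = levenshtein(leaf.lower(), good.lower())
            if 0 < dist <= max_distance:
                findings.append({"task": leaf, "impersonates": good,
                                 "distance": dist, "action": row["Task To Run"]})
    return findings


if __name__ == "__main__":
    for f in find_lookalike_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{f['task']} looks like {f['impersonates']} (distance {f['distance']}): {f['action']}")
```

On a live host the same function can be fed the output of `schtasks /query /fo CSV /v`; the reported action string shows whether the task runs the expected updater binary or an unrelated interpreter.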

Not a new vulnerability

This is not the first time this vulnerability has been exploited. Attackers have previously been seen targeting unpatched Pulse Secure VPN servers by exploiting CVE-2019-11510.
  • In May 2020, a ransomware attack targeted the law firm Grubman Shire Meiselas & Sacks because one of its associated domains was using an unpatched Pulse Secure VPN server.
  • In April 2020, hackers used stolen Active Directory credentials to deploy ransomware on the systems of U.S. hospitals and government entities after exploiting the vulnerability in their Pulse Secure VPN servers.
  • In January 2020, REvil (Sodinokibi) ransomware attacked Travelex by leveraging the vulnerability in the Pulse Secure VPN enterprise solution. In the same month, the ransomware operators exploited unpatched Pulse Secure VPN servers to gain a foothold and disable antivirus.

Immediate action required

Pulse Secure LLC released a patch for this vulnerability in August 2019. The US Cybersecurity and Infrastructure Security Agency (CISA) warned organizations to patch their Pulse Secure VPN servers in January 2020 and again in April 2020. Organizations should apply the software patch immediately to reduce the risk.