Full Report
A 36-year-old Yemeni national, who is believed to be the developer and primary operator of 'Black Kingdom' ransomware, has been indicted by the United States for conducting 1,500 attacks on Microsoft Exchange servers. [...]
Analysis Summary
# Threat Actor: Black Kingdom
## Attribution & Identity
The actor is associated with the **Black Kingdom** ransomware operation. The U.S. Department of Justice (DoJ) has indicted an administrator (identified as Ahmed, believed to reside in Yemen) for their role in these attacks.
## Activity Summary
Black Kingdom operators have historically gained initial access by exploiting specific vulnerabilities in internet-facing services and then deploying ransomware. The primary activities highlighted are:
1. **Microsoft Exchange Exploitation (2021):** Leveraging the ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to compromise Microsoft Exchange servers. Microsoft confirmed that Black Kingdom compromised approximately 1,500 Exchange servers using these flaws.
2. **Pulse VPN Exploitation (2020):** In June 2020, Black Kingdom used flaws in Pulse Secure VPN (specifically CVE-2019-11510) to breach corporate networks and deploy their ransomware.
## Tactics, Techniques & Procedures
- **Initial Access via Exploitation:** Design and use of ransomware specifically engineered to exploit vulnerabilities for network entry.
  - Exploiting Microsoft Exchange ProxyLogon flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
  - Exploiting Pulse Secure VPN vulnerabilities (CVE-2019-11510).
- **Deployment:** Writing web shells onto compromised servers after exploiting Exchange flaws.
## Targeting
- **Sectors:** Corporate networks (implied by use of Exchange servers and VPNs).
- **Geography:** The indicted administrator is believed to reside in Yemen. Targeting locations are not explicitly detailed beyond the victims' organizations.
- **Victims:** Organizations utilizing vulnerable Microsoft Exchange servers and Pulse Secure VPNs. The article notes Microsoft confirmed 1,500 Exchange servers were compromised.
## Tools & Infrastructure
- **Malware families used:** Black Kingdom ransomware.
- **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the provided context, other than mentioning the use of *Black Kingdom email addresses* for proof-of-payment submission.
## Implications
The ongoing indictment highlights efforts by law enforcement (US DoJ) to prosecute key figures in major ransomware operations. The actor specialized in high-impact, initial access techniques targeting perimeter systems (Exchange, VPNs), indicating a sophisticated approach focused on quickly achieving broad network compromise.
## Mitigations
- Patching critical vulnerabilities immediately, particularly those affecting remote access services like Microsoft Exchange and Pulse Secure VPN.
- Specific CVEs to monitor and mitigate: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (ProxyLogon), and CVE-2019-11510.
- Monitoring for unauthorized web shell deployment on internet-facing servers.
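One practical form of the last item is a baseline comparison that flags server-side script files appearing or changing under the Exchange web root, since that is where a web shell dropped after exploitation would land. This is added example code, not from the article or the indictment; the directory layout and file contents are constructed for the demo.

```python
"""Baseline-diff check for unexpected web-accessible script files."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions IIS executes as server-side code; a dropped web shell
# normally uses one of these so the attacker can reach it over HTTP.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(web_root: Path) -> Dict[str, str]:
    """Map each script file under web_root (relative path) to its digest."""
    return {
        str(p.relative_to(web_root)).replace(os.sep, "/"): hash_file(p)
        for p in web_root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS
    }


def find_unexpected(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Files that are new, or whose content changed, since the baseline."""
    return sorted(rel for rel, d in current.items() if baseline.get(rel) != d)


def demo() -> List[str]:
    # Constructed sample: a fake web root with one legitimate page is
    # baselined, then a new .aspx file stands in for a dropped web shell.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        owa = root / "owa" / "auth"
        owa.mkdir(parents=True)
        (owa / "logon.aspx").write_text("<%-- legitimate page (constructed) --%>")
        baseline = snapshot(root)  # taken right after patching, in practice
        (owa / "help.aspx").write_text("<% /* constructed placeholder */ %>")
        return find_unexpected(baseline, snapshot(root))


if __name__ == "__main__":
    print("unexpected script files:", demo())
```

In production the baseline would be stored off-host and the comparison run on a schedule, with hits correlated against IIS logs for the same path.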