When Microsoft announced that it discovered a state-sponsored threat group, Hafnium, was exploiting four separate zero-day vulnerabilities, the InfoSec community was already looking into their crystal ball to predict when other groups and cybercriminals were going to try the same exploitation method. They did not have to wait long. Despite a record number of organizations patching the flaws, other hackers quickly jumped on board the Exchange Server express. Several ransomware strains already have been distributed to exploit those flaws.
The vulnerabilities, a collection of four in total, were nicknamed ProxyLogon. When abused in a specific way, ProxyLogon will grant the attacker initial access to the victim’s compromised network. Initially, Hafnium deployed web shells on the now-compromised Exchange server to exfiltrate valuable data without the victim’s knowledge. This method of achieving initial access to vulnerable Exchange servers to silently steal information was quickly adopted by other threat actors. These actors, however, used it to drop malware took a more overt approach.
Soon, ransomware operators tried to gain access to vulnerable servers that remained unpatched or that were patched incorrectly. It is important to note that Microsoft has released a tool to help make patching potentially vulnerable servers easier, along with extensive guidance on how to patch servers.
One of the first – quite possibly the first – ransomware strain security researchers discovered which attempted to use the ProxyLogon flaws was DearCry. Shortly after, reports noted that those behind the Black Kingdom strain were also using the ProxyLogon flaws as a means to grant attackers initial access.
Black Kingdom and ProxyLogon
The Black Kingdom strain of ransomware, also known as GAmmAWare, while not as notorious as Sodinokibi and Ryuk ransomware, still poses a significant threat to organizations. The discovery that Black Kingdom was using the ProxyLogon vulnerabilities was initially made by Marcus Hutchins. Hutchins noted that the vulnerabilities were being used to execute PowerShell scripts that would then download the ransomware executable and attempt to push the ransomware to other computers on the same network. The discovery was made via one of Hutchins’ honeypot machines, a machine left purposefully vulnerable to attack so security researchers could analyze attack tactics and malware. Hutchins believed the attack on the honeypot was part of a failed campaign.
Screenshot of Black Kingdom ransom demanding message:
Following Hutchins’ discovery, Michael Gillespie, the creator of ransomware identification site ID Ransomware, reported that the ransomware had encrypted other victims’ devices and was by no means a completely failed campaign. ID Ransomware received its first submissions to identify Black Kingdom on March 18. Four days after the first submissions, over 30 unique submissions were made to the website. Victims were traced to the U.S., Canada, Austria, Switzerland, Russia, France, Israel, United Kingdom, Italy, Germany, Greece, Australia and Croatia. According to both researchers, two different ransom notes had been dropped onto victims’ machines. The first being decrypt_file.TxT and the other named ReadMe.txt. The two varied slightly with regards to the text contained. A sample of the decrypt_file.TxT version reads as follows,
| We Are Back
We hacked your (( Network )), and now all files, documents, images,
databases, and other important data are safely encrypted using the strongest algorithms ever.
You cannot access any of your files or services .
But do not worry. You can restore everthing and get back business very soon ( depends on your actions ) before I tell how you can restore your data, you have to know certain things :
We have downloaded most of your data ( especially important data ) , and if you don’t contact us within 2 days, your data will be released to the public.
To see what happens to those who didn’t contact us, just google : ( Blackkingdom Ransomware )
We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free
just send the files you want to decrypt to (firstname.lastname@example.org
| How to contact us and recover all of your files ?
The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .
[ + ] Instructions:
1- Send the decrypt_file.txt file to the following email ===> email@example.com
2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :
[ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]
3- confirm your payment by sending the transfer url to our email address
4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,
so that you can recover all your files.
## Note ##
Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.
By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.
Your ID ==>”
A look at the provided Bitcoin wallet address showed only one victim has paid the 10,000 USD ransom since the campaign kicked off. Even though organizations have been patching these flaws at a far higher rate than is typical, some may still be vulnerable to a Black Kingdom attack. It is recommended that organizations follow Microsoft’s guidance and make patching a priority if it hasn’t been done already.
Microsoft Confirms Attack Campaign
A few days after both Hutchins and Gillespie announced the discovery of the Black Kingdom attack campaign, Microsoft confirmed that an attack campaign against Exchange servers was indeed underway. Microsoft noted that approximately 1,500 Exchange servers had web shells deployed by Black Kingdom attackers. It was also noted that, while the servers had been compromised, no secondary activity typical of a modern ransomware campaign had been detected. Such activities can include data exfiltration followed by data encryption. This indicates that the attackers looked to maintain their presence on compromised networks with the intention of striking at a later date when the organization may be more inclined to pay the ransom.
In these instances, patching might not be enough, as the Exchange Server and larger network may already be compromised. In such instances network administrators would need to conduct a full investigation of the network, dating back to before the patch was implemented as well as after. This time frame is often referred to as the exposure window. The exposure window can be extended to include the earliest possible indicator of the attack. For those who were targeted by Hafnium, this was February 27, 2021. While the earliest possible instance of a Black Kingdom attack is still not known, it is safe to assume it would be around the time of Microsoft’s initial announcement of the ProxyLogon vulnerabilities. With both the Hafnium and the Black Kingdom attacks, the deployment of web shells should be regarded as a key indicator of compromise. Further, regarding Black Kingdom, the web shell is sent over Tor once the initial compromise is complete. By looking for these indicators when carrying out an investigation, rooting out future threats will save a fair amount of stress later.
Black Kingdom vs. Black Kingdom
This is not the first time the InfoSec community has encountered a ransomware strain going by the name Black Kingdom. In June 2020, a ransomware strain by that name exploited Pulse VPN flaws to gain initial access to networks. Attack attempts were, again, caught by honeypots, and allowed researchers to analyze the malware. The ransomware was able to remain persistent on compromised machines by successfully tricking the operating system into believing that it is a legitimate scheduled Google Chrome task. When the ransomware began its encryption process, it appended .DEMON to the end of encrypted files. Attackers then dropped a ransom note demanding approximately $5,000 USD to decrypt the files once the attack was discovered.
There are several similarities between the two Black Kingdom strains. Both are written in Python and compiled in a Windows executable. Both use similar tactics; exploiting recently disclosed vulnerabilities to gain initial access to vulnerable networks. There are also differences – different Bitcoin address wallets and different ransom notes. The differences are relatively inconsequential, and there is more evidence to suggest that they are related and spread by the same ransomware operators. Absolute proof is still required to make the definitive link, but the balance of probabilities suggests both campaigns are linked.
Not Just Black Kingdom
Black Kingdom is not the only ransomware strain that hopped on the ProxyLogon bandwagon. It is not just DearCry, either; but there is strong evidence to suggest the Sodinokibi is distributed using the same method. On March 19, reports emerged that Acer, the Taiwanese computer manufacturing giant, suffered a ransomware incident. It was reported that the attackers demanded a staggering $500 million USD as a ransom – very likely the highest ransom amount demanded to date.
The size of both the company and the ransom demand makes the incident newsworthy. Acer itself did not directly address the incident, but stated,
“Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.” …
“We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cybersecurity disciplines and best practices, and be vigilant to any network activity abnormalities.”
Despite not addressing the matter directly, Bleeping Computer did manage to get a sample of the ransom note used in the attack and confirmed it was Sodinokibi, tracked by the publication as REvil. Later, security researchers discovered the malware sample used in the attack and discovered that the attackers were demanding $50 million USD. Vitali Kremez later discovered that Sodinokibi operatives recently targeted Acer via the ProxyLogon vulnerabilities.
We can be fairly certain that there will be future ransomware victims with these flaws used as a distribution method. Given that security researchers noted networks compromised without additional ransomware activity, administrators are advised to conduct full investigations of networks, even if the flaws have been patched.