Security researchers uncovered a zero-day CLFS elevation-of-privilege flaw (CVE-2023-28252) used to deploy Nokoyawa ransomware, with patches issued by Microsoft on April 11, 2023. The campaign involved multiple unique CLFS exploits and a chain that includes backdoors like Pipemagic, loaders, and Cobalt Strike BEACON. #Nokoyawa #CVE-2023-28252 #CLFS #Pipemagic #CobaltStrike
Keypoints
- In February 2023, Kaspersky detected multiple elevation-of-privilege exploits on Windows servers worldwide, culminating in a zero-day that affected various Windows versions including Windows 11.
- Microsoft assigned CVE-2023-28252 to the CLFS elevation-of-privilege vulnerability, with a patch released on April 11, 2023 (April Patch Tuesday).
- The zero-day was exploited by a sophisticated cybercrime group engaged in ransomware campaigns, using numerous similar CLFS driver exploits.
- Attackers leveraged the CVE-2023-28252 vulnerability to deploy Nokoyawa ransomware as a final payload, often after dropping other components.
- Prior to exploitation, some infections included a custom modular backdoor named Pipemagic launched via MSBuild, indicating a modular infection chain.
- The Nokoyawa variant used in these campaigns is a newer C-based ransomware with encrypted strings and a config supplied via a command-line parameter.
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – The CVE-2023-28252 CLFS elevation-of-privilege vulnerability is exploited to modify metadata blocks and obtain kernel read/write privileges. "CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend a metadata block."
- [T1082] System Information Discovery – The exploit leaks the addresses of kernel objects to achieve stable exploitation, using NtQuerySystemInformation. "The exploit leaks the addresses of kernel objects to achieve stable exploitation. This is done using the NtQuerySystemInformation function …"
- [T1003.002] Credential Dumping: Security Account Manager – The main purpose of the privilege escalation is to dump the contents of the HKEY_LOCAL_MACHINE\SAM registry hive. "The main purpose of using elevation-of-privilege exploits was to dump the contents of the HKEY_LOCAL_MACHINE\SAM registry hive."
- [T1127] Trusted Developer Utilities: MSBuild – The Pipemagic backdoor is launched via an MSBuild script. "the victim's machines were infected with a custom modular backdoor named "Pipemagic" that gets launched via an MSBuild script."
- [T1486] Data Encrypted for Impact – Nokoyawa ransomware is deployed as the final payload. "In attacks using the CVE-2023-28252 zero-day, this group attempted to deploy Nokoyawa ransomware as a final payload."
Indicators of Compromise
- [File] exploitation artifacts – C:\Users\Public\.container*, C:\Users\Public\MyLog*.blf, and other C:\Users\Public\p_* files
- [Hash] Exploit – 46168ed7dbe33ffc4179974f8bf401aa
- [Hash] Cobalt Strike loaders – 1e4dd35b16ddc59c1ecf240c22b8a4c4, f23be19024fcc7c8f885dfa16634e6e7, a2313d7fdb2f8f5e5c1962e22b504a17
- [Domain] Cobalt Strike C2s – vnssinc[.]com, qooqle[.]top, vsexec[.]com, devsetgroup[.]com
- [Hash] Nokoyawa ransomware – 8800e6f1501f69a0a04ce709e9fa251c
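A small matcher that turns the indicators listed above into a sweep a defender can run over file-inventory and DNS telemetry, as an added example that is not part of the original summary or of Kaspersky's report. The indicator values are the ones on this page; the file and DNS records fed to it are constructed sample telemetry (the placeholder MD5 is the hash of an empty string), and the record formats are assumptions about what an EDR or log export would provide. Paths are compared case-insensitively because NTFS paths are, and defanged domains are re-fanged before matching so that subdomains of a listed C2 are also caught.

```python
import fnmatch
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Indicators from the summary above. Windows separators are kept as-is;
# the "[.]" in the domains is the usual defanging and is normalised below.
IOC_FILE_GLOBS = [
    r"C:\Users\Public\.container*",
    r"C:\Users\Public\MyLog*.blf",
    r"C:\Users\Public\p_*",
]
IOC_MD5 = {
    "46168ed7dbe33ffc4179974f8bf401aa": "CLFS exploit",
    "1e4dd35b16ddc59c1ecf240c22b8a4c4": "Cobalt Strike loader",
    "f23be19024fcc7c8f885dfa16634e6e7": "Cobalt Strike loader",
    "a2313d7fdb2f8f5e5c1962e22b504a17": "Cobalt Strike loader",
    "8800e6f1501f69a0a04ce709e9fa251c": "Nokoyawa ransomware",
}
IOC_DOMAINS_DEFANGED = ["vnssinc[.]com", "qooqle[.]top", "vsexec[.]com", "devsetgroup[.]com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into 'example.com'."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


@dataclass
class Match:
    kind: str        # "path", "hash" or "domain"
    value: str       # the observed value that matched
    indicator: str   # the IoC pattern/domain it matched, or the hash's label


def match_path(path: str) -> Optional[Match]:
    # NTFS paths are case-insensitive, so compare lowercased path against
    # lowercased glob; fnmatch treats backslashes as literal characters.
    p = path.lower()
    for pattern in IOC_FILE_GLOBS:
        if fnmatch.fnmatchcase(p, pattern.lower()):
            return Match("path", path, pattern)
    return None


def match_hash(md5: str) -> Optional[Match]:
    h = md5.lower()
    if h in IOC_MD5:
        return Match("hash", h, IOC_MD5[h])
    return None


def match_domain(host: str) -> Optional[Match]:
    h = refang(host).rstrip(".")
    # Match the listed domain itself and any subdomain beneath it.
    for d in IOC_DOMAINS:
        if h == d or h.endswith("." + d):
            return Match("domain", host, d)
    return None


def scan_file_records(records: Iterable[Tuple[str, str]]) -> List[Match]:
    """records: (path, md5) pairs, e.g. from an EDR file inventory (assumed format)."""
    hits = []
    for path, md5 in records:
        m = match_path(path) or match_hash(md5)
        if m:
            hits.append(m)
    return hits


def scan_dns_records(hostnames: Iterable[str]) -> List[Match]:
    """hostnames: queried names from DNS or proxy logs (assumed format)."""
    return [m for m in (match_domain(h) for h in hostnames) if m]


# Constructed sample telemetry, not real data. d41d8... is MD5("") used as a
# placeholder for benign files.
SAMPLE_FILES = [
    (r"C:\Users\Public\.container1", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\Public\MyLog7.blf", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\Public\p_42", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Windows\System32\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\alice\Downloads\setup.exe", "8800E6F1501F69A0A04CE709E9FA251C"),
]
SAMPLE_DNS = ["updates.microsoft.com", "beacon.vnssinc.com", "qooqle.top", "qooqle.top.example.org"]

if __name__ == "__main__":
    for m in scan_file_records(SAMPLE_FILES) + scan_dns_records(SAMPLE_DNS):
        print(f"[{m.kind}] {m.value} -> {m.indicator}")
```

The path globs are the higher-signal indicators here: the hashes cover only the samples seen in this campaign, whereas the `C:\Users\Public` artifact names are an operator habit that survives recompilation, so a sweep should treat a path hit as worth investigating even when no hash matches.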
Read more: https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/