CVE-2023-28252 (Nokoyawa Ransomware Reports)

Mohitrajai
Apr 13, 2023

Executive Summary

SHA256 hash: 3c9f4145e310f616bd5e36ca177a3f370edc13cf2d54bb87fe99972ecf3f09b4
MD5 hash: 8800e6f1501f69a0a04ce709e9fa251c

What is the CVE-2023-28252 vulnerability?

CVE-2023-28252 is a privilege-elevation vulnerability. An attacker who can manipulate a CLFS base log file (.blf) can use it to extend their privileges across the entire system and continue the attack from there.

The vulnerability is in CLFS (Common Log File System). In the reported attacks it was used to elevate privileges and then steal credentials from the Security Account Manager (SAM) database.

Using this CVE-2023-28252 zero-day, the attacker deployed Nokoyawa ransomware as the final payload.

The attacker used CVE-2023-28252 for privilege escalation and, at the end, dumped the contents of the HKEY_LOCAL_MACHINE\SAM registry hive to steal credentials.

What is an elevation-of-privilege exploit?

Elevated privileges open doors for attackers to tamper with security settings, configurations and data. Attackers often get access to lower-privileged accounts first and then use them to obtain high-level privileges and gain full access to an organization's IT environment.

In this scenario the attacker used the CLFS vulnerability for this exploit.

What is CLFS in Windows?

CLFS is the log file subsystem that applications use to create logs.

A log is created with the CreateLogFile function. It is made up of a base log file (.blf file name extension), a master file containing metadata, and a number of containers that hold the actual data.

The containers that hold the actual data are created with the AddLogContainer and AddLogContainerSet functions.

Vulnerability exploitation:

As per the Kaspersky report, when the researchers examined the data in the .blf (base log file), which is parsed with kernel-level access, they observed kernel memory pointers stored in the file, which means a crafted file can be used to achieve elevation of privilege.

CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block.

The vulnerability is triggered by manipulating the base log file.

An attacker uses this vulnerability to corrupt another specially crafted base log file object so that a fake element of the base log file gets treated as a real one.

_CLFS_CONTAINER_CONTEXT is an example of a structure that is stored in base log files but contains a field for a kernel pointer. That field's value is ignored when the structure is read from the base log file on disk, but if the attacker changes the offset of the container context so that it points to a specially crafted malicious _CLFS_CONTAINER_CONTEXT structure, it becomes possible to supply a pointer to attacker-controlled user-mode memory and obtain kernel read/write primitives with it.

To achieve stable exploitation, the exploit leaks the addresses of kernel objects using the NtQuerySystemInformation function. The data returned by that call includes the EPROCESS kernel addresses of currently running processes.

How was CVE-2023-28252 discovered?

Since the flaw is at the code level, it is easily found with the help of fuzzing. But so many vulnerabilities have already been found in this component, so if it is discoverable by fuzzing, why has it not been found before?

Examining the clfs.sys driver code in a disassembler shows extensive use of try/catch blocks to catch exceptions.

In many parts of the code, when an exception occurs it is masked by an exception handler and the code continues its normal execution as if nothing had happened.

Post-exploitation and malware:

The main purpose of using the elevation-of-privilege exploit was to dump the contents of the HKEY_LOCAL_MACHINE\SAM registry hive.

The HKEY_LOCAL_MACHINE\SAM registry hive stores credentials and account information for local users. With it the attacker steals users' credentials for further exploitation.

For malware, the attacker used Cobalt Strike BEACON as their main tool. It is launched with a variety of custom loaders aimed at preventing AV detection.

Cobalt Strike BEACON (detected as Trojan.CobaltStrike) is a penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine.

Many cybercriminals that operate malware use the Cobalt Strike tool to drop multiple payloads after compromising a network.

Next, the PipeMagic backdoor malware is used for backdoor activity.

Using this backdoor, the attacker deploys Nokoyawa ransomware as the final payload.

The cybercriminals used a newer version of Nokoyawa that is quite distinct from the JSWorm codebase.

It is written in C and has encrypted strings. It is launched with an encrypted JSON config passed via the "--config" command-line argument.

Conclusions:

The CVE-2023-28252 exploit and related malware are detected with the following verdicts:
PDM:Exploit.Win32.Generic
PDM:Trojan.Win32.Generic
HEUR:Trojan-Ransom.Win32.Generic
Win64.Agent*

Indicators of compromise:

The exploit leaves the files used for exploitation at a hard-coded path in the "C:\Users\Public\" folder.

Organizations can check whether the exploit was launched on their servers or employees' machines by looking for the presence of the "C:\Users\Public\.container*", "C:\Users\Public\MyLog*.blf" and "C:\Users\Public\p_*" files.

Exploitation artifacts:
C:\Users\Public\.container*
C:\Users\Public\MyLog*.blf
C:\Users\Public\p_*
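A hunt script for the three artifact patterns listed above, added here as an example and not taken from the original post or the Kaspersky report. It assumes it runs with administrator rights on each host; the -ComputerName fan-out over WinRM and the CSV evidence file are assumptions of this example.

```powershell
# Added example: hunt for CVE-2023-28252 exploitation artifacts under C:\Users\Public.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @('localhost'),   # hosts to check (assumed WinRM access)
    [string]$Root = 'C:\Users\Public'           # hard-coded path named in the report
)

# Wildcard patterns taken from the "Exploitation artifacts" list in the post.
$Patterns = @('.container*', 'MyLog*.blf', 'p_*')

$Scan = {
    param($Root, $Patterns)
    foreach ($p in $Patterns) {
        # -Force includes hidden files such as the dot-prefixed .container* files.
        Get-ChildItem -Path $Root -Filter $p -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Computer  = $env:COMPUTERNAME
                Path      = $_.FullName
                Pattern   = $p
                SizeBytes = $_.Length
                Created   = $_.CreationTimeUtc
                Modified  = $_.LastWriteTimeUtc
                MD5       = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
            }
        }
    }
}

$Results = foreach ($c in $ComputerName) {
    if ($c -eq 'localhost') { & $Scan $Root $Patterns }
    else { Invoke-Command -ComputerName $c -ScriptBlock $Scan -ArgumentList $Root, $Patterns }
}

if ($Results) {
    Write-Warning "Possible CVE-2023-28252 exploitation artifacts found:"
    $Results | Format-Table -AutoSize
    # Preserve an evidence record (timestamps and hashes) before any cleanup is done.
    $Results | Export-Csv -Path ".\clfs-artifacts-$(Get-Date -Format yyyyMMddHHmm).csv" -NoTypeInformation
} else {
    Write-Output "No CVE-2023-28252 exploitation artifacts found under $Root."
}
```

A hit is a reason to isolate the host and pull the SAM-dump and Cobalt Strike indicators described above, not proof by itself, since an administrator can legitimately create CLFS logs in that folder.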


These attacks are also detected with the help of the Behavioral Detection Engine and the Exploit Prevention component.


Stay Connected for more information!
