A report released by Kaspersky Labs recently shed light on a threat actor that made use of a Common Log File System (CLFS) exploit to escalate privileges. Kaspersky has attributed this attack to a group that has used multiple distinct but similar CLFS driver exploits that are most likely from the same developer.
Kaspersky’s analysis suggests that this exploit was used to dump the contents of the HKEY_LOCAL_MACHINE\SAM registry hive to continue the attack. Upon discovering the exploit, Kaspersky submitted its analysis to Microsoft for review. Microsoft responded promptly and assigned CVE-2023-28252 to the vulnerability. The company resolved the issue on April 11, 2023, as part of its April Patch Tuesday release.
Despite the cybercriminals’ sophistication, their goals and the methods they use to achieve them overlap significantly with those seen in other attacks. This time, the attackers used a previously unknown way to escalate privileges and then performed OS Credential Dumping, a well-known technique tracked by MITRE as T1003.002. While zero-day usage is always a concern, the follow-up activity is relatively simple to detect with proper logging or an Endpoint Detection and Response (EDR) tool, which can give security teams the critical time they need to get ahead of a ransomware attack.
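As an added illustration of the detection point above (example code written for this page, not from the Kaspersky report or Binary Defense), the Python below scans constructed process-creation events for the SAM hive dump described here and tags each hit with its ATT&CK sub-technique; the flattened event format and field names are assumptions, not a real product's schema.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry), flattened to key=value lines loosely modelled on Windows Security 4688 / Sysmon Event ID 1.
SAMPLE_EVENTS = [
    'EventID=4688 User=CORP\\jdoe ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\reg.exe CommandLine="reg save HKLM\\SAM C:\\Users\\Public\\s.hiv"',
    'EventID=4688 User="NT AUTHORITY\\SYSTEM" ParentImage=C:\\Users\\jdoe\\update.exe '
    'Image=C:\\Windows\\System32\\reg.exe CommandLine="reg save HKLM\\SYSTEM C:\\Users\\Public\\sy.hiv"',
    'EventID=4688 User=CORP\\jdoe ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\reg.exe CommandLine="reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"',
    'EventID=4688 User="NT AUTHORITY\\SYSTEM" ParentImage=C:\\Users\\jdoe\\update.exe '
    'Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c copy C:\\Windows\\System32\\config\\SAM C:\\Users\\Public\\s"',
    'EventID=4688 User=CORP\\jdoe ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\Users\\jdoe\\notes.txt"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# reg.exe saving or exporting one of the hives that hold credential material.
REG_HIVE_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+(?:save|export)\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SECURITY|SYSTEM)\b', re.I)
# Any command line that names the on-disk hive files directly.
HIVE_FILE_RE = re.compile(r'\\System32\\config\\(SAM|SECURITY|SYSTEM)\b', re.I)
# SAM and SYSTEM together are T1003.002; the SECURITY hive holds LSA secrets (T1003.004).
TECHNIQUE_BY_HIVE = {"SAM": "T1003.002", "SYSTEM": "T1003.002", "SECURITY": "T1003.004"}

def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value line into a dict (quoted values may contain spaces)."""
    return {k: q if q else b for k, q, b in KV_RE.findall(line)}

def inspect_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a credential-hive dump attempt, else None."""
    cmd = event.get("CommandLine", "")
    for pattern, reason in ((REG_HIVE_RE, "reg.exe save/export of a credential hive"),
                            (HIVE_FILE_RE, "command line references an on-disk credential hive file")):
        m = pattern.search(cmd)
        if m:
            hive = m.group(1).upper()
            return {"technique": TECHNIQUE_BY_HIVE[hive], "hive": hive, "reason": reason,
                    "user": event.get("User", "?"), "parent": event.get("ParentImage", "?"),
                    "command": cmd}
    return None

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every line and collect the findings, in input order."""
    return [f for f in (inspect_event(parse_event(l)) for l in lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['technique']} {f['hive']:<8} user={f['user']} parent={f['parent']} :: {f['reason']}")
```

The user and parent fields are carried into each finding because a hive dump running as SYSTEM from a user-profile parent is exactly the post-escalation pattern the report describes.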
Binary Defense is a company that provides Managed Detection and Response services to help teams gain vital time in worst-case scenarios. Their service offering is essential, given the significant increase in ransomware attacks that businesses and organizations face today.
The Kaspersky report highlights the importance of having a reliable EDR tool to detect such attacks promptly. These tools enable security teams to detect malicious activity, get alerts, and respond quickly before an attacker can deliver their final payload.
Leveraging this exploit, a criminal group has recently deployed the Nokoyawa ransomware against several organizations worldwide, abusing the Windows zero-day along the way. The group relies on the same tactics and techniques seen in previous campaigns, attempting to gain access to organizations’ networks by enticing employees to click on links or download attachments from phishing emails.
Once the attackers have gained initial access, they use the CLFS exploit to escalate privileges, move laterally through the network, and deploy ransomware. Ransomware is a type of malware that encrypts user files and demands a ransom to restore access. Ransomware attacks are frequently lucrative for attackers and can seriously disrupt business operations for extended periods.
An attack of this nature is a nightmare scenario for any organization, and it highlights the importance of regular security awareness training, vulnerability management, and endpoint protection. The more organizations can do to protect themselves, the better they will be in identifying and responding to threats.
In conclusion, the Kaspersky report emphasizes the importance of having a reliable EDR tool to detect these types of attacks promptly. The attacker’s methods and tactics are nothing new, but security measures must be in place to detect and respond to these attacks before they become catastrophic. With the increasing frequency and sophistication of ransomware attacks, businesses and organizations must take all necessary measures to reduce the risk of falling victim to cybercriminals.