While the majority of zero-days in the past were used by APTs, this particular zero-day was used by a sophisticated cybercrime group #Nokoyawa that carries out #ransomware attacks. This group is notable for its use of a large number of similar but unique Common Log File System (#CLFS) driver exploits.
CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block. The vulnerability gets triggered by the manipulation of the base log file. The discovered exploit uses the vulnerability to corrupt another specially crafted base log file object in a way that a fake element of the base log file gets treated as a real one. The exploit leaks the addresses of kernel objects to achieve stable exploitation.
Once a machine is infected, the attackers use Cobalt Strike BEACON as their main tool. It is launched with a variety of custom loaders aimed at evading AV detection. In attacks using the CVE-2023-28252 zero-day, this group attempted to deploy Nokoyawa ransomware as the final payload.
Malware:
Kaspersky detects the CVE-2023-28252 exploit and related malware with the verdicts:
PDM:Exploit.Win32.Generic
PDM:Trojan.Win32.Generic
HEUR:Trojan-Ransom.Win32.Generic
Win64.Agent*
Indicators of Compromise #IOC
After finishing, the exploit leaves files used for exploitation at the hard-coded path in the “C:\Users\Public\” folder. Companies can check if the exploit was launched on their servers or employees’ machines by looking for the presence of the “C:\Users\Public\.container*”, “C:\Users\Public\MyLog*.blf”, and “C:\Users\Public\p_*” files.
Exploitation artifacts
C:\Users\Public\.container*
C:\Users\Public\MyLog*.blf
C:\Users\Public\p_*
Exploit
46168ed7dbe33ffc4179974f8bf401aa
CobaltStrike loaders
1e4dd35b16ddc59c1ecf240c22b8a4c4
f23be19024fcc7c8f885dfa16634e6e7
a2313d7fdb2f8f5e5c1962e22b504a17
CobaltStrike C2s
vnssinc[.]com
qooqle[.]top
vsexec[.]com
devsetgroup[.]com
Nokoyawa ransomware
8800e6f1501f69a0a04ce709e9fa251c
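A host-side sweep for the indicators listed above (drop-path artifacts, sample MD5s and C2 domains), written as an added example and not taken from the Securelist report or this post. It assumes an elevated PowerShell session and that the chosen scan roots (C:\Users\Public, TEMP, ProgramData) are where dropped files would sit; widen them for your environment.

```powershell
# Added example, not from the Securelist report: sweep a Windows host for the
# CVE-2023-28252 / Nokoyawa indicators listed above. Run in an elevated shell.
$ArtifactPatterns = @(
    'C:\Users\Public\.container*',
    'C:\Users\Public\MyLog*.blf',
    'C:\Users\Public\p_*'
)
# MD5s published in the report (exploit, Cobalt Strike loaders, ransomware).
$KnownBadMd5 = @{
    '46168ed7dbe33ffc4179974f8bf401aa' = 'CVE-2023-28252 exploit'
    '1e4dd35b16ddc59c1ecf240c22b8a4c4' = 'Cobalt Strike loader'
    'f23be19024fcc7c8f885dfa16634e6e7' = 'Cobalt Strike loader'
    'a2313d7fdb2f8f5e5c1962e22b504a17' = 'Cobalt Strike loader'
    '8800e6f1501f69a0a04ce709e9fa251c' = 'Nokoyawa ransomware'
}
# Defanged C2 domains from the report, un-bracketed for comparison.
$C2Domains = @('vnssinc[.]com', 'qooqle[.]top', 'vsexec[.]com', 'devsetgroup[.]com') |
    ForEach-Object { $_ -replace '\[\.\]', '.' }
# Assumption: these are the locations worth hashing; widen as needed.
$ScanRoots = @('C:\Users\Public', $env:TEMP, $env:ProgramData)

$findings = [System.Collections.Generic.List[object]]::new()
# 1. Files left behind at the exploit's hard-coded drop path.
foreach ($pattern in $ArtifactPatterns) {
    Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{ Type = 'Artifact'; Where = $_.FullName; Detail = $pattern })
    }
}
# 2. Any file in the scan roots whose MD5 matches a published sample hash.
Get-ChildItem -Path $ScanRoots -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
    if ($hash -and $KnownBadMd5.ContainsKey($hash.Hash.ToLower())) {
        $findings.Add([pscustomobject]@{ Type = 'HashMatch'; Where = $_.FullName; Detail = $KnownBadMd5[$hash.Hash.ToLower()] })
    }
}
# 3. Cached DNS answers for the Cobalt Strike C2 domains.
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $C2Domains -contains $_.Entry } | ForEach-Object {
    $findings.Add([pscustomobject]@{ Type = 'C2Dns'; Where = $_.Entry; Detail = $_.Data })
}

if ($findings.Count -eq 0) {
    Write-Output 'No CVE-2023-28252 / Nokoyawa indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -Path (Join-Path $env:TEMP 'nokoyawa-ioc-findings.csv') -NoTypeInformation
}
```

A hash match only proves the sample is present, not that it ran; pair any hit with the CLFS artifact check and process or event-log review before calling the host clean.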
PLEASE RUN SCANS to check for any IOC
Source: Nokoyawa ransomware attacks with Windows zero-day | Securelist
CISA issued a warning of NOKOYAWA ransomware under the heading "APT28 Exploits Known Vulnerability To Carry Out Reconnaissance and Deploy Malware on Cisco Routers".
In a joint statement, the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI) issued details of tactics, techniques and procedures (TTPs) associated with APT28's exploitation of Cisco routers in 2021.
They assessed that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.
Detailed UK Government Advisory is here:
Malware Analysis report is here:
Please take all precautions and secure your networks.