Hackers exploit CVE-2023-28252 0-day to deploy the Nokoyawa ransomware

In February 2023, Kaspersky technologies detected a series of elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses in the Middle East, North America, and Asia. These exploits closely resembled known Common Log File System (CLFS) driver exploits, prompting further investigation. One exploit was found to be a zero-day, affecting multiple versions of Windows, including Windows 11. The exploit was heavily obfuscated, but Kaspersky reverse-engineered it and reported the findings to Microsoft. The vulnerability was assigned CVE-2023-28252, and a patch was released on April 11, 2023.

Unlike previous zero-days discovered by Kaspersky, this vulnerability was exploited by a sophisticated cybercrime group conducting ransomware attacks. The group has been active since at least June 2022, targeting various industries using five different exploits. The CVE-2023-28252 zero-day was used to deploy the Nokoyawa ransomware.

Nokoyawa ransom note | Image credit: Kaspersky

CLFS is a log file subsystem first introduced in Microsoft Windows Server 2003 R2 / Microsoft Vista and is implemented in the clfs.sys driver. It can be used by any application, and Microsoft provides an API for it. The base log files (.blf) store metadata and can be created using the CreateLogFile function. The API documentation reveals that the technology is quite complex, and with its long development history, it has led to numerous vulnerabilities. At least thirty-two such vulnerabilities have been discovered since 2018, with three detected as zero-days.

CVE-2023-28252 is an out-of-bounds write vulnerability exploitable when the system attempts to extend the metadata block. The exploit uses the vulnerability to corrupt another specially crafted base log file object, enabling kernel read/write privileges. The exploit also leaks addresses of kernel objects to achieve stable exploitation using the NtQuerySystemInformation function.

Fuzzing could have potentially discovered CVE-2023-28252, but the clfs.sys driver code’s extensive use of try/catch blocks may have masked the vulnerability during previous fuzzing attempts. This highlights the need for more effective fuzzing approaches.

Attackers primarily used the elevation-of-privilege exploits to dump the contents of the HKEY_LOCAL_MACHINE\SAM registry hive. They employed Cobalt Strike BEACON as their main tool, launching it with custom loaders to avoid antivirus detection. In some cases, a custom modular backdoor named “Pipemagic” was used before exploiting the CLFS vulnerability. The CVE-2023-28252 zero-day was used to deploy the Nokoyawa ransomware, which has evolved from its early variants based on the JSWorm codebase.

Organizations are urged to apply the patch released by Microsoft for CVE-2023-28252 to protect their systems from potential attacks.