
Target Industry

The following industry sectors have been targeted as of the time of writing:

– Retail and wholesale
– Energy
– Manufacturing
– Healthcare
– Software development.

Overview

As part of the Microsoft Patch Tuesday for April 2023, an actively exploited zero-day vulnerability was listed amongst the security flaws addressed by Microsoft. The zero-day flaw, tracked as CVE-2023-28252 (CVSSv3 Score: 7.8), is a Windows Common Log File System Driver Elevation of Privilege (EoP) vulnerability. Although actively exploited in the wild, a Proof-of-Concept (PoC) has yet to be released.

Exploitation of the vulnerability was initially detected in February 2023 by a threat group that was discovered to have used a substantial number of unique Common Log File System (CLFS) driver exploits, likely developed by the same exploit author. To exploit the vulnerability, the threat actor must already be authenticated with user access and be able to execute code on the target system; the elevation-of-privilege (EoP) exploit is launched from that foothold.

Impact

Successful exploitation of CVE-2023-28252 allows a threat actor to obtain SYSTEM privileges via the vulnerability in the Windows Common Log File System driver.

Vulnerability Detection

A security patch has been released by Microsoft. Unpatched versions therefore remain vulnerable to potential exploitation.

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats such as Nokoyawa. EDRs can alert system users of potential breaches and prevent further progress prior to the malware causing significant damage.

Affected Products

– Windows Server 2012 R2 (Server Core installation)
– Windows Server 2012 R2
– Windows Server 2012 (Server Core installation)
– Windows Server 2012
– Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
– Windows Server 2008 R2 for x64-based Systems Service Pack 1
– Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
– Windows Server 2008 for x64-based Systems Service Pack 2
– Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
– Windows Server 2008 for 32-bit Systems Service Pack 2
– Windows Server 2016 (Server Core installation)
– Windows Server 2016
– Windows 10 Version 1607 for x64-based Systems
– Windows 10 Version 1607 for 32-bit Systems
– Windows 10 for x64-based Systems
– Windows 10 for 32-bit Systems
– Windows 10 Version 22H2 for 32-bit Systems
– Windows 10 Version 22H2 for ARM64-based Systems
– Windows 10 Version 22H2 for x64-based Systems
– Windows 11 Version 22H2 for x64-based Systems
– Windows 11 Version 22H2 for ARM64-based Systems
– Windows 10 Version 21H2 for x64-based Systems
– Windows 10 Version 21H2 for ARM64-based Systems
– Windows 10 Version 21H2 for 32-bit Systems
– Windows 11 version 21H2 for ARM64-based Systems
– Windows 11 version 21H2 for x64-based Systems
– Windows 10 Version 20H2 for ARM64-based Systems
– Windows 10 Version 20H2 for 32-bit Systems
– Windows 10 Version 20H2 for x64-based Systems
– Windows Server 2022 (Server Core installation)
– Windows Server 2022
– Windows Server 2019 (Server Core installation)
– Windows Server 2019
– Windows 10 Version 1809 for ARM64-based Systems
– Windows 10 Version 1809 for x64-based Systems
– Windows 10 Version 1809 for 32-bit Systems

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patches are applied to the respective Microsoft products. The patches can be found directly at the [Microsoft Patch Tuesday April 2023 Security Guide](https://msrc.microsoft.com/update-guide/en-us).

As stated previously, one main method of reducing the threat of ransomware is to detect it in the early stages using an effective and monitored EDR solution. An effective EDR tool will increase detection of malicious attempts at ransomware compromise and halt them if detected. Organisations can also perform routine back-ups of sensitive data that is required to operate business affairs. It is also strongly recommended that an offline copy is retained, in the event that back-ups are impacted by the attack. Therefore, if a breach occurs and the business can no longer function, a back-up is ready to use, and the business can continue to operate with minimal disruption. However, this does not nullify the fact that customer and employee data may have also been lost, and potentially released at will by the threat actor if ransom demands are not met.

It is also strongly recommended that organisations follow the mitigation steps outlined below to reduce the risk of being subjected to a ransomware attack:

– Ensure copies of critical data are in the cloud, on an external hard drive or storage device. This information should not be accessible from the compromised network.
– Secure back-up copies and ensure that data is not accessible for modification or deletion from the system where the data resides.
– Enforce multi-factor authentication (MFA) with strong passwords, including for remote access services.
– Ensure that computers, devices, and applications have been patched.
– Monitor cyber threat reporting regarding the publication of compromised Virtual Private Network (VPN) login credentials.
– Consider adding an email banner to emails received from outside the organisation.
– Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/Remote Desktop Protocol logs.
– Audit user accounts with administrative privileges and configure access controls in accordance with the principle of least privilege.
– Implement network segmentation.

Indicators of Compromise

Associated files:
– C:\Users\Public\.container*
– C:\Users\Public\MyLog*.blf
– C:\Users\Public\p_*

Associated file hashes (MD5):
– 46168ed7dbe33ffc4179974f8bf401aa
– 1e4dd35b16ddc59c1ecf240c22b8a4c4
– f23be19024fcc7c8f885dfa16634e6e7
– a2313d7fdb2f8f5e5c1962e22b504a17
– 8800e6f1501f69a0a04ce709e9fa251c

Associated command and control (C2) domains:
– vnssinc[.]com
– qooqle[.]top
– vsexec[.]com
– devsetgroup[.]com

Threat Landscape

Ransomware continues to be one of the most prominent threats facing the private sector. The frequency of reported campaigns indicates that the threat is growing as criminal groups become comfortable demanding ever-increasing ransom fees. Advanced Persistent Threat (APT) groups do not often exploit zero-day vulnerabilities within their attack chain. However, financially motivated cybercriminal groups are continuously gathering the resources required to exploit unknown vulnerabilities and routinely use them in their campaigns. Additionally, exploit developers are now willing to aid such groups by producing exploits for these vulnerabilities.

Last month, Microsoft published remediations for 83 security flaws in the March 2023 Patch Tuesday release, including two actively exploited zero-day vulnerabilities. Moving into the April disclosure, privilege escalation continues to be a leading attack vector, ranked second highest behind remote code execution (RCE) vulnerabilities. Further, information disclosure, denial-of-service and spoofing vulnerability cases continue to account for a similar proportion of reported security flaws compared to March 2023. April is the third consecutive month in which at least one of the vulnerabilities in a Patch Tuesday release had been exploited in the wild prior to disclosure.

Threat Group

A threat actor has been reported to have exploited CVE-2023-28252 to deploy the Nokoyawa ransomware variant on systems belonging to small to medium-sized organisations in the US, the Middle East, and Asia. At the time of writing, it has yet to be confirmed as to which ransomware gang has deployed the Nokoyawa variant. Although a dedicated Nokoyawa ransomware group exists, several notorious ransomware operators use the Nokoyawa variant, including: AvosLocker, Black Basta, BlackCat, and Royal.

Quorum Cyber Actions

A threat hunt will be conducted for all SOC customers using the available Indicators of Compromise (IoCs) relating to the exploitation of CVE-2023-28252 to deploy Nokoyawa ransomware.

Mitre Methodologies

Tactics:
TA0004 – Privilege Escalation

Further Information

Microsoft Advisory
Kaspersky Analysis
