The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2024

Research

Attackers Exploit Windows Vulnerability to Deliver Nokoyawa Ransomware

Executive Summary

  • On April 11, security researchers announced the discovery of CVE-2023-28252, a zero-day vulnerability under active exploitation by a sophisticated cybercriminal group.
  • The vulnerability affects all versions of Windows and could therefore be quite widespread; however, a patch is available.
  • The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team leveraged SecurityScorecard’s Attack Surface Intelligence tool and its exclusive access to network flow (NetFlow) data to identify possible activity linked to the group exploiting the vulnerability.
  • Attack Surface Intelligence identified a population of servers the vulnerability might affect, but the available NetFlow data did not offer clear evidence of activity linked to the group exploiting it.
    • Other traffic data may reflect suspicious activity but does not offer clear evidence of a successful attack by the same cybercriminal group discussed in the report that first identified CVE-2023-28252.

Background

On April 11, security researchers announced the discovery of CVE-2023-28252, a zero-day vulnerability encountered while investigating a series of attempts to exploit similar vulnerabilities intended to culminate in the deployment of the Nokoyawa strain of ransomware. Microsoft issued a software update addressing the vulnerability in its Patch Tuesday release on the same day.

CVE-2023-28252 affects the Common Log File System (CLFS) driver in all current Windows versions using the driver. CLFS vulnerabilities are fairly common. Before this newest one, researchers had already disclosed thirty-two vulnerabilities affecting CLFS since 2018, and have even observed threat actors exploiting five different CLFS vulnerabilities to deliver the same payload (Nokoyawa ransomware) since 2022 alone. Like CVE-2023-28252, three of these earlier vulnerabilities used to deliver Nokoyawa (CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376) were zero-days detected in the wild.

The April 11 report additionally notes that the most recent activity had targeted small and medium businesses in the Middle East, North America, and Asia. It further situates CVE-2023-28252 within the attackers’ larger campaign; the vulnerability can enable privilege escalation, but attackers must first have initial access to a target system to exploit it. After exploitation, attackers must still establish command and control (C2) communications before finally delivering and deploying the Nokoyawa strain of ransomware. The report provides additional indicators of compromise (IoCs) related to these and other stages of the campaign, including the Cobalt Strike Beacon domains used for C2.

Methodology

To identify possible targets, STRIKE Team researchers searched Attack Surface Intelligence for possible targets for exploitation of CVE-2023-28252. While simply searching for all IP addresses where Windows is in use would return more results than researchers could feasibly study, by querying Attack Surface Intelligence for specific Windows products, rather than the Windows operating system in general, and then narrowing the results by region, based on the above notes regarding Kaspersky’s targeting, researchers could identify a group of IP addresses for which they could collect a traffic sample.

Researchers queried Attack Surface Intelligence with each product name specified in Microsoft’s update guide for CVE-2023-28252. The search returned the following results:

  • product:’Windows Server 2012 R2′: all of this query’s results are located in China. Given that the original report noted that some of the activity related to the exploitation of the vulnerability targeted organizations located in Asia, researchers accepted all of these IP addresses as possible targets.
  • product:’Windows 10′: returned results in both the United States and the United Kingdom. Because the report noted that some of the activity had targeted North American organizations, researchers narrowed these results to those in the United States with the following query: (and country_name:’United States’ product:’Windows 10′)
  • product:’Windows Server 2019′:  all of this query’s results are located in Singapore. Given that the original report noted that some of the activity related to the exploitation of the vulnerability targeted organizations located in Asia, researchers accepted all of these IP addresses as possible targets.

Researchers then collected a two-month sample (February 13, 2023-April 13, 2023) of traffic involving these potential target IP addresses using a strategic partner’s NetFlow data.

They next used the same partner data source to collect a sample of DNS queries, PDNS data, and HTTP requests containing the domains listed as IoCs. DNS queries involving the IoC domains, which the report identified as Cobalt Strike Beacon domains, could reflect the use of Cobalt Strike’s DNS Beacon feature. The PDNS information identified the IP addresses to which these domains had resolved recently, allowing researchers to identify other possible C2 communications in the sample of traffic involving possible target IP addresses by searching for the IP addresses hosting the Cobalt Strike Beacon domains in the possible target IP addresses’ traffic sample.

Finally, researchers focused on the largest transfers of data in the traffic sample because large data transfers are a common feature of ransomware and other data extortion attacks, and could represent data exfiltration.

Findings

The IP addresses to which the Beacon domains resolve are:

  • 91.213.50[.]95
  • 77.91.85[.]130
  • 84.32.188[.]217
  • 20.69.178[.]82
  • 15.197.130[.]221
  • 5.230.74[.]249

None of these IP addresses appeared in the traffic sample involving possible target IP addresses.

The results of the DNS and HTTP queries enabled researchers to identify a previously unspecified dimension of the TTPs employed by the threat actors responsible for this campaign. The results suggest that, at least recently, they specifically use Cobalt Strike’s DNS Beacon rather than Cobalt Strike’s HTTP-based C2 features (the previous report on the activity simply noted that the group used Cobalt Strike without further details). The attempt at collecting a two-month sample of HTTP requests containing the Beacon domains returned no results. But, a similar attempt for DNS queries returned 166 results.

In the DNS query results, all of the source IP addresses belong to Cloudflare, all queried the same domain (qooqle[.]top, which resolves to 5.230.74[.]249 as of April 17), and all went to the same destination IP, 64.32.22[.]100. Attack Surface Intelligence additionally identifies visit[.]keznews[.]com as 64.32.22[.]100’s hostname. A discussion from December 2021 noted that that hostname led to a phishing site. While this does not indicate that 64.32.22[.]100 is involved in the same activity as discussed in the report on the exploitation of CVE-2023-28252, it may nonetheless suggest links to other suspicious activity.

The sample of traffic involving possibly vulnerable IP addresses contained a total of  305,644 flows. Of these, the largest (those transferring 10 MB or more) featured fifty-eight unique IP addresses. According to VirusTotal, vendors have linked twenty-two of these to malicious activity. These transfers may reflect exfiltration, but could also reflect more benign activity. The vendor-detected IP addresses involved in these transfers are available in an appendix below.

Mitigations

Microsoft included an update addressing CVE-2023-28252 in its April 11 Patch Tuesday release, so we advise that all Windows users apply it.

Conclusion

The exploitation and discovery of CVE-2023-28252 may be representative of a wider trend, which the exploitation of previous CLFS vulnerabilities by the same group may also suggest. They may indicate an increasing tendency among threat actors, also reflected in the frequent sale of new vulnerabilities on forums such as Exploit and XSS, to exploit or otherwise monetize zero-day vulnerabilities more shortly after their discovery.

APPENDIX: VENDOR-DETECTED IP ADDRESSES INVOLVED IN LARGE DATA TRANSFERS

  • 167.71.185[.]75
  • 142.93.79[.]172
  • 167.99.36[.]92
  • 143.198.4[.]69
  • 68.183.148[.]4
  • 143.198.179[.]104
  • 68.183.44[.]164
  • 188.166.25[.]179
  • 143.198.18[.]160
  • 134.209.181[.]25
  • 178.62.211[.]234
  • 138.197.12[.]142
  • 146.190.199[.]58
  • 146.190.20[.]13
  • 64.227.67[.]229
  • 167.71.88[.]191
  • 138.197.97[.]155
  • 134.209.208[.]100
  • 139.59.179[.]152
  • 167.172.157[.]98
  • 159.203.106[.]175
  • 165.227.131[.]14