Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa Ransomware Group

Vulnerability CVE-2023-28252

CVE-2023-28252 is a Common Log File System (CLFS) elevation-of-privilege
vulnerability for which Microsoft released a patch on April 11, 2023. The
vulnerability enables an attacker with user access to execute code in the target
system with elevated privileges. This vulnerability targets Common Log File
System, which is a log file subsystem utilized by kernel-mode and user-mode
applications to construct high-performance transaction logs.
Any application on the system that employs Microsoft-provided APIs can use the
CLFS filesystem.
Microsoft has provided the CreateLogFile function for creating or opening log
files. The log comprises a base log file (.blf), which is a master file containing
metadata and various containers that hold the actual data. The format of the blf
file is not documented, and users should only interact with the log file using the
CLFS API file. The primary drawback of using the blf file is that it contains kernel
structure as is and has fields that store memory pointers which could lead to
arbitrary code execution.
CVE-2023-28252 is an out-of-bound write vulnerability that can be abused when
the system attempts to extend the metadata block of the base log file. The
exploit leverages this vulnerability to tamper with another log file by
manipulating it and adding specially crafted elements in the base log file, which
are then treated as original.

For example, Kaspersky explains that the _CLFS_CONTAINER_CONTEXT structure
is stored in the base log file and has a field for storing a kernel pointer. By
changing the memory offset pointing to the valid _CLFS_CONTAINER_CONTEXT
structure to an offset pointing to malicious _CLFS_CONTAINER_CONTEXT
structure, it will result in directing pointer to a controller memory in a user level
and obtain kernel read/write privilege
Nokoyawa ransomware

The Nokoyawa ransomware surfaced in February 2022 and utilized the double
extortion ransomware technique. The group extracts sensitive information from
their victims and encrypts the data to demand a ransom from them.
Prior to deploying the ransomware in the system, the Threat Actors (TAs)
inserted a cobalt strike beacon and executed several other malicious actions for
lateral movement and data exfiltration. The ultimate payload of the attackers is
the Nokoyawa ransomware binary to encrypt the data for ransom.
The Nokoyawa ransomware was initially coded in the C programming language;
however, in September 2022, it was re-coded in the Rust programming
language. Several versions of the Nokoyawa ransomware exist with various
modes of operation.