A report recently released by Kaspersky Labs has detailed a threat actor making use of a CLFS (Common Log File System) exploit to escalate privileges. The group to which Kaspersky attributed this attack is well known for its many distinct but similar CLFS driver exploits, which likely come from the same exploit developer. Kaspersky's working theory is that the privilege escalation was used to dump the contents of the HKEY_LOCAL_MACHINE\SAM registry hive to continue the attack. After reviewing this exploit, Kaspersky submitted their analysis to Microsoft for review. Microsoft promptly assigned CVE-2023-28252 to the vulnerability and patched it on April 11, 2023, as part of the April Patch Tuesday.
Regardless of a cybercriminal's sophistication, there is significant overlap between their goals and the techniques they use to achieve them. In this instance, the attackers used a previously unknown procedure to escalate their privileges and then performed OS Credential Dumping, a well-known technique tracked by MITRE as T1003.002. Despite the use of a zero-day, the follow-up activity is simple to detect with proper logging or an EDR (Endpoint Detection and Response) tool, and detecting it can give a security team the critical time they need to get ahead of a ransomware attack. Binary Defense's Managed Detection and Response service gives teams that crucial time in the worst-case scenario.
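The detection opportunity described above, as an added example that is not part of the original post or of any Binary Defense tooling: a small Python detector that reads process-creation events and flags any command line that references the HKEY_LOCAL_MACHINE\SAM hive, tagging the hit with T1003.002. The event lines are constructed for this example in a simplified Sysmon-style `key=value|key=value` layout; the field names (`EventID`, `Image`, `CommandLine`, `User`) and the sample values are assumptions, not real telemetry from the incident.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed process-creation events (Sysmon EventID 1 style). Not real telemetry;
# the layout, field names and users are assumptions made for this example.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs|User=NT AUTHORITY\SYSTEM",
    r"EventID=1|Image=C:\Windows\System32\reg.exe|CommandLine=reg query HKLM\Software\Microsoft\Windows\CurrentVersion|User=CORP\alice",
    r"EventID=1|Image=C:\Windows\System32\reg.exe|CommandLine=reg save HKLM\SAM C:\Users\Public\out.hiv|User=NT AUTHORITY\SYSTEM",
    r"EventID=3|Image=C:\Windows\System32\reg.exe|DestinationIp=10.0.0.5|User=CORP\bob",
]

# Matches either spelling of the SAM hive path, case-insensitively.
# The literal backslash is escaped once for the regex engine.
SAM_HIVE_RE = re.compile(r"\b(hklm|hkey_local_machine)\\sam\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value|key=value' line into a dict.

    partition() is used so a value may itself contain '=' (e.g. in a command line).
    """
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


@dataclass
class Alert:
    user: str
    image: str
    command_line: str
    technique: str = "T1003.002"  # MITRE ATT&CK: OS Credential Dumping, Security Account Manager


def detect_sam_hive_access(lines: List[str]) -> List[Alert]:
    """Return one Alert per process-creation event whose command line names the SAM hive."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue  # only process-creation events carry a command line
        cmd = ev.get("CommandLine", "")
        if SAM_HIVE_RE.search(cmd):
            alerts.append(Alert(ev.get("User", "?"), ev.get("Image", "?"), cmd))
    return alerts


if __name__ == "__main__":
    for alert in detect_sam_hive_access(SAMPLE_EVENTS):
        print(f"[{alert.technique}] user={alert.user} image={alert.image} cmd={alert.command_line}")
```

Two caveats for anyone adapting this to real logs: Windows Security event 4688 only includes the command line when the "Include command line in process creation events" audit policy is enabled (Sysmon EventID 1 records it by default), and a command-line match is only one signal, so it should sit alongside file-access or EDR telemetry on the hive files themselves rather than stand alone.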