Zero-day exploits of ransomware operators (Windows OS)
In February 2023, I discovered a number of attempts to execute a 0-day elevation of privilege exploit on Microsoft Windows servers owned by various companies around the world. This exploit used a previously unknown vulnerability in the Common Log File System (CLFS) driver and supported the latest versions/builds of Windows OS (including Windows 11). The vulnerability was assigned CVE-2023-28252 and fixed after my prompt report to Microsoft. Further analysis showed that this exploit was used by a sophisticated group of cybercriminals who are conducting ransomware attacks and have used at least five different Common Log File System (CLFS) vulnerabilities since June 2022. Some of them were confirmed to be 0-days.
In this presentation, I will share an in-depth analysis of:
- The internals of the Common Log File System (CLFS) driver and the main reasons why it has been exploited so often lately
- The root cause of the five vulnerabilities used by attackers and their exploitation
- Techniques used by attackers and new exploit mitigations from Microsoft
I will also share the tactics, techniques, and procedures (TTPs) of the attackers and how the usage of these and similar exploits can be detected.
Mr. Boris Larin
Boris Larin, Principal Security Researcher, Kaspersky, Twitter: @oct0xor
Boris is a Principal Security Researcher in the Global Research & Analysis Team (GReAT) at Kaspersky. In his current role, Boris is responsible for finding zero-days exploited in the wild. He has discovered a number of large APT attacks and reported 15 zero-day exploits used in the wild in different malware campaigns. Outside of work, Boris is very passionate about reverse engineering, vulnerability research and video games. Previously, Boris was the first researcher recognized in Sony PlayStation’s bug bounty program on HackerOne after discovering critical vulnerabilities in the firmware of PlayStation 3 & 4. He also makes “impossible” modifications for video games – he reverse engineered and rewrote Metal Gear Solid 2 to add a full-fledged third-person camera to the game. He has presented his research at many conferences, such as CanSecWest, Security Analyst Summit (SAS), BlueHat, TyphoonCon, CodeBlue, Chaos Communication Congress and OffensiveCon.