Microsoft has patched a zero-day vulnerability in the Windows Common Log File System (CLFS) that has been actively exploited by cybercriminals to escalate privileges and deploy Nokoyawa ransomware payloads. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their systems against it by May 2nd.
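The practical defender question raised by the KEV listing is "which of my unpatched hosts carry a KEV-listed CVE, and how far past the CISA due date are they?" The script below is an added example (not code from the article, CISA, or Microsoft) that parses a catalog in the KEV JSON layout and triages a host inventory against it. The catalog excerpt and the inventory are constructed for the example from the facts on this page (CVE-2023-28252, Microsoft Windows CLFS, due date 2023-05-02); the `dateAdded` value, the host names and the placeholder `CVE-2023-00000` are assumptions, not data from the page or the real feed.

```python
"""Triage an asset inventory against a catalog in the CISA KEV JSON layout.

Field names (cveID, vendorProject, product, dateAdded, requiredAction, dueDate,
knownRansomwareCampaignUse) follow the public KEV feed. The catalog excerpt and
the inventory below are CONSTRUCTED for this example; dateAdded and the host
names are assumptions, and CVE-2023-00000 is a placeholder for a CVE that is
not in the catalog.
"""
import json

KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "catalogVersion": "example",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-28252",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows CLFS Driver Privilege Escalation Vulnerability",
            "dateAdded": "2023-04-11",  # assumption: Patch Tuesday date, not taken from the page
            "shortDescription": "Local privilege escalation to SYSTEM via the CLFS driver.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-05-02",  # FCEB remediation deadline named in the article
            "knownRansomwareCampaignUse": "Known",  # Nokoyawa, per the article
        }
    ],
})

# Constructed inventory: one exposed host, one already patched host, and one
# host whose finding is not in the catalog and therefore should not be flagged.
INVENTORY = [
    {"host": "srv-01", "cve": "CVE-2023-28252", "patched": False},
    {"host": "srv-02", "cve": "CVE-2023-28252", "patched": True},
    {"host": "ws-07", "cve": "CVE-2023-00000", "patched": False},  # placeholder CVE
]


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index catalog entries by CVE id so lookups are O(1) per asset."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def _iso_to_ordinal(iso_date: str) -> int:
    """Convert YYYY-MM-DD to a day count without pulling in datetime in callers."""
    from datetime import date
    return date.fromisoformat(iso_date).toordinal()


def triage(kev_json: str, inventory: list[dict], today: str) -> list[dict]:
    """Return unpatched KEV-listed findings, most overdue first.

    Ties are broken so that CVEs with known ransomware use sort ahead of others,
    then by host name for stable output.
    """
    kev = load_kev(kev_json)
    today_ord = _iso_to_ordinal(today)
    findings = []
    for asset in inventory:
        if asset["patched"]:
            continue
        entry = kev.get(asset["cve"])
        if entry is None:
            continue  # not KEV-listed: still a finding, but not a KEV deadline item
        due_ord = _iso_to_ordinal(entry["dueDate"])
        findings.append({
            "host": asset["host"],
            "cve": asset["cve"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due_date": entry["dueDate"],
            "days_overdue": max(today_ord - due_ord, 0),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "required_action": entry["requiredAction"],
        })
    findings.sort(key=lambda f: (-f["days_overdue"], not f["ransomware"], f["host"]))
    return findings


if __name__ == "__main__":
    for finding in triage(KEV_JSON, INVENTORY, "2023-05-10"):
        print(json.dumps(finding, indent=2))
```

In production the catalog string would be fetched from CISA's published JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and the inventory from a vulnerability scanner export; the triage logic is unchanged. Hosts whose CVE is absent from the catalog are deliberately dropped here rather than treated as safe: the KEV due date is a floor for prioritisation, not a statement that everything else can wait.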
The CLFS security flaw, tracked as CVE-2023-28252, was discovered by Genwei Jiang of Mandiant and Quan Jin of DBAPPSecurity's WeBin Lab. It affects all supported Windows server and client versions and can be exploited by local attackers in low-complexity attacks without user interaction. Successful exploitation allows threat actors to gain SYSTEM privileges and fully compromise targeted Windows systems. Microsoft patched this zero-day and 96 other security bugs as part of this month's Patch Tuesday, which included 45 remote code execution vulnerabilities.
Kaspersky's Global Research and Analysis Team (GReAT) recently found the CVE-2023-28252 flaw being exploited in Nokoyawa ransomware attacks. In a press release, Kaspersky stated, "researchers uncovered the vulnerability in February as a result of additional checks into a number of attempts to execute similar elevation of privilege exploits on Microsoft Windows servers belonging to different small and medium-sized businesses in the Middle Eastern and North American regions." Kaspersky first spotted CVE-2023-28252 being exploited in an attack in which cybercriminals attempted to deploy a newer version of Nokoyawa ransomware.
According to Kaspersky, the Nokoyawa ransomware gang has used other exploits targeting the Common Log File System (CLFS) driver since June 2022, with similar yet distinct characteristics, linking them all to a single exploit developer. The group has used at least five more CLFS exploits to target multiple industry verticals, including but not limited to retail and wholesale, energy, manufacturing, healthcare, and software development. Since 2018, Microsoft has patched at least 32 local privilege escalation vulnerabilities in the Windows CLFS driver, with three of them (CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376) also exploited in the wild as zero-days, according to Kaspersky.
Boris Larin, lead security researcher at Kaspersky, said, "Cybercrime groups are becoming increasingly more sophisticated using zero-day exploits in their attacks. Previously it was primarily a tool of Advanced Persistent Threat actors (APTs), but now cybercriminals have the resources to acquire zero-days and routinely use them in attacks." Nokoyawa ransomware emerged in February 2022 as a strain targeting 64-bit Windows systems in double extortion attacks, in which the threat actors also steal sensitive files from compromised networks and threaten to leak them online unless a ransom is paid. Nokoyawa shares code with JSWorm, Karma, and Nemty ransomware; as of September 2022 it has been rewritten in Rust, replacing the initial Nokoyawa version, which was written in C. Larin added, "Early variants of Nokoyawa were just 'rebranded' variants of JSWorm ransomware. In this attack, cybercriminals used a newer version of Nokoyawa that is quite distinct from the JSWorm codebase."