Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks

April 12, 2023

A Windows zero-day vulnerability, tracked as CVE-2023-28252, has been fixed by Microsoft in its April 2023 Patch Tuesday updates. The vulnerability has been exploited by cybercriminals in ransomware attacks, according to Kaspersky. Microsoft's latest security updates address around 100 vulnerabilities, including CVE-2023-28252, which is described as a privilege escalation flaw affecting the Windows Common Log File System (CLFS) driver. Microsoft warned that the vulnerability has been exploited in the wild but did not share any information on the attacks. Kaspersky, Mandiant, and Chinese cybersecurity firm DBAppSecurity have been credited for reporting CVE-2023-28252, and Kaspersky shared some details about the attacks exploiting the vulnerability on Tuesday.

The CLFS is a log file subsystem described by Microsoft as a general-purpose logging service that can be used by software clients running in user- or kernel-mode. The vulnerability affecting CLFS allows an authenticated attacker to elevate privileges to System. Kaspersky revealed that a cybercrime group known for conducting ransomware operations has been exploiting the vulnerability as part of attacks whose goal is to deliver the Nokoyawa ransomware. Kaspersky noted, “This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries.”

The Nokoyawa ransomware family, designed to target Windows systems, emerged in February 2022. The malware encrypts files on compromised systems, but the cybercriminals also claim to steal valuable information that they threaten to leak unless a ransom is paid. Code similarities suggest ties to the Karma and Nemty ransomware families, while attack chain similarities connect it to the notorious Hive operation, which was recently disrupted by law enforcement.

Kaspersky has not shared too many details on the vulnerability in an effort to prevent abuse. The company plans on releasing additional information nine days after Patch Tuesday. Kaspersky pointed out that dozens of CLFS vulnerabilities were discovered in the past five years and at least three of them — not including CVE-2023-28252 — have been exploited in the wild.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.