Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks

A Windows zero-day tracked as CVE-2023-28252 and fixed by Microsoft with its April Patch Tuesday updates has been exploited in Nokoyawa ransomware attacks.

A Windows zero-day vulnerability fixed by Microsoft with its April 2023 Patch Tuesday updates has been exploited by cybercriminals in ransomware attacks, according to Kaspersky.

Microsoft’s latest round of security updates addresses roughly 100 vulnerabilities, including CVE-2023-28252, which has been described as a privilege escalation flaw affecting the Windows Common Log File System (CLFS) driver.

Microsoft warned that the vulnerability has been exploited in the wild, but did not share any information on the attacks.

Kaspersky, Mandiant and Chinese cybersecurity firm DBAppSecurity have been credited for reporting CVE-2023-28252, and Kaspersky on Tuesday shared some details about the attacks exploiting the vulnerability.

CLFS is a log file subsystem described by Microsoft as a general-purpose logging service that can be used by software clients running in user- or kernel-mode. The vulnerability affecting CLFS allows an authenticated attacker to elevate privileges to System.

According to Kaspersky, a cybercrime group known for conducting ransomware operations has been exploiting the vulnerability as part of attacks whose goal is to deliver the Nokoyawa ransomware.

“This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries,” Kaspersky noted.

Advertisement. Scroll to continue reading.

The Nokoyawa ransomware family, which is designed to target Windows systems, emerged in February 2022. The malware encrypts files on compromised systems, but the cybercriminals also claim to steal valuable information that they threaten to leak unless a ransom is paid.

Code similarities suggest ties to the Karma and Nemty ransomware families, while attack chain similarities connect it to the notorious Hive operation, disrupted recently by law enforcement. 

Kaspersky has not shared too many details on the vulnerability in an effort to prevent abuse. The company plans on releasing additional information nine days after Patch Tuesday. 

Kaspersky pointed out that dozens of CLFS vulnerabilities were discovered in the past five years and at least three of them — not including CVE-2023-28252 — have been exploited in the wild

Related: Veritas Vulnerabilities Exploited in Ransomware Attacks Added to CISA ‘Must Patch’ List

Related: Patch Tuesday: Microsoft Warns of Exploited Windows Zero-Days

Related: Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.