A Windows zero-day vulnerability fixed by Microsoft with its April 2023 Patch Tuesday updates has been exploited by cybercriminals in ransomware attacks, according to Kaspersky.
Microsoft’s latest round of security updates addresses roughly 100 vulnerabilities, including CVE-2023-28252, which has been described as a privilege escalation flaw affecting the Windows Common Log File System (CLFS) driver.
Microsoft warned that the vulnerability has been exploited in the wild, but did not share any information on the attacks.
Kaspersky, Mandiant and Chinese cybersecurity firm DBAppSecurity have been credited for reporting CVE-2023-28252, and Kaspersky on Tuesday shared some details about the attacks exploiting the vulnerability.
CLFS is a log file subsystem described by Microsoft as a general-purpose logging service that can be used by software clients running in user- or kernel-mode. The vulnerability affecting CLFS allows an authenticated attacker to elevate privileges to System.
According to Kaspersky, a cybercrime group known for conducting ransomware operations has been exploiting the vulnerability as part of attacks whose goal is to deliver the Nokoyawa ransomware.
“This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries,” Kaspersky noted.
The Nokoyawa ransomware family, which is designed to target Windows systems, emerged in February 2022. The malware encrypts files on compromised systems, but the cybercriminals also claim to steal valuable information that they threaten to leak unless a ransom is paid.
Code similarities suggest ties to the Karma and Nemty ransomware families, while attack chain similarities connect it to the notorious Hive operation, disrupted recently by law enforcement.
Kaspersky has not shared too many details on the vulnerability in an effort to prevent abuse. The company plans on releasing additional information nine days after Patch Tuesday.
Kaspersky pointed out that dozens of CLFS vulnerabilities were discovered in the past five years and at least three of them — not including CVE-2023-28252 — have been exploited in the wild.
Related: Veritas Vulnerabilities Exploited in Ransomware Attacks Added to CISA ‘Must Patch’ List
Related: Patch Tuesday: Microsoft Warns of Exploited Windows Zero-Days
Related: Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
