Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks

A Windows zero-day tracked as CVE-2023-28252 and fixed by Microsoft with its April Patch Tuesday updates has been exploited in Nokoyawa ransomware attacks.

A Windows zero-day vulnerability fixed by Microsoft with its April 2023 Patch Tuesday updates has been exploited by cybercriminals in ransomware attacks, according to Kaspersky.

Microsoft’s latest round of security updates addresses roughly 100 vulnerabilities, including CVE-2023-28252, which has been described as a privilege escalation flaw affecting the Windows Common Log File System (CLFS) driver.

Microsoft warned that the vulnerability has been exploited in the wild, but did not share any information on the attacks.

Kaspersky, Mandiant and Chinese cybersecurity firm DBAppSecurity have been credited for reporting CVE-2023-28252, and Kaspersky on Tuesday shared some details about the attacks exploiting the vulnerability.

CLFS is a log file subsystem described by Microsoft as a general-purpose logging service that can be used by software clients running in user- or kernel-mode. The vulnerability affecting CLFS allows an authenticated attacker to elevate privileges to System.

According to Kaspersky, a cybercrime group known for conducting ransomware operations has been exploiting the vulnerability as part of attacks whose goal is to deliver the Nokoyawa ransomware.

“This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries,” Kaspersky noted.

The Nokoyawa ransomware family, which is designed to target Windows systems, emerged in February 2022. The malware encrypts files on compromised systems, but the cybercriminals also claim to steal valuable information that they threaten to leak unless a ransom is paid.

Advertisement. Scroll to continue reading.

Code similarities suggest ties to the Karma and Nemty ransomware families, while attack chain similarities connect it to the notorious Hive operation, disrupted recently by law enforcement. 

Kaspersky has not shared too many details on the vulnerability in an effort to prevent abuse. The company plans on releasing additional information nine days after Patch Tuesday. 

Kaspersky pointed out that dozens of CLFS vulnerabilities were discovered in the past five years and at least three of them — not including CVE-2023-28252 — have been exploited in the wild

Related: Veritas Vulnerabilities Exploited in Ransomware Attacks Added to CISA ‘Must Patch’ List

Related: Patch Tuesday: Microsoft Warns of Exploited Windows Zero-Days

Related: Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

Jessica Newman has joined Sophos as General Manager of Global Cyber Insurance.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.