Microsoft has patched a zero-day vulnerability in the Windows Common Log File System (CLFS), actively exploited by cybercriminals to escalate privileges and deploy Nokoyawa ransomware payloads.
In light of its ongoing exploitation, CISA also added the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities today, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems against it by May 2nd.
Tracked as CVE-2023-28252, this CLFS security flaw was discovered by Genwei Jiang of Mandiant and Quan Jin of DBAPPSecurity’s WeBin Lab.
It affects all supported Windows server and client versions and can be exploited by local attackers in low-complexity attacks without user interaction.
Successful exploitation enables threat actors to gain SYSTEM privileges and fully compromise targeted Windows systems.
Microsoft patched this zero-day and 96 other security bugs as part of this month’s Patch Tuesday, including 45 remote code execution vulnerabilities.
Exploited in ransomware attacks
Security researchers with Kaspersky’s Global Research and Analysis Team (GReAT) also recently found the CVE-2023-28252 flaw exploited in Nokoyawa ransomware attacks.
“Kaspersky researchers uncovered the vulnerability in February as a result of additional checks into a number of attempts to execute similar elevation of privilege exploits on Microsoft Windows servers belonging to different small and medium-sized businesses in the Middle Eastern and North American regions,” the company said in a press release.
“CVE-2023-28252 was first spotted by Kaspersky in an attack in which cybercriminals attempted to deploy a newer version of Nokoyawa ransomware.”
​According to Kaspersky, the Nokoyawa ransomware gang has used other exploits targeting the Common Log File System (CLFS) driver since June 2022, with similar yet distinct characteristics, linking them all to a single exploit developer.
The group has used at least five more CLFS exploits to target multiple industry verticals, including but not limited to retail and wholesale, energy, manufacturing, healthcare, and software development.
Redmond has patched at least 32 local privilege escalation vulnerabilities in the Windows CLFS driver since 2018, with three of them (CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376) also exploited in the wild as zero-days, according to Kaspersky.
“Cybercrime groups are becoming increasingly more sophisticated using zero-day exploits in their attacks,” said lead security researcher Boris Larin.
“Previously it was primarily a tool of Advanced Persistent Threat actors (APTs), but now cybercriminals have the resources to acquire zero-days and routinely use them in attacks.”
Ransomware evolution
Nokoyawa ransomware surfaced in February 2022 as a strain capable of targeting 64-bit Windows-based systems in double extortion attacks, where the threat actors also steal sensitive files from compromised networks and threaten to leak them online unless a ransom is paid.
Nokoyawa shares code with JSWorm, Karma, and Nemty ransomware, and it has been rewritten in Rust as of September 2022, in a switch from the initial Nokoyawa ransomware version, developed using the C programming language.
“Early variants of Nokoyawa were just ‘rebranded’ variants of JSWorm ransomware, which we wrote about previously,” Larin said in today’s report.
“In this attack, cybercriminals used a newer version of Nokoyawa that is quite distinct from the JSWorm codebase.”