Microsoft has fixed a zero-day vulnerability in the Windows Common Log File System (CLFS) that cybercriminals were actively exploiting to escalate privileges and deploy Nokoyawa ransomware payloads. The vulnerability, tracked as CVE-2023-28252, was discovered by researchers from Mandiant and DbAppSecurity, and affects all supported server and client versions of Windows. The flaw can be used in low-complexity attacks by local attackers without any user interaction. Successful exploitation allows cybercriminals to gain SYSTEM privileges and fully compromise the targeted Windows systems.
Kaspersky Lab researchers warned that the vulnerability was being exploited by the Nokoyawa ransomware gang. The group has reportedly used at least five other CLFS exploits in attacks against several industries, including retail and wholesale, energy, and healthcare. Nokoyawa ransomware first appeared in February 2022 and uses a double-extortion model against 64-bit Windows systems, stealing confidential files from compromised networks and threatening to leak them if the ransom is not paid. Early Nokoyawa builds were simply a rebrand of the JSWORM ransomware, while the newer Nokoyawa version differs significantly from the JSWORM codebase.
As part of its Patch Tuesday updates, Microsoft fixed CVE-2023-28252 along with 96 other security flaws, including 45 remote code execution vulnerabilities. Because the flaw is being exploited in the wild, CISA added it to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems against it by May 2nd. Kaspersky's security researchers discovered the vulnerability in February while performing additional checks on a series of attempted privilege-escalation exploits against Microsoft Windows servers belonging to various small and medium-sized businesses in the Middle East and North America.
The vulnerability discovered by Mandiant and DbAppSecurity enabled cybercriminals to gain SYSTEM privileges and fully compromise the targeted Windows systems. Microsoft has fixed the vulnerability, but users are still urged to update their systems promptly to avoid further attacks.