
CVE-2023-28252: Windows Zero-Day Vulnerability Exploited in Nokoyawa Ransomware Attacks

Microsoft has patched an actively exploited zero-day vulnerability in the Windows Common Log File System (CLFS) driver that allows attackers to elevate privileges to SYSTEM on target machines and deploy Nokoyawa ransomware payloads. CISA added the flaw, tracked as CVE-2023-28252 (CVSSv3 score: 7.8 – High), to its Known Exploited Vulnerabilities (KEV) catalog and ordered FCEB agencies to secure their systems against it. The vulnerability affects all supported Windows server and client versions and can be exploited by local attackers in low-complexity attacks without user interaction.

Exploited with Nokoyawa ransomware

This zero-day was used by a sophisticated cybercrime group that carries out ransomware attacks. Security researchers found that the gang has used other exploits targeting the CLFS driver since June 2022, with similar but distinct characteristics that were likely developed by the same exploit author. Researchers have identified five different CLFS exploits used by the group in attacks on the retail and wholesale, energy, manufacturing, healthcare, software development and other industries.

Nokoyawa ransomware surfaced in February 2022 as a strain capable of targeting 64-bit Windows systems in double-extortion attacks: the threat actors also steal sensitive files from compromised networks and threaten to leak them online unless a ransom is paid. Nokoyawa shares code with JSWorm, Karma, and Nemty ransomware and has since been rewritten in Rust. The CVE-2023-28252 zero-day was used to deploy a Nokoyawa variant that evolved from the early versions built on the JSWorm codebase.

Victimology

The vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

Recommendation

Organizations are urged to apply the patch released by Microsoft for CVE-2023-28252 to protect their systems from potential attacks.
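As an added example (not part of this advisory), the following PowerShell script reports the state of the CLFS driver on a host and checks whether any of a list of Microsoft update KBs is installed. The KB identifier in `$RequiredKbs` is a placeholder: take the real KB numbers for each OS build from Microsoft's CVE-2023-28252 advisory before running it.

```powershell
# Added example, not from the advisory: report the CLFS driver state and
# check whether a required Microsoft update is installed on this host.
# $RequiredKbs holds a PLACEHOLDER; fill it from Microsoft's CVE-2023-28252
# advisory for the OS build you are checking.
param(
    [string[]]$RequiredKbs = @('KB0000000')   # PLACEHOLDER, not a real KB
)

function Get-ClfsDriverInfo {
    # The patch replaces the CLFS driver, so its file version and timestamp
    # are the most direct evidence of whether the fix is present.
    $path = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
    $item = Get-Item -LiteralPath $path -ErrorAction Stop
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OsCaption    = $os.Caption
        OsBuild      = $os.BuildNumber
        ClfsPath     = $path
        ClfsVersion  = $item.VersionInfo.FileVersion
        ClfsModified = $item.LastWriteTimeUtc
    }
}

function Test-ClfsPatchInstalled {
    param([string[]]$Kbs)
    # Get-HotFix reads Win32_QuickFixEngineering and can miss some updates,
    # so treat a negative result as "verify the driver version", not proof.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        RequiredKbs  = ($Kbs -join ',')
        InstalledKbs = ($hits -join ',')
        Patched      = ($hits.Count -gt 0)
    }
}

$info   = Get-ClfsDriverInfo
$status = Test-ClfsPatchInstalled -Kbs $RequiredKbs
$info   | Format-List
$status | Format-List
if (-not $status.Patched) {
    Write-Warning "No required CLFS update found on $env:COMPUTERNAME; apply the CVE-2023-28252 patch."
    exit 1
}
```

Run it under an account that can read the driver directory and compare the reported clfs.sys version against the fixed version Microsoft lists for your build.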

IOCs