Microsoft has released a patch for a Windows zero-day vulnerability that has been exploited by cybercriminals in ransomware attacks. The vulnerability, identified as CVE-2023-28252, is a privilege escalation flaw affecting the Windows Common Log File System (CLFS) driver. CLFS is a general-purpose logging service that can be used by dedicated client applications and that multiple clients can share to optimize log access.

The vulnerability allows a local attacker, one who already has code execution on the machine, to elevate privileges to SYSTEM in a low-complexity attack without any user interaction. Microsoft has credited Kaspersky's Boris Larin, Mandiant's Genwei Jiang, and DBAPPSecurity WeBin Lab's Quan Jin for reporting the vulnerability.

Vulnerability used to deploy Nokoyawa ransomware

The vulnerability has been used by a sophisticated cybercriminal group to deploy the Nokoyawa ransomware as a final payload, according to Kaspersky. The group is known for its use of many similar but unique CLFS driver exploits that were likely developed by the same exploit author. "Since at least June 2022, we've identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development, and other industries," Kaspersky said in a blog post.

Nokoyawa ransomware was discovered in February 2022 and shares code with another ransomware family known as Karma. The initial version of the ransomware was written in C; a second version, written in Rust, was discovered in September 2022. The threat group behind the ransomware performs double-extortion attacks: it exfiltrates sensitive information from organizations, then encrypts files and demands a ransom payment, security firm Zscaler said in a blog post.
The CLFS system vulnerability

CVE-2023-28252 is a CLFS vulnerability that can be exploited when the system attempts to extend the metadata block. The vulnerability is triggered by manipulation of the base log file, according to Kaspersky. The exploit uses the vulnerability to corrupt another specially crafted base log file object in such a way that a fake element of the base log file gets treated as a real one.

Attackers use Cobalt Strike Beacon as their main tool. It is launched with a variety of custom loaders aimed at preventing antivirus detection. "In this attack, cybercriminals used a newer version of Nokoyawa that is quite distinct from the JSWorm codebase. It's written in C and has encrypted strings. It was launched with an encrypted json config provided with a '--config' command line argument," Kaspersky said.

Kaspersky said it will add more details about the vulnerability and its triggers nine days after the release of the patch, to ensure that everyone has enough time to patch their systems before other actors develop exploits for CVE-2023-28252.

Several vulnerabilities have been reported in CLFS before. Searching for "Windows Common Log File System Driver Elevation Of Privilege Vulnerability" shows at least 32 such vulnerabilities (not counting CVE-2023-28252) disclosed since 2018, three of which were detected in the wild as zero days (CVE-2022-24521, CVE-2022-37969, CVE-2023-23376), according to Kaspersky.

Microsoft released patches for 96 other security bugs as part of April's Patch Tuesday, including 45 remote code execution vulnerabilities.
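Because Kaspersky is withholding the trigger details for now, the useful check at this stage is whether a given host has the April 2023 fix installed. The following PowerShell script is an added example, not code from the article, Kaspersky or Microsoft. The KB numbers in $PatchedKBs are my understanding of the April 11, 2023 cumulative updates that carry the CLFS fix for common OS builds; treat them as an assumption and confirm them against the MSRC entry for CVE-2023-28252 for each OS build before relying on the result.

```powershell
# Added example (not from the article, Kaspersky or Microsoft): triage one Windows
# host for CVE-2023-28252 exposure. Run in an elevated PowerShell session.
# ASSUMPTION: the KB list below is what I believe to be the April 11, 2023 cumulative
# updates that shipped the CLFS fix; verify it against MSRC for your OS build.
param(
    [string[]] $PatchedKBs = @('KB5025221', 'KB5025224', 'KB5025239',
                               'KB5025230', 'KB5025229', 'KB5025228'),
    [datetime] $PatchDate  = [datetime]'2023-04-11'
)

$driver = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
$os     = Get-CimInstance Win32_OperatingSystem

Write-Host "Host      : $env:COMPUTERNAME"
Write-Host "OS        : $($os.Caption) build $($os.BuildNumber)"

# Record the driver that the patch replaces, so the evidence can be compared
# against the file version Microsoft lists for the fixed build.
if (Test-Path $driver) {
    $item = Get-Item $driver
    Write-Host ("clfs.sys  : file version {0}, last write {1}" -f
        $item.VersionInfo.FileVersion, $item.LastWriteTimeUtc.ToString('u'))
} else {
    Write-Warning "clfs.sys not found at $driver"
}

# Get-HotFix lists installed update packages with their KB id and install date.
$hotfixes = Get-HotFix | Where-Object { $_.InstalledOn }
$matched  = $hotfixes | Where-Object { $PatchedKBs -contains $_.HotFixID }
$later    = $hotfixes | Where-Object {
    $_.InstalledOn -ge $PatchDate -and $_.Description -match 'Security|Update'
}

if ($matched) {
    Write-Host "RESULT    : April 2023 CLFS fix present ($($matched.HotFixID -join ', '))"
} elseif ($later) {
    # Cumulative updates supersede one another: a later one also carries the fix,
    # even though the April KB id itself never appears in Get-HotFix output.
    Write-Host "RESULT    : no listed KB, but updates installed on/after $($PatchDate.ToShortDateString()):"
    $later | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize
    Write-Host "            confirm the OS build number against the MSRC advisory."
} else {
    Write-Warning "RESULT    : no update on/after $($PatchDate.ToShortDateString()) found; host is likely exposed to CVE-2023-28252"
}
```

Run it as an administrator on each host in scope, or push it through your management tooling. Get-HotFix only reports packages present on that host, and since Windows cumulative updates replace earlier ones, a machine that received a later cumulative update is also fixed even though none of the listed KB ids appears; that is why the script reports later updates and asks for a build-number check rather than declaring the host vulnerable outright.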