CVE-2023-28252 Exploited by Nokoyawa Ransomware
Microsoft on this month patch Tuesday has released a patch for a Windows Zeroday vulnerability that has been exploited by cybercriminals in ransomware attacks. The vulnerability identified as CVE-2023-28252 is a privilege escalation flaw affecting the Windows Common Log File System (CLFS) driver.
CLFS is a general-purpose logging service that can be used by dedicated client applications and that multiple clients can share to optimize log access. The vulnerability allows an attacker to elevate privileges to the system in low-complexity attacks without any user interaction.
The vulnerability has been used by a sophisticated cybercriminal group to deploy the Nokoyawa ransomware as a final payload. They are known for its use of many similar but unique CLFS driver exploits that were likely developed by the same exploit author.
Nokoyawa ransomware was discovered in February 2022, sharing code with another ransomware family known as Karma. The initial version of the ransomware was written in C programming language, and a second version of the ransomware was discovered in September 2022, written in Rust programming language.
The threat group behind the ransomware performs double extortion ransomware attacks: exfiltrating sensitive information from organizations, followed by file encryption and a ransom payment demand, security firm.
The vulnerability gets triggered by the manipulation of the base log file. The exploit uses the vulnerability to corrupt another specially crafted base log file object in a way that a fake element of the base log file gets treated as a real one.
Attackers use Cobalt Strike Beacon as their main tool. It’s launched with a variety of custom loaders aimed at preventing antivirus detection.
More details about the vulnerability is still awaited giving the room for patching. This is to ensure that everyone has enough time to patch their systems before other actors develop exploits for CVE-2023-28252.