



In February, Kaspersky experts discovered an attack leveraging a zero-day vulnerability in the Microsoft Windows Common Log File System (CLFS).

Cybercrime groups attempted to deploy the Nokoyawa ransomware using exploits developed for various versions and builds of Windows, including Windows 11. Microsoft assigned CVE-2023-28252 to this vulnerability and patched it as part of Patch Tuesday.

Threat actors have attempted similar elevation-of-privilege exploits in attacks on various small businesses in the Middle East and North America, and previously in Asia.

While most of the vulnerabilities Kaspersky discovers are used by APTs, this one was found being exploited for cybercriminal purposes by a sophisticated group conducting ransomware attacks. The group is notable for its use of a series of similar but distinct CLFS exploits: Kaspersky has seen at least five exploits of this kind. They were used in attacks against retail and wholesale, energy, manufacturing, healthcare, software development and other industries.

Microsoft has assigned CVE-2023-28252 to the discovered zero-day. It is a privilege escalation vulnerability in the Common Log File System, triggered by manipulation of the file formats used by this subsystem. Kaspersky researchers identified it in February after investigating numerous additional attempts to run similar privilege escalation exploits on Microsoft Windows servers belonging to various small businesses in the Middle East and North America.

CVE-2023-28252 was first discovered by Kaspersky in an attack in which cybercriminals attempted to deploy a new version of the Nokoyawa ransomware. Older variants of Nokoyawa were little more than a rebranded version of the JSWorm ransomware, but the variant used in this attack had a completely different codebase from JSWorm.

Nokoyawa Ransom Note

The exploit used in the attack was developed to support various versions and builds of Windows, including Windows 11. The attackers used CVE-2023-28252 to elevate privileges and then steal credentials from the Security Account Manager (SAM) database. The privilege escalation step matters because the SAM hive is only readable with SYSTEM-level privileges; without a local exploit, a foothold in an ordinary user's context cannot dump it.

Boris Larin, Lead Security Researcher in Kaspersky's Global Research and Analysis Team (GReAT), said:

“[Zero-days] used to be primarily an advanced persistent threat (APT) tool, but now cybercriminals have the resources to acquire zero-days and use them in their attacks on a daily basis,” he said.

“There are also exploit developers willing to help them and develop exploit after exploit. important to.”

Kaspersky products detect and block exploitation of the vulnerability described above and the related malware.

To protect your organization from attacks that exploit the aforementioned vulnerabilities, Kaspersky experts recommend the following:

- Update Microsoft Windows as soon as possible and keep it updated regularly.
- Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business. It features exploit prevention, behavioral detection, and a remediation engine that can roll back malicious actions.
- Deploy anti-APT and EDR solutions to enable threat discovery and detection, investigation, and timely remediation of incidents.
- Provide your SOC team with access to the latest threat intelligence and regularly upskill it with specialized training.
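The two behaviours the article attributes to this attack chain (a crafted CLFS base log file used to trigger the driver bug, followed by a dump of the SAM hive once SYSTEM has been obtained) are both visible to an EDR that records file-creation and process-creation events. The script below is an added example written for this page, not Kaspersky code and not an indicator list from the original report: it runs two simple hunting rules over constructed Sysmon-style events and correlates them per host. The path prefixes, the command-line patterns, the event record layout and the sample events are all assumptions made for the example.

```python
"""Hunt constructed Sysmon-style events for the two behaviours described in
the article: a CLFS base log file (.blf) dropped in a user-writable path
(the CVE-2023-28252 chain feeds the CLFS driver a crafted .blf) and a later
attempt to dump the SAM hive.  Prefixes, patterns and events are assumptions
made for this example, not indicators from the original report."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Locations where Windows itself keeps CLFS base logs (assumption: benign).
SYSTEM_BLF_PREFIXES = (
    "c:\\windows\\system32\\config\\",
    "c:\\windows\\system32\\smi\\",
    "c:\\windows\\system32\\logfiles\\",
)

# Locations a low-privileged process can write to (assumption: suspicious
# when a .blf appears there, since a crafted file is the exploit's input).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Command-line patterns typical of on-host SAM hive dumping (MITRE T1003.002).
SAM_DUMP_PATTERNS = [
    re.compile(r"\breg(\.exe)?\s+save\s+hklm\\sam\b", re.I),
    re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
    re.compile(r"\\windows\\system32\\config\\sam\b", re.I),  # e.g. copy from a shadow copy
]


@dataclass
class Event:
    event_id: int   # Sysmon numbering: 1 = process create, 11 = file create
    image: str      # image path of the acting process
    target: str     # command line (id 1) or created file path (id 11)
    user: str
    host: str


def suspicious_blf(ev: Event) -> Optional[str]:
    """Flag a .blf created outside the system's own CLFS directories."""
    if ev.event_id != 11:
        return None
    path = ev.target.lower()
    if not path.endswith(".blf") or path.startswith(SYSTEM_BLF_PREFIXES):
        return None
    if path.startswith(USER_WRITABLE_PREFIXES):
        return f"CLFS base log written to user-writable path: {ev.target} by {ev.image}"
    return None


def sam_dump(ev: Event) -> Optional[str]:
    """Flag a process launch whose command line tries to read the SAM hive."""
    if ev.event_id != 1:
        return None
    if any(p.search(ev.target) for p in SAM_DUMP_PATTERNS):
        return f"SAM hive dump attempt: {ev.target} by {ev.user}"
    return None


def hunt(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, rule name, detail) for every event matching a rule."""
    findings = []
    for ev in events:
        for rule in (suspicious_blf, sam_dump):
            detail = rule(ev)
            if detail:
                findings.append((ev.host, rule.__name__, detail))
    return findings


def escalated_hosts(events: Iterable[Event]) -> List[str]:
    """Hosts where a suspicious .blf was dropped and the SAM was dumped afterwards,
    i.e. the full privilege-escalation-then-credential-theft sequence."""
    blf_seen, hosts = set(), []
    for ev in events:  # events are assumed to be in chronological order
        if suspicious_blf(ev):
            blf_seen.add(ev.host)
        elif sam_dump(ev) and ev.host in blf_seen and ev.host not in hosts:
            hosts.append(ev.host)
    return hosts


# Constructed sample telemetry: one benign system .blf, one crafted .blf in a
# user temp directory, a SAM dump from the same host, and unrelated noise.
SAMPLE_EVENTS = [
    Event(11, r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\config\TxR\example.TM.blf", r"NT AUTHORITY\SYSTEM", "HOST-A"),
    Event(11, r"C:\Users\alice\AppData\Local\Temp\updater.exe",
          r"C:\Users\alice\AppData\Local\Temp\x.blf", r"DESKTOP\alice", "HOST-A"),
    Event(1, r"C:\Windows\System32\reg.exe",
          r"reg save hklm\sam C:\Users\Public\sam.hive", r"NT AUTHORITY\SYSTEM", "HOST-A"),
    Event(1, r"C:\Windows\System32\cmd.exe", r"cmd /c dir C:\Users", r"DESKTOP\bob", "HOST-B"),
]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
    print("hosts with full chain:", escalated_hosts(SAMPLE_EVENTS))
```

The .blf rule is a heuristic rather than a signature: legitimate applications can also create CLFS logs, so in production it should be tuned against a baseline of which images write .blf files in your environment, and the SAM rule should be extended with whatever dumping tooling your telemetry actually observes. The correlation in escalated_hosts is what turns two medium-confidence signals into a finding worth an immediate response.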

