Nokoyawa Ransomware Attack Exploited Windows Zero-Day Vulnerability


According to Kaspersky, a Windows zero-day vulnerability fixed by Microsoft in its April 2023 Patch Tuesday patches has been exploited by hackers in a ransomware attack.

Microsoft's most recent wave of security patches addresses over 100 vulnerabilities, including CVE-2023-28252, a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS) driver.

Microsoft stated that the vulnerability has been exploited in the wild, but provided no details on the attacks. CVE-2023-28252 was reported by Kaspersky, Mandiant, and Chinese cybersecurity firm DBAppSecurity, and Kaspersky revealed some specifics about the attacks that exploited the vulnerability on Tuesday.

CLFS is a log file subsystem that Microsoft describes as a general-purpose logging service that can be used by software clients running in either user mode or kernel mode. The CLFS vulnerability allows an attacker who already has an authenticated foothold on the machine to elevate to SYSTEM privileges.

According to Kaspersky, a cybercrime group notorious for carrying out ransomware operations has exploited the vulnerability as part of attacks to deliver the Nokoyawa malware.

"This group is notable for leveraging many similar but distinct Common Log File System (CLFS) driver exploits, most likely developed by the same exploit author. We've identified five different exploits used in attacks on retail and wholesale, energy, manufacturing, healthcare, software development, and other industries since at least June 2022," Kaspersky said.

The Nokoyawa ransomware family, which targets Windows systems, first appeared in February 2022. The malware encrypts files on infected PCs, and the operators also claim to have stolen sensitive data, which they threaten to publish unless a ransom is paid.

Code similarities point to ties with the Karma and Nemty ransomware families, while similarities in the attack chain point to the notorious Hive operation, which was recently dismantled by law enforcement.

To limit the risk of abuse, Kaspersky has withheld most technical details about the flaw. The company intends to release more information nine days after Patch Tuesday. According to Kaspersky, dozens of CLFS vulnerabilities have been discovered over the last five years, and at least three of them — not counting CVE-2023-28252 — have been exploited in the wild.
