For the second month in a row, Microsoft has released patches to fix an already-exploited zero-day vulnerability in Windows. The flaw, discovered by Mandiant researchers, is a privilege escalation bug in the Windows Common Log File System (CLFS) driver tracked as CVE-2023-28252. Successful exploitation can give an attacker administrator privileges on the target system.
Overall, the Windows maker fixed 98 vulnerabilities in the Windows ecosystem this Patch Tuesday. These include remote code execution vulnerabilities in Microsoft Office, Word and Publisher which haven’t been actively exploited yet. CVE-2023-28252 has also been added to CISA’s catalogue of known exploited vulnerabilities, with Federal Civilian Executive Branch (FCEB) agencies ordered to fix the issue by May 2.
As for CVE-2023-28252, Microsoft hasn’t released much information yet: there are no additional details on exploitation, and no indicators of compromise that would help defenders find signs of infection. However, this also makes it harder for attackers who don’t already have an exploit to develop one. What we do know is that it affects all supported Windows server and client versions and can be exploited locally in low-complexity attacks that don’t require user interaction.
Security researchers from Kaspersky’s Global Research and Analysis team also discovered that the vulnerability was being used to carry out Nokoyawa ransomware attacks. The Nokoyawa ransomware gang has also used other exploits targeting the CLFS driver since at least June 2022, as well as at least five more CLFS exploits, to target multiple industries, including critical infrastructure such as energy and healthcare.
Nokoyawa is a comparatively new ransomware gang that first appeared in February 2022 and shares code with the JSWorm, Karma and Nemty ransomware. While early versions of the Nokoyawa ransomware were just ‘rebranded’ variants of JSWorm, as of September 2022 the gang has rewritten the ransomware from its original programming language, C, into Rust.