Nokoyawa ransomware attacks with Windows zero-day

In February, Kaspersky experts discovered an attack using a zero-day vulnerability in the Microsoft Common Log File System (CLFS). A cybercriminal group used an exploit developed for different versions and builds of Windows OS, including Windows 11, and attempted to deploy the Nokoyawa ransomware. Microsoft assigned CVE2023-28252 to this vulnerability and patched it today as part of Patch Tuesday. The threat actor also attempted to execute similar elevation of privilege exploits in attacks on different small and medium-sized businesses in the Middle East and North America, and previously in Asia.

While most of the vulnerabilities discovered by Kaspersky are used by APTs, this one turned out to be exploited for cybercrime purposes by a sophisticated group that carries out ransomware attacks. This group stands out by the usage of similar but unique Common Log File System (CLFS) exploits. Kaspersky has seen at least five different exploits of this kind. They were used in attacks on retail and wholesale, energy, manufacturing, healthcare, software development, and other industries.

“Cybercrime groups are becoming increasingly more sophisticated using zero-day exploits in their attacks. Previously, it was primarily a tool of Advanced Persistent Threat actors (APTs), but now cybercriminals have the resources to acquire zero-days and routinely use them in attacks. There are also exploit developers willing to help them and develop exploit after exploit. It’s very important for businesses to download the latest patch from Microsoft as soon as possible, and use other methods of protection, such as EDR solutions”, said Boris Larin, Lead Security Researcher with the Global Research and Analysis Team (GReAT).